Why Chinese Hacking Is Only Part of the U.S. Security Problem

An anonymous reader writes "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.' 'The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security."

So start demanding changes.

[khasim]

First off, demand that every software vendor provide a list of files that their product installs, where those files are installed by default and different checksums/hashes/etc for them.

It should be possible to boot a machine with a live CD (or PXE) and inventory every single file on that machine and identify the origin of each of them.

At least you'd know whether a machine was cracked or not.

Right now, with existing anti-virus, all you can say is that a machine does not have anything that matches the signatures that you have right now.

Just plain silly

[Gorshkov]

The whole idea that China should be 'held responsible' for the hacking is just plain silly on it's face. Governments and private corporations have been spying on each other ever since the first cave man tried to keep a secret.

Can you imagine during the cold war of the US President went to Stalin and said "please stop spying on us"? Because that's exactly what's been suggested here.

Oh, I'm Sorry

[doctor+woot]

Do you expect medical professionals to be able to cure every disease and infection ever? Do you expect automotive engineers to be able to build mechanically perfect vehicles? No. Of course the attitude the majority of people take towards online security is a joke, but no more so than saying "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration."

Cyber espionage, crime, and warfare exist through the same mechanisms that allow viruses to become resistant to treatment: adaptation. Systems can be designed to be harder to break, systems can't be made to be impenetrable. The language used in this article is just the same old IT-focused yellow journalism we've all come to expect on the subject.

Re:Your kidding of course

[pspahn]

You may be over-estimating the will of developers who actually intend to build something secure out of the box. Sure, you've got the chunk of folks that require fine-grained security in their day-to-day, but the rest of them that take security for granted (we're not big enough yet to make things secure, we'll wait until revenue hits $xxx and then "do it right") are just going to worry about making their stuff function according to the spec.

I have left some code lying around before that I am not particularly proud of, not that anyone important would notice, as it tends to be things only another developer would recognize. It's difficult to think of other occupations that are not affected by this type of thinking either, otherwise we wouldn't have to send the Dept. of Health around to restaurants to make sure the kitchens are clean, or the pedagogists around to the elementary school to make sure learning is happening, or aviation officials to enforce maintenance standards...

Of course there needs to be accountability for code that does important things. That is clearly obvious. There are too many people interacting with code in occupations that previously wouldn't have done so. At some point it's going to be a good idea to have a nice audit trail.