Slashdot Mirror
NSA Director Says Agency Is Still Trying To Figure Out Cyber Operations
Trailrunner7 writes: In a keynote speech at a security conference in Washington on Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war. "We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war," said Rogers. "If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what's an act of defense." Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.
YOU ARE THE CYBER-THREATS.
Maybe they should just get off their lazy fucking asses and start pulling all those exploitable 'cyberweapons' off the fucking public network and start having them running on a private network akin to MILNET. There's no excuse for the power grid, medical records, social security, police records, etc being accessable over the public internet, except as a threat window to use in the quest for more security theater. Eliminate access to the resources and you eliminate the majority of non-military threats. On the off chance such information *IS* needed via the internet (see: online banking), make it run through isolated systems with limited end-user data available on the 'public' side, and a batch processing system in-between the public and private networks. While it wouldn't stop exploitation of the end-user, it could stop the majority of actual banking system hacking by eliminating direct access to the computing resources. While this is probably already done to some degree the level of isolation is obviously insufficient.
Militarizing turf wars over the internet however is bad for everyone.
...definitively the most honest thing I've ever heard to come publicly from NSA, ever.
Personally I translate that to "It's important that we don't see ghosts everywhere here!".
And yes, very! Even the NSA know they've gone out of hands here, they also have humans working for them - and nothing they ever do will ever stay 100% a secret everywhere, so it's a better strategy to play with open cards (which they have *NOW* learned the hard way) in the long run. Besides, you can't possibly store all the 1 terabyte personal computer harddisks in the world in even googles vast server-lands anyway. It's all about spotlight. If you're in their spotlight, you'll be spied on, your data will get collected no matter where it is. Going trough vast amounts of byte garbage will yield certain finds - but mostly it's just noise, people who use words that could be similar to what you're looking for, but ultimately...just noise.
What this world is coming to - is for you and me to decide.
that would be a good start.
"We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war," said Rogers
NSA supposed to be a government agency filled with very intelligent folks, and they are telling us that they can't differentiate between common hacking (whether it be criminal or otherwise) and an _Act of War_ ?
I dunno about you, but I find it very hard to believe!
Muchas Gracias, Señor Edward Snowden !
We're having coming up with a definition that means "It's fine when we do it, but an act of war if we want it to be when someone does it to us" that passes the laugh test.
Pretty bloody easy to define the difference between hacking and act of war. Any hacking attack you can simply divert by cutting the connection is not an act of war. A major electro magnetic pulse generated by a thermonuclear war head is an act of war.
For the idiots at the NSA, permanent damage versus repaired disruption. They just need to ask the buddies at the CIA when it comes to their idea of torture, permanent harm equals torture non permanent harm according to them, based upon them being a bunch of sick psychopath sadists, does not equal torture.
So if you ain't using explosives on digital infrastructure it ain't war. No matter how badly behaved the NSA has been, their acts have not quite crossed the bounds of an act of war. Somehow I guess this will be another example of American exceptionalism and when the US does it, it is not an act of war and when any other country does it, it is an act of war and the US must spend another billion dollars on the US military industrial complex per incident or so the lobbyists say.
Chaos - everything, everywhere, everywhen
Careful what you wish for. With the current generation, you might end up with iWar instead.
Opus: the Swiss army knife of audio codec
How do you control the spread of information and disinformation, when it becomes so easy to do it?
All these connections becoming ever closer to instantaneous and covering the whole globe.
Trust.
Only the truth will set us free.
While you're looking for "the cyber threats" you might as well just buy a modern dictionary. Nobody calls anything "cyber" anymore and the number two threat is malware... right behind the number on threat... the NSA.
Cyber-think your way out of that one, NSAmen. Time is short. The cybermen are coming.
...you're so stupid it's adorable.
Seems our favorite Spook is a little more than "Spooked": lets say "Targeted",
When you went online you agreed to accept any traffic thrown at you. There never has been any system to prevent that. If you can't handle it don't get on the internet. It's not war when someone attacks you- it's the internet.
That said the underlying problem is shitty code on a grand scale. If the US wanted to defend itself it would start implementing programs to review every bit of critical code multiple times, minimizing baggage, developing best practices and standards for critical infrastructure like: TCIP/IP, OS software, core web software (Apache, lightweight web servers, IIs, etc), standards, automation technology, vehicular technology, cellular technology, etc. Then implement levels. Code which has gone through certain audits, reviews, etc gets certified to a certain level of trust. 'level 1' critical code like OS, BIOS, flash (USB controllers, keyboard controllers, wifi firmware, etc), database software, encryption software, communications software, access control software, image libraries, video libraries, browsers, word processors, and similar, etc, 'level 2' would be code that was semi-critical like medical applications, and level 3 would be non-critical business applications, etc, level 4 would be pretty much everything else (ie code that didn't matter, like games, purely entertainment applications, etc). Then you could require certain types of devices to match certain levels. General purpose computers could be required to meet level 1 at the core (BIOS, flash chips, etc), consumers could still get devices/hardware/software that didn't match that, but they'd not be legally usable by businesses and government.
What we don't need are things like proprietary bits all over the place and excessive baggage that is total shit (think intel's remote access software built into hardware/BIOS/etc, while useful to some it simply adds to the surface area which can be easily attacked and the insecurity for us all).
Yep, this is absurd. It's just the internet, it's not to be used for anything serious. Get your stupid crap off the internet, take those idiots using it for advertising with you if possible. Oh, and stop saying "cyber", you're killing me.
We're having coming up with a definition that means "It's fine when we do it, but an act of war if we want it to be when someone does it to us" that passes the laugh test
Remember it's NSA we are talking about
They do not need to speak the truth, and in fact, they have lied to the congress and nobody could do anything to them
In other words, they can declare "An Act of War" any time they want, even if nobody did nothing, because right now, as we speak, NSA is an entity that no one have any right to inspect - not the congress, not the court, and surely, not the White House
Muchas Gracias, Señor Edward Snowden !
Attacks against targets that are considered basic infrastructure for life, government or defense with damages that severely cripple those sites and cause harm to American citizens.
Shutting off power, blanking out emergency services, crashing planes, etc.
NOT downloading a MP3 or looking at porn or reading a johnny rocket how-to for do-it-yourself nuclear reactors. I am still on the fence about economic stuff since that does affect everyone, however it's all fixable. It's hard to goto war over damages to your economic system the entire American payment card industry is completely off it's rocker and ineffective.
"Network penetration is network engineering, in reverse."
A/S/L?
Pass me the floppies, I've got my acoustic coupler hooked up and I'm loading up the BBS! Gonna get some sweet warez from the sysop.
giddeeup
we need to have pity upon government workers tasked with these jobs, especially the military
some of them spend their entire working day on tasks that *help* us (of course others do other things too...ahem)
so..."criminal activity" or "act of war"
i understand the distinction...but beneath those options are huge icebergs of heirarchy and process
the way out is to take the technology out of the equation...
chinese government hacker uses the internet to steal nuclear plans
-now take the tech out-
chinese government spy uses social engineering to steal paper documents of nuclear plans
with the tech *out* is it an act of war?
what if it is a private contractor? take the tech out...would it then be "war" or "crime"?
Thank you Dave Raggett
Intel's remote management software is scary when you look at what it can do.
They mention some of the more powerful features are only available on your LAN, hoping you'll forget that to some... The entire internet is their LAN.
Then there's the features they don't tell you about.
Scary capabilities advertised as control features.
My sympathies are with the people who are trying to defend while standing on the front line. By www.travelthee.com
NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.
How about starting with no more privacy violations of innocent Murican's?
The solution is simple. The NSA should continue to spend the lion's share of its effort on attacking the United States' own citizens. It's not an act of war if you're attacking yourself!
The problem for that is the origin. Other nations and their fellow travellers, cult members, dual citizens, deep cover agents or useful groups can stage any kind of network event with internal or expected external IP address, time zones and other code hints all pointing to the expected 'country' or group.
Contractors, the politically connected all then feed from the event with digital products, services, clean ups, changes, new expensive training and long term monitoring.
All that is found is a legal working company legend, cut out or site used. How would a country find where the bad code entered the internet?
The neutral country with great hosting and low bandwidth costs that all was traced back to? The country who has on average produced expert coders over generations of very gifted academics? The code used kind of looks like something from that part of the world? Something was left to be found days later in the code in that language, it fits the time zone, ip and with international politics?
It could all be a distraction, false flag or just average code re used by an unexpected nation for their own national interest with the skills to have a great cover story.
The only good method is to air gap a nations vital infrastructure and clear all on site local staff.
The problem with networks is they face the wider world or strangers can build trust with cleared staff who then allow code to move along a trusted internal network.
All a nation gets in the end is a local staff members account was the origin or easy found, expected code fragments 100% that 'that' country.
International partners then have to be 100% told it was that 'that' country.
Then what? Other nations share the same code and other their different country of origin findings that they where 100% sure of?
Domestic spying is now "Benign Information Gathering"
The NSA is here and censoring comments
The other fun part is what where "nuclear plans" doing on the web to be found?
On average they might have been kind of expected to be found? The press getting whispers to stoke public outrage to show that they where very real?
A nation goes to try and build from altered plans that wastes a decade and makes import supply lines and requests show up?
The domestic press feeds a perfect operation to ensure plans are seen as real but nobody told the rest of the cleared political or signals intelligence teams not to worry.
For that to work the internet has to be fully connected to all kinds of interesting mil sites just waiting to be found, downloaded from and then discovered to have been accessed from around the world.
The only trick is to keep the term honeypot away from the tech press. Or not have the press recall the same trick been done with altered paper plans sold in old Europe.
Thats the problem with massive signals intelligence teams and other massive intelligence moving agencies all having their own hidden missions.
In the past signals intelligence teams could be kept as support only and intelligence agencies could roam the world tricking other nations for decades while keeping political leaders in the loop.
Now active signals intelligence teams, contractors and the press with political contacts are reporting on active projects by intelligence agencies as if they where fact vs just fun cover stories.
Protect the super new plans from been downloaded for free from wide open sites every year, get good press... more political interest and a bump in next years budget.
Act of luck or just net activity looking for wide open sites every year and finding decades of complex 'plans' waiting?
Domestic spying is now "Benign Information Gathering"
oops the ethernet is unplugged and im out with a few ladies and beers
haha have a nice wasted day twits
The internet isn't safe, so it's all the victim's fault, and we should ignore the attackers. Hmmm. .."
"Anyone in any business who doesn't realize that the internet^H^H^H^H^H^H New York isn't a safe playground.
That's your theory, right? Because the internet / New York / the ocean isn't a safe place, anyone attacked on the internet or in New York had it coming. The government of China is attacking our internet infrastructure, but theyget a pass because the internet isn't perfectly safe, right? The high seas also are not perfectly safe, so it would be okay for China to attack our shios at sea?
I guess their troubles are how to define it so that they are a mere criminal gang (and hence have immunity like all "law enforcement"), yet others are committing acts of war so they can be drone-killed and it is (legally, but not ethically) not murder...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
.... while they figure out what cyberwarfare looks like, they will continue to do their duty of spying on everybody for the benefit of their corporate overlords. Is it just me, or the MAFIAA has stopped using their own people to search for kids to sue and extort, and are now using the taxpayer-funded surveillance data provided by professionals from the NSA ?
while they try to sneak through another Secret Law like the Patriot Act which will assume that everyone is a CYBER WAR CRIMINAL.
Hacked some credit cards? Cyber war criminal.
Spoofed a website? Cyber war criminal.
Changed your grades? CYBER WAR CRIMINAL.
Wrote some open-source code? CYBER. WAR. CRIMINAL.
Of course the NSA knows what an act of war is, in cyber terms. They just don't want it defined as such because they themselves are no doubt performing those very acts on perceived threats and allies alike and yes, on American citizens as well.
blindly antisocialist = antisocial
Well, no, the theory is military who hooks up nuclear warheads to the internet should be imprisoned for life and those warheads disconnected. The surreal idiotic supposition, that other people can gain control of your nuclear warheads is ludicrous and if they can, well, it is all to late already, is in not?
Chaos - everything, everywhere, everywhen
Joe Biden is a square shooter. Joe Biden for 2016.
"We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war,"
this is like the scene in the movie where the parent knocks on the door to the kids room asking "what are you doing in there!?!?" knowing full well... and the kid hurriedly puts out his joint and sprays air freshener... "nothing!!!"
... Stop.
I question your motives, junior.
Especially when you see it in consumer devices, considering it costs extra.
Your arguments are really quite poor. Let me expound on your two attempted examples. For posterity, "the Ocean" is at least close to the function of the Internet, where "New York" is not.
If a person runs a boat on the ocean are they not required to have gear to operate safely? If a boat owner had no lifeboats, no radar, no radio, not enough people to staff the boat would they not be held accountable if the boat had an accident?
If your job is to carry around cash for people and you live in New York, are you not required to do everything possible people's money safe? If an operator had no secure storage (locked briefcase, armored car, bodyguards, etc..) and just sent people walking down the street with wads of cash, they would not be held accountable when people's money ends up missing?
I'll even add one, using the always favorite car analogy. If a business is supposed to drive goods from point A to point B and has no insurance, no licensed drivers, trucks with no brakes, etc.. the company should face no civil or criminal action when an accident occurs? Are you trying to claim that accountability can only exist if they are on a highway and not a country road?
These are examples not dealing with critical infrastructure where you know damn well that people _should_ be held accountable for their poor decisions. They may simply be terminated from employment, or they may face criminal and or civil cases.
Why on Earth would the rules for critical infrastructure be any different than those examples? Hint: They should not be.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
> For posterity, "the Ocean" is at least close to the function of the Internet, where "New York" is not.
Okay, let's go with that, then.
> If a person runs a boat on the ocean are they not required to have gear to operate safely? If a boat owner had no lifeboats, no radar, no radio, not enough people to staff the boat would they not be held accountable if the boat had an accident?
An attack is not an accident. The government of China is _attacking_ US resources via the internet. We're not talking about accidents - someone didn't trip over the power cord. It's an attack by a foreign force. Having enough people to staff the boat, and a radio etc doesn't do much good when your ship is attacked by a foreign government. Your argument is that the ship (or web site) should have armament capable of defeating an attacking state, a rising superpower no less. "If they can't defend themselves against an attack from China, they deserve to be attacked and it's okay for China to attack them." That's your thesis, right? In the case of shipping, that would mean that each cargo ship should have anti-aircraft missiles, a squadron of fighter jets escorting it, etc. That's what it takes to defend a ship against an attack.
Other people think that operating fighter jets and otherwise defending the citizens against attacks by foreign nations is the proper role of the national government. "To raise and support armies", as the constitution says. Your idea that each citizen should have a private army capable of defending them against China is an interesting one.
Stumbling from one million constitutional violations into the other.
And yet this 'look we're pathetic' plea.
Well we're kind of getting somewhere.
Infrared: below red
Infrasound: below sound
Infrastructure: below structure
> "Infrastructure" means that everyone relies on this, and society can not function without it.
Not in any way, shape or form, not even a litle bit close or related.
Infrasound does not mean "sound that society cannot function without", and infrastructure does not mean "structure that society cannot function without".
Infrastructure means parts and pieces which are underneath structure. A wire is not itself a structure, but an underlying part of a structure, such as my home network. Wiring is therefore infrastructure. A building's infrastructure is it's wires, beams, etc - all of the stuff that underlies the structure.
You seem to be silently adding "nationally critical " to the word infrastructure. From there, you've decided it's okay for China to attack nationally critical infrastructure.
You seem to be attempting to mangle the meaning of infrastructure. Infrastructure is "foundational", not "not needed" as you seem to be implying with the term "below". Even though the term has a similar root "infra" to "infrared", the use of "infra" is absolutely not the same.
You are trying to claim, falsely I'll add, that some infrastructure is not actually infrastructure. In terms of Infrastructure, there is absolutely no difference. If someone can take out roads then we have an infrastructure problem, we can make the same claim for electricity, water, sewage, communications, etc... There is no difference except that "roads" would be much harder for some management person to create a single point of failure out in the ocean somewhere. In other words, your implication that "critical infrastructure" existed anywhere in my points is absolutely incorrect.
To prove that is incorrect, notice that I don't restrict the argument to just infrastructure. It's commerce as well, where some person/company accepts responsibility for another person's wealth or property (as with the original post and their stock exchange comment). All of these things are the same, and the argument is the same.
When it is not yours, you have no right to put other people's "things" at risk. Public property is no different than private property in this regard. If you take unnecessary risks with other people's "things" you must be held accountable and liable for your actions. As with the former, there is no difference between public and private property in this regard.
Obviously things change if the courts reveal that something completely unexpected happens. The distinction from that statement is that "Liability" can change, but "Accountability" can not or society breaks down (very much like the US has been heading for the last couple decades).
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
> I don't restrict the argument to just infrastructure. It's commerce as well, where some person/company accepts responsibility for another person's wealth or property (as with the original post and their stock exchange comment). All of these things are the same, and the argument is the same.
Okay, so the dry cleaner DOES need a private army to defend your clothes in case of attack by China.
A minute ago you shifted to "society absolutely cannot function without", but now we're back to all commerce. I can go either way, I just wish you'd pick one and stick with it. It's kind of annoying when you change your position with each post as your previous post is shown,to be ridiculous.
So now we're at "anyone in commerce is negligent unless they have a private army capable of standing their ground agains attack by the Chinese government ", correct?
Why do you keep introducing invalid and unrelated arguments? Did I or anyone else claim that a dry cleaner needs a private army? The latter question I can answer, and that answer is "NO". Further, it does not at all relate to the debate. The first question I can only answer with the fact that that you continue to muddy the waters instead of answering the questions I posed earlier. Contrary to your 2nd paragraph, I have never shifted my position even the slightest. I stated that if people are not accountable society fails, and we have seen a massive growth in this exact issue in the US. My position that accountability and liability must exist has never changed in the slightest, in fact my first post explicitly stated that people must be held accountable for their actions, which you argued against.
Stick with the arguments and the Socratic method (reduce the arguments to their lowest form). Prove to me that your argument that politicians and some executives in charge of other people's "things" should not be held accountable for their management of those "things". You are the one claiming that a double standard should exist, not I. As Socrates stated, Justice never changes form. If person A does something just and person B does the same thing, it is also just (and visa versa). It can not be any other way and still be called "Justice".
If you can prove to me that there is a logical reason not to hold politicians and certain executives accountable while they manage other peoples property (including public property), I will concede the debate. If you can not, your belief is simply not rational.
Remove everything you just said and start over with where you were a post ago and answer the questions I posed. These two in particular.
1. Why should the boat (infrastructure) be in the Ocean (attached to the Internet)? As previously stated, "profit" is not an answer.
2. Why should any politician or executive in charge of property they do not own not be held accountable, when everyone else in society is held accountable?
As stated above, if you can not answer those two questions rationally your opinion is not rational. In my last posts, I demonstrated that an attack is no different than an accident in terms of accountability. The difference _may_ be in liability, but that would be for a court to decide. I may not have explicitly stated this, but it should have been obvious enough not to need calling out (I am assuming you read and write English).
Alternatively, if you can prove to me that nobody should ever be held accountable for anything they do with other people's property I will also concede the debate. I seriously doubt you would take that position, as that would indicate advocacy for complete lawlessness. E.G. Someone breaks into your house and rapes everyone inside, then steals everything of value you have no recourse.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
In the true spirit of the Socratic method I should have also added that my question number 1. is not really required to gaining the rational answer to primary question. It does however relate\ directly to the answer I gave in my first post.
The primary question is why anyone would believe that 2 forms of justice can exist simultaneously in the same society? The separation of infrastructure is not necessary in the grand scheme of your claim that certain people should be excluded from justice. Just like accident vs. attack should be no different in seeking justice.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
1> Why should the boat (infrastructure) be in the Ocean (attached to the Internet)? As previously stated, "profit" is not an answer.
A ship should be in the ocean to bring bananas to North America, and generally get things to people eho need them. Foreign governments should not fire missiles at those ships. The internet made up of infrastructure , and can itself be considered to be critical infrastructure. It makes no sense to ask why it should be connected to itself. I see now you must have read the phrase "critical infrastructure " a lot and forgot that the word "critical" is there for a reason. Kind if like "fighter jet" - most jets aren't fighters, and most infrastructure isn't critical, so if you mean to distinguish critical infrastructure from Sony's PlayStation infrastructure please do so. The stock exchange should be network- connected so you can save fir retirement without paying a broker $150 transaction fee every month. Public health systems should be connected for fast, effective response to a public health crisis.
> Someone breaks into your house and rapes everyone inside, then steals everything of value you have no recourse
If that happens, you should be imprisoned. You failed to protect your family from armed attack. If you disagree , there's your answer to #2. We hold people accountable for what they DO. We don't hold people accountable and imprison them for getting raped or otherwise attacked. We imprison (or kill) the rapist, not the victim.
The attacker is at fault, not the victim. (The victim may have been foolish in the case of some crimes, but no amount of street smarts will protect you against a hostile super power on the rise.) You cannot protect yourself against China. They have zero-days, they have moles, and no company has the resources to fight China single-handedly. In this, I know of what I speak.
I think I answered them quite clearly. If there are English words you're unfamiliar with in my answers, I'd be happy to explain those words to you.
Here are two questions for you:
Why would you blame and punish the victim, rather than holding people accountable for what they do?
The attacker committed a crime / act of war. The victim tried to provide important services to people and was attacked while doing so.
Do have any idea what level 4 preparedness costs, or even what it is? If not, perhaps you're not qualified to speak on the subject.
You asked "why does the boat (infrastructure) need to be in the ocean (internet). You said very specifically that you were talking about ALL commerce, NOT just about critical infrastructure. Would you like to flip-flop a third time and go back to critical infrastructure? If so, refer to my explanation of why public health services are connected.