Norway Becomes First NATO Country To Accuse China of Stealing Military Secrets (softpedia.com)
An anonymous reader writes: A high-ranking general in the Norwegian Army and head of the Norwegian Intelligence Service E-tjenesten (Etterretningstjenesten) has made official statements accusing the Chinese government of launching cyber-attacks against his country. Gen. Lunde says that state-sponsored hacking groups have targeted many Norwegian companies during the past year. He says that these companies are suppliers and collaborators of the Norwegian army and that hackers have stolen information considered to be state military secrets. The statements were made to Norwegian TV station TV2 by General Lt. Morten Haga Lunde, who was detailing his agency's most recent intelligence report.
Let's see... China has a truly awful record on human rights. China steals military secrets from Western countries. China makes cheap knock-offs of products designed by businesses in more developed countries. And let's not forget that China backs the DPRK, with a brutal nutjob of a dictator who threatens nuclear conflict and has an even worse human rights record. It's easy to point to countries where a regime change might help the world. In the case of China, we'd all be better off if the commie government was gone and they would play nice with their people and the rest of the world. Unfortunately for now China is pretty much the biggest shithead in the world.
So this tiny little country is willing to step up and call out the state-sponsored hacking from China that undermines the military posture of NATO? Meanwhile on a golf course somewhere in the continental US... the executive branch is silent on the topic. Time to re-connect with my Norwegian college buddy to find out their country's "man up" secret so I might be able to share.....
Air Gap.
Keep your state secrets off of internet connected systems and the only way that someone can steal those secrets is with a "Mission Impossible" team sneaking in and crawling through the duct work.
Oh, and maybe you shouldn't have a duct running to your super secret computer room that is large enough for a human to crawl through. Just a thought.
I am armed because I am free. I am free because I am armed.
Nice job, comrade. That was 11% better than a random word generator.
I'm confused. Tell me what is easier, an air gap or buying and maintaining gobs of firewalls to keep the bad guys out?
Security is a process and somewhere along the line someone failed to maintain security or else this would not have happened.
I've worked on air gapped systems before. I'd have two computers on my desk, one on the air gapped network and the other on the internet connected corporate network. That way I could write my code and run my test cases on the secure computer and still have access to e-mail, be able to do some internet research, and generally communicate with the outside world. We were not allowed to have our cell phones in the room, the closest they could be was a Faraday cage box outside the lab.
There were few telephones in the room to discourage speaking to people outside but still allow people to make quick calls to family or coworkers. (Side note: It was an unlisted number so we'd sometimes get wrong numbers or phone surveys that used a random phone number generator that would normally black list known business numbers. We had to be careful how we answered the phone to not reveal where the phone was located.)
Transfer of information in or out of the lab had to follow a process to keep the lab secure. This is where failures usually happen, the process isn't followed and we'd get a virus or someone did not properly log out a disc. The network was monitored regularly to keep people from removing a computer from the network, a sign someone might take a hard drive or move the computer to the insecure network, or adding anything to the network.
Sharing of data between sites was done by discs sent by a trusted courier. My job did not require me to do this sort of thing so I was not trained on sending discs but I was trained on the process of receiving files from outside the air gap. If a courier was too slow then we'd get a secure network. I'm not sure I can talk on how that network was secured.
Once in a while we'd have the cleaning crew come in to clean the floors and carry out the trash. At that point all work was to stop, computers locked and screens cleared, file cabinets locked, a blinking red light was turned on to indicate the room was no longer secure, and we'd sit around and discuss hunting, sports, or the weather.
As much as the air gap process sucked it was liberating in some ways. One nice thing was that work would stop once I left the room. If we went out to lunch then work never came up while we ate. I didn't have to worry about a cell phone call interrupting me, family and friends learned I was effectively off the grid while working. If someone really needed to get a hold of me that someone would just have to call the front desk and I'd be paged.
An air gap does not require any fancy hardware. Where I worked it was a bit over the top in some respects such as how the front door was secured. Creating an air gap system is pretty cheap, all things considered. The primary thing is to make sure everyone involved is knowledgeable on the processes of maintaining security, those methods were pretty simple as well.
If these private companies and government agencies are not willing to go through the work to create an air gap then they can expect to see a network attack from some far off country. If the firewalls used to secure these systems fail then an attacker's ability to copy or corrupt sensitive data can be bound only by the network bandwidth. An air gap failure tends to be quite limited in scope.
You might find air gaps as a silly idea on computer security but if you have a better idea then I'd like to hear it.
Where I worked it was a bit over the top in some respects such as how the front door was secured.
If it was secured properly, then it was not possible for anything short of a small army to walk in.
I continue to be amazed at the fancy electronic security that is used in many businesses, yet you could just walk right in the front door if you physically wanted to and all they could really do is call the police (assuming you didn't prevent that from the start).
If you honestly have anything worth so much that electronic security of the level you described is required, then you also need physical security. And I don't mean the rent-a-cop that is moonlighting from the mall, I mean you need trained armed guards in body armor with radios and a secure control center that they can communicate with.
All the air-gap in the world won't help if 5 armed men can walk in the door and simply shoot everyone and take what they like.
---
Note: The above is expensive to do correctly, which is why it is so rarely done. But if you need real security, it has to be both electronic and physical.
Naah, it'll take them years to decrypt words like Etterretningstjenesten so the Norwegians are pretty safe.
Dude, Norwegian IS high pitched Swedish. Don't try to fool us into thinking otherwise.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's why they're not lifting military secrets from Iceland.
Fundamentally, the United States foots the military budget for a huge portion of the developed world--Pretty much all of Western Europe, Japan, Australia, South Korea, etc...
While some of those countries have an impressive military budget, the UK, France, Germany, Japan, South Korea, Australia, Italy and Canada together spend only about 45% of what the US spends. (Not all are NATO members, but they all have significant military expenditures.)
If the US walked out of NATO it would lose 2/3rds of its military budget and a lot of its logistical and nuclear capability. https://en.wikipedia.org/wiki/...
I'm Asian and I keep having to emphasize this with my Caucasian friends. Standards of behavior are arbitrary. Just because you're used to one standard doesn't mean you should expect other people elsewhere in the world to adhere to the same standard.
The Western standard is that you don't directly steal things someone is trying to keep secret. You pass a few laws making the behavior illegal, and that's it. Anyone who breaks the law and steals your secret is a "shithead" (to quote another comment), and should be tried and jailed. You can infer the secret from afar, based on secondary information which leaks out, but stealing it directly is a no-no.
The Eastern standard is that if you want to keep something secret, you'd better do everything you can to keep it secret. If someone manages to hack you and steal your secrets, it's your own damn fault for not protecting yourself. Corporate and state-sponsored espionage isn't just encouraged, it's expected. You can be fired if you refuse your company's orders to spy on a competing company. Just don't get caught doing it. That'll result in you being fired in order for the company to save face - everyone pretends they respect each others' secrets, even while they're secretly trying to steal them.
The Hainan Island incident is a good example. The U.S. felt justified spying because they flew the EP-3 just outside Chinese territorial waters. They weren't breaking any laws, so by Western standards the behavior was OK. By Eastern standards, the behavior became unacceptable the moment it was clear they were spying. If the U.S. had been spying secretly, it'd be OK. But doing it overtly and openly by flying the EP-3 in plain sight just outside the Chinese border was a faux pas.
Because of this difference in standards of behavior, I read about all the joint technology deals Western companies make with China, and just shake my head in disbelief. Like the German company agreeing to manufacture high speed trains in China, instead of manufacturing them in Germany and shipping them to China. After a couple years, the Chinese told them they didn't need their help anymore, and didn't renew the contract. Obviously what happened was the Chinese went over every inch of the production facilities during off-hours to glean every nugget of information they could about manufacturing these trains. And after a couple years when they felt they had a good enough handle on how it all worked, they ditched the German company and started manufacturing the trains themselves. The Germans expected the Western standard of behavior - that the Chinese would "respect" the sanctity of their production secrets and not try to copy them. (Kawasaki did the same thing to my surprise, since they knew going in that this would happen.)
So don't expect the Chinese hacking and spying to stop. As long as there's plausible deniability, they're going to keep at it. The onus is on Western companies and governments to protect themselves as best they can, because the Eastern standard wins in a race to the bottom.
They'd be right. What is Norway using China for anything that could be used in military equipment. Why are systems with military secrets on the WWW (or accessible by that route)? Quite frankly it is no wonder that the new Chinese fighters look like F-22s as well.
-- I ignore anonymous replies to my comments and postings.