Slashdot Mirror


America's 'CyberWar' With Foreign Governments Could Get More Aggressive (wral.com)

America's Department of Defense "has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups," reports the New York Times. Long-time Slashdot reader TheSauce shares their report: In the spring, as the Pentagon elevated the command's status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials... The new strategy envisions constant, disruptive "short of war" activities in foreign computer networks... "Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks"...

The risks of escalation -- of U.S. action in foreign networks leading to retaliatory strikes against U.S. banks, dams, financial markets or communications networks -- are considerable, according to current and former officials... The chief risk is that the internet becomes a battleground of all-against-all, as nations not only place "implants" in the networks of their adversaries -- something the United States, China, Russia, Iran and North Korea have done with varying levels of sophistication -- but also begin to engage in daily attack and counterattack.

An article shared by schwit1 notes that officials in the Obama administration "were also worried that a vigorous cyber response...could escalate into a full scale cyber war."

Yet the Times reports that this new policy reflects "a widespread view that the United States has mounted an inadequate defense against the rising number of attacks aimed at America."

1 of 116 comments

  1. Re:Do it by Nkwe · Score: 4, Informative

    It is high time to do the right things and first off strengthen our telecommunications network. We should be running vlan on equipment that is made ONLY in the west. Utilities should be on 1 vlan, and with absolutely NO CROSS-OVER. Likewise, Military/Intelligence should be on one, Roads on another, banks on another (used only for transfers between banks), etc, etc.

    You do understand that VLAN only offers security if you have complete control over the physical network? I suspect you may not because you mention using VLAN to isolate services that would typically be at significantly different physical locations and be administered by different people.

    Using US made equipment would be a start, but the issue with VLAN is that if anyone has access to the configuration of anything touching a physical connection that is "protected" by VLAN, they can just change the configuration and you don't have isolation any more. All VLAN does is add a couple of bytes to the header of the packets and you *hope* that everyone listening honors those packets. It can really only be used within a physically trusted segment of your network *and* you have to trust everyone who can configure the related network gear. This means that if an attacker gets configuration access to any of your devices touching the VLAN trunk, they can alter the configuration and escalate their access. If you are using VLANs to isolate workstation access at the workstation NIC, well just don't.

    In your example of using VLAN to isolate military, utilities, and banking, I would have to assume that you mean isolating them when they run across a common set of network links. This is an unlikely scenario because VLAN is a physical layer 2 (data link / Ethernet segment) thing and you typically would use a network layer 3 (routing / IP subnet) thing to deal with connecting disparate networks over distance. If you are actually talking about tying these entities together at the physical layer of the network, you would have to trust that the parties at both ends and everyone in the middle absolutely kept physical administrative control and that there were no bad actors in the mix. This is unlikely.

    Other technologies, such as VPN, would be more appropriate. This as well as regulations that require either air-gapping of sensitive systems or proven control of the encryption keys used to create VPN sessions running through shared networks.
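
The comment's point that a VLAN is only a few header bytes that every device is trusted to honor, shown as an added example (not part of the original comment or of the Slashdot page): it builds and parses the IEEE 802.1Q tag and applies the per-port ingress policy a switch has to enforce because the frame carries no proof of which VLAN it belongs to. The function names, MAC addresses, VLAN numbers and the choice to drop untagged frames on a trunk are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; with vlan_id set, insert the 4-byte 802.1Q tag."""
    tag = b""
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID of a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # plain integer: no signature, MAC or key is involved

def check_ingress(frame, port_mode, allowed_vlans=frozenset()):
    """Per-port policy (hypothetical helper). port_mode is "access" for a
    host-facing port that expects untagged frames, or "trunk" for tagged links."""
    vid = parse_vlan(frame)
    if port_mode == "access":
        return "accept" if vid is None else "drop: tagged frame on access port"
    if vid is None:
        return "drop: untagged frame on trunk"  # assumed policy: no native VLAN
    if vid not in allowed_vlans:
        return f"drop: VLAN {vid} not allowed on this trunk"
    return "accept"

# Constructed sample frames (made-up MAC addresses, IPv4 EtherType, dummy payload).
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"payload")
TAGGED_10 = build_frame(DST, SRC, 0x0800, b"payload", vlan_id=10)
TAGGED_20 = build_frame(DST, SRC, 0x0800, b"payload", vlan_id=20)

if __name__ == "__main__":
    print(len(TAGGED_10) - len(UNTAGGED), "extra bytes:", TAGGED_10[12:16].hex())
    for name, frame, mode in [("untagged", UNTAGGED, "access"), ("vlan 10", TAGGED_10, "access"),
                              ("vlan 10", TAGGED_10, "trunk"), ("vlan 20", TAGGED_20, "trunk")]:
        print(name, mode, "->", check_ingress(frame, mode, allowed_vlans={10}))
```

The isolation lives entirely in `check_ingress`, that is, in the configuration of each device on the path, which is why the comment ties VLAN security to trusting everyone who can change that configuration.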