America's 'CyberWar' With Foreign Governments Could Get More Aggressive

America's Department of Defense "has quietly empowered the United States Cyber Command to take a far more aggressive approach to defending the nation against cyberattacks, a shift in strategy that could increase the risk of conflict with the foreign states that sponsor malicious hacking groups," reports the New York Times. Long-time Slashdot reader TheSauce shares their report: In the spring, as the Pentagon elevated the command's status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed, according to strategy documents and military and intelligence officials... The new strategy envisions constant, disruptive "short of war" activities in foreign computer networks... "Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks"...

The risks of escalation -- of U.S. action in foreign networks leading to retaliatory strikes against U.S. banks, dams, financial markets or communications networks -- are considerable, according to current and former officials... The chief risk is that the internet becomes a battleground of all-against-all, as nations not only place "implants" in the networks of their adversaries -- something the United States, China, Russia, Iran and North Korea have done with varying levels of sophistication -- but also begin to engage in daily attack and counterattack.
An article shared by schwit1 notes that officials in the Obama administration "were also worried that a vigorous cyber response...could escalate into a full scale cyber war."

Yet the Times reports that this new policy reflects "a widespread view that the United States has mounted an inadequate defense against the rising number of attacks aimed at America."

What allies?

[Midnight+Thunder]

Once upon a time the US was an ally many nations wanted to have (discounting the relationships fostered by the CIA). Today, the image of the US is one of isolationism and paranoia, very much in the frame of the leader.

Granted, it is hard to tell what is due to the commander in chief and what is simply politics as usual? It is also hard tell who is creating more spin?

Whatever happens the next leader needs to heal the wounds and divisions created by Trump (he already started during Obamaâ(TM)s terms), but that wonâ(TM)t be easy while Trump is still respected by his base. It also wonâ(TM)t be easy while the Democrats donâ(TM)t listen to the nation.

Involuntary pen testing needed.

[Gravis+Zero]

If there is going to be any real defense of our critical systems then what we actually need is to have our own government bringing down vulnerable systems. Allowing these systems to continue to function when they could fail at any moment is like building on a fractured foundation: it's a disaster waiting to happen.

This effort will cause annoying outages but it will also force companies to invest in real security while allowing those who already have will thrive. Most companies have been complacent for far too long and it's made us very vulnerable.

Re:Is water wet?

[currently_awake]

There should be 1 government organization responsible for computer security, and they should not also be in charge of spying as that deters foreign governments and corporations from fully cooperating with them. Giving them legal authority to force companies to patch security holes would also help.

This "war" was lost in the 1970s

[ka9dgx]

Ambient Authority is a design decision which only appears once you have multiple users sharing a computer. As a result, everyone just kept using it without much thought... until we find ourselves in a world of persistent networks, mobile code, no system administrators, and multiple layers of firmware and OS from various hardware and software vendors.

In such a system, any code runs with the full authority of the user who started the task, and the users have no effective means of limiting the side effects of running a given program. This in turn means we have to try to guess the intent of code (which is equivalent to solving the halting problem, and is thus impossible). The band-aid is to then try to enumerate all the bad code in the world (virus scanners), and to enumerate all the code bugs in all our programs (security updates), and to eliminate the trust of users (DRM, forced updates, "safety" filters in our browsers). None of these band-aids will work against a determined individual, let alone a nation-state.

Running tasks with the least possible privilege, the "Principle of Least Authority" (POLA) allows a user in such a system to decide ahead of time exactly what files the program is allowed to read, write, etc. Because we're all used to dialog boxes, and drag to drop GUI elements, this doesn't even require any special training of users to accomplish.

Of course, rebuilding our infrastructure to fix a design flaw of the size and scope of using 2 digit years (the Y2K problem we once faced), isn't going to be easy... especially when there's no deadline to make the need for action obvious. It's just going to remain an insidious vulnerability instead for decades to come.

If you think EAL certifications address this, they don't. 8(