Slashdot Mirror


User: jofny

jofny's activity in the archive.

Stories
0
Comments
187

Comments · 187

  1. Re:Blatant corruption on Comcast Executives Appear To Share Cozy Relationships With Regulators · · Score: 1

    This is true up to a point. The rules are in place to keep those things from becoming so excessive that they turn into abuse. That said, easy and informal working relationships - within the bounds of law - also positively influence regulated environments by reducing misunderstandings, enhancing willingness to work through issues, assuring that the regulated and regulators start from much more similar conceptual pages, and improving the overall effectiveness and applicability of future regulations. It's an issue with mixed values; coming down on the overly formal and legalistic side of it can be just as damaging as the opposite to the ultimate objective of regulation - safer, fairer, more effective industries.

  2. Article and Associated Reports Misunderstand on Lack of US Cybersecurity Across the Electric Grid · · Score: 2

    That article and the sources it references fatally misunderstand both the nature of cybersecurity as a large scale problem space and the paths to improve the situation.

    First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase unless the overall business - not just the dedicated cybersecurity functions & capabilities - is improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.

    Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.

    Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)

    Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.

    Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.

  3. We can trust Bruce...to say perfectly safe things on Ask Slashdot: Can Bruce Schneier Be Trusted? · · Score: 1

    It's been a while since Bruce really has said anything that hadn't already been thought through, discussed, and agreed on by a large part of the industry. Bruce leads from the middle of the pack these days - so who cares if the NSA has compromised him?

  4. Re:Actual Report Here on Security Firm Mandiant Says China's Army Runs Hacking Group APT1 · · Score: 1

    The releasing of that many indicators and this information a) puts Mandiant as a business and as individual employees at risk of retaliation and b) means that the Chinese will change their tactics away from the indicators that have been released, so Mandiant and their clients will have *less* visibility than they had before. The report was released for the common good, IMO.

  5. Re:5th domain of warfare. on "Cyberwar" As a Carrot For Those Selling the Stick · · Score: 1

    Territory control is only a side effect of most wars. Most of the time, territory is gained for resources or to take away resources. There are other resources to take away or gain that are not geographically based - clear threat to financial stability is a simplistic example. That will certainly, through force, have the other side closer to suing for peace.

    Air only (or officially air only) wars are a great counter example. You're not really taking territory, but controlling it. Why are you controlling it? To influence the enemy: Deny them freedom to move, to cause casualties, to damage production capability, etc, etc, etc in order to achieve a political objective. All of those are accomplishable almost exclusively in the cyber domain for some set of possible objectives.

    Choosing to define something out of existence by using a purist definition defies how things work. More often, domains and tactics are blended together (air, sea, land, space, cyber) to achieve, by force, political objectives. Sabotage is part of war, as is espionage, as is subversion.

    If the point was "there are no cyber-only wars", I don't believe it, but it's tenable (as is "there are no air only wars" - there is always ground support and/or ground effect). But that's not what the point of "carrot for those selling the stick" is. Whatever your definition of "war" is, several facts remain:

    You can achieve kinetic, financial, and political effect using cyber only means; There is activity by nation states to use force in the cyber domain; Military organizations have already used cyber attacks in kinetic conflicts to help them achieve their aims against other military organizations.

    You don't have to call any of these (or the sum of their implied possibilities) "cyberwar", but that doesn't mean the threats, vulnerabilities, or consequences are being hyped up either.

  6. 5th domain of warfare. on "Cyberwar" As a Carrot For Those Selling the Stick · · Score: 1

    Not believing in cyber war is like not believing in air war, sea war, land war, or space war.

    Computers have tangible effects on our culture, our economics, our politics, and our military. We all know this.

    Computer systems are broken into regularly, we all know this (go google a list of known data breaches, for example).

    "Someone" (for this purpose it doesn't matter who) has used code to manipulate physical controls of industrial equipment (possibly for politics/military reasons). We all can see this (see: Stuxnet).

    Cyber attacks have their own logical benefits that don't really need proof, they exist by definition (can be executed, remotely, relatively difficult to attribute, can reach multiple geographically separate locations at once, etc).

    So, to deny "cyber warfare" here is a lot like saying "I know the enemy can reach our assets this way, I know they can impact us this way, I've seen lesser versions of it in action so I know it could work if there was political will....but I haven't actually SEEN anyone use ballistic nuclear weapons so the threat must not be there".

    (And this is assuming there isn't any evidence for it, which is itself debatable. But if you can prove the likelihood and possibility given the right motivations, the difference in position if there is/isn't evidence of it *currently* going on doesn't amount to much. Defensive and offensive pre-positioning should be the same.)

  7. Re:Full ICS-CERT advisory on Stuxnet on Stuxnet Worm Infected Industrial Control Systems · · Score: 1

    Sure, but that's not specific to this particular mess. And, as this doc clearly wasn't analysis of the general impact of worms and malware on control systems in general, they didn't need to say it here.

  8. Full ICS-CERT advisory on Stuxnet on Stuxnet Worm Infected Industrial Control Systems · · Score: 4, Informative

    is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf Probably a little more accurate than crappy media reporting.

  9. Re:Wow on Stuxnet Worm Infected Industrial Control Systems · · Score: 4, Informative

    You can't change the Siemens passwords in this case (and have things keep working).

  10. Re:More common? on Stuxnet May Represent New Trend In Malware · · Score: 1

    Actually, you are factually incorrect here. The methodologies you're describing do make it more difficult, but we have plenty of insight into what's been happening - it's just either close hold or not making the news. Just because -you- don't know, don't assume "we" don't know.

  11. Re:oh, please on TSA Internally Blocking Websites With 'Controversial Opinions' · · Score: 1

    I fully expect /. to be blocked by TSA there
    Ionno - No one gave a crap that I looked at Slashdot when I worked there. Good job taking a poorly worded bureaucratic ass-covering and attributing Dan Brown levels of +eleventy-billion conspiracy powers to it. And feel free to jump to my website, resume, art site, whatever for a pretty decent counter-example to your a$$-hattery here.

    //God, some people, they do need babysitters and soft walls.

  12. Re:Cyber warfare: FUD for vendors. on Is Cyberwarfare Fiction? · · Score: 1

    Heh. That would be "most of them". There's a reason there're all these bills going before congress about critical infrastructure and cyber security.

  13. Re:Cyber warfare: FUD for vendors. on Is Cyberwarfare Fiction? · · Score: 1

    Not all parts are easily or quickly replaceable and most things aren't designed correctly.

  14. Re:Cyber warfare: FUD for vendors. on Is Cyberwarfare Fiction? · · Score: 4, Insightful

    Please, knocking out the power grid or making all the red lights turn green or whatever they're afraid of is nothing like having a bullet penetrate someone or a bomb going off - it's almost impossible, if not impossible to kill someone by hacking into a computer.

    You're flat out incorrect here. First, not only can the power be shut off, but generators can be made to explode. Second, if you mess with the supply chain electronically, it's possible to do some really interesting stuff with medical supplies, parts for just in time manufacturing, etc. Could go on - but the overall effect is direct, substantial life threatening consequences.

  15. Different how? on IRS Security Faults Leave Taxpayer Data At Risk · · Score: 2, Interesting

    I'm not a fan of the IRS, but let's be real: 1. There are almost no government agencies or civilian organizations that don't have fairly terrible security... 2. These checkbox requirements don't tell a story of the actual level of security. You'd have to take a look at the whole architecture to figure out whether, for example, those UNIX passwords actually were important or not.

  16. Moratorium on US Gov't. Ending Its Hands-Off-the-Internet Stance · · Score: 4, Insightful

    There should be a moratorium on government internet legislation of any kind until the first crop of kids who grew up with it and understand it are in power. The current group doesn't and will do long lasting damage - even if their intentions were/are good.

  17. Re:Nervous reactions on US Gov't. Ending Its Hands-Off-the-Internet Stance · · Score: 1

    No. 1. That wasn't run by the government and it was a joke - even to the government. 2. Do you think the government changes decades old policy in the space of a week or two with such large implications? Not without a lot more motivation.

    However, the simulation WAS accurate insofar as it portrayed how the gov't deals with the internet...so it's going to be a fun time the more they get involved ;)

  18. Re:Internet to Powerful, for governments on US Gov't. Ending Its Hands-Off-the-Internet Stance · · Score: 2, Insightful

    You hit it exactly. They're interested because of its ability to affect political power. Every other reason is just an excuse.

  19. Re:Why can't you vote? on PA School Spied On Students Via School-Issued Laptop Webcams · · Score: 1

    I don't know about sodul, but my wife pays taxes but can't vote because she's a resident alien with Finnish citizenship.

  20. Re:But what about the spirit? on Feds Push For Warrantless Cell Phone Tracking · · Score: 1

    The Constitution is perfectly fine. At any point in time, we could elect other people than the farktards we elect now (over and over again). It's a brilliant document that assures we all get the government we deserve.

  21. Re:"Zero-day" is just noise on Zero-Day Vulnerabilities On the Market · · Score: 1

    0day implies that there is a --non public-- vulnerability and/or exploit out in the wild that has not yet been disclosed outside of relatively small private circles (nothing to do with the time between vuln and exploit). Its meaning has been lately bastardized to include "things for which we don't have a patch yet" - and it's that bastardization which creates scenarios that don't make "sense".

  22. Re:Careful There, Schneier on Surveillance Backdoor Enabled Chinese Gmail Attack? · · Score: 1

    -all of them- deliberately mislead to sell. Fox only differs in that they're publicly explicit about their market niche / demographic. (This comes from someone who's watched staged media events :P ). Shrug.

  23. Re:Careful There, Schneier on Surveillance Backdoor Enabled Chinese Gmail Attack? · · Score: 1

    It's the reason why I don't anything from Fox News affiliates [wikipedia.org] and avoid them altogether.

    I don't get why people single out Fox here. The whole media mess is a cross between a game of "telephone" where stories are single sourced and passed along from outlet to outlet losing fidelity over time, deliberate pandering for access, staged details for "clarity", deliberate playing down or up of details to meet advertising demands, shoddy fact checking, and - more than anything else - wild misrepresentation of stories through just reporters not understanding what they're reporting on (they're entertainers after all).

    These are all things I've personally encountered with multiple news outlets. Calling Fox out on it in particular is sort of ridiculous, IMO.

  24. Simple answers for simple people... on France Tells Its Citizens To Abandon IE, Others Disagree · · Score: 1

    Really, it's both: IE should be avoided until there's a patch and yes, blaming one software package does give people who don't know any better or don't think about it a false sense of security when they switch. They're not mutually exclusive positions...

  25. Re:So we can't afford Patrolling Police Officers.. on Real-Life Distributed-Snooping Web Game To Launch In Britain · · Score: 1

    I just want to say this is my favorite Slashdot post in some time....