US Prepares for Eventual Cyberwar

The New York Times is reporting on preparations in the works by the US government to prep for a 'cyberwar'. Precautionary measures are being taken to guard against concerted attacks by politically-minded (or well-paid) hackers looking to cause havoc. Though they outline scenarios where mass damage is the desired outcome (such as remotely opening a dam's gates to flood cities), most expect such conflicts to be more subtle. Parts of the internet, for example, may be unreachable or unreliable for certain countries. Regardless, the article suggests we've already seen our first low-level cyberwar in Estonia: "The cyberattacks in Estonia were apparently sparked by tensions over the country's plan to remove Soviet-era war memorials. Estonian officials initially blamed Russia for the attacks, suggesting that its state-run computer networks blocked online access to banks and government offices. The Kremlin denied the accusations. And Estonian officials ultimately accepted the idea that perhaps this attack was the work of tech-savvy activists, or 'hactivists,' who have been mounting similar attacks against just about everyone for several years."

Re:Isn't this blown out of proportion, again?

[garoo]

Not all that unusual. I was visiting a water treatment/chlorination plant in the UK a few years ago (for complex reasons related to archaeology rather than anything particularly on-topic, so it is likely that we got the Cliff Notes version). They pointed to the computer that controls the water chlorination and said 'we control this via this modem right here'. Presumably there are all sorts of security controls around actually accessing via said modem, given that we are talking about a PC controlling the quality of the drinking water supplied to maybe 20,000 people.

This doesn't matter very much anyway. TFA seems to have confused 'you can connect to it remotely via some mechanism or another' and 'anyone connected to the internet can just ssh right in/DDOS it'. FUD.

Re:Obvious safeguard - not so safe

[ancientt]

Back in the late '90s I was infected by my first virus. I had never connected to the internet, I had just used the library and school computers. Somehow, I still managed to get a virus on my floppy diskette.

I don't think it is unlikely that there are people who hook their laptops up to their work network, and I suspect it is even more likely that people plug in a floppy/thumbdrive/cdrom from home. I don't doubt that it would be safer to stay disconnected from the Internet, but a handcrafted virus would be far more likely to avoid detection by most antivirus and probably accomplish just as much in a hacker war. It would have to be a targeted program, but that is really the point isn't it, that hackers could be targeting networks that are supposed to be secured. Of course, it probably doesn't help security that they probably assume their network is safe.

It's not just the Internet

[vtcodger]

***Isn't this blown out of proportion, again?***

Probably not out of proportion. The military has separate secure communications, but civil society doesn't. And many of our key networks aren't exactly robust. We've had incidents in the past of phone networks going down because of bad software upgrades to switches. And of power distribution networks going down for no very good reason and taking many hours to get back up. And satellites going out.

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs, uses other update services to brick all sorts of devices, then simultaneously goes after the DNS servers; North American power grid controls; and every satellite link they have previously found a vulnerability in? What if they can take down major parts of the cell phone network? Probably they can DOS the financial service network providers if they can't hack into them -- No functioning ATMs and likely no functioning banks and likely few functioning stores of any kind. And they reprogram a lot of the nation's traffic signals to turn all lights green permanently. They do the same for the railroads. And they turn off the natural gas distribution system -- in January. And they shut down the aquaduct pumping stations feeding Southern California. ... etc, etc, etc. And finally, they shut down as much of the phone system as they can get to.

A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.

If an attacker can do even a quarter of that, it'd take any industrial country a week to get back up after a fashion, and months to really get things back under control. So, no, it's probably not blown out of proportion.

***I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?***

What is the cheapest and most cost effective way to control a remote power facility? And who says cyber attacks are limited to the Internet? If your dam is 300 miles away, you're going to need remote access -- at least for monitoring and quite likely for command and control. Seems to me like most, maybe all, of the technologies to do that -- internet, phone network, satellite, radio links, etc--are open to interception and attack. Even if you can't break into the control link, you likely can deny service in one way or another.

Stupid-wordism

[SoapBox17]

"Hactivist" is a perfectly cromulent word, right? No, not really. I really despise this weird need everyone has to create new words. He already have perfectly good words, like "hacker", "activist" and "loser kids who want to feel powerful." Why anyone felt the need to create another buzz word is beyond me. This one is going right on the top of my list [slashdot.org].

Remember the big eastern brown out?

[WindBourne]

During that time, one of the nuclear reactors that shutdown was found to have numerous Windows based computers connected to the Internet. Apparently, the techs had put them in there and hooked up to make servicing easier. It happened then. It will happen again and again. Until companies decide to take back computing (laptops without USB or modem, ethernet that requires low-level authentication, etc., we will continue to see issues. In fact, if a company wanted to start up big against Dell, et. al. they could do the above and win big. There are LOADS of places that require secured non-windows systems.

Personal anecdotes of a cyberwarfare researcher

[Anonymous Coward]

As an academic, I've studied the effects of cyberwarfare and cyberterrorism since the mid-nineties. I'm fortunate to have had my research partially funded by Israeli academic institutions who, in connection to the IDF, have an obvious interest in such studies.
During my research I've been given the "attack" statistics of Israeli .gov.il servers, and even some (not highly) classified statistics of intrusion attempts from inside-users in the Knesset's own networks. Suffice to say, no one is really protected against highly skilled inside jobs, but the gov.ils' web-facing HTTP servers have yet to be hacked.
I have some anecdotes from my study in my (personal) website [ouch.co.il].

Posted anonymously because, even though I don't mention any(!) secret details, I still don't want this to be at the top of the search results when people google for my name...

Re:Humans

[ardor]

The only way to prevent war is to prevent the existence of more than one opinion.
So, a hive mind would end the wars.
But would this be really better?

Re:It's not just the Internet

[mcrbids]

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs,

What makes you think they have to hijack MS Update? It seems to be a problem right now, today. [bbc.co.uk] Anybody who thinks this is something new is clueless. It's a problem right now, today.

A few things that can help:

1) Stop using systems that are inherently flaky. (EG: MS Windows) Move on to something that's proven to be resistant to viruses and the like. MacOSX, Linux, BSD, and other *nix variants are a good bet for the immediate future, but I'd wager that the best bet would be to revive DEC VMS! The security on that system is just simply awesome, and its reliability is second to none. Get somebody with chutzpah like Steve Jobs to make it work, and it would. Very well.

2) Demand basic, reasonable security policies in force at ISPs. The federal govt should require that ISPs should use basic technologies to ensure that packets appear to come from the right network, malformed packets are rejected, etc. and it should also provide reasonable initial funding so that they can comply with this law without undue hardship.

Another interesting thought - computers have gotten complex enough that the average person can no longer maintain them. So what if there was a way that the average person could outsource this administration to somebody else? There's quite a few ways this might work:

A) The "pool service" model - some local techie shop periodically accesses your computer (either physically or remotely) and performs a routine maintenance, fixing security holes, ensuring updates are done, performing backups, etc.

B) The "terminal" model - rather than store all your data/files on your local machine, your local machine becomes a dummy terminal, and you access your data and programs remotely. Something like the "terminal" that was common on mini and mainframes in the 1980s. Think Google office? This may be where Microsoft goes with their 'Windows Live' service, and where Linux goes routinely with X11.

C) The "Updater" model - almost in place now, you pay a subscription fee to have software downloaded automagically that takes care of security issues. The main point here is that for this to work, it has to provide a strong assurance of quality, which this does not.

Man, got windy on this post. Hope you enjoyed it!

Hacking the Media

[Divebus]

The Joker laughing out of every TV and Radio in Gotham city would be a powerful psychological win and a plausible goal for a determined enemy. What if part of a cyber war campaign was designed to replace Podcasts, Music streams, VOD Movie services, CNN Video or any internet delivered media with a message from our enemy? Could they commandeer Internet connected set-top boxes deployed by Cable providers and replace what we see and hear?

I was approached by some people recently who wanted to know exactly how someone could pull that off. By "some people", I mean someone who works with an unnamed National Security Agency of sorts. I shrugged it off at first, then thought of the potential impact. Eek. Does anyone in the media business even anticipate or have a strategy for combating such an attack?

Sometimes a legitimate complaint: Racism.

[TerranFury]

Flamebait? Sure. But badly-constructed flamebait- the only people who use the expression "politically correct" are those attacking the concept.

Very true.

In fact, I'd go so far as to say that "political correctness" only ever really existed as a convenient strawman caricature, useful for smearing anything remotely smacking of "liberal" or left wing views.

Heh, I don't know: I'd always considered myself reasonably to the left, but... I was surprised to run into a bunch of socially-acceptable racial bigotry during college, and the only way I can think to characterize it, is as having been "ok" because it was "politically correct." And this is the real point of my post.

What am I talking about? People complaining, over and over, about "rich white kids;" they'd use sneering language like "bastion of white privilege," repeat racial slurs like W.A.S.P. as though that was somehow acceptable (besides, at least get your facts straight: second-wave European immigrants were neither Anglo-Saxon nor Protestant), and harp on hundred-year-old European imperialism (as though they, going to an Ivy League school, were somehow victims thereof). This was insidious stuff, nothing more than socially-acceptable racism. And it wasn't just something that affected interactions with strangers; it infected friendships, sowing mistrust and contributing to the slow self-segregation that students settled into by senior year. Watching this happen was the saddest part of college for me.

An example:

I started out as good friends, my freshman year, with a Chinese-American girl, but by senior year this language had gotten even to her. In particular, she began to use the phrase "rich white kids" over and over -- never "spoiled rich kids" or "spoiled jerks;" always "rich white kids." In her case, there was irony written all over it, as (1) her father was a well-to-do doctor; (2) she had traveled all over the world at his expense; (3) I remember her being demonstrably shocked when one day I mentioned that I was responsible for paying for all of my own credit card bills ("What, you mean your parents don't pay them for you? Mine do!"); and (4) she'd had a number of important opportunities handed to her that she hadn't had to work for at all. It was a little infuriating to hear her, of all people, call someone else spoiled.

It got worse with time. I remember one incident in particular: I was walking down the sidewalk with her and an African-American (male) friend of hers (and so an acquaintance of mine), and she was complaining that Barak Obama wasn't dark enough: that the Caucasian part of his ancestry polluted him. She said that his skin looked "like mud." It was then that this other guy and I started exchanging meaningful glances, and I spoke our shared thought, "So, I'm not sure how to say this, [her name], but... look: You're standing between a dark black guy and a pale white guy *holds out arm with forearm up*, and... you're complaining that people with skin tones in-between are ugly? [(Implication: Look at yourself.)]" (I never understood how the racial ideas she'd begun to develop could withstand even a drop of sarcasm: You'd have thought that their self-contradictoriness would have caused them to annihilate each other at the tiniest hint of ironic illumination.)

A large part of the reason she was acting as she was at that time in particular was that she'd just broken up with another guy -- who, as always for her, was white. Now, the people you date are the people who get close to you and the people who cause you emotional pain, so it's easy to hate them and their groups -- hence the ubiquity of sexism -- so I understand, in part, how her anti-white sentiments had developed. But I don't think that this history of hers is the full explanation: I really think that the politically-correct norms on racial discourse had something to do with it too: She was using its language to justify her hate. Her pol