US Most Vulnerable To Cyberattack?
alphadogg writes "Several nations, most prominently Russia, the People's Republic of China and North Korea, are already assembling cyber armies and attack weapons that could be used to attack other nations. Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack. Here's what ex-presidential adviser Richard Clarke, who is releasing a new book called Cyber War, and others are saying needs to be done to keep cyberwars from escalating into full-scale combat."
first post (Score:1, Insightful)
Clarke's Been Playing This Violin for Years (Score:4, Interesting)
Same damn tune.
I'm in InfoSec - vulnerability assessment and remediation. I used to see him speak in the Clinton years, when he'd toot the f-ing horn, how he had Big Bill's ear about this. After 911 he went on a book and lecture circuit.
Bullshit then, and now.
Re: (Score:3, Informative)
> I used to see him speak in the Clinton years
As I recall he was one of the few people who was trying to warn about the rise of AQ. Given the outcome, I don't see how this should be construed to be a negative.
Re: (Score:3, Insightful)
Really??? Oh, now THAT is interesting.
Descend with me for a moment into conspirator territory:
1) Assume for a moment that 'terrorism' was mostly just a rip-and-replace of the old enemy, 'communism'. And I could discuss this at length if desired, but bear in mind, at a minimum, that Osama being a terrorist was not only okay during the 80's, but he was terrorizing using our own tax dollars. Terrorism isn't new, by any means, and it has only recently become intolerable. Anyway, assume 's/communism/terroris
Re: (Score:2)
I am not averse to conspiracy theories and I wouldn't dismiss this one out of hand. But at this point in time, with the information available to the general public, Occam's razor doesn't favor this interpretation.
Although he has a public profile, Clarke is by no means the early voice on this. Check and you will see that this has been raised publicly for at least 3 years now. (The name of early guy escapes me - he's from the Naval War College.) The defense companies started hiring in earnest for this abo
Re: (Score:2)
Occam's razor is an appropriate tool to identify elegance in scientific theory related to observed processes and phenomena without a determined theoretical explanation. For instance, water seeks its own level, not because of an attraction of the tiny water spirits to other naiads, but rather because of the constant force of gravity.
Applying Occam to complex relations of desire, will, psychology, politics and covert coercion constitutes a fallacy. It's as if you tried to explain racism by means of Ohm's law.
B
Re: (Score:2)
Al CIAda? Pull the other one, it's got bells on it.
Re: (Score:2)
Re: (Score:2)
You're in security and you call bullshit on someone who was saying the things that could have prevented the 9/11 attacks?
You're in a dreamworld.
He did have Bill's ear. The Clinton administration, as much as I detested it, did do a decent job of protecting the U.S. from terrorist threats.
Enter George Bush who wanted us to be attacked. They ignored Mr. Clarke and we all know the results.
Re: (Score:2)
911 was conducted with the deliberate collusion of agents within the US government, among others. The WTC attacks were a desired outcome, in the Operation Northwoods model, writ large.
It was always preventable, and intentionally allowed to continue.
Read PNAC again.
"Does the order still stand?" [youtube.com]
Re: (Score:2)
You must be new here. I have been around since "Chips & Dips" - when Malda was famous for writing Enlightenment DR 0.9 modules and themes. He had Window Maker themes, too.
I got my UID in the first few hours that Slashdot began the system 1997, I think. I am pretty sure I am now the lowest active UID on /. - other than the original crew of Hemos, Malda, etc. (Remember "Blockstackers"? Of course you don't.) I also snagged UID 167 for Technocrat.com - when Perens used slashcode to start that site. BTW
FUnny how there's no eviDence... (Score:4, Insightful)
Re: (Score:2)
Serious security assessment on critical infrastructures is the least effort the government should do. I personally think that allowing full disclosure of security problem would greatly help that but what do I know...
Re:FUnny how there's no eviDence... (Score:4, Insightful)
> I personally think that allowing full disclosure of security problem would greatly help that but what do I know...
About as much as me, I'd assume.
The obvious staring-you-in-the-face difference between this and 9/11 is that this book is flinging accusations at specific parties - all of them major world governments - without any evidence. It's very different from saying "a group of cyberterrorists is in principle capable of hijacking our servers and messing with our communications", and more like saying "Iraq has WMD, let's fuck their shit up" - also without evidence.
Re:FUnny how there's no eviDence... (Score:4, Insightful)
At the end of the day, the argument you make is disturbingly similar to: because Neo-Nazis just post the details of people they want assassinated that they aren't themselves responsible, when it's almost certain that given an address and a motive somebody will follow through.
And no, I'm not being as extreme with the examples as it might appear, there's any number of electronic devices which could cause that level of trouble. Ever imagine what would happen if somebody were to screw with the communications infrastructure? It's not that hard to believe that people could die as a result. Especially if done in conjunction with a suspected terrorist attack.
Re: (Score:2)
> That's not analogous at all. We know, and have known for some time, that a huge number of attacks come out of China and Russia.
Just as we knew that Saddam had rockets of some type and the willingness to utilize them?
Seems perfectly analogous to me.
> Ever imagine what would happen if somebody were to screw with the communications infrastructure? It's not that hard to believe that people could die as a result. Especially if done in conjunction with a suspected terrorist attack.
Deaths would be assured. The military response against such 'terrorists' would be a decade long, and "China and Russia" know that well.
Re: (Score:3, Interesting)
> That's not analogous at all. (...) At the end of the day, the argument you make is disturbingly similar to: because Neo-Nazis just post the details of people they want assassinated that they aren't themselves responsible, when it's almost certain that given an address and a motive somebody will follow through
Please, do point out to me where I said that it was analogous. What I did say is that
> It's very different from saying "a group of cyberterrorists is in principle capable of hijacking our servers and messing with our communications", and more like saying "Iraq has WMD, let's fuck their shit up" - also without evidence.
which is very different from your Neo-Nazi analogy. By the way, how is that different from when the police or news outlets divulge photos and information on wanted criminals? Someone might decide to hunt them down and do justice with their own hands as well. Or is the fact that the known criminals happen to be missing somehow a merit of the people who are setting the hounds on them?
Your example is extreme, and it is not
Re: (Score:2)
> this book is flinging accusations at specific parties - all of them major world governments - without any evidence
This is very much a mouse and cat game. Given how difficult it is to trace attacks to their source you are rarely going to have absolute technical evidence. What you will have is human asset confirmation of suspicions of each country's programs and capabilities. No country is going to reveal those assets before hand, certainly not for a book issued to the general public.
Honestly I don
Re: (Score:2)
Re: (Score:2)
But...there was evidence that "something's up" before 9/11. Wasn't followed properly. Not much of an evidence what exactly will happen of course, but it was quite clearly established that some people are capable of suicide missions, taking many bystanders with them. And that you can hit a building with a plane.
Somewhat the opposite of what we have here - we are preparing for such attacks all the time after all, trying to secure our networks. Now, it seems, all we need is perpetrators.
Re: (Score:2)
I honestly think that every sane country should keep, eve
Re: (Score:2)
> Somewhat the opposite of what we have here - we are preparing for such attacks all the time after all, trying to secure our networks. Now, it seems, all we need is perpetrators.
You obviously do not work in the security field.
The problem is, we _aren't_ trying to secure our networks, and we're _not_ preparing for such attacks. We have the idea that "follow this checklist, and I'm secure" and the checklist is giving out 5 year old security advice that's no longer valid.
Following old security advice is not only ineffective, but it can be dangerous.
We assume that since we've never noticed an attack, there must not have been one. That works fine in the physical world with bombs and s
Re: (Score:2)
Sure, the hijacker never crashed it into a building, thus there was no building collapse. Any idiot could see that a successfully hijacked jet makes a great weapon.
Re: (Score:2)
> There was no evidence that terrorists could hijack a plane into a building and make it collapse before 9/11.
Not only was there evidence of this, but it was common knowledge. Hijacking happens, and planes do collide with buildings occasionally.
What was not common knowledge, was the amazing effect of doing so. But the factuality of exactly how this happened is still in debate today.
Re: (Score:2)
There were probably lots of books including the Tom Clancy tome, Debt of Honor from 1994 where a jumbo jet was crashed into The Capitol in DC, that brought up the possibility of an airplane crashing into a building on purpose.
[John]
Re: (Score:2)
Be afraid. Be very afraid.
Re: (Score:2)
So what, we shouldn't worry about it? That's how the Iranian cylons will win!
Re:FUnny how there's no eviDence... (Score:4, Informative)
That's an awfully broad statement. There's evidence, though it's mostly based on circumstance. I don't think I need to be linking articles about the China Cyber Attack stuff, or North Korea, as that's all fresh.
But I'm happy to offer other links from the recent and not so recent past that are relevant.
Somewhat recent -
Russian Cyber Attacks on Georgia
http://blogs.zdnet.com/security/?p=1670 [zdnet.com]
PowerGrid Vulnerability of the US
http://www.time.com/time/nation/article/0,8599,1891562,00.html [time.com]
In a Galaxy Far Far Away... 1998, a brief description of L0pht testifying before congress. Excerpt included.
http://hsgac.senate.gov/l0pht.htm [senate.gov]
"We have become so dependent on communications links and electronic microprocessors that a determined adversary or terrorist could shut down federal operations or damage the economy simply by hacking into our computers. The two General Accounting office reports which will be released at our hearing--one on the State Department and one on the Federal Aviation Administration--raise serious concerns about the risks to the public because of information security weaknesses."
Re: (Score:1)
That being said, I am not attempting to fearmonger and take away freedom or privacy. I'm playing devil's advocate for what is really more of a business continuity issue than a government concern (at the moment).
Re: (Score:1, Flamebait)
But perhaps that's just me being picky. What really worries me about all this is the combination of this "cyberwar/cyberterrorism" concept with the general mentality of the USA government that "all of our citizens are domestic terrorists until proven otherwise". That just spells out "invasion of privacy" in big bold red letters.
Comment removed (Score:3, Insightful)
Re: (Score:3, Funny)
> Pray tell, why should a system such as Air Traffic Control even be accessible on a public network such as the internet? To the best of my knowledge air traffic controllers aren't allowed to telecommute. Why aren't networks such as this hardened and kept off public networks?
How else are the Air Traffic Controllers going to get their fix of cute kittens [worldscutestanimals.com]?
Re: (Score:3, Insightful)
Use a data diode (Score:3, Interesting)
Re: (Score:2)
> Pray tell, why should a system such as Air Traffic Control even be
> accessible on a public network such as the internet?
Why do you believe that it is?
Re: (Score:2)
> > Pray tell, why should a system such as Air Traffic Control even be
> > accessible on a public network such as the internet?
> Why do you believe that it is?
Um...
> Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack
I know that's all the way at the top of the page there, but you really might scroll up to see the summary before engaging in the discussion...
Re: (Score:2)
Heavily dependent on technology != connected to the Internet.
Oh for chrissakes (Score:1, Interesting)
They have super duper ultra evil weapons that only those in the upper echelons (hehe) of the government know about! Give up more of your freedoms, citizen!
Re: (Score:2, Insightful)
The only thing they can't figure out is how to explain it to us with a bad car analogy.
second post (Score:3, Insightful)
Re: (Score:2)
So by your logic unless we have our own IT 100% in the US then we will not be the leaders in IT? So even having .00something% not in the US we will not be the leaders in IT?
How about if we outsource the bottom of the barrel tech support but keep the more advanced stuff here in the US? I'm pretty sure that describes the current situation of outsourcing better.
Re: (Score:3, Informative)
Nope.
At my company, a large Indian offshoring company has taken over about 80% of the top technical jobs.
And of our remaining programmers, at least 90% are not allowed to code any more - only design. Out of a 200 person staff that coded for 10 to 20 years, less than 20 code.
I coded until 2007. Used to be pretty good too. Probably would take me 90 days to come back up to speed even with just installing the tools (and that's assuming I could get to the tools over a battle damaged internet).
Re: (Score:2)
So basically the management of the company you work at sold 80% of how the business is run to another company that will eventually make the company you work for obsolete for short term gain.
And that is why management makes the big bucks...for now, then like others the management when out of a job will bemoan the outsourcing movement.
Outsourcing to the extent that you say your company has outsourced is a bad idea in my opinion.
Outsourcing first level tech support not so bad.
Re: (Score:1)
Re: (Score:2)
WHAT preeminence???
Re: (Score:1)
Re: (Score:2)
*home* broadband speed. I wonder what our enterprise fiber roll outs look like.
The book summarized (Score:2)
Bill Gates is the "Manchurian Candidate"? (Score:5, Insightful)
Microsoft has been more diligent about security lately. But the damage has already been done.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
So? (Score:1)
Re: (Score:1)
What's so special about the fact that the US is more vulnerable?
All our IT (plus or minus rounding errors) is outsourced to our global competitors, most of whom are beyond the reach of our legal system. In the short term they benefit by keeping us running. In the long run they're better off sinking us. Wonder what'll happen?
First people have to care about real security... (Score:5, Interesting)
As nearly anyone working on the "front lines" of security will tell you, most companies don't really care about security past some low level of lip service. Corporate networks [nearly] always have firewalls, but most of the time the IT staff is paid to care more about restricting employees from 'wasting company time' than in managing advanced multi-level defenses (why most networks are 'crunchy on the outside, soft and chewy on the inside.') Equipment and software vendors provide password level security, often with authentication integration into LDAP/AD, but rarely support real tokens or PKIs backed by an HSM, as most companies don't want to pay for a real HSM (and with post dot bomb price escalation, that's often understandable - $40k for a 1U server with layered tamper switches and a custom app?) CSOs are treated as a cost center along with the rest of IT, and it's often the policy to force people to keep quiet when major breaches occur. It's simpler and cheaper to make sure the board and stockholders don't know how often the databases and repositories are exported to FTP sites in China than to actually make it really difficult to succeed, as real security often costs real money. There's a whole underground industry of targeted penetration, as ethics and patriotism fall to greed - the underlying problems are far deeper than basic "cybersecurity".
Re: (Score:3, Funny)
Well, I requested access to a machine where the procedures to get access are crazy (as in checking you are not a known terrorist and making notarized declarations). When I had a problem logging onto the machine, I sent an unencrypted/unsigned email to help@service and the admin replied by giving me a password in clear...
Next they have to have secure options (Score:2)
The next thing people need once they care about security is real options which make them secure. By default it's not possible to run an untrusted program on a PC in a safe manner. There needs to be a way to do that. There needs to be a way to specify the capabilities a program is going to have at run time, to limit the side-effects to those designated by the user.
Useful steps in this direction include AppArmor and chroot jails on the Linux side, and Sandboxie on the Windows side.
We could benefit from a (real) cyberattack. (Score:2)
Just as most users will never secure their PCs unless Something Very Bad happens, neither will many businesses and government agencies.
Virus and malware attacks provoke some immune response, but if we are to become strong something must weed out the weak.
Parasites, botnets, etc, aren't enough of a threat. The only thing that will provoke intelligent security practice is attacks that disrupt, disable, damage and destroy.
Re: (Score:2)
Oh yeah, the internet version of the Patriot Act will be a great benefit, I am sure.
What's with all this "Cyber"? (Score:1)
There is no "cyber". It's just the internet. These politicians sound like they've been briefed out of a copy of Mondo2000 from 1994.
It stands for cybernetics, of course! (Score:2)
Re: (Score:3, Interesting)
Indeed, that prefix really makes no sense. To quote Ted Nelson [xanadu.com.au]:
Re: (Score:1)
Newsflash (Score:1)
I bet the postage-stamp countries in Africa are LEAST vulnerable to cyber attack.
Re: (Score:1)
If they call it a war, you know what will happen to peace-time law.
Groan, cold war paranoia (Score:3, Insightful)
Or it could just be good old fashioned xenophobia
Re: (Score:2)
Moreover, a serious cyber-warfare attack against the US would probably serve as a strong deterrent to a repeated attack in the future.
A bunch of terrorists in a rogue state knock out the US power grid for a week. US government calls up government of rogue state and one of two things happens:
a. Rogue state tracks down terrorist, and makes a nasty public example of them, or hands them over to the US to be made a nasty public example of.
b. Rogue state pulls a Taliban, and US pulls an Enduring Freedom.
For so
Re: (Score:2)
Yes, it occurs to me also that escalating cyberwarfare into a real hot war, is the answer.
Hackers can't do very much when the city they come from has been hit by an EMP from a nuclear weapon.
Re: (Score:2)
Also, power plants tend to be susceptible to cruise missile attack...
Re: (Score:2)
Re: (Score:2)
Well, in the case of troublemakers back home, the solution would be swat teams or special forces, depending on severity. You don't need to out-hack the hacker - you just need to find them.
Re: (Score:2)
If they're from your own city, then it's even *easier* to stop them. Trace the packets to the specific neighborhood, pull the fuse from the power line.
Where's the NAZI spies? (Score:1)
Has anyone wondered why we need to scrap liberties in the name of security that we seemed to do fine with even during World War II or the Cold War? I mean, once upon a time, we actually had to worry about British spies (for the 19th century), German spies (two world wars), Soviet Spies (the Cold War), and yet we kept to open borders. Why now, is it, that a penny-ante bunch of backwards people have us ripping up the Constitution? It's just not worth it.
Re: (Score:1, Flamebait)
Different kind of warfare. The British, Germans, and even the Soviets basically come from the same set of values we do- and thus their spies followed the unwritten rules (get military secrets only, don't attack civilians, etc).
The Islamics don't come from a Judaeo-Christian background; and the advent of the Dogma of Sola Jihad among the Muwahiddun sect of Islam [blogspot.com] has resulted in a war we have already lost [blogspot.com].
This results in only TWO viable solutions: closed borders or genocide. Unfortunately our for-profit
Re: (Score:2)
You're so far off topic as to be incoherent.
Topic - 'cyber attacks'.
Summary - 'Russia, the People's Republic of China and North Korea'
Your rebuttal - 'Islamic terrorists'
Does not compute.
Re: (Score:2)
So was the gp post- we have no need to scrap any liberties to fight cyberattacks. Read what tjstork wrote on, and my reply will make more sense to you.
NK is cyber danger? (Score:1)
"Cyber" is propaganda? (Score:2, Informative)
Note to you USAers from China: (Score:1)
Nail Randall Munroe. He's a terrorist advocating the use of computers as weaponry. http://xkcd.com/504/ [xkcd.com]
Feed the Military-Industrial Complex (Score:3)
This is just lobbying for a powerful special interest group that wants lots of tax money.
The US is deployed in two nations at extreme cost. People ignore the brutal financial hit these military interventions are making. We're acting like an enraged bull. Our enemies win when they make us exhaust ourselves. The military industrial complex is blind to this issue. They are a hammer that sees problems as nails--and they are self interested. The contractors are in it for the money. The military is focused on "defense." There is nothing wrong with either position--but we must DIRECT them--not let them direct us.
I worry about GPS (Score:2)
What worries me is overdependence on GPS. There are a small number of GPS satellites, there aren't as many on-orbit spares as there are supposed to be, and there's one central GPS control center. Migration to GPS as the primary air traffic navigational system is risky.
The satellites can survive 14 days of control center downtime, and the newer satellites with "autonav" capability can operate on their own for 180 days. If the USAF launches the ten additional satellites now being built on schedule, the
The Most? (Score:2, Interesting)
> Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control,
Given that every country in the whole world is dependent on the same technology for literally everything --down to irrigation control in agriculture in some cases-- it doesn't seem to me like the USA are automatically the "most" vulnerable country.
Alright, the US has been the host of the most part of the internet for years. It's been the main, or one of the main, repositories of technology worldwide, for years. And yes, it's been the place where the most renowned cybercrimes were perpetrated... for years
Yes, we are (Score:1)
Cheapest solution (Score:1, Funny)
The cheapest solution is to outsource the security problem to either 1) India or 2) China. Outsourcing to China can lead to better cost benefits, but is in general less established than the outsourcing establishment already in place in Bangalore. American soldiers trained in IT can train the people replacing them in the PLA (Chinese People's Liberation Army) on how to keep America safe, and how to monitor America's networks. Similarly, the PLA can just take over for the Department of Homeland Security as
Not really worried (Score:1)
We still can disconnect the trunk lines and satellite feeds to any nation that tries this, and they all know it.
Besides, it won't impact the 1000 Gbps Internet 2 that most major universities and other important things use - that runs on more secure protocols with more secure devices.
Not that it won't shut down Facebook ...
Oblig Star Trek link (Score:2, Interesting)
A noble goal. Forget trying to prevent cyberwars, but definitely contain them so that there is no actual physical combat. That way there are no real casualties, right? Somehow this instantly reminded me of the Star Trek episode "A Taste of Armageddon" (http://memory-alpha.org/en/index.php/A_Taste_of_Armageddon_%28episode%29) where two societies wage war using computer simulation, but with real human casualties. Star Trek really was ahead of its time
Cool! (Score:1)
> Here's what ex-presidential adviser Richard Clarke...and others are
> saying needs to be done to keep cyberwars from escalating into full-scale combat
How about threats of full-scale combat to keep cyberwars themselves from escalating?
US is most vulnerable to a convenient idiot attack (Score:1)
I mean an attack by US citizen(s) acting in the interest of foreign power. The Prague agreement should be sufficient example.
Well, in this case at least the US citizenship has been contested.
Re: (Score:2)
supplie5 to private this mistake or minutes. At home, was what got me consider worthwhile
So, are people using slashdot to coordinate terrorist attacks or something? I could see if this were some kind of coherent ad for Viagra, but barring that, my only guess is that the purpose of the communication isn't obvious to me... But it must be valuable to someone, enough so to go through the effort of doing it.