Cyberwar
August 6, 2011 1:46 AM   Subscribe

Washington has no comment, post Assage.
posted by Mblue at 2:33 AM on August 6, 2011

It seems like there is some expectation that the US should respond on behalf of american companies. It is inexcusable if government i.t. has been successfully attacked this long but as far as these companies that have sold american jobs down the river....well tough sh*t.
posted by dibblda at 3:00 AM on August 6, 2011 [1 favorite]

It seems like there is some expectation that the US should respond on behalf of american companies. It is inexcusable if government i.t. has been successfully attacked this long but as far as these companies that have sold american jobs down the river....well tough sh*t.

Noted outsourcers like Google, yes.
posted by atrazine at 3:12 AM on August 6, 2011

There's some really imaginative stuff here.

The U.S. could protest cyberattacks by sending a couple of aircraft-carrier groups to the China Sea for a little gunboat diplomacy, but it would be pretty embarrassing if China were to just repossess the whole fleet as partial repayment of the $1.2 trillion the U.S. owes it.

We'd end up having to pay off the whole debt just to get the boats back—plus whatever huge fee there would be for the towing and daily storage fee at the aircraft-carrier impound lot, and that's a lot of money to spend for bit of saber-rattling that would be futile in the real world and irrelevant in the virtual one.

I can't see any of that happening - not the US sending carrier groups, not China attempting to take them as debt payments, not the US acceding to such a demand - none of it.
posted by Kirth Gerson at 4:26 AM on August 6, 2011 [10 favorites]

I'd guess 99.99% of the programmers, system administrators, and users would say I'm dead nuts wrong for saying this, but I hope to find others who agree with me in stating:

Computer security CAN be FIXED. It definitely does NOT have to be like this.

The problem is deep and subtle, and the solution isn't easy, but there IS a solution, called capability based security.
posted by MikeWarot at 5:22 AM on August 6, 2011 [4 favorites]

Just because I'm carrying a gps enabled, camera and phone assembled in China is no reason to I should panic. I'm going to download some free games from a random website. But fist let me send an email about some company trade secrets.
posted by humanfont at 5:25 AM on August 6, 2011

I suspect we place too much emphasis upon what China and others might be doing to us and ignoring what we in turn are also doing. Take, for example, biological warfare. We worry about that but have a big place set up to not only study how to combat it but also how to make use of it. So, too, with dirty (nuke) bombs--we have tested them right here, secretly. I am sure we have as many people screwing about with cyber spying on Them as they do on Us.
Recall the general who as short time ago said any attack on our computers might constitute a military attack and therefore we had the right to go to war? Sor of like "weapons of mass destruction in Iraq" charge--
posted by Postroad at 6:10 AM on August 6, 2011

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage? Seriously folks!

Interesting perspective. I'd agree that espionage plays kinda complementary role to nuclear weapons, i.e. nuclear weapons make traditional conflict untenable while espionage provides a non-violent outlet for the economic incentives driving conflict. I'd agree that the United States' push for less-lethal conflict through more advanced precisely targeted weaponry simply doesn't provide an outlet for said economic competition. In short, there are various foreign powers able to aggressively pursue an economic advantage against the U.S. using their electron espionage capabilities, while the U.S. cannot seek complementary advantage using its military forces.

Isn't this analogous to many military advancements throughout history? Vaguely like running round ming better swords while everyone else upgrades to gunpowder. And obviously the empire is being sacked by internal barbarians too.
posted by jeffburdges at 6:30 AM on August 6, 2011 [2 favorites]

What they should do is hack into Wall Street's computers...
posted by infini at 6:42 AM on August 6, 2011

Computer security can be fixed against-some-thread for-some-time-period given-some-operating-conditions given-some-budget given-some-qualified-personnel.

That we can fix it for some installations some of the time is really quite impressive when you think about it.
posted by LogicalDash at 6:54 AM on August 6, 2011 [2 favorites]

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage?

But that would diminish the heroism of our bold cyber-warriors! Don't you understand? If they die fighting a cyber-war while jacked into cyberspace, they die in real life!
posted by moss at 7:00 AM on August 6, 2011 [11 favorites]

Somehow the contractor-industrial complex and the cyber-defense lobby will be able to monetize this big time.
posted by xetere at 7:02 AM on August 6, 2011 [3 favorites]

You know, any serious efforts towards real security will run afoul of our own espionage and law enforcement establishments. Could you imagine the next Windows or Mac OS X including PGP/GPG? Forget offering users a public key creation dialog when they first launch Outlook or Mail.
posted by jeffburdges at 7:06 AM on August 6, 2011 [1 favorite]

Computer security can be fixed, and it doesn't take specially trained users and administrators... however it does require a re-write of things to work in a default deny environment, instead of default permit... which is definitely non-trivial.

Encryption has nothing to do with security, if any code the user runs can do anything, he has to trust each and every bit of code run on his behalf...

The closest real world example of how computers operate that I've come up with is this...

Imagine I owe you a dollar, and in order to pay you, I have to hand you my wallet, car keys, ID, a power of attorney, all while being sedated (the last bit because of the blinding speed of code vs people)... and hoping you only take a dollar.

Imagine doing that every day, every time.... that's what running a PC is like.


Virus scanners are equivalent to having a list of known bad people to check before you do the above. If the person hasn't been caught yet, they aren't on the list.



In the real world, we hand over a dollar if we have it, or some larger amount, which limits our risk... we never hand over control of our life. We operate in a default deny mode, why can't our computers?
posted by MikeWarot at 7:29 AM on August 6, 2011 [4 favorites]

The problem is deep and subtle, and the solution isn't easy, but there IS a solution, called capability based security.

No model is going to solve the problem by itself. Some are better than others, but at the end of the day it's how a large organization actually implements it. And large organizations (public or private) do nothing perfectly.
posted by fatbird at 8:31 AM on August 6, 2011

In any earlier era, this kind of state-sponsored espionage and sabotage would be met with military response. Could you imagine if Chinese commandos were regularly breaking into military bases and stealing, say, missile parts? And we caught them time and again, actually inside the base, and just sorta shrugged and said goodbye? And if that same Chinese commando division were also infiltrating US manufacturing companies and stealing all the business documents related to international trade with, say, Korea?

I certainly don't want to go to war with China, that would be insane. But I think the US has been ignoring these attacks because being virtual attacks, in computer networks, they seem somehow less important or less real. They're not. The data being stolen online is way more valuable than a crashed airplane. The companies being infiltrated via the Internet are far more damaged than a simple black bag op in an office. What's going on is ugly.

I also wonder how far behind the US is in cyberwar. We're not visibly organized, but then we've got a lot of talent. And the occasional event like Stuxnet demonstrates we have some capability, just not disclosed.
posted by Nelson at 8:38 AM on August 6, 2011

Could we possible abandon this incorrect sensationalist term cyber-war for the more honest term electronic espionage?

It’s Cyberwar! Let’s Play Bingo!
posted by homunculus at 8:51 AM on August 6, 2011

I'm afraid encryption would necessarily be a major component of any substantial security improvements. Do you think the FBI wants a good digital cash system being widely used to implement your default deny transaction model?

There is only one way to do cloud storage correctly, namely you encrypt and decrypt only on the client, and never share the key with the host. I doubt law enforcement appreciates that model.

An improved security infrastructure could be developed, but not by any company operating in a police state like China or the U.S. Scandinavia maybe? Nokia just laid off oodles of developers.
posted by jeffburdges at 10:09 AM on August 6, 2011 [1 favorite]

In other news, Anonymous goes apeshit on the police. Maybe government cybersecurity needs to be prioritized a bit more, yeah.
posted by furiousxgeorge at 10:15 AM on August 6, 2011 [3 favorites]

The problem is impossible and anyone who says otherwise is acting out of hubris. There are too many vectors and actors involved. We can make them slightly more secure, but once the data is in the machine it is just a matter of time before it gets out.
posted by humanfont at 10:24 AM on August 6, 2011

I use a simple heuristic to help reduce the noise level in my life when it comes to technology. It's widely applicable, from government policy to breathless public reporting to dealing with non-techie relatives who have been reading said breathless public reporting. It goes as follows:

If they prefix anything with the word "cyber-", then they don't know what they're talking about and can be safely ignored.

This comes into play more often than you might imagine, and it has never failed me.
posted by Rockear at 10:29 AM on August 6, 2011 [7 favorites]

An improved security infrastructure could be developed, but not by any company operating in a police state like China or the U.S. Scandinavia maybe? Nokia just laid off oodles of developers.

Nah, they put undergrad script kiddies on the job and then test it out on hapless middleaged non white women for the lulz
posted by infini at 10:54 AM on August 6, 2011

Rockear: (Re: cyber- as prefix) This comes into play more often than you might imagine, and it has never failed me.

That sounds very useful and I will probably be pressing it into service. (My own favorite such heuristic is, if a company uses pictures of smiling people as space-fillers on their website, whether using products, answering phones, or just doing nothing, they have a non-zero evil value. Hasn't steered me wrong yet.)
posted by JHarris at 1:58 PM on August 6, 2011 [2 favorites]

There have been a few interesting security articles from DefCon
BlackHat talks, including :
- Lockpickers Open Card-And-Code Government Locks In Seconds
- Microsoft Office documents are still exploitable
- Get Cyber-Mercenaries Suggests Ex-NSA, current CIA Director
- NSA Hiring At BlackHat
posted by jeffburdges at 2:47 PM on August 6, 2011 [1 favorite]

Sooner or later we'll all be working for mudge.
posted by scalefree at 3:05 PM on August 6, 2011

Could you imagine if Chinese commandos were regularly breaking into military bases and stealing, say, missile parts? And we caught them time and again, actually inside the base, and just sorta shrugged and said goodbye?

Actually, Nelson, what you describe is pretty much the standard response to espionage, globally; the history of the cold war is wonderfully illustrative of this. Domestic espionage is punished far more severely than foreign because nobody wants to start a war, especially between nuclear powers.

There have been literally hundreds of examples of foreign espionage being exposed to little consequence. May it ever be so; the more information both sides have, the less the chance of war.
posted by smoke at 3:43 PM on August 6, 2011 [1 favorite]

...because nobody wants to start a war...

I don't know about that; recent history seems to contradict it.
posted by Kirth Gerson at 5:04 PM on August 6, 2011

Imagine s/he wrote "nobody wants to start a war they're going to lose". It's pretty nice beating up on poor countries like Afghanistan or Vietnam, give all that money to your friends in the defense industry.
posted by jeffburdges at 5:38 PM on August 6, 2011 [2 favorites]

Oh good. I'd been meaning to put something together, given all the stuff that's becoming public lately, but now I don't have to! The Vanity Fair article is pretty good at laying out what's going on in general, but I would definitely prefer less of the "cyber war!" rhetoric and for people say what it really is, which is just plain old espionage + industrial espionage in a new guise and at a much grander scale.

I don't think most people can even begin to fathom the scope of the problem, though. I don't know anyone here in D.C. who hasn't had a brush with the initial spear-phishing type emails, and I personally know more than a dozen people from well-known think tanks, government agencies, and the defense industry who have had their computers compromised - in at least one case I know it wasn't discovered for months.

I'm not a security researcher, but I knew a few. Seeing the logs from their monitoring of owned computers is mind-boggling. You can see the attackers logging in, browsing directories, then creating .rar files for exfiltration. And the owned computers are in all kinds of places - energy companies, think tanks, schools, law firms, government agencies... Even notifying law enforcement and the companies themselves might not really have much of an effect - it might stop that one operation from succeeding, but there are just SO many others that it doesn't really make a dent...

If you are interested in this topic, may I suggest a few places to read more. The Dell Secureworks blog has a writeup of the RSA issue, and a few other APT-related analyses. Jim Lewis from CSIS is mentioned in the VF article, and he has a good handle on the issue. The Contagio blog is great to see what's out there in malwareland. Infowar Monitor is great too. A few more general blogs include Krebs on Security, the F-Secure blog (also check out this great TED talk on viruses from F-Secure's Mikko Hypponen). There's a lot of info out there, and I'm glad (like I've said before) that more people are paying attention to this issue lately.
posted by gemmy at 6:06 PM on August 6, 2011 [4 favorites]

DARPA Commits To Funding Useful Hacking Projects (ml /.)
posted by jeffburdges at 9:04 AM on August 7, 2011

DARPA Commits To Funding Useful Hacking Projects

Yeah, that's mudge. And the #hack World Domination plan proceeds apace.
posted by scalefree at 3:42 PM on August 7, 2011

I think its also confusing for these outlets to be running with the CyberWar label when the industry is divided on whether these are APTs at all (original Symantec analysis here, PCWorld coverage here). As many above have mentioned many of these issues are addressable, and dressing things up as a big state sponsored boogie man only helps people avoid fixes.
posted by mdelaney at 8:25 PM on August 7, 2011 [1 favorite]

Why the US will lose a cyber war (/.)
Yeah, the article is all wonky talking about synchronicity vs. causality, but I agreed with the original thought that our focus on real world weapons systems will prevent the U.S. from dealing effectively with electronic espionage. As I said upthread, nukes dissuade conventional warfare, but conventional warfare doesn't dissuade espionage.
posted by jeffburdges at 10:18 AM on August 10, 2011

Full Disclosure: DEF CON 19 - hackers get hacked!
posted by scalefree at 7:40 PM on August 10, 2011 [1 favorite]

In other news: Hacked cybersecurity firm HBGary storms back after ridicule fades
posted by homunculus at 10:06 AM on August 21, 2011 [1 favorite]

Not surprised, they have been publicly revealed to be incompetent but so have a lot of contractors. In the end, the lawbreaking of all the businesses and organizations involved here was completely ignored as it always is.

The leaked mails revealed they were going after enemies of our government, Wikileaks, Greenwald, Unions...there is always money for someone willing to do that.
posted by furiousxgeorge at 11:02 AM on August 21, 2011

Interesting they claim that HBGary's Razor product has few competitors. Or perhaps their clients simply have trouble shopping around in such a niche industry?

There are definitely other companies in the intrusion detection game. Isn't big fish Dell's Secure Works? I donno if they offer a competing product.

There are also many free open-source intrusion detection systems. Anonymous should probably comb Razor's source for code violating the GPL or whatever.
posted by jeffburdges at 8:00 AM on August 22, 2011