FBI Warns of Sweeping Global Threat To US Cybersecurity

Posted by CmdrTaco on Thu Oct 16, 2008 09:46 AM
from the only-a-matter-of-time dept.
GovIT Geek writes "The FBI's newly appointed chief of cyber security warned today that 'a couple dozen' countries are eager to hack US government, corporate, and military networks. While he refused to provide country-specific details, FBI Cyber Division Chief Shawn Henry told reporters at a roundtable that cooperation with foreign law enforcement is one of the Bureau's highest priorities and added the United States has had incredible success fostering overseas partnerships."

This discussion has been archived. No new comments can be posted.
  • by twitter (104583) * on Thursday October 16 2008, @09:47AM (#25399893) Homepage Journal

    'a couple dozen' countries are eager to hack U.S. government, corporate and military networks. While he refused to provide country-specific details

    Where have I heard that before? Oh yeah [senate.gov].

    While I cannot take the time to name all the men in the State Department who have been named as members of the Communist Party and members of a spy ring, I have here in my hand a list of 205.

    But the second quote happened at the beginning of a horrible paranoia based on a real external threat. We still have the apparatus of that paranoia, though most of it was outlawed in the late 1970s and the only credible external threat is now our largest trade partner and "most favorable nation." Today we have secret "terrorist" blacklists with more than a million names. Domestic spying, especially web based spying, has jumped to levels that would make the freedom loving senator from Wisconsin angry. Anti-death penalty and peace groups are among those watched. Shame, isn't it?

    Shoring up the nation's IT against spying is as easy as dumping the prevalent non free software used by most big dumb companies. This would also save the country hundreds of billions of dollars in licensing fees and other headaches unique to non free software. The problem is that it would make wiretapping very difficult or impossible.

    • by HungryHobo (1314109) on Thursday October 16 2008, @09:54AM (#25400055)

      FOSS software isn't immune, there have been some terrible security flaws which have gone unnoticed for a long time. Of course proprietary software has even more flaws but profits pay for a team of guys in nice suits to give powerpoint presentations on how good it is and take the head of purchasing out to dinner.

      I would be very surprised if there weren't a few NSA plants in the dev teams of some of the more popular linux distros. How hard would it really be for a talented coder to slip in a few subtle flaws to be exploited later if he's on the dev team and in every other way does the job very well?

    • by zappepcs (820751) on Thursday October 16 2008, @09:59AM (#25400123) Journal

      I hope you are modded up handily.... what you say is the truth, and the only reason that such information makes the news. If govt. agencies were doing their job as prescribed, it would not be news. This is simply creating a new evil-doer to distract the minds of Americans while the government continues its wholesale grab of liberties and Constitutional pinata frenzy.

      Mr Orwell would be happy to note that in 4 more years, most Americans will be on a terrorist watch list, augmented heartily by those signing up for unemployment benefits. How much farther down this rabbit hole must we go before government whistle blowers become folk heroes? Will our grandchildren hear stories of Babe the blue ox, superman, and joe whistleblower? I hope so.

      • by houstonbofh (602064) on Thursday October 16 2008, @10:28AM (#25400561)

        How much farther down this rabbit hole must we go before government whistle blowers become folk heroes? Will our grandchildren hear stories of Babe the blue ox, superman, and joe whistleblower? I hope so.

        I hope not! That means that whistle blowers are so rare that they must be celebrated. I hope they are more common than bus drivers.

      • Re: (Score:3, Interesting)

        Superman is on a list. So are all the other people who wear their undies on the outside. He is likely to be one of those sex offender types. Seriously. And Joe Whistleblower? He blew his last whistle trying to protest in a safe zone away from everyone else where the media couldn't have access to him.

        I really worry about the direction of America. For such a powerful country in the world, your government is really really managing to dick things up.
      • by somersault (912633) on Thursday October 16 2008, @11:21AM (#25401355) Homepage Journal

        FOSS software is swiss cheese for security, it's just that not many people eat it and therefore don't realise it has so many holes.

        And gross generalisations are always wrong too! Like this one.

        It really depends on the project. Most obvious projects to look at: Apache, PGP, Linux, etc. Very widespread adoption, and nothing like 'swiss cheese' in terms of security. FOSS software can be amazingly secure with the right guidance.

        Twitter is making gross generalisations too, of course.

        A well conceptualised FOSS project can obviously be just as good as any well conceptualised closed source project. Popular Open Source projects will be able to have more developers looking over the code though, and are likely to thank people for disclosing security vulnerabilities, and patch them up quickly. Sometimes closed source vendors get really pissed off when people disclose vulnerabilities - even when they've been given a while to get a patch sorted out and have done nothing about it.

      • Closed-source software is swiss cheese as well, but you're forced to eat it with your eyes closed, and this means that you can't see the holes.

        Cheese analogies are much more fun than car analogies!

      • Or, you have violated 235 of their (laws|patents) and they intend on receiving (taxes|royalties) for it from the (citizens|users) in order to properly fund their (job|development).

  • by Anonymous Coward on Thursday October 16 2008, @09:47AM (#25399899)

    I'm now worried that mine's at risk.

    • I'm now worried that mine's at risk.

      That was my first question as well. At least I'm not in the US so maybe my cyber is safe.

      • So long as it doesn't keep me from sending my internets I'm not worried. Now just the other day one of them companies dumped a tremendous amount of data in the tubes and it buried my internets. If you get some of that tremendous amount of data could you look through it and see if maybe one of my internets is stuck in there somewhere?
    • Cyberspace is my guess, the topic field probably cut it off.
      • the topic field probably cut it off.

        Please. Most likely it was a stray lolcat.

        He's in ur cybers, stealin ur pace.

    • Don't worry no one wants to listen in on any of the /. crowd's cyber...
    • Help! Help! My subculture [wikipedia.org]'s at risk!

  • no kidding? (Score:5, Funny)

    by Utini420 (444935) on Thursday October 16 2008, @09:47AM (#25399917)

    News Flash: Guy in new job declares new job important!

    • Don't mess with this guy. He has an army of cybermen [wikipedia.org] ready to invade the planet!

      Well, either that, or a very silly job title.

      • To me it sounds like something from Megaman Battle Network. Actually, given the inanity of some of the laws recently passed in the USA it shouldn't surprise us to see Official Netbattler as a real job title soon...

        However, while I'd like to think that the FBI has dozens of snotty kids with utterly professional and capable navis on its payroll, most likely all they have are a couple HealNavis with one MiniBomb J each.

  • Don't worry, if McCain wins he'll make Joe the Plumber his special advisor on such issues.
  • by Garrick68 (1165999) on Thursday October 16 2008, @09:50AM (#25399967)
    and here come the cries from the government "Quick we pass these laws to protect us!!!" Yeah right...
  • by KeithIrwin (243301) on Thursday October 16 2008, @09:51AM (#25399987)

    Threats against cybers? Uh-oh. I've been cybering all morning. Heck, I even did cam to cam once. No global sweepers have threatened me yet, but now I'm scared. I hope they don't hurt me.

  • So use protection [clamav.net].

    Or stop truncating titles into something ambiguous, I guess.

  • Cybers? (Score:5, Funny)

    by Digital Vomit (891734) on Thursday October 16 2008, @09:54AM (#25400039) Homepage Journal
    Since when is it the FBI's mandate to protect online sex chatting?
    • it's part of their two-pronged attack against child exploitation.

      They will watch you cyber to assure there are no children involved, but assure protections so others don't watch you cyber.

      I hope your fetishes involve spectators : )

  • What... (Score:5, Insightful)

    by cosmocain (1060326) on Thursday October 16 2008, @09:54AM (#25400045)
    ...an abundant interview:

    While he refused to provide country-specific details[...]

    He then hinted that an announcement[...]

    Henry would not comment in detail[...]

    He shied away from commenting[...]

  • No duh... (Score:3, Informative)

    by cavis (1283146) on Thursday October 16 2008, @09:54AM (#25400059)
    So a newly appointed government official announces something that we in the network world have known for years and suddenly it is news? I think that anyone who has any amount of experience in computers would know this by now. If I had a dollar for every attack on my network from Asia, I'd take us all to lunch.
  • by petes_PoV (912422) on Thursday October 16 2008, @10:03AM (#25400169)
    what's the point of having a cyber-tzar if he (or she) is then going to turn around and tell you everything's fine?

    Of course he will talk up the threat - that's his job. Since there's no way that these intangibles can ever be measured, he's on pretty secure ground too. If no threats materialise it's because of his vigilance and the skill of his team - not because there were never any real threats to begin with.

    If a threat does turn into a real attack - well, he needs more money, powers and curtailed freedoms to ensure it doesn't happen again.

    • Re: (Score:3, Interesting)

      I'm going to go cry in a corner because of how absolutely right you are and how horribly depressing that is. The last line in particular pretty much sums up the last 7 years.
    • Since there's no way that these intangibles can ever be measured..

      What are you talking about?

      Don't you know the recording, software, and film industries lose hundreds of billions of trillions of dollars a year to p2p piracy?!!

      These things CAN be measured.. why just recently the chairman of the fed said a mere 700 billion dollars would fill the potholes in our credit industry!

      (for the million /whooshes about to happen .. /sarcasm)

  • Job Security 101 (Score:3, Informative)

    by mpapet (761907) on Thursday October 16 2008, @10:05AM (#25400199) Homepage

    There is no doubt there are bad people that would like to do bad things to others in the world, but why anyone takes this kind of propaganda seriously is beyond me.

    It's more than likely the amount of funding he gets is directly proportional to the amount of fear mongering produced.

    • There is no doubt there are bad people that would like to do bad things to others in the world, but why anyone takes this kind of propaganda seriously is beyond me.

      It's more than likely the amount of funding he gets is directly proportional to the amount of fear mongering produced.

      Not to mention, that "of course" this means that the only way to be "safe" is to increase the size and police power of government. Why, that's always the solution now that you've had problem and reaction! When we all learn the goose step, just think of how incredibly wonderfully SAFE we'll all be!

  • by pete-classic (75983) <hutnick@gmail.com> on Thursday October 16 2008, @10:06AM (#25400215) Homepage Journal

    Aight, I put on my robe and wizard hat.

    -Peter

  • by jznomad (1007829) on Thursday October 16 2008, @10:09AM (#25400251) Homepage
    http://defensesystems.com/Articles/2008/10/Air-Force-demotes-Cyberspace-Command.aspx [defensesystems.com]

    The Air Force announced last week that it has backed off even further from its grand plan to establish a cyberspace command as the military entity primarily responsible for securing and conducting offensive operations in cyberspace. The Air Force launched a provisional Cyberspace Command more than a year ago and scheduled a formal command launch for Oct. 1. However, officials delayed that effort after the departures of Air Force Chief of Staff T. Michael "Buzz" Moseley and Air Force Secretary Michael Wynne, who were fired for incidents involving the mishandling of nuclear detonators and weapons.
    • The Air Force announced last week that it has backed off even further from its grand plan to establish a cyberspace command as the military entity primarily responsible for securing and conducting offensive operations in cyberspace.

      The real reason they "delayed" that effort is because some twenty-something Captain told the old fogeys that the "space" term in "cyberspace" didn't mean what they thought it meant. They are now working on an "All your Space belong to us" concept - but it's taking a bit longer t

  • Nice way to get more budget, "OMG the terrorists are going to control our nukes from their iPhones!!!11!! You must give us lot of money to protect you".

    I know there are threats, and I know that a lot needs to be done about them, but this kind of scaremongering is getting boring after nearly a decade.

    This is a real problem, there is no need to exaggerate it. You use unsupported hyperbole at your peril, after a while no-one will take you seriously. Especially now, when budgets are under so much scrutiny.

    In many ways these financial problems could be great for civil liberties, constructing a surveillance society costs real money. Just take a look at the UK ID scheme, it will cost billions.

  • Al Qaeda is on AOL chat rooms asking A/S/L ?

  • Anyone who has trouble explaining exactly what "FUD" is to a parent or whatnot should just send them to this tidbit - it's about as clear-cut an example of Fear, Uncertainty, and Doubt that I've ever seen...
  • I'm sure there's hackers trying to break in to the FBI's computing system all the time, it's just now it's probably gotten so easy and there are so many holes and loose ends to tie up with security, and even if there are people who know what they're doing there, there is no real grand plan for their computer system or security and nobody knows how to bring it all together. They're probably also concerned with illegally hacking into other nations' computers and our own. Why should we care about what's wro
  • by snarfies (115214) on Thursday October 16 2008, @10:24AM (#25400515) Homepage

    You are inferior. Man will be reborn as Cybermen, but you will perish under maximum deletion. Delete, delete, delete, DELETE!

  • What they meant to say was that any US Cybrans would be at risk. If you are Aeon or UEF, you have nothing to worry about.

    Carry on Supreme Commander!
  • by Sloppy (14984) on Thursday October 16 2008, @10:48AM (#25400859) Homepage Journal

    The implication of a government person saying we have a problem, is that the government should do something about it. And for the military and other government networks, that's fine.

    But why do we ("we" being the government) need to do anything to protect corporate (or any other private) computers? The owner/operators of computers can protect them on their own. Just stop running foreign code.

    This isn't like physical security, where, say, IBM can't (and shouldn't have the means) to protect themselves from nuclear ICBM attack. It makes sense to put government in charge of securing the country against certain threats, and that job (if stated broadly enough) is arguably the only reason we need government to exist at all. But cyber-security isn't one of those situations, because individuals and groups can protect themselves, without putting anyone else at risk.

    • The implication of a government person saying we have a problem, is that the government should do something about it. And for the military and other government networks, that's fine.

      But why do we ("we" being the government) need to do anything to protect corporate (or any other private) computers? The owner/operators of computers can protect them on their own. Just stop running foreign code.

      This isn't like physical security, where, say, IBM can't (and shouldn't have the means) to protect themselves from nuclear ICBM attack. It makes sense to put government in charge of securing the country against certain threats, and that job (if stated broadly enough) is arguably the only reason we need government to exist at all. But cyber-security isn't one of those situations, because individuals and groups can protect themselves, without putting anyone else at risk.

      If your premise was correct your position would have some merit, but because you're probably thinking very narrowly about the problem you've missed some very big issues.

      First, much of our infrastructure is run by private companies. Think about how effective inter agency communication isn't when phones and cell phones don't work (think Katrina and 9-11). Our utilities are almost completely under private control and that includes nuclear reactors, dams, and the electrical grid. The Nuclear Regulatory Commission sets standards for security, but computer systems and security (both virtual and real) are all handled by private companies, most often contractors.

      Second, even non-infrastructure companies can be hugely disruptive. Think what could happen if someone gained control over the automated systems that report on the prices of stocks, commodities, bonds, and other financial mechanisms. Creating a run on a bank, Wall Street, or huge fluctuations in the value of the Dollar would be trivial if someone just had access for a short time period. If someone had undetected access and a more subtle mindset the damage could be both much longer term and much worse.

      Finally, even companies and organizations that don't control infrastructure or financial systems can have a huge impact if their systems are compromised. Your example of IBM's being able to protect themselves without risk to others is also critically flawed. Last year IBM did $1.43 billion in consulting work for the US government. (1.4% of total 2007 revenue) You don't suppose that in that some of the work is classified? I know some of it is and further, given continued access, I could see the new stuff as the contracts are awarded to Big Blue. This also ignores the disruption that they could create because they are a well trusted ASN on the Internet. The sheer number of workstations and servers they have would also make them attractive to operate as part of a bot net.

      In short, there are lots of ways that any large company can hurt the rest of us if they aren't responsible with their security. Now, I'm not buying into the idea of the government being responsible for everyone's network security, they couldn't if they wanted to, but right now network security is something that a lot of companies haven't taken seriously and they _can_ harm us with their negligence.

      • Re: (Score:3, Interesting)

        Your example of IBM's being able to protect themselves without risk to others is also critically flawed. Last year IBM did $1.43 billion in consulting work for the US government. (1.4% of total 2007 revenue) You don't suppose that in that some of the work is classified? I know some of it is and further, given continued access, I could see the new stuff as the contracts are awarded to Big Blue.

        Fair enough on that. I'm ok with government demanding authority (or certain standards) over private computer securi

      • much of our infrastructure is run by private companies.

        So, basically privatization leads to nationalization?
        Interesting.

  • Countries? (Score:3, Interesting)

    by gmuslera (3436) <gmuslera@@@gmail...com> on Thursday October 16 2008, @12:30PM (#25402367) Homepage Journal
    First worry about individuals and groups of individuals, that are already doing some damage. Worms, spam, virus, botnets, exploiting vulnerabilities, social engineering, phishing... you don't need to have a country's government behind those threats.

    And part of the solution is not "attacking", but defending having things right in your side. Detect infected and vulnerable sites and PCs and warn/educate owners/vendors about that, as they are the perfect source for i.e. a big DDoS or other kind of attacks. That US is the biggest source of spam and probably botnet activity of the world is a good warning sign.
    • The "worst" part about free societies is that it isn't always easy being a citizen of one. The "easier" it gets the less free the society.

      You've got to be willing to take a blow, usually the first one, and not overreact.

      You've got to let the rights that protect you protect the people you hate.

      Strength is not going medieval on someone who hurt you.

      And thank you for reminding me what a scary word loyalty truly is.