US Prepares for Eventual Cyberwar

The New York Times is reporting on preparations in the works by the US government to prep for a 'cyberwar'. Precautionary measures are being taken to guard against concerted attacks by politically-minded (or well-paid) hackers looking to cause havoc. Though they outline scenarios where mass damage is the desired outcome (such as remotely opening a dam's gates to flood cities), most expect such conflicts to be more subtle. Parts of the internet, for example, may be unreachable or unreliable for certain countries. Regardless, the article suggests we've already seen our first low-level cyberwar in Estonia: "The cyberattacks in Estonia were apparently sparked by tensions over the country's plan to remove Soviet-era war memorials. Estonian officials initially blamed Russia for the attacks, suggesting that its state-run computer networks blocked online access to banks and government offices. The Kremlin denied the accusations. And Estonian officials ultimately accepted the idea that perhaps this attack was the work of tech-savvy activists, or 'hactivists,' who have been mounting similar attacks against just about everyone for several years."

Isn't this blown out of proportion, again?

[Anonymous Coward]

I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?

It's not just the Internet

[vtcodger]

***Isn't this blown out of proportion, again?***

Probably not out of proportion. The military has separate secure communications, but civil society doesn't. And many of our key networks aren't exactly robust. We've had incidents in the past of phone networks going down because of bad software upgrades to switches. And of power distribution networks going down for no very good reason and taking many hours to get back up. And satellites going out.

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs, uses other update services to brick all sorts of devices, then simultaneously goes after the DNS servers; North American power grid controls; and every satellite link they have previously found a vulnerability in? What if they can take down major parts of the cell phone network? Probably they can DOS the financial service network providers if they can't hack into them -- No functioning ATMs and likely no functioning banks and likely few functioning stores of any kind. And they reprogram a lot of the nation's traffic signals to turn all lights green permanently. They do the same for the railroads. And they turn off the natural gas distribution system -- in January. And they shut down the aquaduct pumping stations feeding Southern California. ... etc, etc, etc. And finally, they shut down as much of the phone system as they can get to.

A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.

If an attacker can do even a quarter of that, it'd take any industrial country a week to get back up after a fashion, and months to really get things back under control. So, no, it's probably not blown out of proportion.

***I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?***

What is the cheapest and most cost effective way to control a remote power facility? And who says cyber attacks are limited to the Internet? If your dam is 300 miles away, you're going to need remote access -- at least for monitoring and quite likely for command and control. Seems to me like most, maybe all, of the technologies to do that -- internet, phone network, satellite, radio links, etc--are open to interception and attack. Even if you can't break into the control link, you likely can deny service in one way or another.

Re:It's not just the Internet

[zmollusc]

If the attackers want to maximise chaos, they will leave the traffic signals functioning normally.

Re:

[MisterSquid]

A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.

William Gibson called and he's asking for Wintermute back.

Re:It's not just the Internet

[mcrbids]

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs,

What makes you think they have to hijack MS Update? It seems to be a problem right now, today. [bbc.co.uk] Anybody who thinks this is something new is clueless. It's a problem right now, today.

A few things that can help:

1) Stop using systems that are inherently flaky. (EG: MS Windows) Move on to something that's proven to be resistant to viruses and the like. MacOSX, Linux, BSD, and other *nix variants are a good bet for the immediate future, but I'd wager that the best bet would be to revive DEC VMS! The security on that system is just simply awesome, and its reliability is second to none. Get somebody with chutzpah like Steve Jobs to make it work, and it would. Very well.

2) Demand basic, reasonable security policies in force at ISPs. The federal govt should require that ISPs should use basic technologies to ensure that packets appear to come from the right network, malformed packets are rejected, etc. and it should also provide reasonable initial funding so that they can comply with this law without undue hardship.

Another interesting thought - computers have gotten complex enough that the average person can no longer maintain them. So what if there was a way that the average person could outsource this administration to somebody else? There's quite a few ways this might work:

A) The "pool service" model - some local techie shop periodically accesses your computer (either physically or remotely) and performs a routine maintenance, fixing security holes, ensuring updates are done, performing backups, etc.

B) The "terminal" model - rather than store all your data/files on your local machine, your local machine becomes a dummy terminal, and you access your data and programs remotely. Something like the "terminal" that was common on mini and mainframes in the 1980s. Think Google office? This may be where Microsoft goes with their 'Windows Live' service, and where Linux goes routinely with X11.

C) The "Updater" model - almost in place now, you pay a subscription fee to have software downloaded automagically that takes care of security issues. The main point here is that for this to work, it has to provide a strong assurance of quality, which this does not.

Man, got windy on this post. Hope you enjoyed it!

Re:It's not just the Internet

[djmcmath]

OP is right, and he's optimistic about our defenses. Even the military practices "network security" at only a childish level. Most users have no clue how security works, and our military's network security training is horribly remiss.

And of course, the OP only outlined a few attacks that can be conducted from the safety of an office somewhere remotely. We face an enemy who isn't at all afraid to blow stuff up, even if it means the explosives are personally delivered. Anyone take a look at the physical security on a dam recently? Storage sites for nuclear waste? Ferries, busses, trains?

We are ripe for attack from a small team of well-funded and determined enemies, and we're not doing enough to prepare for it.

Re:

[korbin_dallas]

"A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.

If an attacker can do even a quarter of that, it'd take any industrial country a week to get back up after a fashion, and months to really get things back under control. So, no, it's probably not blown out of proportion. "

Correct.

For instance. Simply screw with everyones Identity. If you got 50% or more of the taxpaying population screwed with ID theft,

Re:

[rtb61]

A serious internet attack is all about attacking hardware. The stuff that makes the internet work, the routers, switches and modems. So if you are producing the hardware and the drivers for the hardware, then taking down the Internet is no problem at all, from knowing the back doors you have inserted in the hardware, to making use of the bug that 'er' you accidentally forgot to fix or still haven't quite gotten around to provide a fix for.

So let me see, who makes most of the hardware now, has access to th

Remember the big eastern brown out?

[WindBourne]

During that time, one of the nuclear reactors that shutdown was found to have numerous Windows based computers connected to the Internet. Apparently, the techs had put them in there and hooked up to make servicing easier. It happened then. It will happen again and again. Until companies decide to take back computing (laptops without USB or modem, ethernet that requires low-level authentication, etc., we will continue to see issues. In fact, if a company wanted to start up big against Dell, et. al. they coul

Re:

[kevlarboots]

"During that time, one of the nuclear reactors that shutdown was found to have numerous Windows based computers connected to the Internet." If: you discover the real causes of the event: http://en.wikipedia.org/wiki/Northeast_Blackout_of _2003#Causes [wikipedia.org]. Then: you might not post such an uninformed and leading statement that can be so easily dismissed by those of us who work in the industry.

Re:

[WindBourne]

PLEASE READ AND PARSE WHAT YOU COPIED. I never said that it caused it. It was the fact that they FOUND a number of windows systems that were connected to the internet via modem . And yes, it did occur.

You should think before writing misleading statements.

Re:

[delvsional]

Do you have ANY proof of that? That would be a violation of tech specs and as I recall that eastern brown out had nothing to do with a nuclear plant and everything to do with the way the grid was shabbily set up with bandaids.

even having someone without a license (nuclear not driving) cause a change in power by manipulating something like a valve is a violation. You can't just service something whenever you want. there are strict controls in place.

There are however systems connected to monitor ce

Re:

[timeOday]

Actually some very important things are reachable via the internet. Like millions of people's bank accounts, for instance. Heck, it's not the Internet, but highly classified satellites download data all the time through the open air. Relying on encryption is unavoidable.

Re:

[Lord Apathy]

I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?

That is smartest comment that I've read all morning. Has it ever occurred to these dumb fucks that there is somethings that don't need to be wired up? My toaster, the urinal down at the truck stop, the FUCKING flood gates to a damn!

Re:Isn't this blown out of proportion, again?

[Anonymous Coward]

Looks like you were right; FTA:

"..through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams"

Words fail me.

Re:Isn't this blown out of proportion, again?

[garoo]

Not all that unusual. I was visiting a water treatment/chlorination plant in the UK a few years ago (for complex reasons related to archaeology rather than anything particularly on-topic, so it is likely that we got the Cliff Notes version). They pointed to the computer that controls the water chlorination and said 'we control this via this modem right here'. Presumably there are all sorts of security controls around actually accessing via said modem, given that we are talking about a PC controlling the quality of the drinking water supplied to maybe 20,000 people.

This doesn't matter very much anyway. TFA seems to have confused 'you can connect to it remotely via some mechanism or another' and 'anyone connected to the internet can just ssh right in/DDOS it'. FUD.

Re:

[NeverVotedBush]

Strangelove: I would not rule out the chance to preserve a nucleus of human specimens. It would be quite easy...heh, heh...(He rolls his wheelchair forward into the light) at the bottom of ah...some of our deeper mineshafts. Radioactivity would never penetrate a mine some thousands of feet deep, and in a matter of weeks, sufficient improvements in drilling space could easily be provided.
President: How long would you have to stay down there?
Strangelove: ...I would think that uh, possibly uh...one hundred y

Re:

[BakaHoushi]

I will admit I'm not a tech-savvy person (by slashdot standards. Compared to normal people, simply knowing the difference between Windows, OS X, and Linux makes me a super-genius). Even so, for me, the idea of having Internet access to super-important structures online is a bad idea. Sure, it might be convenient for certain overweight employees to work from home (possibly using a dipping bird to hit the "y" key frequently), but obviously it makes it a bit too easy for extremist/mercenary/bored hackers to ga

Re:

[torgosan]

...think electric grid...

New peace activist slogan:

[Khaed]

"Make cyberlove, not cyberwar!"

Re:New peace activist slogan:

[The One and Only]

I put on my robe and wizard's hat.

Obvious safeguard

[maharg]

don't connect the dam floodgate controller to the internet ?

Re:Obvious safeguard

[Anonymous Coward]

Welcome to the whitehouse.gov administration panel, please enter your 6 digit password below:
_ _ _ _ _ _

Access granted! Hello Mr. President,

would you like to...
[1] Raise taxes
[2] Open floodgates
[3] Administrate the US Army
[4] Launch nuclear warheads
[5] Play online poker

Re:

[Anonymous Coward]

Access granted! Hello Mr. President,
would you like to...
[1] Raise taxes
[2] Open floodgates
[3] Administrate the US Army
[4] Launch nuclear warheads
[5] Play online poker

[6]Global Thermonuclear War

Re:

[Dogtanian]

[5] Play online poker
[6]Global Thermonuclear War

Let's hope you don't accidentally hit "6" instead of "5"; which reminds me of the end of this video [youtube.com].

Re:

[KillerBob]

Reminds me more of the movie War Games...

Re:Obvious safeguard - not so safe

[ancientt]

Back in the late '90s I was infected by my first virus. I had never connected to the internet, I had just used the library and school computers. Somehow, I still managed to get a virus on my floppy diskette.

I don't think it is unlikely that there are people who hook their laptops up to their work network, and I suspect it is even more likely that people plug in a floppy/thumbdrive/cdrom from home. I don't doubt that it would be safer to stay disconnected from the Internet, but a handcrafted virus would be far more likely to avoid detection by most antivirus and probably accomplish just as much in a hacker war. It would have to be a targeted program, but that is really the point isn't it, that hackers could be targeting networks that are supposed to be secured. Of course, it probably doesn't help security that they probably assume their network is safe.

Re:

[Dogtanian]

Back in the late '90s I was infected by my first virus. I had never connected to the internet, I had just used the library and school computers. Somehow, I still managed to get a virus on my floppy diskette.

Sheesh, I forget so easily, but now that you mention it... Viruses of that nature had been around since the late-80s.

It sounds laughable now, but they were actually a real problem on the likes of the Amiga and Atari ST during the early 90s. No network required; the Amiga ones resided on the floppy boot-sector and could survive a warm reset.

Re:

[jgrahn]

Back in the late '90s I was infected by my first virus. I had never connected to the internet, I had just used the library and school computers. Somehow, I still managed to get a virus on my floppy diskette.

Sheesh, I forget so easily, but now that you mention it... Viruses of that nature had been around since the late-80s.

It sounds laughable now, but they were actually a real problem on the likes of the Amiga and Atari ST during the early 90s. No network required; the Amiga ones resided on the floppy bo

Tickle Me Elmos transformed into killing machines

[niceone]

Now that would have made a good headline. It's directly from the article:

microchip-controlled Tickle Me Elmos will be transformed into unstoppable killing machines

(taken slightly out of context)

Well, naturally

[weston]

microchip-controlled Tickle Me Elmos will be transformed into unstoppable killing machines

They didn't start that way, they were just programmed to fight effectively against Hello Kitty Jason:

http://www.hellokittyhell.com/2007/06/19/hello-kit ty-jason/ [hellokittyhell.com]

but to quote Jurassic Park "Life.... finds a way."

Newspaper ad

[suv4x4]

As the government is getting ready for the upcoming cyberwar, the following ad was noticed in a local newspaper:

We're looking for a young man named John Connor, to lead our efforts in the war against the machines. We offer $1000 to anyone who has any substancial information in discovering his location. If you can help, please dial 1-800-ILL-BE-BACK.

    - The Government (it's not Terminator this time, I swear)

Re:

[suv4x4]

The next day another ad was printed:

This is The Government. We're warning you that Terminator seems to be posting newspaper ads looking for John Cohnor and presenting himself as The Government. Do NOT call him. The real Government would never post ads in a newspaper in a fashion like that.

Hmm, wait a second. Bob, stop typing, let me call the general. Hello, General? I just realized, we can't type in a newspaper ad, that we'd never post in a newspaper ad, we'd look like damn morons. Uhuh. Uhuh.. Wait.. BOB I

Re:Newspaper ad

[suv4x4]

How does it feel to reply to your own post?

Makes me feel Slashdot had an edit post button, so I wouldn't have to ammend myself in an entire new post.

Re:

[suv4x4]

Of course, editing would kill the whole karma system unless there were something like a 'see original post' link on edited posts.

It wouldn't kill anything. First there could always be the "see previous revision" buttons, and second the system could only accept edits that ammend to the original (not replacing it) and accept, say 7-8% changes on the original (for the typos).

It could also display the edits in a different color, thus putting it in plain sight what was edited.

Re:

[HAKdragon]

Personally, I'd be preferential to a time-out editing system. Say 2-3 minutes, then make it take 5 minutes for the comment to show up on a story. That way you could go back and quickly edit something, but you wouldn't be able to change the comment after it's modded.

Re:

[PopeRatzo]

editing would kill the whole karma system

And we all know that would be cataclysmic. I mean, any system that lets a liberal flamebaiter like me moderate about 4 days a week must be keeping the universe in balance.

Re:

[account_deleted]

Comment removed based on user account deletion

The Need for an Enemy

[segedunum]

Well, everyone needs a credible enemy to keep themselves in a job. I mean, what would all those government agencies do with their time? The whole thing is just playing peoples worst fears, and the scenarios they've got there are straight out of Die Hard......or that film Sandra Bullock was in, and of course the all have no basis in reality.

Bring back the Cold War, that's what I say, and it looks as though they are. This whole terrorism thing just isn't working out ;-).

Re:

[Timesprout]

This whole terrorism thing just isn't working out

Well even the dummies are starting to put 2 and 2 together now over the whole 'terrorist global domination' charade and 'Cyber terrorists' are a ready made replacement in terms of fear mongering. Another vague, unknown threat that could be anywhere and somehow capable of causing immense destruction and loss of life at any given moment.

Re:

[suv4x4]

Bring back the Cold War, that's what I say, and it looks as though they are. This whole terrorism thing just isn't working out ;-).

Maybe it's not working out, but Cold War was even worse. It was so hopelessly outdated, that they tried rebranding it "Cool War", "Hot War" and what not, but it just wouldn't catch on.

Cyberwar and war on terror is where it's at. And war on child abuser. Who doesn't agree? You child abusers, you.

Cool War by Frederik Pohl

[fritsd]

Nonono, "The Cool War" was that SF book by Frederik Pohl which seems to become more realistic year by year. In fact, it's even on-topic!

What, like 1984?

[r_jensen11]

Well, since nobody else has said it, there it is.

Re:

[Courageous]

The whole thing is just playing peoples worst fears,...

Well, except that their fears are REAL. Not the dams and infrastructure part: the espionage part. We're under constant electronic attack every day, by many nations, threatening or otherwise. There's no commercial defense contractor today who does not have foreign electronic agents planted in their systems.

C//

Re:

[kinglink]

That's right because people aren't dying every day because of terrorist activities. We're kind of blessed right now because we are fighting a war in Iraq, so the main focus is in Iraq. But all those deaths could be anywhere. No one seems to care when a couple innocent Israelis die by a person blowing themselves up yet the scream bloody murder when the Israelis respond to it. We've had numerous attacks in Europe.

Yeah terrorism isn't a real threat, because no one dies in America because of it. Except the

Ladies and Gentlemen, Start Your Memes!

[ettlz]

In 2007, cyberwar was beginning.

Re:

[Anonymous Coward]

What happen?
Somebody set us up teh hax!

always a war

[had3z]

Why is it that america is always preparing for a war? a war on 'terrer', a cyberwar, a war on drugs, a war on immigrants, a war on pirates, a war on guns. When is the last time america made peace?
I guess big budgets need big reasons

Re:

[Hrothgar The Great]

This really isn't anything like those other "wars" though in that there will probably be nothing actively done in this case. It's a popular thing right now in the corporate world right now as well as the government - worst case scenario disaster planning. What you do is you call a meeting, and you pull in members from your various technical teams, and then you ask a roomful of developers and IT staff what their plan is in case - oh, I don't know, there's a global pandemic next week, or a terrorist blows u

Re:always a war

[suv4x4]

Why is it that america is always preparing for a war? a war on 'terrer', a cyberwar, a war on drugs, a war on immigrants, a war on pirates, a war on guns. When is the last time america made peace?

Amen. Let's declare war on war!

Re:

[melikamp]

OK, let's just cut the bullshit and declare

War On WOW

where WOW, of course, stands for War On WOW.

Re:

[suv4x4]

<Tom Lehrer>
So long mom
I'm off to drop the bomb
So don't wait up for me
</Tom Lehrer>

So. Tom Lehrer is into toilet humor, huh.

Re:

[Guppy06]

"When is the last time america made peace?"

1919. Didn't work out so well.

Re:

[petes_PoV]

Why is it that america is always preparing for a war?
Because it's a neat way to get around the freedoms and protections afforded to the populace.

People understand that in war it's necessary to restrict what people may normally do, in order to "win". Theoretically, once the war is over, the old freedoms can be restored.
In practice, there are so many rules, laws and protections in place that it's impossible for a government to obey them all and still enact all the dodgy deals that they, and their friend

Re:

[aepervius]

You forgot the war on "tities". Seeing the great scandal that a breast on TV can generate, I would not be surprised that there is a big need to have some vent to let out the frustration. Since you can't have sex, then you have got to have wars, lot of them.

Maybe we in the EU should organize a USA-thon ? I propose that we get big transport plane full of penthouse, playboy, maxim, german porn , a few fetish and silicon "realistic" sex doll, then we air drop the whole on washington. While everybody is occupye

Re:always a war

[GooberToo]

Why is it that america is always preparing for a war?

Um...perhaps because it's the smart thing to do? Only an idiot wouldn't prepare.

You see, any country that has two nickles to rub together makes preparations to keep their two nickles. The reason is simple. Someone with only one nickle or maybe someone with two nickles that would like to have four, may decide to come take your two nickles. So you have a choice. One, give your two nickles up tomorrow (it will happen), or be in a position where it will cost someone three nickles to take your two.

Perhaps you've heard, "Hope for the best. Plan for the worst." Only an idiot running a country wouldn't do that.

Re:

[Anonymous Coward]

Of course, centralized power is what gives birth to war in the first place. Without a centralized power to plan and conduct war -- funded through coercive means -- how could war ever come to be? Individuals can form a militia (voluntarily-supported army) for purposes of self-defense, but never could a militia be used for offense, i.e. attacking peaceful groups of people. Who would pay for it? I sure wouldn't -- I'm a peaceful individual. You might find a few nutcases willing to go along, but an entire army?

Re:

[rhizome]

So you have a choice. One, give your two nickles up tomorrow (it will happen), or be in a position where it will cost someone three nickles to take your two.

Where's the part where you blow someone's house up because someone who lives there once wore a t-shirt with a picture of a nickel on it?

Re:

[CodeBuster]

si vis pacem, parabellum

Re:

[suv4x4]

>> a war on 'terrer'

What about the war on grammar?

How about war on grammar nazies, and nazies in general (I'm sure Steven Spielberg would even make a movie about it).

And that's a typo, not a grammatical error.

Re:

[KillerBob]

I think the quotation marks around 'terrer' made it clear he knew that the word is actually spelled 'terror' and was trying to poke fun at an otherwise ridiculous situation.

Re:

[ozbird]

WAR=MONEY

War is Peace
Freedom is Slavery
Ignorance is Strength

Re:

[doctormetal]

And because when a country is in fear, it is much easier to control its populace.

..and take their righs away.
Just look ate the war on terror has resulted in: no more privacy and all people (especially foreigners) are considered to be potential terrorists.

Disaster contingency planning

[zmollusc]

Can we agree on a flag to wave so that, once the 3vi1 h4xx0rs have destroyed all the intarnets, we can signal to others in visual range 'willing to trade pr0n dvdroms via sneakernet'? Maybe any suitably encrusted piece of fabric?

Born to Lose

[Doc Ruby]

Every US "Cybersecurity Czar" [wikipedia.org] has quit in disgust. The Homeland Security agency can't even find someone to run the office [cybertelecom.org], because it's a total joke.

Meanwhile, the US has already been under siege by China in a full-blown cyberwar [google.com] for several years.

It's cheap to attack the US tech infrastructure, and expensive to defend against it. That's what asymmetric warfare [wikipedia.org], like terrorism, is all about. So 6 years into Bush's Terror War, and the government is still preparing to get started, while our enemies just surge around us.

Stupid-wordism

[SoapBox17]

"Hactivist" is a perfectly cromulent word, right? No, not really. I really despise this weird need everyone has to create new words. He already have perfectly good words, like "hacker", "activist" and "loser kids who want to feel powerful." Why anyone felt the need to create another buzz word is beyond me. This one is going right on the top of my list [slashdot.org].

Re:

[TheRaven64]

Of course, the term hactivist should really be used to describe people like RMS who use their hacking ability for social change in a constructive way. The article is really talking about cracktivists.

preparing to START a cyberwar?

[petes_PoV]

OK, there's defensive preparations and offensive preparations. I think it would be nice to know exactly how these guys are intending to fight (offence is the best form of defence?) such a war, before we all become collateral damage?

Slight factual error in summary

[ja]

The summary says that Estonia wanted to "remove Soviet monuments", which is an excaggeration. The monument in question was moved to a less prominent place, which is kind of understandable since the Soviet era of Estonia isn't regarded much higher than, say the Nazi occupation of places like Denmark or The Netherlands ...

The important thing to remember here is that the monument is still visible for those who wish to pay their respect to their ancestors. The monument is not, and never was, removed.

PLAN FOR ACTION

[allanc]

Okay, this is serious, and the US could be in serious danger. Here's my plan for action to make sure we can come through a potential cyber-war victorious:

1. "Security through Conformity": Standardize on exactly one platform. Make sure everyone in government is using it. That way, if we discover a gaping security hole in that platform, we only have to patch one type of system. Homogeneity is the key.
2. We need to put our trust in professionals. That one platform should definitely be Microsoft Windows. Sure, having people from all over the world looking for bugs might be quicker and more effective, but that also means that people from all over the world have the potential to find a security hole, but we have no clear target to blame for that security hole. And don't forget that backdoor that was almost slipped into Linux (though, fortunately, caught before it got into source control because of all of the people able to look at it)! We wouldn't have to worry about that with Microsoft Windows
3. Don't leave computer decisions in the hands of long-haired computer geeks who spend all day working with technology. They tend to have decidedly leftist--if not communist!--leanings. All IT decisions for the US government should be made by the people best qualified to make them: Career bureaucrats.

Re:

[allanc]

Yes, I was going for funny. :-P

(See, the joke is that the above is what we're basically doing now)

Re:

[allanc]

This is a good idea, because terrorists can use any new encryption techniques we think of. So best that we just don't do any encryption research so they can't profit from our efforts.

Ahhhh, Now I understand about paying taxes on ....

[3seas]

....virtual goods.

They can use the virtual taxes to pay for the virtual war (cyberwar) defense.

http://politics.slashdot.org/article.pl?sid=07/06/ 23/2055244 [slashdot.org]

Cyber Cyber Cyber

[gumpish]

Can't they call it "Digital Warfare" or "Internet Warfare"?

"Cyber" is so 1990's... anything that inserts it into the language more often is a nuisance. Can you imagine if it gradually became a synonym for "good"?

Dude, that pizza was totally cyber!

Ugh...

Re:

[VoidEngineer]

Can't they call it "Digital Warfare" or "Internet Warfare"?

EMP devices and van-eck phreaking devices aren't necessarily either 'Digital' or 'Internet', although they would both be important tactical weapons in cyber warfare. There's an analog component to Cyberwarfare which 'cyber' refers to, whereas 'digital' and 'internet' do not. 'Cyber' originally was a term used to refers to systems and control theory, ala cybernetics. Thus, a hydroelectric dam or nuclear powerstation both have 'cyber' systems, u

There really is a solution of uniqueness....

[3seas]

you know how linux doesn't suffer the windows viruses or the BSD system doesn't suffer linux holes?

Well its all about uniqueness. If ever computer ran a different operating system with different....whatever protocals..

Of course this is not realistic, or is it? Lets say the linux open source system could be compiled with something like an encription code that alters the system enough to make it unique. Any applications to run on that particular system would as well need to be compiled with the same code, etc

Re:

[HAKdragon]

1) It's not all about uniqueness. While having a heterogeneous environment can help security, it's not the end-all, be-all. What makes Linux/BSD and various other open source projects secure is the fact that people are constantly reviewing the code so if a vulnerability is found, it can be patched quickly. It also helps that the whole security model on Unix and Unix like systems is more secure than Windows. Is any functional system perfectly secure? No, but some are better than others.

2) The idea of usi

SECURE THE PROTOCOLS!!!

[Spy der Mann]

Just fix the darn protocols, dammit. It's been a year [washingtonpost.com] since Blue Security was taken down by PharmaMaster and NOBODY has done ANYTHING to prevent any subsequent DNS amplification attacks [securiteam.com] from happening.

If ISPs at least blocked forged-ip packets from exiting them, then THAT would be a nice start.

Re:

[MulluskO]

Don't most ISPs (in the U.S.) already do that?

http://spoofer.csail.mit.edu/summary.php [mit.edu]

It'd be nice if IPv6 would do more guard against spoofing; it tackles some of the issues, but not all.

"...knock them out in the first round"

[bl8n8r]

There's no way in hell the US is equipped* to deal with 'cyberwar', let alone the government. What do they plan to do to "knock them out in the first round"?; make sure that Norton is running and that they have the latest service packs installed? Most people have no idea what they are up against with computer security. Unless they can find it at Walmart, it doesn't exist. A lot like to pass the buck too: "Why didn't microsoft protect me from this?" "Why can my ISP let this happen"?, "Do I really have

Economic war?

[MarkWatson]

Sorry in advance if I am going a little off topic here, but I think that economic wars will define the future.

In the best of future worlds, governments will compete with each other for skilled workers and investment based on how well they can provide: a low tax base, control of local violence, educational infrastructure, effective markets and trading partners, etc.

The problem that I see for the USA (my country), the UK, and a few others is that they spend so much on "defense" that they will not be able to c

A word from the front lines

[AB3A]

I am a registered professional controls engineer. I design and manage a large SCADA system. I'm also a member of the SP-99 standards committee (the ISA standard for industrial control system security).

Industrial Control System Security is the subject of many books (with many more on the way), security committees, and even pending regulation. I could spend a long time trying to explain why things are the way they are. Here's an overview of the issue:

1) SCADA systems started out in isolation. Most were never designed for internet access and many were designed without any thought to security because there is a more important concern: Reliability and performance.

2) Office folks got wind of what information could be had from SCADA systems and the next thing that happened were a mass of people clamoring for the data. However, very few gave much thought to how that data could be extracted securely without affecting the reliability or performance of the system. As a result, there are many security compromises.

3) It's not easy to retrofit security in to an existing SCADA system. It would be like putting seat belts and air-bags on a Ford Model T. Such measures will help, but what is really needed is a re-engineering of the whole system.

4) Many of the protocols we use every day live in carefully validated embedded systems. You can't just "update" them without digging in to a morass of other embedded systems issues, in addition to the protocol itself, you have issues of performance and expected behavior. For this reason, updates of embedded firmware are rare.

5) SCADA systems live for a long time. Typical lifetimes are at least 10 years for the field devices and five years for the control room software and hardware. These configurations are carefully validated (a very tedious and expensive process), so companies are loath to upgrade them unless there is a very good reason to do so.

I can go on, but that's should give you a taste of what the situation is.

Now for the reality of interational red-teams. Yes, they exist. The US has them too. I don't design for a red team. First, that would require very frequent software upgrades, something which I've already explained is not feasible for most SCADA system operators. Second, we opt for defense in depth. We try to segment our systems so that they fail in to smaller peices which are semi-autonomous in themselves. They won't be as efficient, but they will continue to work. And finally, in case you hadn't noticed, we design our physical security to eliminate the casual vandal, not the determined para-military group. The cost of going fully secure is so high that nobody would be willing to pay for it.

At the utility where I work, we keep our SCADA system carefully shielded behind firewalls. Yet many other SCADA system managers do not understand the security issues because they're not IT savvy. Conversely, most IT staffers in utilities and manufacturing companies do not understand what a SCADA really is and does. This is not just another app. The notion of a real time or even a near real time system is alien to most. Furthermore, there is no such thing as "rebooting" in this business. In most IT applications, restarting the application or rebooting the machine is routine. Not so in SCADA. If we restart, we often lose track of many critical on-going processses. You see in most IT applications, they are the whole system. With SCADA, there is a physical world of things going on with or without them. If you're not up and running all the time, you're probably going to miss something critical.

Finally, opening dams by remote control isn't likely. We have dams where I work too. Even if we did open them by remote control (we open ours manually), the systems that we use are as far as possible from the internet, and even our office intranet. Yes, we can wash out parts of a town downstream if we're not careful. The operators of such dams are licensed and they must be very careful about how the

neuromancer & ghost in the shell

[VoidEngineer]

Seems to me like we're heading towards some distinctly neuromantic and ghost-in-the-shellish conflict scenarios. Makes sense, considering all the recent technology advancements. Japan is busy at work making their first Mech prototypes, MIT is busy making invisibility cloaks, Van-Eck phreaking devices have been around for ages, and the Russia mafia seems to be busy writing custom viruses. The thing to remember is that a 'cyberwar' would *not* simply be conducted by script-kiddie hackers in their moms basements. Sure, you might have to deal with botnet DDOS attacks, but that's probably the least worrisome scenario. To use the Dam floodgate scenario, consider a sneakernet type attack, where a special-ops actually *applies for a job* at said energy company which runs said Dam floodgates, and moles their way past the firewalls, so they can install a custom one-time virus. Afterwords, they get a nice million dollar bounty from the sponsoring enemy state. That's the espionage scenario. There are others. Toss in some helicopters, invisibility cloaks, van-eck phreaking devices, and emp pulse generators, and you've got yourself an arguably new class of special-ops. You might say, 'yeah, US enemies aren't ever going to get helicopters and those kind of forces onto US soil, so the US only needs to concern itself with remote attacks.' Granted, the US still has a big advantage of being relatively isolated here in North America, but I'm not so convinced. We do have embassies, consulates, and business partnerns all over the world, and most all of them have VPN connections outside the US. Networks make distances less relevant, so we could simply be attacked at one of our embassies or consulates. But I digress. The idea that I'm trying to communicate here, is that a 'cyberwar' isn't necessarily all digital, just as a computer isn't all digital (keyboards and monitors are analog). As such, there will be a sneakernet and analog element to any such 'cyberwars', which will probably involve special-ops using the latest technology to tap into networks, nab passwords, and cover their tracks, *in conjunction* with the crackers doing the cracking. All nicely laid out in neuromancer and ghost-in-the-shell. The specifics differ, but the general concept is spot on in both works. At least in my opinion.

Re:

[JKConsult]

energy company which runs said Dam floodgates

Cursing doesn't help you get your point across.

Cyberattack Information Center

[podz]

I have put up a site a few months ago to start to track cyberattack related news, events, etc. I plan to build it out as I get more information, right now it's fairly basic. However, I hope that it will help someone who is looking for info. Cyber Attack Information Center [cyberattack.info] -- podz

Hacking the Media

[Divebus]

The Joker laughing out of every TV and Radio in Gotham city would be a powerful psychological win and a plausible goal for a determined enemy. What if part of a cyber war campaign was designed to replace Podcasts, Music streams, VOD Movie services, CNN Video or any internet delivered media with a message from our enemy? Could they commandeer Internet connected set-top boxes deployed by Cable providers and replace what we see and hear?

I was approached by some people recently who wanted to know exactly how someone could pull that off. By "some people", I mean someone who works with an unnamed National Security Agency of sorts. I shrugged it off at first, then thought of the potential impact. Eek. Does anyone in the media business even anticipate or have a strategy for combating such an attack?

No link to the Great Cyberwar of 2002 yet?

[ResidntGeek]

"The Great Cyberwar of 2002": http://www.wired.com/wired/archive/6.02/cyberwar.h tml [wired.com]

Always a good read.

This is way overblown

[PingXao]

Under cyberattack? Disconnect from the network at large. Is that too hard? If a system of national importance hasn't been designed to allow for operation while disconnected from the network, then that system needs to be redesigned.

Most of this cyberwar bullshit is just that: bullshit. It's a way for the Pentagon to funnel money to private interests without any meaningful oversight, since most of these programs are classified. They won't talk about it in public, so how is the public supposed to judge th

Enron

[mshurpik]

Wasn't Enron a cyberwar? According to the documentary "The Smartest Men in the Room," Enron employees shut down California power plants with direct phone calls, and monitored the price increase with their stockbroker software.

Mind yo businez

[ancientt]

That's right, because we all know that bullies only beat up other bullies. </sarcasm>>

I love that people assume that the US is a target because of it's actions. I wonder if these are the same people that assume that Microsoft gets hacked because it is an 'evil' company. Let me say it plainly: The US is a target because the US has a lot of money and influence. Microsoft is a target because they have a large number of users. There may be thousands of other reasons, but that is the real reason there is such a disparity in attacks against the two. I am not saying that MS shouldn't be a moral business or that the US shouldn't improve it's interactions in the world, I'm just saying that doing either one will not make a significant difference in the number of attacks.

Both have a need to do the same thing too, actually. They need to improve security and do it in such a way that it doesn't harm their base.

Re:

[ChameleonDave]

That's a bit of a weird straw-man you've set up there. Who thinks that Microsoft gets hacked (I presume you are referring to viruses and malware on Windows systems) because it's evil? The big debate is over whether Windows users are at risk because of their numbers (as you say) or because Windows security is fundamentally flawed. The fact that MS is evil is a separate issue.

You try to make some sort of weak analogy between this and hostility to the US. Your unexplained "money and influence" motivation

Re:Don't want to be attacked? It's SO simple reall

[Yetihehe]

And what if other country business is to take all your resources?

Re:

[vtcodger]

***Don't interfere in other countries' business and they won't have any reasons to attack you.***

Tain't entirely true. Ask the Poles.

Nonethelss, it'd be a very good start. Especially for people who have proved, on the whole, to be rather inept at meddling.

Re:

[Joebert]

People don't beat their kids for the better of the child, they beat their kids because they themselves are incapable of acting in a socially acceptable manor & beating the children allows the parent to vent the fustrations involved with being a failure in society as well as an incapable parent.

Don't beat your kids, better yourself & lead by example.
If the children don't follow your example, abandon them.

Corporal punishment useful ...

[AHumbleOpinion]

People don't beat their kids for the better of the child, ...

Wrong, most parents do not enjoy corporal punishment, they consider it a necessary evil.

... they beat their kids because they themselves are incapable of acting in a socially acceptable manor ...

Sorry, but you are confusing "socially acceptable" with the current fashion, a current social experiment, or more accurately engaging in a overreaction due to past excesses. The latter is very typical. Corporal punishment went too far, and was to

Re:

[Dogtanian]

Folks,if you catch your kid engaging in "hactivism" or using words like "politically correct"

Flamebait? Sure. But badly-constructed flamebait- the only people who use the expression "politically correct" are those attacking the concept.

In fact, I'd go so far as to say that "political correctness" only ever really existed as a convenient strawman caricature, useful for smearing anything remotely smacking of "liberal" or left wing views.

Sometimes a legitimate complaint: Racism.

[TerranFury]

Flamebait? Sure. But badly-constructed flamebait- the only people who use the expression "politically correct" are those attacking the concept.

Very true.

In fact, I'd go so far as to say that "political correctness" only ever really existed as a convenient strawman caricature, useful for smearing anything remotely smacking of "liberal" or left wing views.

Heh, I don't know: I'd always considered myself reasonably to the left, but... I was surprised to run into a bunch of socially-acceptable racial bigotry during college, and the only way I can think to characterize it, is as having been "ok" because it was "politically correct." And this is the real point of my post.

What am I talking about? People complaining, over and over, about "rich white kids;" they'd use sneering language like "bastion of white privilege," repeat racial slurs like W

Re:

[Dogtanian]

That's an interesting post; however, my point was that "political correctness" is a concept essentially created by those on the right and often applied as a useful strawman of left-wing thought.

For what it's worth though, the behaviour you describe sounds fairly par for the course in some universities. I'm not a massive fan of identity politics, and what you describe has been going on since the 1960s.

It was a little infuriating to hear her, of all people, call someone else spoiled.

I'm not familiar with the dynamic of your friendship, but personally I wouldn't bite my tongue for very l

Re:

[ardor]

The only way to prevent war is to prevent the existence of more than one opinion.
So, a hive mind would end the wars.
But would this be really better?

Re:

[echucker]

I'm sure Chairman Sheng-Ji Yang thinks it would be. And if you don't, a little nerve stapling might help.