CIA's Info Ops Team Hosts 3-Day Cyber Wargame 279
ScentCone writes "The CIA has booked some conference rooms and is working through a simulated 'digital Pearl Harbor' to see how government and industry handle a monster net attack from an imaginary future foe composed of anti-American and anti-globalization hackers. Having been accused of lacking imagination about potential terror attacks, they're using the exercise to better shape the government's roles in a variety of attack scenarios. The networking industry, it seems, is expected to always play a big part in detecting and thwarting such threats, as 9/11-scale economic disruption is a likely bad-guy objective."
Government computer security? (Score:4, Interesting)
Has any progress been made in the last few years on improving the state of government computer security?
sounds like fun (Score:3, Interesting)
Re:People don't die when networks crash (Score:2, Interesting)
Or, suppose that someone manages to sneak a virus inside a nuclear plant control system. Wait -- that actually already happened! Slammer worm crashed Ohio nuke plant network [securityfocus.com].
Help from private technology firms (Score:2, Interesting)
anti globalism = anti americanism? (Score:1, Interesting)
Re:Simulation Games are useless (Score:4, Interesting)
To some people money doesn't matter. Time and time again the military and intelligence communities attract hugely talented individuals because of the work environment. Dave Grossman talked about this in his book On Killing [amazon.com]. There is a small minority of people who are talented warlike mischeif makers who given the right environment, ethical and monetary backing can go a long way to louse up the enemies day. Bruce Schneier says the same thing in Secrets and Lies. Examples of this in history are myriad. Google topics like the Tunnel Rats in vietnam. The bad guy mentality in the right environment attracts these guys.
You don't have to have to be a "bad guy" but being/thinking so is what separates the best intelligence and military personnel from the average. Obviously, you still need a 'good' value system but the 'bad guy' psyche still is needed.
It's even written in the vast majority of intelligence literature out there that the best overall intelligence guys are borderline 'bad guys'. Examples are myriad:
The original detective Eugène François Vidocq [vidocq.org] was the founding father of criminal investigation. He was a notorious bad guy whose innovations bolstered police intelligence gathering.
Michael Levine [totse.com] who was one of the top undercover agents ever assigned to the Drug Enforcement Agency said in an interview that "The secret to my success was ..... A police lieutenant, with whom I worked many years later, looked at me, after I had done, in one day, something like four or five undercover buys from different groups -- from Hispanics, from Blacks, from Whites -- and he was covering me along with my group. He said: "You know what the thing is about you, Levine? You're a guy who should've gone bad. You should have been a gangster. You should have been in jail. But somehow you turned out right. And that's why you're so ..." [convincing]. And I thought about it, and I thought about my youth and about the way I grew up, and I realized that there was a lot of truth in what he said. I was FROM the streets. The streets were in me. There was a thin line between me and the guys who I was working against. And that line was so thin that drug dealers couldn't see it. Do you understand? The line that separated them from me as a suspected agent was so thin that drug dealers could NEVER believe that I was an agent. And that's an attitude .... that's something you can't teach."
The CIA Case officer Gust Avrakotos [amazon.com] who ran the covert operation arming the Mujahideen by proxy through Pakistan in the 1980's Afgan-Russian war was nicknamed 'Dr Dirty' by his CIA peers because he was such an aggressive rule-breaking intelligence operative who had an inherent 'bad guy' view of intelligence operations which helped him numerous times in executing deals inside and outside the CIA.
Ex US Army intelligence analyst Ralph Peters [amazon.com] Essay "The Black Art of Intelligence" speaks that the best intelligence analysts have a specific talent for the job and that talent is an underlying understanding of the dark side of humanity and this talent is born not made.
I could go on and on. Of course, you don't have to be a bad guy or empathise to be good at the job. In fact having an organisation filled with these guys would be counter-productive. But, like I stated, what separates the good from the brilliant is this 'bad guy' mentality.
"The best soldiers have a seasoning of devilry." General A.P. Wavell
Wrong branch? (Score:2, Interesting)
"Information Operations Center, which evaluates threats to U.S. computer systems from foreign governments"
, which is understandable, but the conventional notion of "terrorists" aren't "foreign governments". Does this mean we're expecting to go to cybercarpetbombing against France, the "anti-Americans"?
Re:Government computer security? (Score:1, Interesting)
The short answer is: no.
I have some experience with this. I can't get into any details, but if I could, the stories might curl your toes. I can say that there are people working hard to keep up, but that they are stymied by resistance to improvements, particularly in the area of doctrine, rules, regulations, approvals, waivers, and so on, and by the sheer volume of systems. Change is slow and hard for the military, and it is damn frustrating.
On a related note, the Air Force is heavily involved in informations systems warfare.
I hope my anon posting takes.
About time Some appreciates the Sweet Deal that is (Score:2, Interesting)
Let me tell you something, the military is a swank deal and everyone should stop crying wolf over a bogus issue. Let me break it down.
Okay, so starting off, military pay is kind of on the low side. However, its not low considering the great benefits, which render the salary pure gravy. Especially considering, you're getting free paid training. How many companies offer free paid training, with total benefits, to completely unskilled people? Not many. You get free housing, all you have to do is pay for optionals like cable TV and telephone calls. But even that is subsided by the BAH II, which chips in some dough, tax-free, to you, to pay for things, like toilet paper and paper towels. Hell, your initial work clothes are given to you free, everyone else in the real world has to pay out of pocket.
Replacement work clothes, aka BDUs, are paid for too. They give you a nice fat check to use to buy new clothing as you see fit.
These things, and many many others, are sold at a heavily discounted rate
Plus you get 30 days of paid vacation and 12 federal holidays off a year. That's 42 day or 12% of the year off. That's 3xs the average of two weeks a year in the civilian world. The military even provides free travel on Space Available Flights, for, at worse a nominal fee, and there are often on base accommodations for members at discount. In addition to paid vacation time, you also receive unlimited paid sick leave. Plus there is no risk of being fired for using these benefits as very few soldiers are fired during their period of guaranteed employment. How many companies offer their wage slaves guaranteed employment? Again not many. This is because the military does not outsource its jobs overseas, rarely does it cut down on its numbers, and never does it fire anyway for anything less than gross incompetence or criminality. In many cases, criminal conduct is swept under the rung with a slap on the wrist thanks to Article 15s.
As you mature,get older, and serve longer guess what? The deal gets even sweeter. You only have to serve twenty years and guess what? You get a free retirement for life, a giant, never ending 401k you didn't have to pay into. Its free money and you can start receiving, depending on the age of enlistment at 37. The VA begins to provide you with low cost healthcare upon retirement as well. You get the MGIB, which will pay for any college expense you may have left over. This should not be too much of a problem given the military already pays 100% of all college tuition of all people on active duty. If you went to college before enlistment, the military has programs, for student loan repayment. Soldiers who retired or leave after one enlistment get access to numerous other benefits like low cost VA housing lows, job training, and preferential hiring for government jobs, no matter how unqualified or incompetent they are, allowing them to beat out superior applicants.
In addition, over those twenty years of service, you get multiple, guaranteed pay raises. You get more money for marrying and for each dependent you have, meaning the military pays you to fuck and have kids.
So to brake it down: The military deal includes
Free College
Free Housing
Free Health/Mental/Dental/Vision care (often for life)
Free Retirement
Free Paid Training
Paid Vacation
Unlimited Paid Sick Leave
Guaranteed Raises
Job Programs
Subsided Shopping/ Transportation/ Entertainment
Security Clearance
(taken from http://www.kuro5hin.org/comments/2005/5/23/15739/
Re:Comparison in slightly bad taste... (Score:3, Interesting)
I don't think they are comparing the 9/11 attacks themselves to a crack-fest, they are compairing the resulting economic disruption to something that could be done through a coordinated cracking session. I'm not wholly convinced that economic disruption of such large proportions can be coordinated through cracking though.
Don't use Windows, use OS's designed with security in mind.
I'd agree with this - certainly for mission-critical systems anyway. However, *all* OSes must be kept patched and up to date - a 4 year old Linux distribution is probably just as vulnerable as a 4 year old Windows release, it's only when you keep them patched up to date that Linux gets significantly more secure than Windows.
For workstations, Windows is sometimes a necessary evil but I think in most cases you *can* ditch Windows in favor of a better OS (Linux or consider OS X if Linux won't run the software you need).
Use SELinux or equivalent on mission critical nodes.
SELinux is still far from perfect on current distributions - certainly under Fedora Core 3 the supplied policies are too restrictive in a number of cases (Apache can't do a lot of stuff you want it to do, etc.). Whilest you _could_ rewrite the SELinux policies, you probably need a brain the size of a planet.
And secondly, educate the users and gain a culture of safety.
This is probably _the_ most important point. No matter how much you secure the software, the users are always a weak point. For the servers this isn't a big deal coz anyone who can log into them has (hopefully) got a clue. But you don't need to compromise the servers to cause disruption - once a single workstation has been compromised (maybe the user wanted to look at the cool new screensaver someone mailed them, whcih turned out to be a trojan) then your network is unsafe - your firewall won't do you much good now.
Re:Comparison in slightly bad taste... (Score:5, Interesting)
Hell, god forbid
While you do make a good point in that we associate emotions with events, I would find a news story that lasted 10 minutes to be probably 8 or 9 minutes of filler or opinion. The media has a hard enough time keeping bias out of the news with 30 seconds a clip, how much do you imagine there will be if we ask them to fill up 10 minutes? The purpose of a news article is to inform people of what is happening in the world, not to impart some deep understanding to everyone who watches it.
The truth does not matter. Everything can be spinned and made into an emotional issue. Everything can be rationalized.
The truth as defined by whom? There are 3 versions of every memory and story. 1st we have your side and how you remember it happening - this is the truth to you. Next we have my side and how I remember it happening - this is the truth to me. Next we have what really happened, but since no one is see it for what it really is it may as well not even exist. Remember, nothing ever happens exactly the way you remember it.
and even then that is not enough time to capture everything needed to understand a topic
While some places do a really good job of presenting ideas and concepts (PBS, Nova, Etc) 0 if you want to really understand a topic, don't rely on TV at all, or for that matter
Hope you'll take what I said here as some constuctive feedback on posting and not much else
Re:Comparison in slightly bad taste... (Score:2, Interesting)
"Fantastically improbable" is the key phase there.
The ATC system, at least in the US, is comprised of some pretty old and pretty obscure equipment.
Not only would you have to take out the terminal area radars but you would also need to get the radio systems of both the pilots and the controllers. And don't forget that commercial airliners have radar and onboard aircraft avoidance systems of their own.
Add to that a regional result could probably only ever be achieved since it's quite easy for pilots to fly by looking out their window for problems.
In other words, the massive nationwide outtage could only occur on the improbable day where everywhere in the US has bad weather.
As much as people would like to think ATC is automated, when it is looked at in even a cursory fashion you quickly realize that the whole system is a lot closer to the "Airport" disaster movies (kinda scary huh?) than a perfectly choreagraphed system.
Re:Comparison in slightly bad taste... (Score:2, Interesting)
Re:Comparison in slightly bad taste... (Score:3, Interesting)
Total loss of power for a sustained time can cause loss of life, not to mention huge financial consequences. That 'non-critical' care you say might be inconvienienced might be someones organ transplant or chem therapy.
Re:Comparison in slightly bad taste... (Score:2, Interesting)
What about hacking into the radar system at airports? (circa Die Hard 2). Seems to me that you could kill a few thousand people if you managed a major hack into all the airports in the US at once. How many planes are landing at this exact instant? Seems like it could be slightly more than an inconvenience.