Should the US Go Offensive In Cyberwarfare?
The NYTimes has a piece analyzing the policy discussions in the US around the question of what should be the proper stance towards offensive cyberwarfare. This is a question that the Bush administration wrestled with, before deciding that the outgoing president didn't have the political capital left to grapple with it. The article notes two instances in which President Bush approved the use of offensive cyberattacks; but these were exceptions, and the formation of a general policy was left to the Obama administration. "Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare. Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system, or its banking system?"
Abso-freakin'-lutely! (Score:5, Interesting)
Starting in 2002 we gave away our dominance in software technology to other nations. The policy of China was to subsidize tens of thousands of students studying in the computer sciences. In 2002 American companies subsidized this policy of China by shipping over American jobs so that Chinese students could gain the necessary and hard to obtain experience of working on real systems. American programming jobs were shipped to India, China, and Russia and subsidized these nations in their ability to build expertise in software technology.
Now very few American students are enrolled in the computer sciences departments of America to provide the expertise necessary for threats to American computer systems, while other nations have tens of thousands that can obtain all of the benefits of software technology. American students will not enroll in the computer sciences when the policy of America is simply to ship programming jobs overseas. Now many American systems are dependent upon offshore foreign programmers. There have already been incidents where offshore foreign workers were bribed to provide account information on bank customers.
The reality is that major American systems may have already been compromised by bribes to offshore foreign workers to insert malicious code into the American systems where they have direct access. Hollywood movies show complex schemes and supposedly sophisticated attacks to access computer systems when the reality is that you can simply walk in the front door with a bribe and have complete access. It is meaningless to protect these systems from attacks over the internet when they may already have been seriously compromised.
=Smidge=
disconnected (Score:2, Interesting)
Re:what the US should do (Score:3, Interesting)
If the "owner" or "user" of the computer is tricked, bribed or forced to install such malware, what computer is there that will protect itself?
Sorry, but if you have untrained and inexperienced people doing administration on computers, you are going to have problems. No matter what the computer operating system is, if the "administrator" installs malware on it and follows whatever procedures are required to install the software, it is compromised. Period.
Linux, MVS, VM, Windows, Solaris, OS X, whatever. It doesn't matter. The only thing that has any chance of helping is to get the administration power out of the hands of inexperienced and untrained people. Give them "appliances" that cannot be subverted because nothing can be installed on them.
When was the last time you had to update the anti-virus software on an iPod? How about having to reboot your refrigerator because it locked up?
If all people need is web browsing and email, they need something that will do that and nothing else. No possibility of viruses, worms, trojans or whatever else. Just something that gets the job done without the possibility of anything bad happening.
Internet geography != world geography (Score:4, Interesting)
Even if there could be attacks launched from other countries' government internet addresses, how do you separate a government willing to carry out that attack from some individuals there just testing the waters without authorization?
What is worse, what were the biggest internet attacks till today in general? From the Morris worm to Conficker, passing through all the spam in the middle, all were done by individuals and groups not related to government. There was the cyberattack on Estonia (?) some years ago, which was done more by individuals than by a government.
With nuclear bombs at least you have them enclosed in silos, military security, isolated. You need a small army to try to get one if not get disabled before. But a clever kid could take your entire botnet for his own benefit (from turning it on you to launching a big attack in your name) from the safety of his home.
But I have to agree that the 1st cyberattack from America was a big success. Crippled most of the computers of the world, caused lots of damage to other countries and is still active doing its work. But still, you can't say for sure if it was launched by the government or Microsoft Corporation.
Re:what the US should do (Score:3, Interesting)
If the "owner" or "user" of the computer is tricked, bribed or forced to install such malware, what computer is there that will protect itself?
Sorry, but if you have untrained and inexperienced people doing administration on computers, you are going to have problems. No matter what the computer operating system is, if the "administrator" installs malware on it and follows whatever procedures are required to install the software, it is compromised. Period.
Linux, MVS, VM, Windows, Solaris, OS X, whatever. It doesn't matter. The only thing that has any chance of helping is to get the administration power out of the hands of inexperienced and untrained people. Give them "appliances" that cannot be subverted because nothing can be installed on them.
When was the last time you had to update the anti-virus software on an iPod? How about having to reboot your refrigerator because it locked up?
If all people need is web browsing and email, they need something that will do that and nothing else. No possibility of viruses, worms, trojans or whatever else. Just something that gets the job done without the possibility of anything bad happening.
I agree with most of your reply, but your analogies seem a little flawed. My refrigerator doesn't call my friend's refrigerator in Sweden and show pictures of his latest backpacking adventure, nor does my iPod go on msn so (s)he can talk with his/her girlfriend on the web cam. I have already stopped crossing the street to avoid getting hit by a car, I change my underwear on a daily basis *just in case* it does happen and the paramedics have to take my clothes off, and I also have recently begun not even talking to or going near anyone who has ever been to, or flown over, Mexico. Who knows who has the swine flu that is going around. Why do you even have a fridge? You don't *need* one. All you really have to do is buy non-perishable items. There are hundreds of things people don't *need* but will continue to use anyway. Telling them they shouldn't have it doesn't fix the problem at all. People *are* going to keep using all the thousands upon thousands of features their computers have, and they *aren't* going to get any smarter about it. That's just reality. And *forced* to download malware? When was the last time you heard of a cyber thug holding a gun to someone's head, demanding they install their program, or else!?
*Aimed* is the crucial word. (Score:5, Interesting)
Israel's policy, which America supports, is that firing a missile into a block of flats full of civilians is okay, if they think a terrorist is in the building. The attack is not aimed at the civilians, they just happen to be there. I'm sure the same mindset would apply in this case.
Re:what the US should do (Score:0, Interesting)
What the US should do is disconnect all the countries that are attack vectors; as a type of sanction to force said countries' governments to deal with their cyber-criminals internally.
There, fixed that for you.
Re:Abso-freakin'-lutely! (Score:4, Interesting)
And there is the problem: who really thinks this?
The fact is that GATT and NAFTA had, and have, very little to do with "free" or "fair" trade. Subsidies and trade barriers remain on both sides of all borders, and in the main, they were giveaways of many trade advantages that the U.S. naturally enjoyed, to the eventual detriment of U.S. citizens and businesses.
However, your statement that the U.S. cannot compete is simply false. BEFORE these "trade giveaways", we competed just fine. Isn't it amazing that we have had trouble since?
Further, the "cheap" labor markets have also, over time, gained a well-deserved reputation for sub-standard products, whether those products are toys or software. That is not to say that there are not competent programmers and producers elsewhere. Of course there are. But I am referring to trends and averages. Further, "cheap" labor and production has led to environmental degradation that would not be tolerated within the U.S. So these multinational and outsourcing corporations are responsible for harming their cheap laborers even as they improve their income.
Globalization of the economy (as opposed to plain trade) is a bad, bad, disastrous idea. Diversity is essential for the survival of organisms, and that is a valid analogy to economies and cultures as well. Nationalism will not (had better not) be broken down, because if it is, woe to the people of Earth.
Re:Abso-freakin'-lutely! (Score:5, Interesting)
Yes, the jobs are right there in the careers section of the web site and as long as tech companies want to claim there's a shortage of qualified candidates, they'll remain there unfilled.
Richard Clarke's stance (Score:2, Interesting)
That's intelligence gathering (Score:3, Interesting)
Which, like it or not, is treated very differently. There is a tacit agreement among nations that spying isn't a cause for war. Many nations try to spy on each other and while the spies themselves have little to no protections, the spying itself doesn't result in major stir ups. Remember that not long ago Aldrich Ames, a CIA counter-intelligence officer, was convicted of spying for the Russians. While he went to prison for it, the US certainly didn't go to war with Russia, or for that matter even get mad and impose sanctions or the like. Heck for that matter Russia has even refused to release the identity of the bank account that has $2 million of money for Ames because they argue he rightfully earned it and it shouldn't be subject to seizure by the US.
It is just accepted as part of the game. Intelligence gathering is something all nations try to stop when it is against them, but they don't go and start wars over it. So if you want to start a cyber war with the US over their intelligence gathering, well then you might not like the result as that is a major change in the rules.
Re:what the US should do (Score:3, Interesting)
But other people don't suffer at the hands of your ability to operate a refrigerator and if they did (you cook them a meal) you are liable for food poisoning. A computer should be no different, users need to be held accountable for the damage their stupidity causes.
Ok I'll throw in a free car analogy.
If you don't know how to drive a car, yet you choose to anyway you are held liable if you crash, even though you didn't know what you were doing you would still be charged. Same goes for any other bit of machinery, try using a crane without a license and see who faces the lawsuit when you wreck something.
Yes, computers should be JUST applications limited to the user's needs and if an unqualified person wishes to operate a computer further they should be liable for the damage it does.
Re:putting vital systems on the Internet (Score:2, Interesting)
Re:Huh? (Score:5, Interesting)
We did ALOT! (sic)
WHO gave "craploads" to teachers unions? Those vastly overpaid teachers? Or are you claiming some secret back door from the government because THAT would be worth a laugh. The people we do know got a crap load of money were the banks, investment companies, etc., who have spent the last 20 years sending their back office operations, research departments, telemarketing and customer service offshore.
You scream about letting the market work but when it does, you don't like it. You complain about taxes, pay the teachers dirt and wonder why you didn't get wonderful results. Oh, wait! You have "studies" showing that increased school budgets don't bring better results. Amazing, just amazing how that argument is never used against CEOs and investment bankers. Boo hoo, if we don't pay them enough the best and brightest will run off to Dubai!
You blame some poor schnook doing their best for 35k/yr because they can't compensate for the sins of parents who pass on to their kids the attitude that the "piece of paper" is the only important thing. Or a society that wholly devalues and is embarrassed by academic achievement. Or the array of iPods, text messaging, Facebook, and other trivialities that mommy and daddy buy for their precious offspring and allow them to use without consequence.
You set up and continue a dysfunctional system of local schools supported largely by community property taxes so that the difference between going to a public high school in Bethesda, MD and Washington, DC is comparable to going to school at Choate Academy and a village in Angola. And then you bemoan 50% drop out rates and that 2/3rds of school children can't find their state on a map.
Yeah, blame it on the teachers unions. That's really where the problem is.
We passed onerous environmental and labor laws encouraging companies to abandon the US.
Right those nasty workers and their unions again. Imagine them wanting to work in places with basic safety measures and living in communities that aren't poisoned by their employers. Because, oddly enough, it NEVER seems to be the CEO's house that sits atop the toxic waste dump.
We have strong unions getting massive benefits at the cost of the consumer and the citizen.
Oh Lordy, do I EVER know what you mean! Who would have thought that 7% of the private sector that belongs to unions could cause SUCH problems. My god, they show up in doctor's offices now! You just can't get reservations at Spago anymore. And skiing at Vail, well don't get me started!
Re:Offensive? (Score:3, Interesting)
What does the NSA do, exactly? Yeah, they intercept international communications and develop systems to do this, but is that really all they do... really?
Hmm... Now that you mention it, I'm surprised I've not heard more conspiracy theories that the NSA is behind Conficker (or other worms, but Conficker seems the best bet since it's really well-designed and hasn't yet revealed its purpose) and that the government tends toward pro-Microsoft legislation so that there are more vulnerable, poorly-secured computers throughout the country/world for them to use to their advantage.
I'm not saying it's true, I'm just thinking that the NSA is doing a damn good job since no one has even thought to blame them yet.
Re:Offensive? (Score:3, Interesting)
1. What makes you think they don't already have a backdoor into every copy of Windows shipped?
2. Maybe Microsoft is really just a patsy in this whole affair, and the government just fosters their monopoly so they'll continue churning out shitty, security-hole-ridden software. I mean, it can't be good to have incredibly rich, influential civilians in on this level of conspiracy, so maybe the NSA doesn't deal with them directly at all...
Well, that's enough for my daily dose of paranoia. To bed!
Re:Offensive? (Score:3, Interesting)
I'm also fairly sure the NSA puts a decent amount of research into quantum computing, which can fairly easily break any encryption scheme in use today, if you line up enough qubits for enough time.
farm it out to the ultranationalist partisans (Score:4, Interesting)
that's what russia and china do
there is no need to encourage them, merely track them and get out of the way of any of their initiatives. and when the shit hits the fan and another government complains, the government can play dumb: it really wasn't their doing, there's no financing or chain of command. the only crime is one of omission: watching someone do something wrong and not stopping them. the nationalist partisans steer clear of their own nation's computers out of fealty (perhaps protecting them too), they obediently report to the government any stupendous finds (nuclear plant blueprints, warfare plans, etc.) simply for the renown, and in times of great duress, are predisposed to fall under the umbrella of government control. all at the same time, they are completely free of cost, and of the highest technical proficiency and motivation. their motivation is simply passion
this is already happening, for years. before 9/11 there was the hainan island incident:
http://en.wikipedia.org/wiki/Hainan_Island_incident [wikipedia.org]
this spy plane bump and crash brought american partisans and chinese partisans at full war online. how do i know this? because one of my windows boxen in new york at the time got hacked. its front page was replaced with the chinese flag and the text "fuck poisonbox! hacked by chinese". i traced the attacking ip to a technical college near beijing. who is poisonbox? i researched it: he was an american partisan hacker(s) laying waste to various chinese servers at the time
i found an article about the proceedings still online from that era:
http://attrition.org/security/commentary/cn-us-war.html [attrition.org]
there is no debate here, it's already happening, done by partisan hackers, in loose affiliation with their governments and the government's turning a blind eye to the hijinks
someone out there, perhaps reading this comment, has the makings of a great book or movie, with years of hardcore cyberwarfare already under their belt. they could be in any number of countries where ultranationalism rages (turkey, greece, israel, pakistan, india, etc.)
Re:what the US should do (Score:5, Interesting)
The only issue here is: should the OS trust the sysadmin?
No. The OS should only trust the combination of a verified sysadmin and a verified program.
That is what is sorely lacking in the security models coming from the mainframe era. It is based only on the level of trust of the user, but completely ignores the programs that the user runs.
Remember the story about the trojan horse. The problem wasn't that the people who pulled the horse into the city weren't trusted, because they were. The problem was that they didn't adequately guard/check the horse which was an untrusted object.
Computer security needs to make it easier for those who want to use the computer to run programs but also want to be security minded. And that means increasing the ability to set access rights of programs.
I should be able to do stuff like give any executable in the "notsotrusted" directory no internet access, as well as read only access to the documents folder, except for documents accessed via the operating system file dialog. And these access rights should work together with user access rights, so you would need both to be allowed access.
Of course, that is mostly me dreaming, because I don't think I'll see it in a very long time if ever. In the meanwhile I'll just keep using Sandboxie or other sandbox programs to keep the least trusted programs separated from the rest. It does work pretty well, but the lack of integration with the operating system is noticeable.
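
The access model sketched in the comment above, written out as an added example that is not part of the original thread: a request is allowed only when both the user's rights and the program's rights permit it, and a file picked in an OS-owned file dialog counts as a per-file grant to the program. All paths, user names and rule tables are constructed for illustration, and path handling is purely lexical (no symlink resolution).

```python
import posixpath
from dataclasses import dataclass, field
from pathlib import PurePosixPath

def _norm(p):
    # Collapse ".." and "." so a path cannot escape a directory rule.
    return PurePosixPath(posixpath.normpath(str(p)))

DOCS = _norm("/home/alice/Documents")  # hypothetical documents folder

# Program rights, keyed by the directory the executable lives in (constructed).
PROGRAM_RULES = {
    _norm("/opt/notsotrusted"): {"network": False, "files": {DOCS: {"read"}}},
    _norm("/usr/bin"): {"network": True, "files": {DOCS: {"read", "write"}}},
}
DENY_ALL = {"network": False, "files": {}}

# User rights (constructed): alice owns her documents, guest has nothing.
USER_RULES = {"alice": {DOCS: {"read", "write"}}, "guest": {}}

def _under(path, root):
    return path == root or root in path.parents

def _rights(table, path):
    """Union of the rights of every directory rule that contains path."""
    granted = set()
    for root, rights in table.items():
        if _under(path, root):
            granted |= rights
    return granted

def program_rule(exe):
    exe = _norm(exe)
    for root, rule in PROGRAM_RULES.items():
        if _under(exe, root):
            return rule
    return DENY_ALL  # executable in an unknown location: default deny

@dataclass
class Session:
    user: str
    exe: str
    dialog_grants: set = field(default_factory=set)

    def pick_in_file_dialog(self, path):
        """Called by the OS-owned dialog, never by the program itself."""
        self.dialog_grants.add(_norm(path))

    def may_access(self, path, right):
        path = _norm(path)
        user_ok = right in _rights(USER_RULES.get(self.user, {}), path)
        prog_ok = (right in _rights(program_rule(self.exe)["files"], path)
                   or path in self.dialog_grants)
        return user_ok and prog_ok  # both the user and the program must allow

    def may_connect(self):
        return program_rule(self.exe)["network"]
```

The dialog grant widens only the program side of the check, so it never gives a program more than the user running it already has.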