U.S. Defense Secretary Warns of a Possible 'Cyber-Pearl Harbor'
SpzToid writes "U.S. Secretary of Defense Leon E. Panetta has warned that the country is 'facing the possibility of a "cyber-Pearl Harbor" and [is] increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government.' Countries such as Iran, China, and Russia are claimed to be motivated to conduct such attacks (though in at least Iran's case, it could be retaliation). Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress. I think the following message from Richard Bejtlich is more wise and current: 'We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.' Times do change, even in the technology sector. Currently Congress is preoccupied with the failure of U.S. security threats in Benghazi, while maybe Leon isn't getting the press his recent message deserves?"
translation (Score:4, Insightful)
Halliburton now has a kompootar division that needs money.
Another Translation: (Score:5, Interesting)
That's a guess, but it seems a likely guess given the fact that technically knowledgeable people use different language and recommend examination of code for security problems and sloppiness.
Some of those who want government corruption want continuous war because government "defense" contracts provide easy profits, and it is easy to keep corruption secret.
If they get easy money, the corrupters don't care who is killed, what lives and property are destroyed, or how much money is wasted. For example, the book Funding the Enemy: How U.S. Taxpayers Bankroll the Taliban [amazon.com] provides a huge amount of detail about a small part of the corruption.
Divide the cost to the U.S. taxpayer of just the war in Afghanistan ($574,624,781,538) [costofwar.com] by the population of Afghanistan (35,320,445) [google.com]. The U.S. taxpayer has already paid 16,268 hard-earned dollars for every man, woman, and child in Afghanistan. The results: Mostly, things are worse.
If those who want corruption can't get the taxpayers to pay for killing other people, they want "cyber war". See, for example, Obama Order Sped Up Wave of Cyberattacks Against Iran [slashdot.org].
The U.S. government has invaded or bombed 27 countries since the end of the 2nd world war.
Constant war makes us poor.
Re:Another Translation: (Score:5, Informative)
The U.S. taxpayer has already paid 16,268 hard-earned dollars for every man, woman, and child in Afghanistan.
I am not an anthropologist, but I heard about Afghanis from a friend who used to visit up until the Soviets gave him the boot. From what I heard, we could have bought the love of everyone in the country for much, much less.
Probably should have handed out AK47s and a fat purse to every man/woman/child about 18 December 2001, declared the country free, and come home.
U.S. taxpayers paid 61 years income (Score:2)
After bribes are paid, the income is $265. But that is misleading, because people who take the bribes are included in the overall average. So the average income for those who don't get bribes is apparently much less than $265.
Using $265 as the figure, U.S. taxpayers paid the equivalent of 61 y
you mean they could have spent less money spying.. (Score:5, Insightful)
Instead of this crazy cloak and dagger shit, they could have invested in systems that were secure by default, and well coded, that would resist cyber assault. In fact, with the money spent, I'm sure they could simply have paid many, many, many programmers to do nothing but check and re-double check code, fuzz, and re-fuzz a bunch of apps until cyber break-ins were not feasible.
I am sure they could have done the same with all routers, and in the case of a massive foreign DDoS, simply firewalled it.
Re:you mean they could have spent less money spyin (Score:4, Interesting)
> There is more likelihood of a million monkeys randomly typing for a million years to
> create one of Shakespeare's plays than for creating a truly secure OS in the manner
> described. And even coming close could not be done before whatever product is
> completely, totally irrelevant from obsolescence.
The first question in many security cases is "WTF was the idea behind connecting it to the internet?" Many SCADA systems are controlled by Windows computers which are often net connected. Disconnect the system from the net (wired and wireless), and turn off autorun/autoplay on the machines, disable USB port access for all but authorized personnel. It may not be perfect, but it'll be a lot better than today.
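The autorun and USB-storage parts of that advice, as an added PowerShell example for a Windows host that fronts a control system (not code from the commenter); the registry paths are the standard Windows policy locations, and the wireless-adapter filter assumes Windows 8 / Server 2012 or later and a host with no legitimate Wi-Fi use.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original comment: lock down AutoRun/AutoPlay and USB
# mass storage on a Windows host that drives SCADA equipment, then read the settings
# back so the change can be verified. Assumes Windows 8 / Server 2012 or later.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-ControlHostMediaHardening {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    # 0xFF sets every drive-type bit, so AutoRun is off for removable, fixed,
    # network and optical drives alike.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
    # Ignore autorun.inf completely rather than merely suppressing the prompt.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -Type DWord -Value 1

    # Start = 4 marks the USB mass-storage driver as disabled; sticks already
    # mounted are released on the next reboot. An administrator re-enables access
    # for authorised staff by setting Start back to 3 on that host only.
    Set-ItemProperty -Path $usbStorService -Name 'Start' -Type DWord -Value 4

    # Wireless adapters are switched off outright (assumption: the host has no
    # legitimate Wi-Fi use). Wired isolation is a cabling decision, so it is only
    # reported by the check below rather than forced here.
    Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -like '*802.11*' -and $_.Status -eq 'Up' } |
        Disable-NetAdapter -Confirm:$false
}

function Test-ControlHostMediaHardening {
    $policy  = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    $usbStor = Get-ItemProperty -Path $usbStorService -ErrorAction SilentlyContinue
    $wifiUp  = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
                 Where-Object { $_.PhysicalMediaType -like '*802.11*' -and $_.Status -eq 'Up' })
    $wiredUp = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
                 Where-Object { $_.PhysicalMediaType -notlike '*802.11*' -and $_.Status -eq 'Up' })

    [pscustomobject]@{
        AutoRunDisabledAllDrives = ($policy.NoDriveTypeAutoRun -eq 0xFF)
        AutorunInfIgnored        = ($policy.NoAutorun -eq 1)
        UsbStorageDisabled       = ($usbStor.Start -eq 4)
        WirelessAdaptersUp       = $wifiUp.Count
        WiredAdaptersUp          = $wiredUp.Count   # expected 0 for an air-gapped host
    }
}

Set-ControlHostMediaHardening
Test-ControlHostMediaHardening | Format-List
```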
What a shocking declaration! (Score:5, Funny)
Bring on the onslaught of Jihadist Erectile Dysfunction Spam!
Re:What a shocking declaration! (Score:5, Funny)
Yeah, erectile dysfunction is especially bad for jihadists. Imagine you get your 72 virgins, and then you can't get it up.
Re:What a shocking declaration! (Score:5, Funny)
Re: (Score:2)
I thought the Muslim version of hell was that they get their 72 virgins...and they're all ugly overweight male otaku.
Re: (Score:2)
"Imagine you get your 72 virgins, and then you can't get it up."
They might be MALE virgins, and you won't need to get yours up.
Re:What a shocking declaration! (Score:4, Funny)
FTFY
Re: (Score:2)
They ARE male virgins.
Do some research into Islamic culture.
Re: (Score:2)
Good point. When we deployed to KSA years ago and visited Bahrain, the Bahrainis kept coming on to our young male Airmen and offered to pay for some butt.
Our suggestions that he "take one for the beer fund" didn't go over well!
I believe you mean ..... (Score:2)
Re:What a shocking declaration! (Score:5, Insightful)
I've been reading these overblown scare stories with regularity since I've been reading /. ... it just means it's budget allocation time again for the 'cybersecurity divisions' and these types of reports are just a way of trying to justify oversized budgets for ever-larger 'departments' to push paper around while pretending to protect you from something.
Easy solution (Score:5, Funny)
They just have to make all U.S. routers drop packets with the Evil bit set. Problem solved.
Re: (Score:2)
That would get in the way of government and corporate operations. I don't see it happening.
And just how easy can this be .... (Score:2)
... fabricated by the same people making the claim?
Re: (Score:3, Insightful)
Re: (Score:3)
Biology question: how do I throw a zinger about "consporacy theories" at a biologist?
Ahhh, you're not trying hard enough. One word: Anthrax!
You don't even need the real thing. A bit of flour in an envelope stuffed into random screen door mail slots in residential neighbourhoods overnight, and you can shut an entire city down for days, maybe weeks. You can even bribe homeless winos with a bottle to do it early in the morning (tell them it's a promotional campaign for a contest and give 'em a cheap bottle of ripple to do it).
Worked on Congress.
Re: (Score:2)
Consporacy theories? Sorry, I don't know much about fungi.
I've heard a few good ideas about the evolution of creationism, but none of the resultant jokes were designed very intelligently.
Well, that explains it (Score:5, Interesting)
I could never understand why America doesn't improve its cybersecurity, but if the plan is the same as with Pearl Harbor that would explain it. The US leaves their systems open and lures China to attack them to get a convincing casus belli for their counterattack, just like they did in WW2.
Re: (Score:2)
Re: (Score:2)
Re:Well, that explains it (Score:5, Informative)
lol you think the US 'lured' Japan into attacking Hawaii? Seriously?
Hrm, the gp said 'lured'. The oil embargo created the conditions where Japan wanted to seize the oil fields of the Dutch East Indies. Roosevelt said this himself. Then he moved the only fleet that could stop them from San Diego to Honolulu. They had radio intel on Japanese movements and kept some of that info from the Navy by Presidential order. (see some good comments here [amazon.com] or buy the books)
Roosevelt wanted war and had big trouble selling it (both matters of fact) and these conditions got him an attack which got him what he wanted.
But that doesn't mean the Japanese had to maintain their empire or that the People had to accept a Japanese attack on Hawaii as a reason to go to war in Europe. Plenty of blame to spread around, but one can't cast Roosevelt as completely surprised or ignorant of the conditions in the region.
Re: (Score:2)
Re: (Score:2)
The fly in the ointment was the Japs using shallow-running aerial torpedoes and causing too much damage.
The US public didn't have to accept Pearl as reason for war in Europe.
Hitler promptly declared war on the US due to treaty with Japan.
Re: (Score:2)
lol you think the US 'lured' Japan into attacking Hawaii? Seriously?
"Let's line up all the planes on the ground close right beside each other, uh, to deter saboteurs and looters, yeah."
Meanwhile, strangle Japan's oil supply and bitch, bitch, bitch about what they're doing to the poor Chinese.
Yeah, utterly implausible. I wonder why the carriers weren't in Pearl that day. Oh, and Midway, that was just pure great work and execution on the US' part. Uh huh.
Re: (Score:2)
Re: (Score:2)
No, he just saw it coming and made sure that it was successful enough to galvanise the rest of the country into action.
Re: (Score:2)
Re: (Score:2)
Just trolling =) There's a line of thinking that says that the US sentiment was very much against war at the time but that the president would ignore this or attempt to manipulate the public, and would need a decisive attack from which no retaliation could be given until the US war effort was well under way. It's fairly well explained here [straightdope.com] that this isn't really true, US polls showed that the people were happy to go to war with Japan and Germany, so I don't really think the motive the conspirators are claim
Re: (Score:2)
There's a line of thinking that says that the US sentiment [etc]
A lot of those people apparently are here commenting in this thread.....
Re: (Score:2)
From that link, it comments that a lot of it may have been influenced by Nixon's decisions. I'd like to add that it was probably furthered by GWB with his WMD wild goose chase in Iraq... these people fail to realise that there was once a time when the US/UK was actually threatened by countries which did real harm to more than a couple buildings...
Re: (Score:2)
Re: (Score:2)
So what, you think Roosevelt ordered the Japanese attack?
It didn't have to be FDR. Spooks in the back rooms come up with !@#$ like this all the time. FDR was trying to drag the US out of the Depression and had been trying to figure out how to get the US into WWII for close to a year. The spooks just came up with a way for that to happen. Condolences to the navy.
Re: (Score:2)
Re: (Score:2)
So you think the 'spooks' ordered Japan to attack?
All I'm saying is, after all the things I've read recently now that some of that stuff's becoming declassified and starting to hit historians' desks, I wouldn't put it past them. Dieppe? William Stevenson (Intrepid) attempting a snatch and grab of the Nazi four rotor Enigma machine and code books. J. Edgar Hoover? Cross dresser. Hell, FDR's polio crippling was a closely guarded secret back then. Read some Vasili Mitrokhin (KGB's historian) for some really stunning stuff.
FDR, et al, maneuvering Japan i
Re: (Score:2)
Re: (Score:2)
ok, you're dumb.
Fine. Carry on. Blissfully.
Re: (Score:2)
Come on, I was just trying to make a joke here. Of course I don't seriously think that the US wants a war with China, they both depend on each other. Unfortunately, Slashdot has a terrible sense of humour, I should start to use smileys :-(
As for Pearl Harbor, it's a fact that the American elite wanted a war, but the general population was unconvinced. Tensions with Japan were rising, and the US stopped their oil exports putting Japan in a position where they couldn't continue their war on China unless they
Re: (Score:2)
Re: (Score:2)
As someone who has had a handful of contracts by government agencies, I can tell you the problem... Visual Basic. I'm up to VB6 for most projects, but I still have one that "requires" Visual Basic 3, because all of the workstations are antiquated Windows 3.11 (for workgroups!) machines that never get replaced. When one finally dies, it gets removed/destroyed and you have one less workstation for everyone to work with. Quite frankly, I a
Why Is the Power Grid on the Internet? (Score:5, Insightful)
Re: (Score:2)
Wasn't Stuxnet installed locally via USB?
Re: (Score:2)
Yeah, because smashing a centrifuge is so less likely to be detected than planting ma
Re: (Score:2)
In the sense that you are implying, it's not ... don't worry, calm down, sleep peacefully, the 'nation's power grid' is in no way going to be brought down by hackers. This is called 'fearmongering'.
Not scared (Score:2)
What's the chance of a person in the U.S. being killed or harmed by any sort of terrorist attack? I don't remember exactly, but I know I'm far more likely to die or get hurt every time I hop into my car, so I hope Uncle Sam will forgive me for not jumping up and shitting my pants in fear this very second.
Re: (Score:2)
Precedence... (Score:3)
Given that the US is the main protagonist in this field they should be careful what precedent they set...
Re: (Score:2)
The US has been doing this since 1982. See http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage [wikipedia.org]
> In 2004, Reed, a former Air Force secretary of the Reagan administration, wrote that
> they had added a Trojan horse to equipment that the Soviet Union obtained from a
> company in Canada. When the components were deployed on a Trans-Siberian gas
> pipeline, the Trojan horse led to a huge explosion, according to Reed. As Reed explained,
> "The pipeline software that was to run the pumps, turbines a
a 'cyber' pearl harbor? what's this guy on? (Score:3)
persian1234: hey baby, wanna cyber?
panetta_l: sure
persian1234: aight, i put on my flight suit and helmet
Ah! another government false flag huh? (Score:2)
Gee it is now common knowledge that the U.S. LET Pearl Harbor happen... Thank you Dusko Popov for exposing that in your book "Spy Counter Spy". And more and more proof is coming out about how 9/11 was also a false flag, just like the Gulf of Tolkien, let's not forget Oklahoma City, just like the nasty things outlined in "Operation Northwoods" - no tinfoil hat needed here - the facts are all out in the open and available for all to read. If this happens - we will know the government did it... Heck remember w
Re: (Score:2, Funny)
a false flag, just like the Gulf of Tolkien
Those middle-earth bastards sucked us in!
Re: (Score:2)
cyber-Pearl Harbor (Score:2)
....does include cyber-Kate Beckinsale, doesn't it?
Ask a cranky 'ol guy (John Dvorak) (Score:5, Interesting)
http://www.pcmag.com/article2/0,2817,2410931,00.asp [pcmag.com]
He's still good for entertainment some days. And he's got this one nailed: "Cyber War? Bring It On! : The so-called imminent threat of cyber-attack by U.S. enemies is another in a long line of fear-mongering propaganda lines."
Re: (Score:2)
He'd be a lot more credible if he didn't bring up the old "Y2K wasn't a problem" saw. Yeah, Y2K wasn't a disaster. That's because not only did we see it coming in time, but a lot of effort was spent fixing the problems before it was too late. I realize that it is so rare that a problem is actually anticipated and fixed before disaster happens that this seems unbelievable, but it's true.
The physical-world equivalent is claiming that there was no problem with the Citicorp Center [duke.edu] because it's stood up to ev
Isolate the networks as best you can (Score:2)
Why do we expose ourselves to such risks in the first place? Because we are willing to trade efficiency and lower cost now for certain vulnerabilities, that's why.
Nothing says we HAVE to have the power grid and other essential utilities on a non-isolated network. We do so because it's convenient and saves money in the short run.
If it's not practical to physically isolate the electrical grid's control systems from the rest of the world, at the very least put each one in a "bubble" and make sure all traffic i
well what about triggering fail safe shutdowns? (Score:2)
Well, what about triggering fail-safe shutdowns? Hackers can just try to trigger one, or trigger the alarms, and you better hope someone is on site to handle that alarm.
Re: (Score:2)
So how many major power grids have been brought offline by hackers so far? Ever? Has there been one even?
Re: (Score:2)
Because we are willing to trade efficiency and lower cost now for certain vulnerabilities, that's why.
I think it's a lot simpler than all of that. Simply put, they don't trust us and don't want to have to use us if they can get away with it. They don't understand our message even when we dumb it down into words they understand. They think we're still the Priests In White Coats and all we really do is feather our nests. If we're not doing something that's going to quickly bring in short term profit, then what we do is a waste of time and money in their view.
Short of re-education (and I can't realisticall
Re: (Score:2)
Timing (Score:2)
So just what legislation does he want . . . ? (Score:2)
FTFA:
It would require new standards at critical private-sector infrastructure facilities — like power plants, water treatment facilities and gas pipelines — where a computer breach could cause significant casualties or economic damage.
In August, a cybersecurity bill that had been one of the administration’s national security priorities was blocked by a group of Republicans, led by Senator John McCain of Arizona, who took the side of the U.S. Chamber of Commerce and said it would be too burdensome for corporations.
So a new bureaucracy to create standards of questionable usefulness, and then to enforce their compliance.
. . . then he adds:
“We’re not interested in looking at e-mail, we’re not interested in looking at information in computers, I’m not interested in violating rights or liberties of people,” Mr. Panetta told editors and reporters at The New York Times earlier on Thursday. “But if there is a code, if there’s a worm that’s being inserted, we need to know when that’s happening.”
Please elaborate on what exactly you are talking about there, Mr. Panetta . . . ? It sounds to me like that means more snooping . . .
After TSA, comes ITSA (IT Safety Administration) (Score:2)
> So a new bureaucracy to create standards of questionable usefulness, and then to enforce their compliance.
If you like the TSA, you'll love the ITSA (IT Safety Administration). You'll have a minimum-wage "security officer" sticking their hand up your ass before you sit down in front of your computer.
They've been whining about this for over a decade (Score:2)
Like most stuff that comes out of Washington, it's pure shadow-theater. Or maybe just a bad clown show.
Warnings of a possible "Analogy-Pearl Harbor"... (Score:2)
... in which a gullible public is suddenly dive-bombed - without a formal declaration of war - by inadequate but impressive-sounding metaphors comparing present-day dangers with historical military engagements.
1982 Brittle Power by Amory & Hunter Lovins (Score:2)
http://en.wikipedia.org/wiki/Brittle_Power [wikipedia.org]
"Brittle Power: Energy Strategy for National Security is a 1982 book by Amory B. Lovins and L. Hunter Lovins, prepared originally as a Pentagon study, and re-released in 2001 following the September 11 attacks. The book argues that U.S. domestic energy infrastructure is very vulnerable to disruption, by accident or malice, often even more so than imported oil. According to the authors, a resilient energy system is feasible, costs less, works better, is favoured in t
Big problems: power, pipelines, financial (Score:3)
There are three areas that need attention - electric power distribution, pipelines, and financial systems - because the impacts are high and restoration times are long.
Power systems have Internet connections because, in the US, they are now market systems, and the bidding process between the various parties is conducted over the Internet. The seven US power grids worry a lot about this, but it's not clear if they worry enough. What needs to be done there is to ensure that restoration after a failure in the high voltage network is faster. Worst case downtimes should be brought down from days (as in 2003) to hours. All plants bigger than 250MW or so should be required to have cold start capability, so they can start up and idle even if the grid is down.
Pipelines I don't know enough about, so I won't say much about that.
The financial system is a real worry. If the US had a week-long disruption of New York based trading, the center of the financial world would move elsewhere. In 2001, the non-US exchanges weren't big enough to take over. That's no longer the case. Of the top 5 stock exchanges, only one, the NASDAQ, is entirely in the US. London, Tokyo, Shanghai, and Hong Kong could take over.
Re: (Score:2)
"Markets" are only trading platforms ... the businesses themselves wouldn't move. Some jobs would be lost (or rather, move overseas) that are directly related to implementing a stock exchange, but it wouldn't represent some cataclysm ... 99% of America wouldn't even notice any difference.
laws (Score:2)
Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress.
I hope by that she means laws funding more and better security (actual security, not security theatre) and not laws making it illegal for foreign powers to attack US networks.
If you need that explained, shoot yourself.
Remember, it will be a False Flag blamed on Iran (Score:2)
http://www.youtube.com/watch?v=M84l19H68mk [youtube.com]
http://www.youtube.com/watch?v=9y29sCsh0oY [youtube.com]
Re: (Score:2)
I'm right, they're trying to pin it on Iran.
http://www.nytimes.com/2012/10/14/world/middleeast/us-suspects-iranians-were-behind-a-wave-of-cyberattacks.html?_r=1 [nytimes.com]
And draft-dodging Panetta warns..... (Score:2)
Oh swee jaysus on a Harley, for chrissakes! Too late, Leon, AMD is already beginning their layoffs, chump! Will someone please vote for Dr. Jill Stein, the way I voted for Cynthia McKinney and Ralph Nader --- we've got to put an end to stooges in
And I neglected to mention.... (Score:2)
cyber pearl harbor (Score:3, Funny)
the delirium is under control (Score:2)
Keyword-Cyber (Score:2)
When someone says "cyber", it means they are confused and frightened about technology, and should not, under any circumstances, be taken seriously on the subject.
I don't know whether to laugh or cry (Score:2)
Everybody and his granny knows that when you fill a country with computers and then let them manage actuators (you know: things that control real-world stuff), you introduce real-world vulnerabilities to cyberspace mayhem.
So you'd think that every single government branch in charge of some computer-controlled actuator would take very special care that said actuators can't be accessed by unauthorised people who happen to roam about, right?
Starting with secure routers, credible VPN connections,
Largely Self inflicted ... (Score:2)
Assuming this is the case and not a pretext for getting a bigger budget, then it's largely self inflicted due to the excessive and compulsory use of Windows in finance, government and the DHS [dhs.gov] itself
If this did happen.. (Score:2)
Just shows you it was poorly designed in the first place and needed to be torn down.
Wrong. Wrong. Wrong. (Score:2)
Whatever mayhem a "cyber-attack" might cause, it is almost inconceivable that it could rival the destruction and loss of life of the attack on Pearl Harbor.
It is insulting to those who died to imply otherwise.
My Grandfather served in the navy during the war, but was not at Pearl Harbor when it was attacked.
He was, however, briefly assigned to the detail that had to help clean out the dead, bloated bodies from the ships that were sunk in the attack.
Leon E Panetta, you are an asshole. Unless we do something
Oh really? (Score:2)
Re: (Score:2)
Of course the idea is to do it in a way that it cannot be traced back. Or even, so that it looks as if someone else did it. For example, hack into an Iranian computer, and attack the U.S. power grid from there. The CIA will find out that the attack came from Iran, and won't look further.
Re:Is that so? :p (Score:5, Insightful)
Re: (Score:3, Funny)
So it would be a line noise attack?
Re: (Score:3, Informative)
Mod parent up.
Pearl Harbor was bait. Major "oops" that the Japs used shallow-running torpedoes thus making a bigger mess, but hubris is a bitch. The British figured out how to plink ships in shallow harbors:
http://suite101.com/article/the-battle-of-taranto---inspiration-for-pearl-harbour-a307392 [suite101.com]
Re: (Score:2)
Mod parent up.
It'd be a waste of mod points; shills in their cubicles at Fort Meade are actually earning their salaries today! :p
Re:Really?! (Score:5, Insightful)
Why not leave them on an intranet
No! Never connect critical computer systems to an intranet (assuming you mean a general purpose internal network).
It's just too easy for a worm infection to create a bridge with the internet, or some person connecting his laptop to his phone to read slashdot and thereby creating a bridge.
These systems should be on their own network, and all communication should be encrypted using public-private key pairs (secure tunnels, so systems can only communicate with other systems when they're allowed to). Managing the keys/tunnels would be a hassle (making sure an authorized human is in the loop), but good security always has its costs.
Re: (Score:2)
First,
Change the default passwords on the systems.
Then
Set them up on a restricted access internal DMZ with a firewall in front of them
Then
Setup tunnels for encrypted access.
Then
Set authentication (token based are ok) for any access to the systems.
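The four steps in that list applied to one Windows control host, as an added PowerShell example (not the commenter's code); the account name, engineering subnet and service port are placeholder assumptions, Set-LocalUser needs Windows 10 / Server 2016 or later, and the IPsec rule relies on the host's default authentication sets (Kerberos machine authentication on a domain).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original comment: the four steps above on one Windows
# control host. Placeholder assumptions: local account 'operator', engineering
# workstation subnet 10.20.30.0/24, control service listening on TCP 4840. IPsec uses
# the host's default authentication sets (Kerberos machine auth on a domain).

$operatorAccount   = 'operator'
$engineeringSubnet = '10.20.30.0/24'
$servicePort       = 4840

# Step 1: replace the vendor default password; prompt so it never lands in a script.
$newPassword = Read-Host -Prompt "New password for $operatorAccount" -AsSecureString
Set-LocalUser -Name $operatorAccount -Password $newPassword -PasswordNeverExpires $false

# Step 2: restricted-access segment. Default-deny inbound on every profile and log
# what gets dropped, so an unexpected peer shows up in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Step 3: encrypted tunnel. Inbound connections to the service port must be
# authenticated and protected by IPsec; unauthenticated attempts are refused.
New-NetIPsecRule -DisplayName 'Control service: IPsec required' `
    -Protocol TCP -LocalPort $servicePort -RemoteAddress $engineeringSubnet `
    -InboundSecurity Require -OutboundSecurity Request

# Step 4: authenticated access only. The allow rule admits the engineering subnet
# alone, and only over the authenticated, encrypted IPsec path from step 3.
New-NetFirewallRule -DisplayName 'Control service: engineering workstations' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $servicePort `
    -RemoteAddress $engineeringSubnet -Authentication Required -Encryption Required `
    -Profile Domain,Private

# Read back the result: every profile should block inbound by default and exactly
# one enabled allow rule should expose the service port.
function Test-ControlHostExposure {
    $profiles   = Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$servicePort" }
    [pscustomobject]@{
        InboundBlockedByDefault = -not ($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' })
        RulesExposingService    = @($allowRules).Count      # expected 1
        AllowedRemoteAddresses  = @($allowRules | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

Test-ControlHostExposure | Format-List
```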
Re: (Score:2)
Re: (Score:2)
I was referring to a network that only could be accessed by passing through a firewall inside the INTERNAL network
so just anyone internal couldn't access the systems. (Not an IntErnet facing network)
With the right type of firewall NextGen you can write specific application rules to reduce exposures
like DDOS, buffer overflows, SQL injection attacks depending on how skilled your firewall people are,
and the level of understanding people who support the servers/services.
I'd guess/hope you can't telnet to the c
Re: (Score:2)
Remind me never to hire you as a security consultant. A DMZ is designed to provide access to limited services on machines in the DMZ space, but those machines are less or untrusted by the main network deeper in.
If your DMZ has unfettered inbound access, then you are overexposing yourself unnecessarily. Any machines in a DMZ are still properly protected, but do not pose as great a threat to the internal network if compromised as one hosted on the internal network itself.
Re: (Score:2)
Then some smart arse drives around in a diesel van with a generator and an electro magnetic pulse generator http://www.amazing1.com/emp.htm [amazing1.com] and all your network security is for nothing. Of course now your network is 100% secure ain't no one getting in with nothing.
Re: (Score:2)
The power grid worked before there WAS an Internet, and coped with massive demand.
Don't build in connectivity or exposure to Consumer operating systems.
the power grid needs to be able to link (Score:2)
the power grid needs to be able to link the sub stations , power plants, control centers to each other.
We need IT unions to make it so cost cutting (Score:3)
We need IT unions to make it so cost cutting does not end up using outsourcing, as well as real hands-on training and not just book-based theory learning.
Re: (Score:2)