By Kevin Coleman — Defense Tech Cyberwarfare Correspondent
Last week another hearing up on Capitol Hill brought out concerns and warnings over cyber attacks on the critical infrastructure of the United States. The intelligence community agrees that a major cyber attack within the United States is becoming increasingly possible. This should be no surprise to anyone. It is the latest in a long list of warnings about acts of cyber aggression against the United States. Yet, Congress seems to be stuck in neutral. Two years after President Obama declared the cyber threat “one of the most serious economic and national security challenges we face as a nation,” the White House released their proposed plan to address the dramatically growing threat of cyber attacks. According to one insider, this is one of about 50 pieces of proposed legislation in various stages of completeness. How long will it take to reconcile all these individual efforts?
Beltway insiders are referring to cyber as the battlefield of the future. I don’t think so — it is the battlefield of the present. Cyber attacks take place at light speed over fiber optic cables and continuously change and morph, making this a challenging environment to say the least. The U.S. government is operating at the speed that grass grows. If that continues, we will always be playing catch-up and chasing after solutions to the latest threat to our cyber assets and infrastructure. Many believe it will take a major attack on critical systems to spur officials into action at a pace commensurate with the threat!

16 comments
Cyberwar is a fraud and a waste of government money. As one senior network security leader told me recently – the cyberwar clowns are just a distraction, network security is only about war because they want to tap federal national security funds. If the money was in the health care system they would have spun it as a public health issue.
The bottom line is not network security it's a concentration of getting money out of the government.
So threats to American electronic infrastructure don't exist?
You, sir, are an idiot.
…it is quite evident, both in the US and around the world, that nations are being targeted through computers/internet; it is not some quack conspiracy theory.
Get off your cynical high horse.
Sounds like someone is a bit light on the threat. Unfortunately, that is why we are so behind in this area. Being in the "Computer security" business, I can tell you that the threats are real and varied. What is out there can and may take us down in a multi-front confrontation. Do some studying!
They are not clowns, they are professional politicians doing a CYA op. Yes we are vulnerable, but there's not really much we can do about it. Most of the people who implement stuff are not professional hackers, and have no desire to break stuff. It would be like asking the construction crew with a minimal budget to make it so that no one could blow up the bridge they are building, OHH and YEAH this can't cost any more, inconvenience anyone ever, or delay the project by a millisecond. What kinda security do you think you're going to get in an environment like that?
I agree, these are not clowns. But in my experience, they have a radically different imperative. Political types are all about the power climb and the positioning. If it benefits them or there is some "hero" aspect, they may do something. The problem is their imperative. Where you and I see a direct and real threat that needs to be dealt with directly and concisely, they see it as another step in the ladder, either position or power or both. I see this all the time in corp America. Just data / information alone is a form of power and held in almost a draconian fashion. These people have no concept of the technical. When someone comes along that sounds good and agrees with them, they hire them. It may not be the best choice. Most computer geeks don't have the social skills to play that level of the game. That's why I was kinda happy to see Jeff Moss on a gov cyber security team. But we'll see how frustrated he gets because of the politics.
Hackers should be hung. Teach them a lesson.
Why do so many people have such hate for hackers? Every time some big corporation or establishment gets hit, people cry for the death penalty.
Then when a physical crime is committed, which IMO is worse since hacking causes at most a temporary minor financial hitch, everyone is calm again.
Why? Because the vast majority of people haven't a clue how the internet works. A big majority see it as something evil. Unfortunately most in congress don't have a clue so they will jump on the "we must do something" bandwagon. Sadly those that know the least will be writing legislation on this with all the crap that follows.
No one cares about the real reasons- re. SONY almost no security, HBGary stupid security and social engineering, stuxnet-laughable security.
All the better for fear mongers such as Kevin.
Actually I am a realist! Look at all the data!!!
You're not going to be able to hang Chinese hackers, idiot.
says the Troll
The word "hacker" is far too generic. Hacking can be as simple as hacking an old AM/FM radio to get aircraft band signals. Contemporary hackers in the everyday world are people who try to circumvent computer systems rules, period. I don't think hanging them is intelligent. Keep in mind that there are multiple facets to computer security. 1) the threat against your computer (basically criminals), 2) Threats against corporations (think Sony, TJ Maxx etc), 3) APT style threats (China /Google/Aurora style attacks and intelligence gathering from corps). 4) Technology espionage, stealing (among other things), stealth tech, radar tech etc. 5) State-sponsored sabotage (think Stuxnet). 6) Battlefield tactics, think (http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece).
The list could go on. And the scenarios are endless. China has "acquired" more tech and info from us through cyber means than you can shake a stick at. They have cut dev costs and time by decades.
So please, do some research before you leap.
I wish cyberwar really was a "fraud and a waste of government money". But it isn't. Up until very recently the primary threat was cybercrime, which was something banks had to worry about, but not the government or military. In just the past couple of years, however, we've seen the Chinese government attack on Google, Stuxnet, Anonymous vs. HBGary, and the governments of the world vs. whoever happened to be hosting Wikileaks at any given moment. None of these are for-profit ventures–they're cyberwar.
Network security pros may indeed be loudly advertising the threat in order to get government funds. If so, good for them–that is the right and responsible thing to do when you see a genuine threat.
Unfortunately, I don't think some extra funding is going to be enough. The U.S. government online presence is badly fragmented, with scattered IT departments all the way down to the branch office/platoon level in many cases. That is impossible to secure for organizational reasons. Furthermore, the reliance on COTS operating systems and applications makes security impossible for technical reasons. Until the feds put in a more centralized infrastructure based on validated secure separation kernels, we really will always be vulnerable to cyberattack.
Low priority comment, but these posts would be less insufferable if they weren't full of generalities about gloom and doom, lacking any tangible substance.
Think about this post. "Cyber attacks take place at light speed over fiber optic cables and continuously change and morph" – Okay, cyber attacks exist and adapt. What forms? What scope or scale? And the second message – Congress is inactive short of post hoc reactions to a massive cyber attack. Again, so what? Who's leading the charge?
Of course, they could also stop relying on cheesy graphics from the glory days of the Information Superhighway (e.g. human shape or globe made of green 1's and 0's, globe with beams of light shooting between points, people in front of computer monitors showing vague but important consequences, etc.).
Whatever you're paying Kevin Coleman, it's too much.
Well at least I am now cowardly like you hiding behind "Anon"
A blog is written so others can contribute, but that is above your comprehension level!
Grow up, try and contribute rather than the garbage post like this!
The technical nuts and bolts of cyberwar are probably beyond the scope of this blog. The Chinese attack on Google, for example, exploited a known IE bug that Microsoft hadn't got around to fixing. It allowed IE to continue to access memory for an object that had been deleted and replaced with arbitrary code, which I think was a keylogger in this case. (Go to http://www.exploit-db.com/exploits/11167/ if you want to see the code.) But Stuxnet was a USB-infecting malware attack, and Wikileaks/Anonymous was mostly DOS.
The point is that 1) the current environment of COTS operating systems is not securable, because there are far fewer resources being devoted to finding and fixing vulnerabilities than there are being employed to finding and exploiting them, and 2) we now know there are hostile state actors engaged in cyberwar for purposes of espionage and sabotage against U.S. government installations. Because computers are complicated and scary, I think the number of congresspeople who understand the situation is approximately zero. We can either help them understand, or just wait for the inevitable cyber-Pearl Harbor.