Measuring China's Cyberwar Threat
An anonymous reader writes with this excerpt from Network World: "A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold — and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army to sow deadly disruptions in the U.S. military logistics supply chain. As told, if there's a conflict between the U.S. and China related to Taiwan, "Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness," write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar."
Cyber war threat level (Score:2, Funny)
I believe "Anonymous" works for China (Score:2)
Bring it on. We have "Anonymous"!
Or Russia
Or Cuba
Or Venezuela
Or the Taliban
Re: (Score:2)
The color thing has been dropped by DHS [dhs.gov]:
The National Terrorism Advisory System, or NTAS, replaces the color-coded Homeland Security Advisory System (HSAS).
The ISC [sans.edu] is a little slow on the uptake, but isn't government.
For those of us who've lived through it. (Score:2, Informative)
Because the Chinese government has sponsored research on "attack-induced cascading power failures" related to the U.S. power grid, ...
For those of us who have lived through power shut downs for days and weeks on end because of snow and hurricanes, BFD. Ooooo, I won't be able to surf the internet or watch TV or pop my microwave popcorn. Oh noes!
And for the folks that really need the power, like hospitals, they have on site generation equipment that will last as long as they can get the diesel or the natural gas flows. AND some are even putting solar on their roofs - made in China, btw.
Re: (Score:2)
Too many fair weather people. Snow related power outages which are common here, which tend to happen in the middle of winter, to which typically your furnace stops working because a lack of electricity even if it's NG. Doesn't faze people, you know it's there and you must live with it.
Some people just need to Harden the f**k up and accept life for what it is. But that would involve personal responsibility, which means, it's unlikely to happen.
Wanna cyber? (Score:5, Insightful)
In computers and network security, every time someone uses 'cyber' in a serious, unironic manner, they lose credibility.
TFA uses it 9 times.
Re: (Score:2)
Do the words "geek" and "cracker" make you blush as well?
Re: (Score:1)
Only when it precedes and succeeds the word "ass."
Re: (Score:2)
I agree. It's nice to key in on a buzz word for judgement. It precludes having to examine and think about what is actually being said.
Re: (Score:2)
It's nice to key in on a buzz word for judgement.
Whenever a defence contractor goes to Capitol Hill and uses words like "Cyber", "China", "Threat", "Hacker", "Attack", "War" --- you know fair well that they are after one thing
Oh, no, they don't care if America's infrastructure collapses because of the Chinese hackers
All they care about is money
Oh yea, $$$$, aka moolah, greenbacks
That's the thing they are after
The more fear they spread, the more they can smear "China" the more the congresscritters are willing to shell out gazillion $$$ in the name of "protecting
Ahh yes (Score:5, Insightful)
Our newest 'threat' we need to throw money at to 'combat'.
Instead of ohhhh... I don't know... not connecting important shit to the internet...
What's it gonna be called.. That's the big question. 'War on Cyber' Doesn't sound catchy enough.
Re:Ahh yes (Score:4, Insightful)
With friends like Duke Cunningham and KBR, we don't need enemies...
They missed one key tidbit... (Score:5, Insightful)
This is what I would add:
All speculation is geared toward ensuring that the report's authors or their agents are beneficiaries in any efforts the US government would take to "mitigate" any China factor(s).
Re: (Score:2)
It's more hilarious than that. Who has the best capability, and the worst track record of attacking and subverting? Why, it's Team America (fuck noes).
Re: (Score:2, Interesting)
It's all Bogeyman BS.
1) USA has thousands of nukes including ICBMs
2) China has about two hundred nukes including ICBMs.
3) NONE of that cyberwar hacking is going to stop the nuclear missiles.
4) China will come out worse in a nuclear war against the USA (unless the rest of the world nukes the USA too)
5) Neither side appears to have suicidal leaders, and most of the leaders are enjoying their lifestyles at the top.
6) The USA owes China trillions of US dollars.
So why would China start a war on a country with way
Re: (Score:2)
Hmmm...so you think the U.S. is going to threaten nuclear war while the PLA is victory dancing in Taipei? Well, I think that pretty much sums up your ability to think about geopolitics. Thanks for playing, go back to your games now, bye-bye...
Military using the public Internet?!? (Score:2, Insightful)
Does the "cyber war" threat mention the public Internet at all? If so, then that's totally stupid!
The military has no business *relying* on the public Internet for anything!
The power grid has no business *relying* on the public Internet for anything!
Telephone companies have no business *relying* on the public Internet for anything!
If hackers using the plain Internet have any way in to any U.S. military communications system, then people need to be fired!
The Internet is NOT a secure communications network, a
Re:Military using the public Internet?!? (Score:5, Informative)
There are many different tasks and functions for which the military and government agencies use the public/commodity internet. There are also various levels of private [wikipedia.org] networks [wikipedia.org] for more sensitive requirements.
None of that, however, stops the NSA from operating under the assumption that its networks are compromised [democracyarsenal.org].
Brookings just put out a great paper on a related topic, Cybersecurity and U.S.-China Relations [brookings.edu] (PDF). It's worth a read.
Re:Military using the public Internet?!? (Score:5, Interesting)
One of the things TFA mentions is how many of the targets wouldn't actually be military, but rather civilian contractors which the military needs to run day-to-day operations. This isn't a computer security problem, it's a cultural problem. The contracting / privatization craze has hit the military in a big way. I know this will sound like old-soldier grumbling, but when I was in (late 80s to mid 90s) we didn't have this problem, much. We had plenty of civilian contractors around, sure, but combat-critical logistics and maintenance functions were handled by people in uniform. Now we have a situation where units engaged in active combat can't function unless civilians who are not under oath and are not trained for the situation (and who are often paid much, much more than soldiers used to be to perform the same jobs; the "privatization saves money" argument is complete bullshit) decide to show up for work that day. The military needs to be able to handle its own operations in a war zone, and right now, it can't do that.
Occupying the (Score:2)
Occupying the...
Pitching tents in front of websites and smoking crack.com is no way to go through life, son.
How much damage can be done sustainably? (Score:4, Interesting)
I'm sceptical of how much damage 'cyberwar' can really do sustainably. I suspect it would be a bit like Pearl Harbor - you make enormous damage the first day with a surprise attack, but it goes downhill from there.
I mean, I'm sure that the first day a lot of computers will go offline, and even factories will stop, etc. But what happens after a month when those computers have their OS reinstalled - with Linux or a commercial UNIX, or even, zOS if need be, and the data you've deleted has been restored from backup CDs, and everywhere there are billboards on the road proclaiming that whoever isn't updating their computer is giving Hitler a drive. Would it be as easy to go on inflicting damage then?
Re:How much damage can be done sustainably? (Score:5, Interesting)
But what happens after a month when those computers have their OS reinstalled - with Linux or a commercial UNIX, or even, zOS if need be, and the data you've deleted has been restored from backup CDs
Most businesses don't have disaster recovery plans. And those that do, like mine, haven't given much thought to the timetable on a full restore of all IT resources from nothingness. The one I'm working for right now has a 4 year plan for rolling out Windows 7 that started last month. In other words, they started the rollout late, and they'll be deploying outdated tech well past the point when the next version comes out. This is just loading the operating system... consider all the other IT resources that would need to be rebuilt.
On to data backup and restore functionality: All the backups are stored on NAS devices that are always connected. There is no offline backup. They don't use tapes, optical media, or any of that jazz. And most of those backups are located on-site, adding insult to injury. It's taking them 4 years to roll out an operating system remotely, the process is largely manual, riddled with errors, and each system requires, on average, 3 hours of support resources to complete the upgrade.
Without getting into details, this is a Fortune 100 company, and because of the nature of its business is required by law to have stringent backup policies as well as data protection. The state of the art encryption and data protections can all be catastrophically bypassed by design using a 4 digit PIN. The 4 digit PIN... is the last 4 digits of the user's SSN. The first and last name, as well as geolocation information, is in Active Directory, which even the 'guest' account can access. Every person who works support, from phone to desktop, network to deployment, has local admin rights to every workstation in the company. Do the math. Then cry.
This... is typical for most large businesses.
Re:How much damage can be done sustainably? (Score:5, Informative)
Oh, how true that is.
I've described my current employer's systems as a very large "what's wrong with this picture?" puzzle. This past week I found out that our remote offices aren't even logging on to our domain controller (located in the main office), because DNS requests weren't routed properly. Rather, the users there logged into their workstations with local accounts, then used RDP to access a workstation in the main office where they did all the actual work. For speed, they'd occasionally email themselves a file to be modified in a local copy of Office.
Effectively, this means that our confidential corporate data was being stored on machines with no password protection, despite the corporate password policy.
Never assume that being a big company implies any kind of decent security or sane practices. The disconnect between the ones who know and the ones who manage is just too great.
Re: (Score:2)
This is the natural result for any large company where they allow the sales and marketing department (for instance) to control the pace of business. S&M (deliberate abbreviation) people are far more focused on their personal sales success than they are on security. I saw similar problems at one large company I worked at and they were very security conscious. Laptops were a particular problem because they could be removed from the building. We gave a freshly configured brand new laptop to a sales guy and
Re: (Score:2)
But what happens after a month when those computers have their OS reinstalled
Many, possibly most businesses would be permanently ruined by going without revenue and being unable to make payroll for a month. A month might as well be a hundred years. It would be catastrophic, economically.
Comp Sci III to the Rescue (Score:1)
Cut the nonsense. (Score:2)
If there is ever a real war between the USA and China there will certainly be attempts (some successful) at remote computer sabotage but there is going to be no "cyberwar" (though something may happen that will be so labeled).
That kind of talent's in the USA too... apk (Score:2, Interesting)
Trust me, BOTH sides have "the talent" on all levels: But, why? It's like a street-fight really - BOTH SIDES TAKE A HELL OF A BEATING, & for what??
Some stupid rich man's steering nations into wars/conflicts (face it, we KNOW that's how real wars start up too, the wealthy/war profiteer "wanting more").
* Almost makes me sad... the media "hyping it" doesn't help either because it gets folks gander up (regular folks that don't know any better, or have never met a person from 'the other side' personally,
Re: (Score:2)
Ah, the voice of reason.
Re: (Score:2)
http://www.sinfest.net/comikaze/comics/2009-07-05.gif [sinfest.net] :)
cyberattacks on the military supply chain (Score:2)
Re: (Score:3)
Everybody. Using the internet is now so essential to getting any business done that every military supplier uses it. Suppose you are selling tanks to the military. How do you order components? How do you get paid and how do you pay your suppliers and your employees?
Re: (Score:1)
Even so, how about using an encrypted VPN connection and only allowing people access on a need-to-know basic
Re: (Score:2)
For the average user out there on the internet, their computer is kinda like an interactive TV. They wouldn't understand how to use an encrypted VPN, and if it delayed them or caused any problems, their first move would be to figure out how to bypass it. Most people don't actually *want* to learn how to use a computer, they just want it to work as well as their toaster does - and without reading a manual.
Oh, please ... (Score:5, Interesting)
Has anyone in the US Military stopped to notice what critical supplies are manufactured solely in China today? I do not mean just armaments, but stuff that the US military would be utterly unable to move without. Stuff like light bulbs. Fuel filters. Glass containers.
Simple little things that the last US manufacturer closed down for either recently or as far back as 1980.
Do we still make toilet paper in the US? I suspect there may only be one factory that does and it will probably close down soon. It is much cheaper to have it made over there and shipped here.
We cannot possibly win a conflict with China - they would cut off our supply of manufactured items and the military would just grind to a halt.
Sure, they could probably shut down a couple of factories making classified munitions, but who cares? They figured out that troops don't fight without toilet paper in WW I and trust me, it hasn't gotten any better. They cut off our supply of toilet paper and the US population would storm Washington and demand an end to the conflict immediately. I am not kidding here.
Re:Oh, please ... (Score:5, Informative)
Re:Oh, please ... (Score:5, Insightful)
On the other hand, China knows the US's reliance on its products, and knows that there is sufficient sentiment in America to restart such closed businesses. If China ever does shut down shipping, American factories will start back up quickly. We have the equipment and the people, both just waiting for a market to support them. I doubt very much that America would lose a war with China. We'll certainly be beaten back and spend the first several years hurting, but the logistics of China actually "winning" are a very tough obstacle. Both nations have the natural resources to continue fighting through the foreseeable future.
It's partly for that reason that I see a war as highly unlikely, despite the saber-rattling on both sides. Both nations are economically attached tighter than ever before, and they both must recognize it, despite the political irritation.
Re:Oh, please ... (Score:4, Interesting)
And Canada and the US sold hundreds of millions of bushels of grain to the USSR during the 1950's to 1980's, including the "height" of it with the Cuban Missile Crisis etc.
Don't let political posturing fool you, some decisions, such as helping your enemy feed its people, are a better olive branch than any peace treaty or alliance.
Re: (Score:3)
"Has anyone in the US Military stopped to notice what critical supplies are manufactured solely in China today?" Yup, all branches as a matter of fact. Also as a matter of fact, there's not squat they can do about it. It was made worse (paradoxically) by Reagan and subsequent "conservatives" who blathered on about a strong America and how that meant the U.S. Government, including DoD, needed to contract out as much as possible. I guess the Chinese noticed too.
Anything can get owned (Score:3)
Anything internet connected can get owned... even stuff that isn't connected can get killed via service equipment (which is what the whole Stuxnet thing was about).
When you run everything with ambient authority, you're never going to be safe. EVERYTHING uses ambient authority, because it's what we're all used to, as far as computers go. Here's the difference:
In the real world, we operate with ambient deny... your car key doesn't open all cars of that model, it only has the capability to open your car. When you delegate it, your valet can't open all that model of car either.
The situation with computer security now is like having each car owner contractually promise not to open any other car than their own, rather than unique keys. The first hand off to a valet who didn't sign the promise does the whole system in. It also fails if they get confused and return the wrong car.
Until the model of computer security is brought in line with reality, things will continue to be fscked, Chinese or no Chinese.
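The distinction drawn in the comment above, as an added example that is not part of the original post: a service that resolves a caller-supplied name with its own rights (ambient authority) next to one that can act only through a directory handle it was given, including a read-only "valet" copy. All names (`ambient_save`, `DirCap`, `billing.log`) are hypothetical, the data is constructed, and it assumes a POSIX system where Python's `os.open` accepts `dir_fd`.

```python
import os
import tempfile


def ambient_save(service_root, requested_name, data):
    """Ambient authority: the caller supplies a name, the service's own rights do the rest."""
    path = os.path.join(service_root, "outbox", requested_name)
    with open(path, "w") as fh:  # any name the service itself can reach is accepted
        fh.write(data)


class DirCap:
    """Capability: an open handle to one directory; access exists only through the handle."""

    def __init__(self, fd, writable):
        self._fd, self._writable = fd, writable

    @classmethod
    def for_path(cls, path):
        return cls(os.open(path, os.O_RDONLY | os.O_DIRECTORY), True)

    def read_only(self):
        """Attenuate before delegating: the valet key."""
        return DirCap(os.dup(self._fd), False)

    @staticmethod
    def _check(name):
        # openat() alone still follows "..", so the handle accepts plain child names only.
        if name in ("", ".", "..") or "/" in name or "\0" in name:
            raise PermissionError(f"name leaves the granted directory: {name!r}")

    def write(self, name, data):
        if not self._writable:
            raise PermissionError("this capability is read-only")
        self._check(name)
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        with os.fdopen(os.open(name, flags, 0o600, dir_fd=self._fd), "w") as fh:
            fh.write(data)

    def read(self, name):
        self._check(name)
        with os.fdopen(os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=self._fd)) as fh:
            return fh.read()


def refused(action, *args):
    """Return True when the call is rejected with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


def slurp(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Constructed scenario: a report service that must never touch billing.log."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "outbox"))
    billing = os.path.join(root, "billing.log")
    original = "customer=alice charge=10\n"  # constructed sample data
    with open(billing, "w") as fh:
        fh.write(original)

    results = {}
    ambient_save(root, "../billing.log", "clobbered")  # service is a confused deputy
    results["ambient_clobbered"] = slurp(billing) == "clobbered"
    with open(billing, "w") as fh:  # restore before the capability run
        fh.write(original)

    outbox = DirCap.for_path(os.path.join(root, "outbox"))
    valet = outbox.read_only()
    outbox.write("report.txt", "q3 totals")
    results["cap_refuses_escape"] = refused(outbox.write, "../billing.log", "clobbered")
    results["valet_can_read"] = valet.read("report.txt") == "q3 totals"
    results["valet_refused_write"] = refused(valet.write, "report.txt", "x")
    results["billing_intact"] = slurp(billing) == original
    return results
```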
Just read TFA (Score:5, Informative)
Cylon kill switch (Score:3)
When watching the pilot episode of remake Battlestar Galactica few years ago, and how Cylons were able to defeat all battlestars and fighters by shutting down all their systems with "virus software" installed in the background (was done over many years by cylon spies). Since all Colonial spacecraft and systems were networked together, this virus affected all their systems. I was thinking if we went to war with China, this is ***exactly*** what will happen. OK, we can argue China will or not want to get into a shooting war with US. Most likely US will continue to decline.
In the TV series, the Galactica survived because ship commander Adama was an old guy from the old school who never upgraded his systems to modern networked systems. All their computers were standalone systems, much like PDP-11s. Fighters were the old models with much more analog control systems and looks like they still used Mocom-70 for 2-way radios.
Pass a law, carve off a piece of the GDP (Score:1)
The CIA and military intelligence made the Russians into an existential threat right up to their collapse.
Meanwhile, anyone who read the 2 books by the Russian General who defected (he used the name of a famous Russian General from Tsarist times, sorry I don't have time to find this in my bookshelves or on Amazon, tho I did try) or read the accounts of people who visited the USSR for any extended tour (Heinlein wrote one the trip he and his wife took) or had friends visit for even short periods (my mother s
Re:Pass a law, carve off a piece of the GDP (Score:4, Interesting)
Re: (Score:3)
Yup, that's right. Except for the fact that the Soviets had nuclear, chemical, and biological weapons with little safeguards, there was nothing at all to worry about. Go peacefully amidst the noise and haste...
Re: (Score:2)
I think the recent "cyberwarfare" scare is due to the corporate realization that with this sort of scare: :P
a) they can sell massive numbers of computer systems and peripherals with their attendant support contracts
b) they can provide massive numbers of contracted support personnel.
c) there actually is a real threat, but they can play it up considerably to their own profit
d) Expect Halliburton to get into computer security
e) the last thing on the minds of any of the corporate players is the actual security of
impeding combat effectiveness (Score:4, Interesting)
Another (highly upstream) impediment to combat effectiveness is a change of attitude away from combat-based resolution. O, to have hackers so skilled, from any nation, that yang may cede to yin, at least for a few years, in our lifetimes...
(end lament)
why are critical systems on the net to begin with? (Score:5, Insightful)
Mod me double plus idiot if you will, but in our small company, our "critical computer" - the one that has files I don't want to lose (yes, I do backups), and the one I don't ever want hacked, it is NEVER connected to the internet. No wifi, no bluetooth, no cable, nada, zilcho. I even have independent power supply aside from plugging it into the wall.
Anything I need to introduce into the computer is done by a freshly formatted USB, and double checked and scanned first on a different machine running Linux. When not in use, I physically turn it off and disconnect the power supply, and if the hackers can get into a machine with no power, well, I'll just go back to pen and ink at that point. :)
Now seriously, I know you cannot turn off a computer that is running a nuke plant or a NORAD radar system, but why are so many critical systems connected to the internet? Or have online access of any kind? Back in the good old days of BBSes when I was a sysop and upgrading from a 9600 baud modem to a 28,800 was like a miracle (you know, this was back way when dinosaurs still roamed the earth, or so my kids see it as such :) ), the quickest way sometimes to block a hacker attack was to physically disconnect the phone line from the modem.
Again, mod me super simplistic idiot, but if I were operations manager for a nuke plant, and a major cyber attack was underway, to prevent a meltdown, wouldn't you be tempted to just take a pair of wire cutters and snip the physical connection to the internet?
Re: (Score:1)
"but why are so many critical systems connected to the internet?" because reimplementing a totally private network complete with security just to run your modern physical plant is horrendously expensive and finding the people to build it and run it is hard?
If there's a conflict (Score:3)
If the US and China butt heads too much, all China has to do is cut off supply of all our shiny objects, bankrupting many large US companies and destroying what is left of our economy.
They can also demand payment for what we owe them..
Re: (Score:3)
all China has to do is cut off supply of all our shiny objects
So we lose some shiny objects, and they lose millions of jobs. Who will suffer more from that?
They can also demand payment for what we owe them..
Do you understand how bonds work? They have a maturity date. Until that date arrives, you cannot "demand payment". The best they can do is try to sell them on the open market, and if they are dumping them in large amounts, they would not get a very good price.
Re: (Score:2)
Yes I know how bonds work. Do you know how war works? They can demand anything they want and threaten war if they don't get it. "contractual agreements" don't mean squat when you are staring down the wrong side of a barrel.
Also, if they cut us off from our shiny objects, they won't lose millions of jobs. They will just sell to other countries and subsidize the jobs ( they are a socialist nation remember )
Re: (Score:1)
they are a socialist nation
No, they are not. China is a Capitalist country! Mao has been dead for decades now, please get on with the times. Having a red flag doesn't make them Socialists, you know.
Re: (Score:3, Interesting)
All of this talk about China winning any kind of conflict is hocus pocus. What China could do is cause a severe amount of damage to cyber infrastructure and repel any occupational force on the mainland. What they could not do is reach beyond their own border militarily, acquire enough energy to wage war, or find access to friendly markets once the war started. China may be a big economy but without the support of the world European and Japanese powers they would have an awful hard time keeping a stable econom
Give it a rest, neocon-spewing swineherds..... (Score:3)
Re: (Score:2)
"Northrop Grumman, majority owned, via a number of shell companies, offshore finance centers and holding companies, by the Bush family and James Baker." Wow, I didn't know that. Do you have references or is it fun talking out of your ass. Hey, maybe I can do it too...
"Obama isn't really an American", "The Jews run all the major media systems if not the entire world", "the U.S. government has been using alien technology for years"...
This is fun, there's just no end to what I can pull out of my ass too.
Formula for Threat Determination (Score:1)