""Intelligence officials say that any legal case could result in exposing American intelligence operations inside China — including the placement of thousands of implants in Chinese computer networks to warn of impending attacks.""
That also sounds like hacking into another country's systems.
The rational move is a massive investment in security technology including strong encryption and the kind of work that the NSA used to do in the 1990s of working to make Windows and Linux more secure for American businesses.
Any attempt by our intelligence services to back door computer systems, instead of working to make everyone more secure, is a grave disservice to the American taxpayer.
> Any attempt by our intelligence services to back door computer systems, instead of working to make everyone more secure, is a grave disservice to the American taxpayer.
And that's what our leaders don't understand. If the NSA has access to backdoors in collusion with vendors, what stops China or Russia from exploiting the same backdoors? Absolutely nothing. If the NSA can hack phones because provider X or Z has set up a "secret" interface for that purpose, well it's going to be exploited by someone else, and foreign hackers will figure it out. How can the NSA be sure that PRISM and co themselves aren't compromised?
So everyone is concentrating on the offensive abilities, because that's where the easy pickings are. And you can make flashy presentations about "how we f*cked them over". Flashy presentation about how you probably reduced the risk of a security breach by a few percentage points? Not so much.
Retaliation is a side show. Focus on hardening. The same sets of laws that exist for products and environmental liability must be implemented for information liability. Make companies economically liable for hardening their software and hardware and the lawyers will get it done. If there is one thing our overly litigious system is good at... It's extracting economic penalties for failure.
I couldn't agree more, it's completely ridiculous. The sad part is I believe they actually have a department that was/is in charge of it (NSA), but they've been completely focused on "terrorism" (the kinds where stuff blows up) and offensive work.
To be fair, in the modern international climate, we've seen that wars between developed countries have dropped off drastically because of the development of nuclear weapons and the creation of MAD. There are few truly formidable defensive structures from the past 100 years - the circumvented Maginot Line and the overrun encampments on the beaches of Normandy come to mind.
The point being that it doesn't seem unreasonable to expect that a legion of military minds trained in deterrence as the primary response to threats from rational entities would think first to build the capability to retaliate and second the capability to defend.
I'm not really sure how far the comparison between physical military threat and cyber threat really carries, though.
You're absolutely right, there is no decision, there is no announcement, they even say the White House can't decide how to. NYT needs to add a [RUMOR] tag.
In my opinion, seeing an article like this is a huge display of weakness on behalf of the United States.
You don't see other nations who engage in adversarial ways against the US broadcasting their intentions in public theatre.
If the US and Obama administration really wanted to demonstrate power and deter China from cyber attacks, they wouldn't go chatting about all the things they're going to do. They would go do it and it would be heard of after the fact.
Has the concept of the element of surprise been forgotten?
"One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence," said one senior administration official involved in the debate
This sentiment should probably be read as "so as not to appear impotent to the citizens at home" instead.
What you're missing is that this has been publicized by someone inside the administration, who likely thinks the leak is the best way to force the action / inaction they want. It's not "the government" as a monolith showing their hand.
No it hasn't been forgotten. I think you've confused the purpose of the message.
This is meant as a last warning for China, and everyone else, that the US is going to begin aggressively attacking in response, instead of mostly just taking it. I don't think anybody is going to like what's going to come of it. Picture the US military, with its $600 billion budget, treating all global digital infrastructure as its new battlefield.
No, it's not a display of weakness, not even close. It's purely an act of public opinion manipulation. They are trying to steer the public opinion to a certain direction.
I'd guess US would retaliate by releasing information that hurts the Chinese government politically, specifically corruption. I don't think it would escalate into anything other than stealing/releasing information. Full on cyber war is really unlikely as both sides would prefer to stay in power.
> While James R. Clapper Jr., the director of national intelligence, said last month that “you have to kind of salute the Chinese for what they did,”...
You have to kind of salute Clapper for what he did, committing perjury and then keeping his job
I think cyber warfare is inevitable. Because systems are so complex, defensive techniques will always fall short. The only effective deterrent is an offensive attack or at least the fear of an attack. The US has to create a catch-22 situation for China so that it fears the repercussions.
The Snowden documents showed that the US had already hacked SMSCs and other major communications infrastructure right across China. The notion that China is the aggressor here is laughable.
We could have the US conduct a widespread, multi-day DDOS against Baidu which would be proportional considering the Chinese government used Baidu to conduct a widespread multi-day DDOS of github.
“This is one of those cases where you have to ask, ‘Does the size of the operation change the nature of it?’ ” one senior intelligence official said. “Clearly, it does.”
But of course, that doesn't apply to NSA's bulk data collection, right?
If they weren't so conflicted about encryption, the logical response would be to get serious about defensive measures and make sure they're more widely available.
"But in a series of classified meetings, officials have struggled to choose among options that range from......"
Apparently the meetings weren't really all _that_ classified.
Sadly, it has come to a point I don't know what to believe anymore. Whoever released the story has an agenda. Does the agenda in any way mirror factual reality? Beats me.
I'm a westerner. I support the west. My livelihood depends on it. So if they say we've always been at war with Eastasia I guess I don't know enough to say differently.
Looking around at bureaucratic politic filled government agencies and big companies I don't see real protective measure being taken any time soon. The leadership of those places has been filling up for years with ass covers and bullcrappers, and a turn around towards effectiveness isn't going to happen any time soon. So maybe send some drones or something. Oh wait... we can't do that, because those are all reserved for poor Muslims who can't really fight back at any scale. So I don't know. I guess puffing around and taking the lumps is about the only option for now.
Hardening security measures should be more important than announcing retaliation like a bunch of angry children. I don't know the nature of all of these attacks but didn't Sony get broken into via simple social engineering? The guy literally walked into main lobby and got ahold of network engineer's credentials or something of this kind. A lot of companies have very little to no basic security awareness, let alone any kind of significant security infrastructure in place.
This will most assuredly end well. I'm sure the Chinese won't respond in kind by escalating even further, thus creating mutual demand in both markets for cyber warfare.
Well... at one point the loser in the cyber war might decide real bullets can compensate for a loss in cyberspace...
I wouldn't count on China coming out on top at that point.
But more than likely it will stay just short of that and be like a fly that is just annoying enough not to walk inside for the flyswatter. Incidentally, what would China want with personal records of US government employees? Is it going to send them all spam or order stuff on Amazon using their bank accounts or something?
Not that counterattacking is necessarily the best option, but from what I've heard from colleagues in China, the security ecosystem there is far worse than the US. Especially with respect to encryption, many companies and government services rely on poorly designed homebrew solutions.
First of all, China likely has far less cyber surface area than US. Which means US will suffer more damage in the event of a cyber war.
Secondly, it is dangerous to suppress cyber attacks via negotiations, appeals and threats (as opposed to technological means) because then we'll be in the dark as to their capabilities and our exposures, and in the event of an actual war we'll be unprepared and they will cripple us easily.
Instead, we should do what companies such as Google and recently United Airlines have done: reward hackers who find vulnerabilities. Then disarm the opponent by fixing our vulnerabilities as quickly as possible.
China can retaliate by going after American economic interests, but ultimately they'd be cutting off their nose to spite their face. China is not a friendly environment for non-domestic companies, and American companies are going to need to understand sooner or later that this is a dangerous market to pin hopes of growth. Google got out of China and now they're liberated from China's coercion tactics. Retaliation would inflict some short term pain on American companies, but ultimately they'd rebalance and it would be China that would suffer from their economic withdrawal.
I wonder if this is how they decided to retaliate...by saying they would? This has the feel of an intentional leak to tell the Chinese that we mean business. If so, why telegraph our actions if we're actually going to follow through?
It leaves a definite calling card, closing off some of the debate about who's doing what. Perhaps removing some of the ambiguity also reduces the chances of unintended political or market fallout.
mark_l_watson | 10 years ago
aikah | 10 years ago
_0ffh | 10 years ago
Attacking is easy, securing is hard.
rrggrr | 10 years ago
akshatpradhan | 10 years ago
Think of a fort. Forts had defined security controls in the old times. In a fort, you go through a security rotation of making sure the pot of boiling oil tips over on time. You practice your smoke signaling so that the appropriate people are notified in the event of a wall breach. You measure your walls and review their height periodically. You protect transports carrying crown jewels. But the only way to make sure all these worked effectively was to write their processes down and practice them.
You need a systematic checklist to control your sensitive environment and protect your fort. In an agile environment, keeping all the processes in your head is painful. By prescribing to a series of security rotations (e.g. Code review process, Change control process, Log review process, Key Rotation process, Secure Delete process) you can provide accountability that reasonable steps were taken to build your fort and protect your crown jewels.
1. Boundary Control (e.g. Firewall, Router, Switch)
2. System Hardening (e.g. Chef, Puppet)
3. Data Storage (e.g. SAN, File Servers)
4. Data Encryption (e.g. VPN, TLS, SSH)
5. Malware Protection (e.g. App Isolation Containers)
6. Source Code Analysis (e.g. Unit Testing, Integration Testing, Code Coverage, Linting, Code Formatting, Brakeman)
7. Authorization/Authentication (e.g. LDAP)
8. Physical Access (e.g. Badges)
9. Log Monitoring (e.g. FIM, Logstash, Papertrail, Splunk)
10. Intrusion Prevention (e.g. Snort, Metasploit, Burp suite, Nmap, Nessus, Kismet)
11. Write current processes (e.g. Code review process, Change control process, Log review process, Key Rotation process, Secure Delete process)
It's writing down current processes (and following them) that's the missing piece to a holistic security program.
The other missing piece to a hardened environment is buy-in from the three primary stakeholders that hold up the fort: Sysadmins, Developers, and Security Officers.
Developers don't realize the importance of Source Code Analysis. Is your code even 80% covered? That's a big part of building up a good defense :).
SG- | 10 years ago
TTPrograms | 10 years ago
jsprogrammer | 10 years ago
Bahamut | 10 years ago
And yet, the title is "U.S. Decides to Retaliate Against China’s Hacking" - this is quite sensationalistic.
sosuke | 10 years ago
adam419 | 10 years ago
Redoubts | 10 years ago
fiatmoney | 10 years ago
adventured | 10 years ago
Ankaios | 10 years ago
kordless | 10 years ago
tellthetruth | 10 years ago
ohsnap | 10 years ago
themeekforgotpw | 10 years ago
They would also have to disrupt the world reputation of China - not just its domestic one.
And rest assured the US already does and attempts to do this.
cottonseed | 10 years ago
brayton | 10 years ago
pvnick | 10 years ago
ub | 10 years ago
trhway | 10 years ago
sounds like a typical BigCo's PM argument when waiving security bugs.
bahador | 10 years ago
im3w1l | 10 years ago
contingencies | 10 years ago
JohnTHaller | 10 years ago
CamperBob2 | 10 years ago
Zikes | 10 years ago
skybrian | 10 years ago
unknown | 10 years ago
[deleted]
jqm | 10 years ago
sakopov | 10 years ago
ccvannorman | 10 years ago
gruez | 10 years ago
jqm | 10 years ago
seccess | 10 years ago
petilon | 10 years ago
tellthetruth | 10 years ago
rdlecler1 | 10 years ago
dikaiosune | 10 years ago
lotu | 10 years ago
themodelplumber | 10 years ago
dragonbonheur | 10 years ago