Dog Brothers Public Forum
Topic: Cyberwar and American Freedom (Read 17450 times)
G M (Power User, Posts: 10561)
Re: POTH: US demands Chinese block cyberattacks
« Reply #200 on: March 12, 2013, 06:43:15 PM »
As China works to turn the Pacific into their lake, they'll seriously consider our protests.
Crafty_Dog (Administrator, Power User, Posts: 25367)
Computer attacks will be met
« Reply #201 on: March 13, 2013, 10:38:05 AM »
POTH:
WASHINGTON — The chief of the military’s newly created Cyber Command told Congress on Tuesday that he is establishing 13 teams of programmers and computer experts who could carry out offensive cyberattacks on foreign nations if the United States were hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime.
“I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone.”
General Alexander’s testimony came on the same day the nation’s top intelligence official, James R. Clapper Jr., warned Congress that a major cyberattack on the United States could cripple the country’s infrastructure and economy, and suggested that such attacks now pose the most dangerous immediate threat to the United States, even more pressing than an attack by global terrorist networks.
On Monday, Thomas E. Donilon, the national security adviser, demanded that Chinese authorities investigate such attacks and enter talks about new rules governing behavior in cyberspace.
General Alexander has been a major architect of the American strategy on this issue, but until Tuesday he almost always talked about it in defensive terms. He has usually deflected questions about America’s offensive capability, and turned them into discussions of how to defend against mounting computer espionage from China and Russia, and the possibility of crippling attacks on utilities, cellphone networks and other infrastructure. He was also a crucial player in the one major computer attack the United States is known to have sponsored in recent years, aimed at Iran’s nuclear enrichment plants. He did not discuss that highly classified operation during his open testimony.
Mr. Clapper, the director of national intelligence, told the Senate Intelligence Committee that American spy agencies saw only a “remote chance” in the next two years of a major computer attack on the United States, which he defined as an operation that “would result in long-term, wide-scale disruption of services, such as a regional power outage.”
Mr. Clapper appeared with the heads of several other intelligence agencies, including Lt. Gen. Michael T. Flynn of the Defense Intelligence Agency, the F.B.I. director Robert S. Mueller III, and the C.I.A. director John O. Brennan, to present their annual assessment of the threats facing the nation. It was the first time that Mr. Clapper listed cyberattacks first in his presentation to Congress, and the rare occasion since the Sept. 11, 2001, attacks that intelligence officials did not list international terrorism first in the catalog of dangers facing the United States.
“In some cases,” Mr. Clapper said in his testimony, “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.” He said it was unlikely that Russia and China would launch “devastating” cyberattacks against the United States in the near future, but he said foreign spy services had already hacked the computer networks of government agencies, businesses and private companies.
Two specific attacks Mr. Clapper listed, an August 2012 attack against the Saudi oil company Aramco and attacks on American banks and stock exchanges last year, are believed by American intelligence officials to have been the work of Iran.
General Alexander picked up on the same themes in his testimony, saying that he was adding 40 cyber teams, 13 focused on offense and 27 on training and surveillance. When pressed, he said that the best defense hinged on being able to monitor incoming traffic to the United States through private “Internet service providers,” which could alert the government, in the milliseconds that electronic messages move, about potentially dangerous attacks. Such surveillance is bound to raise more debate with privacy advocates, who fear government monitoring of the origin and the addressing data on most e-mail messages and other computer exchanges.
Traditional threats occupied much of Mr. Clapper’s testimony. American intelligence officials are giving new emphasis to the danger posed by North Korea’s nuclear weapons and missile programs, which are said for the first time to “pose a serious threat to the United States” as well as to its East Asian neighbors. North Korea, which recently made a series of belligerent statements after its third nuclear test, has displayed an intercontinental missile that can be moved by road and in December launched a satellite atop a Taepodong-2 launch vehicle, Mr. Clapper’s prepared statement noted.
“The rhetoric, while it is propaganda laced, is also an indicator of their attitude and perhaps their intent,” Mr. Clapper said during one exchange with a lawmaker, adding that he was concerned that North Korea “could initiate a provocative action against the South.”
In his discussion of terrorism, Mr. Clapper noted that while Al Qaeda’s core in Pakistan “is probably unable to carry out complex, large-scale attacks in the West,” spinoffs still posed a threat. Listed first is the affiliate in Yemen, Al Qaeda in the Arabian Peninsula, which Mr. Clapper said had retained its goal of attacks on United States soil, but he also noted militant groups in six other countries that still threaten local violence.
Mr. Clapper began his remarks by criticizing policy makers for the current budget impasse, saying that the budget cuts known as sequestration will force American spy agencies to make sharp reductions in classified programs and to furlough employees. The classified intelligence budget has ballooned over the past decade, and Mr. Clapper compared the current round of cuts to the period during the 1990s when the end of the cold war led to drastic reductions in the C.I.A.’s budget.
“Unlike more directly observable sequestration impacts, like shorter hours at public parks or longer security lines at airports, the degradation of intelligence will be insidious,” Mr. Clapper said. “It will be gradual and almost invisible unless and until, of course, we have an intelligence failure.”
The threat hearing is the only scheduled occasion each year when the spy chiefs present open testimony to Congress about the dangers facing the United States, and Mr. Clapper did not hide the fact that he is opposed to the annual ritual. President Obama devoted part of his State of the Union address to a pledge of greater transparency with the Congress and the American public, but Mr. Clapper, a 71-year-old retired Air Force general, made it clear that he saw few benefits of more public disclosure.
“An open hearing on intelligence matters is something of a contradiction in terms,” he said.
Scott Shane contributed reporting
bigdog (Power User, Posts: 1654)
China and the Cyber Great Game
« Reply #202 on: March 20, 2013, 01:39:05 PM »
http://nationalinterest.org/print/commentary/china-the-cyber-great-game-8241
From the article:
Although significant in its own right, the PLA’s apparent involvement in cyber espionage has broader implications. In particular, the allegations against Unit 61398 and other recent developments highlight the emerging great game in cyberspace across the Asia-Pacific—as well as the growing link between competition in cyberspace and traditional geopolitics.
The interconnected nature of the Internet has allowed cyber espionage to impose economic costs that are historically unique, creating enormous pressures for states and other organizations to respond. In the case of the United States, gauging the cost of cyber espionage to the economy is difficult. Although intelligence reviews point out that estimates range from $2 billion to $400 billion each year, NSA Director General Keith Alexander has said that cyber theft of economic information represents “the greatest transfer of wealth in human history.”
Moreover, these economic cybersecurity challenges originate disproportionately from the Asia-Pacific, the emerging global power center and increasing focal point of American security policy. A 2012 report by the Internet firm Akamai alleges that 51 percent of cybersecurity breaches worldwide originate in the Asia-Pacific, with one third of global totals originating from China.
bigdog (Power User, Posts: 1654)
A bill, and a conference
« Reply #203 on: March 25, 2013, 12:11:39 PM »
http://thehill.com/blogs/hillicon-valley/technology/290103-draft-cybersecurity-bill-aims-to-stiffen-computer-hacking-law
A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz.
The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked, according to a copy obtained by The Hill.
It would also change existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.
Such measures could spark concern among advocates outraged over the death of Swartz, the 26-year-old Internet activist and computer programmer who killed himself earlier this year while facing a possible 35-year prison term for hacking. Advocates have called on Congress to make changes to what they say is a draconian law that led to too harsh a prosecution of Swartz.
http://www.wilsoncenter.org/event/cyber-gridlock-why-the-public-should-care?utm_source=social&utm_medium=general&utm_campaign=social_media
"As Washington fiddles, the vulnerability of U.S. infrastructure, private and public devices and networks grows. The U.S. has no clear, coordinated and effective policy to mitigate the complex threat. The public has no idea how vulnerable they (sic) are (sic), and are (sic) left out of the debate." Time approx. 90 minutes
« Last Edit: March 25, 2013, 04:09:45 PM by Crafty_Dog »
G M (Power User, Posts: 10561)
Re: A bill, and a conference
« Reply #204 on: March 25, 2013, 06:58:26 PM »
I'm no fan of computer crime, but 35 years for what Aaron Swartz was supposed to have done was hardly justice in my mind.
Dog Robertlk808 (Power User, Posts: 511)
Survey Says! Employees deliberately ignore security rules
« Reply #205 on: March 26, 2013, 03:52:05 PM »
A recent survey from Lieberman Software reveals that more than 80% of IT security professionals believe that corporate employees deliberately ignore security rules issued by the IT department.
The survey, which looked at the attitudes of nearly 250 IT security professionals, also discovered that more than half of those who think that workers deliberately ignore IT security directives do not believe end-users would listen more even if these mandates were issued by executive management.
These findings are despite the fact that more IT security professionals and vendors are insisting that in order to improve IT security within organizations, strategic guidance must be issued from the board level.
Commenting on the research, Philip Lieberman, CEO of Lieberman Software, said: “These figures highlight the fact that most end-users are still not taking IT security seriously and are unnecessarily putting corporate data – and potentially customer information – at risk. And these behaviors are continuing even after it has been proven that human error is the leading cause of data breaches. Organizations need to implement better cyber security training that properly instructs staff about the consequences of data breaches.
“IT groups must also look beyond conventional security products and invest in technology like privileged identity management (PIM),” continued Lieberman. “PIM products ensure that powerful privileged accounts found throughout the enterprise in large organizations are available only to authorized IT personnel with limited-time, audited access. This ensures that end-users are not able to accidentally or maliciously change configuration settings, access systems with sensitive data, or perform other actions that are not required of their jobs.”
http://www.net-security.org/secworld.php?id=14650
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
Dog Robertlk808 (Power User, Posts: 511)
On Security Awareness Training
« Reply #206 on: March 26, 2013, 03:53:46 PM »
http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
On Security Awareness Training
The focus on training obscures the failures of security design
Mar 19, 2013 | 07:39 AM |
By Bruce Schneier
Dark Reading
Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design.
In order to understand my argument, it's useful to look at training's successes and failures. One area where it doesn't work very well is health. We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons. One basic reason is psychological: We just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now.
Similarly, computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.
Another reason health training works poorly is that it’s hard to link behaviors with benefits. We can train anyone -- even laboratory rats -- with a simple reward mechanism: Push the button, get a food pellet. But with health, the connection is more abstract. If you’re unhealthy, then what caused it? It might have been something you did or didn’t do years ago. It might have been one of the dozen things you have been doing and not doing for months. Or it might have been the genes you were born with. Computer security is a lot like this, too.
Training laypeople in pharmacology also isn't very effective. We expect people to make all sorts of medical decisions at the drugstore, and they're not very good at it. Turns out that it's hard to teach expertise. We can't expect every mother to have the knowledge of a doctor, pharmacist, or RN, and we certainly can't expect her to become an expert when most of the advice she's exposed to comes from manufacturers' advertising. In computer security, too, a lot of advice comes from companies with products and services to sell.
One area of health that is a training success is HIV prevention. HIV may be very complicated, but the rules for preventing it are pretty simple. And aside from certain sub-Saharan countries, we have taught people a new model of their health and have dramatically changed their behavior. This is important: Most lay medical expertise stems from folk models of health. Similarly, people have folk models of computer security (PDF). Maybe they're right, and maybe they're wrong, but they're how people organize their thinking. This points to a possible way that computer security training can succeed. We should stop trying to teach expertise, pick a few simple metaphors of security, and train people to make decisions using those metaphors.
On the other hand, we still have trouble teaching people to wash their hands -- even though it’s easy, fairly effective, and simple to explain. Notice the difference, though. The risks of catching HIV are huge, and the cause of the security failure is obvious. The risks of not washing your hands are low, and it’s not easy to tie the resultant disease to a particular not-washing decision. Computer security is more like hand washing than HIV.
Another area where training works is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test to be allowed to drive a car. One reason that works is because driving is a near-term, really cool, obtainable goal. Another reason is even though the technology of driving has changed dramatically over the past century, that complexity has been largely hidden behind a fairly static interface. You might have learned to drive 30 years ago, but that knowledge is still relevant today.
On the other hand, password advice from 10 years ago isn't relevant today (PDF). Can I bank from my browser? Are PDFs safe? Are untrusted networks OK? Is JavaScript good or bad? Are my photos more secure in the cloud or on my own hard drive? The “interface” we use to interact with computers and the Internet changes all the time, along with best practices for computer security. This makes training a lot harder.
Food safety is my final example. We have a bunch of simple rules -- cooking temperatures for meat, expiration dates on refrigerated goods, the three-second rule for food being dropped on the floor -- that are mostly right, but often ignored. If we can’t get people to follow these rules, then what hope do we have for computer security training?
To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behaviors to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.
Even if we could invent an effective computer security training program, there's one last problem. HIV prevention training works because affecting what the average person does is valuable. Even if only half of the population practices safe sex, those actions dramatically reduce the spread of HIV. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in. As long as we build systems that are vulnerable to the worst case, raising the average case won't make them more secure.
The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones. Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested. That's how we should be designing security interfaces. And we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.
If we security engineers do our job right, then users will get their awareness training informally and organically from their colleagues and friends. People will learn the correct folk models of security and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off. That makes a whole lot more sense.
Bruce Schneier is chief security technology officer at BT, and the author of several security books as well as the Schneier On Security blog. Special to Dark Reading
bigdog (Power User, Posts: 1654)
IBM and CISPA
« Reply #207 on: April 15, 2013, 12:05:14 PM »
IBM executives head to Washington to press lawmakers on cybersecurity bill
By Jennifer Martinez
04/15/13
http://thehill.com/blogs/hillicon-valley/technology/293715-ibm-launching-cispa-advocacy-tour
Nearly 200 senior IBM executives are flying into Washington to press for the passage of a controversial cybersecurity bill that will come up for a vote in the House this week.
The IBM executives will pound the pavement on Capitol Hill Monday and Tuesday, holding nearly 300 meetings with lawmakers and staff. Over the course of those two days, their mission is to convince lawmakers to back a bill that’s intended to make it easier for industry and government to share information about cyber threats with each other in real time.
“We’re going to put our shoe leather where our mouth is,” Chris Padilla, vice president of governmental affairs at IBM, told The Hill.
“The message we're going to give [lawmakers] is going to be a very simple, clear message: support the passage of CISPA,” he later added.
The Cyber Intelligence Sharing and Protection Act, or CISPA, by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), passed out of committee on an 18-2 vote last Wednesday and is expected to come to the floor for a vote as soon as mid-week.
While the bill enjoys strong backing from industry, privacy advocates warn the bill lacks sufficient protections for people’s information online. The White House issued a veto threat against the first iteration of CISPA last year, due in part to privacy concerns.
Despite the opposition, CISPA safely passed the House last year on a bipartisan vote—and IBM intends to make sure it does again this week.
The technology services company runs the information technology networks of major hospitals, banks and electric companies—key infrastructure that lawmakers and security officials warn are top targets for hostile actors to launch a cyberattack.
Big Blue is also the top recipient of U.S. patents and owns a trove of valuable intellectual property that would be enticing to probing hackers looking to siphon valuable proprietary information. A report published by computer security firm Mandiant this year concluded that an elite military unit of Chinese hackers has allegedly cracked into the computer systems of more than 100 U.S. companies and stolen intellectual property.
The company believes the best way to thwart a cyberattack is to encourage companies to share more data about malicious source code and other online threats with the government and their private-sector peers so they can take steps to address it, according to Padilla.
“It’s our experience that the most effective thing you can do when a cyberattack occurs is to share information quickly between government and industry and between industry actors in real time in order to find where the attack is coming from and to shut it down,” he said.
"The key really is when an attack happens—and they will happen—is detecting it, and shutting it down and preventing the loss of data as quickly as possible. That's a question of information and it's a question of speed," Padilla said. "And often, the government will have very timely and critical information that banks or telecommunications companies need to know that there is an attack. Other times, we detect it first and sharing [information] with the government could serve to warn others that there may be an attack."
But companies are currently hesitant to share information about cyber threats they spot on computer networks with the government because they fear it may put them at risk for being sued. CISPA would address that concern, Padilla said, by granting companies liability protection from lawsuits if they share threat information with the government, allowing firms to get the assistance and data they need faster.
If a cyberattack is launched against a key piece of infrastructure, “you don't want a bunch of lawyers sitting in a room arguing whether to tell the government,” he said. “You want there to be clear and established procedures. CISPA will help facilitate that.”
But the cyber information-sharing bill has rankled privacy advocates from Washington to Silicon Valley. One of their chief concerns with the bill is that it would allow companies to share threat information directly with the military, including the National Security Agency, without being required to take steps to remove personally identifiable information from that data. Privacy advocates warn that could lead to people's email and IP addresses, names, and other personal information being inadvertently passed on to the NSA without their knowledge.
The American Civil Liberties Union, Center for Democracy and Technology and Electronic Frontier Foundation argue that a civilian agency, namely the Homeland Security Department (DHS), should be the first recipient of cyber threat data from companies. DHS would then pass on that data with other government agencies and departments.
Privacy advocates argue that a civilian agency is subject to more oversight relative to the secretive spy agency.
Reps. Jan Schakowsky (D-Ill.) and Adam Schiff (D-Calif.) proposed a set of privacy-focused amendments during the markup of CISPA last week, which did not receive enough votes to be adopted into the bill. One of the amendments by Schakowsky would have ensured that DHS is the first recipient of threat data from companies and would relay that information to other agencies.
"I think if you're looking just to maximize efficiency and you don't care about anything else, then we should give the job to NSA. But we have a separation of civilian and military in this country when you're talking about domestic cyber information," Schiff said at a press conference after the House Intelligence panel's markup of CISPA. "If we wanted efficiency only, then we wouldn't have a Fourth Amendment."
CISPA would “shift the control of the cyber program from civilian hands to a secretive military agency," said Greg Nojeim, senior counsel for the Center for Democracy and Technology, last week. "It'll be very difficult for there to be any transparency or any accountability if that shift happens."
Padilla, however, says companies need to be able to share threat data directly with the NSA “because that’s where the expertise is.”
“It really is a simple matter. The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency,” he said. “They tend to know the most, the soonest about cyber threats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.”
He said that IBM is open to working with DHS and other civilian agencies on the company’s cybersecurity efforts, but it believes the NSA has the most expertise at this point.
“We don't have a bias. We just want to work with who's got the expertise,” Padilla said.
During their fly-in trip, the executives also plan to press lawmakers to pass comprehensive immigration reform, which would include measures aimed at raising the cap for H-1B visas for skilled workers and freeing up more green cards.
Dog Robertlk808 (Power User, Posts: 511)
US Creating Cybersecurity Working Groups With Japan and China
« Reply #208 on: April 16, 2013, 03:57:35 PM »
US Creating Cybersecurity Working Groups With Japan and China
(April 14 & 15, 2013)
US Secretary of State John Kerry says that the US is creating working groups with Japan and China to address cybersecurity related issues. Because "some of the most serious cyber threats to businesses emanate from" the Asia Pacific Region, it is important to have countries there be part of the solution to the problem.
http://www.computerworld.com/s/article/9238385/John_Kerry_Cyberdefense_a_major_part_of_Asian_security?taxonomyId=17
http://www.zdnet.com/cn/us-china-to-form-cybersecurity-working-group-7000013976/
[Editor's Note (Pescatore):
There are strong parallels between the US/USSR in the Cold War and "Mutually Assured Destruction" nuclear restraint strategies, and today's international cybersecurity issues. Having *both* diplomatic and military initiatives in the cyber area is important.
(Murray):
China wants to control the content. (If one is running a single-party state, Facebook is more than a mere inconvenience.) The US wants to defend its fragile infrastructure. That said, both have an interest in an orderly Internet. Before we turn the Internet into a battlefield, we should at least try diplomacy to find mutually agreed state behavior, short of "war," that serves both interests.]
Dog Robertlk808
Power User
Posts: 511
--EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism
«
Reply #209 on:
April 16, 2013, 04:00:13 PM »
--EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism
(April 15, 2013)
The Electronic Privacy and Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cyber crime and cyber terrorism. NIST is developing a cybersecurity platform as part of the president's executive order on cybersecurity, and asked for public comments on the development of that platform. In its comments, EPIC notes that "the overwhelming majority of cybersecurity incidents do not fall within the 'national security' designation."
http://www.gsnmagazine.com/node/28918?c=cyber_security
[Editor's Note (Pescatore):
First: the horrible attacks at the Boston Marathon once again point out the schlockiness of the term "cyberterrorism." After each bombs and blood actual terrorist attack, from Oklahoma City in 1995 through the terrorist attacks against the US in September 2011, someone says "The next terror attack will be cyber" - - no, it will not. With that out of the way, EPIC is dead on here. The cyber attack public relations focus shifted from cybercrime to China because that is a great way to go after funding and government budgets. The actual volume of attacks and likelihood of damage most companies face did *not* shift.
(Murray):
Well, EPIC is right to take the opportunity of the NIST RFC to raise the issue. However, the problem is not limited to NIST. Most of the attacks in the Internet are motivated by things other than terror (e.g., economics). Those that are intended to terrorize represent a "national security" threat only to the extent that we react to them as the terrorists hope. Government policy that treats them all as "war" is not efficient and, at least arguably, is not effective. It is essential that we distinguish between existential threat and the human condition.
(McBride):
This is a pivotal distinction that needs to be addressed. Having a set of predetermined criteria to judge between national security issues and non-national security issues would help the federal government provide appropriate support while maintaining civil liberties and conserving taxpayer resources. It would also encourage rather than discourage participation and innovation that comes from private sector cyber security firms. ]
Logged
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
Crafty_Dog
Administrator
Power User
Posts: 25367
POTH: China and US making noise about cooperating
«
Reply #210 on:
April 23, 2013, 12:49:46 PM »
http://www.nytimes.com/2013/04/23/world/asia/united-states-and-china-hold-military-talks-with-cybersecurity-a-focus.html?nl=todaysheadlines&emc=edit_th_20130423
Logged
Dog Robertlk808
Power User
Posts: 511
--Chinese General Says Cyber Attacks Are Like Nuclear Bombs
«
Reply #211 on:
April 26, 2013, 01:51:48 PM »
--Chinese General Says Cyber Attacks Are Like Nuclear Bombs
(April 22, 2013)
While rejecting claims that the Chinese military is behind cyberspying aimed at Western companies, the chief of staff of the People's Liberation Army likened cyber attacks to nuclear bombs, saying "If the security of the Internet cannot be guaranteed, then ... results may be as serious as a nuclear bomb."
http://online.wsj.com/article/SB10001424127887323551004578438842382520654.html
http://www.informationweek.com/security/attacks/cyber-strikes-like-nuclear-bombs-says-ch/240153442
[Editor's Note (Paller): Not so far fetched. When Gary Roughead was U.S. Chief of Naval Operations he told Tony Sager and Jim Lewis and me, "for the Navy, Cyber is more important now than nuclear." Sadly, the Navy's new leadership hasn't followed through on making the Navy a leader in cyberspace.]
Logged
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
Crafty_Dog
Administrator
Power User
Posts: 25367
POTH: US directly blames Chinese Military for cyber attacks.
«
Reply #212 on:
May 07, 2013, 07:50:29 AM »
U.S. Directly Blames China’s Military for Cyberattacks
By DAVID E. SANGER
Published: May 6, 2013
WASHINGTON — The Obama administration on Monday explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map “military capabilities that could be exploited during a crisis.”
While some recent estimates have more than 90 percent of cyberespionage in the United States originating in China, the accusations relayed in the Pentagon’s annual report to Congress on Chinese military capabilities were remarkable in their directness. Until now the administration avoided directly accusing both the Chinese government and the People’s Liberation Army of using cyberweapons against the United States in a deliberate, government-developed strategy to steal intellectual property and gain strategic advantage.
“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” the nearly 100-page report said.
The report, released Monday, described China’s primary goal as stealing industrial technology, but said many intrusions also seemed aimed at obtaining insights into American policy makers’ thinking. It warned that the same information-gathering could easily be used for “building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.”
It was unclear why the administration chose the Pentagon report to make assertions that it has long declined to make at the White House. A White House official declined to say at what level the report was cleared. A senior defense official said “this was a thoroughly coordinated report,” but did not elaborate.
On Tuesday, a spokeswoman for the Chinese Ministry of Foreign Affairs, Hua Chunying, criticized the report.
‘‘China has repeatedly said that we resolutely oppose all forms of hacker attacks,’’ she said. ‘‘We’re willing to carry out an even-tempered and constructive dialogue with the U.S. on the issue of Internet security. But we are firmly opposed to any groundless accusations and speculations, since they will only damage the cooperation efforts and atmosphere between the two sides to strengthen dialogue and cooperation.’’
Missing from the Pentagon report was any acknowledgment of the similar abilities being developed in the United States, where billions of dollars are spent each year on cyberdefense and constructing increasingly sophisticated cyberweapons. Recently the director of the National Security Agency, Gen. Keith Alexander, who is also commander of the military’s fast-growing Cyber Command, told Congress that he was creating more than a dozen offensive cyberunits, designed to mount attacks, when necessary, at foreign computer networks.
When the United States mounted its cyberattacks on Iran’s nuclear facilities early in President Obama’s first term, Mr. Obama expressed concern to aides that China and other states might use the American operations to justify their own intrusions.
But the Pentagon report describes something far more sophisticated: A China that has now leapt into the first ranks of offensive cybertechnologies. It is investing in electronic warfare capabilities in an effort to blind American satellites and other space assets, and hopes to use electronic and traditional weapons systems to gradually push the United States military presence into the mid-Pacific nearly 2,000 miles from China’s coast.
The report argues that China’s first aircraft carrier, the Liaoning, commissioned last September, is the first of several carriers the country plans to deploy over the next 15 years. It said the carrier would not reach “operational effectiveness” for three or four years, but is already set to operate in the East and South China Seas, the site of China’s territorial disputes with several neighbors, including Japan, Indonesia, the Philippines and Vietnam. The report notes a new carrier base under construction in Yuchi.
The report also detailed China’s progress in developing its stealth aircraft, first tested in January 2011.
===============
(Page 2 of 2)
Three months ago the Obama administration would not officially confirm reports in The New York Times, based in large part on a detailed study by the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai as the likely source of many of the biggest thefts of data from American companies and some government institutions.
Until Monday, the strongest critique of China came from Thomas E. Donilon, the president’s national security adviser, who said in a speech at the Asia Society in March that American companies were increasingly concerned about “cyberintrusions emanating from China on an unprecedented scale,” and that “the international community cannot tolerate such activity from any country.” He stopped short of blaming the Chinese government for the espionage.
But government officials said the overall issue of cyberintrusions would move to the center of the United States-China relationship, and it was raised on recent trips to Beijing by Treasury Secretary Jacob J. Lew and the chairman of the Joint Chiefs of Staff, Gen. Martin E. Dempsey.
To bolster its case, the report argues that cyberweapons have become integral to Chinese military strategy. It cites two major public works of military doctrine, “Science of Strategy” and “Science of Campaigns,” saying they identify “information warfare (I.W.) as integral to achieving information superiority and an effective means for countering a stronger foe.” But it notes that neither document “identifies the specific criteria for employing a computer network attack against an adversary,” though they “advocate developing capabilities to compete in this medium.”
It is a critique the Chinese could easily level at the United States, where the Pentagon has declined to describe the conditions under which it would use offensive cyberweapons. The Iran operation was considered a covert action, run by intelligence agencies, though many techniques used to manipulate Iran’s computer controllers would be common to a military program.
The Pentagon report also explicitly states that China’s investments in the United States aim to bolster its own military technology. “China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state-sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition.”
But the report does not address how the Obama administration should deal with that problem in an economically interconnected world where the United States encourages those investments, and its own in China, to create jobs and deepen the relationship between the world’s No. 1 and No. 2 economies. Some experts have argued that the threat from China has been exaggerated. They point out that the Chinese government — unlike, say, Iran or North Korea — has such deep investments in the United States that it cannot afford to mount a crippling cyberstrike on the country.
The report estimates that China’s defense budget is $135 billion to $215 billion, a large range attributable in part to the opaqueness of Chinese budgeting. While the figure is huge in Asia, the top estimate would still be less than a third of what the United States spends every year.
Some of the report’s most interesting elements examine the debate inside China over whether this is a moment for the country to bide its time, focusing on internal challenges, or to directly challenge the United States and other powers in the Pacific.
But it said that “proponents of a more active and assertive Chinese role on the world stage” — a group whose members it did not name — “have suggested that China would be better served by a firm stance in the face of U.S. or other regional pressure.”
Logged
bigdog
Power User
Posts: 1654
Assessing CISPA
«
Reply #213 on:
May 08, 2013, 07:10:43 AM »
http://www.lawfareblog.com/2013/05/cispa-an-assessment/
Logged
Dog Robertlk808
Power User
Posts: 511
US Government is the Largest Purchaser of Hacking Tools
«
Reply #214 on:
May 15, 2013, 05:34:21 PM »
(May 10 & 13, 2013)
According to a report from Reuters, the US government is the single largest buyer in the "gray market" of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, "If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users." Howard Schmidt, also a former White House cybersecurity advisor, said, "It's pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that's discovered it." And former NSA director Michael Hayden said that although "there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level."
Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws.
http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
http://www.zdnet.com/u-s-government-becomes-biggest-buyer-of-malware-7000015242/
[Editor's Note (Pescatore): Governments are the largest buyers of all offensive weapons and the US government (DoD/Intelligence plus national law enforcement) is usually the largest of the government buyers, so this is sort of a "drug companies are the biggest buyers of opiates" story.
(Assante): The main ramification of a thriving tools market is greater investment in vulnerability discovery and the development of more powerful tools to assemble and test exploits. 2006 is considered a turning point as the emerging underground tool market bred specialization and provided paths for money to cycle through the system. Monetization of hacking gains began to feed upstream tool developers and people willing to commit attacks became more reliant on tools that were purchased. Super buyers will certainly influence this market place, but they are only one category of participant - these markets are here to stay.]
Logged
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
ccp
Power User
Posts: 3102
Big Brother Big business and criminals worse than government
«
Reply #215 on:
May 18, 2013, 10:59:06 AM »
This is so true. Business spying is rampant. There is some outrage when there is government spying. There is some outrage over international sovereign spying. But not enough about business/criminal spying. It has to be rampant on Wall Street. It has to be rampant in Wash DC. I can tell you it is rampant in the entertainment industry. I am not sure what can be done about it. Most people don't see it, are not big victims of it yet, or don't know. So they don't care or don't believe it. That is part of the problem. Then what to do with the progressively advancing technology all the while more and more of everything is connected. Thirdly one would have to assume people who are enforcing it are honest and not corruptible. Good luck.
http://www.nbcnews.com/id/15519811/ns/business-cnbc_tv/t/cnbc-special-report-big-brother-big-business/
Logged
Crafty_Dog
Administrator
Power User
Posts: 25367
Chinese hackers resume attacks
«
Reply #216 on:
May 20, 2013, 10:27:12 PM »
http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?nl=todaysheadlines&emc=edit_th_20130520&_r=0
Logged
bigdog
Power User
Posts: 1654
Re: Chinese hackers resume attacks
«
Reply #217 on:
May 21, 2013, 06:15:27 AM »
Quote from: Crafty_Dog on May 20, 2013, 10:27:12 PM
http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?nl=todaysheadlines&emc=edit_th_20130520&_r=0
The most telling paragraph from the article:
The Obama administration had bet that “naming and shaming” the groups, first in industry reports and then in the Pentagon’s own detailed survey of Chinese military capabilities, might prompt China’s new leadership to crack down on the military’s highly organized team of hackers — or at least urge them to become more subtle.
From BD: It is unclear to me why a more subtle cyberattack from China is better.
Logged
Crafty_Dog
Administrator
Power User
Posts: 25367
Re: Cyberwar and American Freedom
«
Reply #218 on:
May 21, 2013, 06:49:43 AM »
Because then BO could pretend that nothing was happening and continue to do nothing.
Logged
bigdog
Power User
Posts: 1654
Re: Cyberwar and American Freedom
«
Reply #219 on:
May 21, 2013, 02:16:56 PM »
Perhaps I should have said "more effective." At any rate, the strategy doesn't make sense to me.
Logged
G M
Power User
Posts: 10561
Re: Cyberwar and American Freedom
«
Reply #220 on:
May 21, 2013, 02:23:12 PM »
Quote from: bigdog on May 21, 2013, 02:16:56 PM
Perhaps I should have said "more effective." At any rate, the strategy doesn't make sense to me.
What if we had a president who was raised on anti-Americanism and as a result didn't like this country at all...
Logged
DougMacG
Power User
Posts: 4454
Re: Cyberwar and American Freedom
«
Reply #221 on:
May 21, 2013, 06:06:42 PM »
It amazes me that the world's largest economy doesn't have leverage to influence hardly anyone on anything. Assuming the European Union has the same interest in this that we do, one might think that the EU and US combined would have economic leverage with China.
http://en.wikipedia.org/wiki/List_of_the_largest_trading_partners_of_China
So we shame them. Scary!
Since we are talking about warfare, blowing up the building might make an impact - just thinking aloud - or more realistically, shut down their internet until they understand our concern. We avoid bad choices by making the good ones work. Unless there is something effective happening behind the scenes, this is another case of our Commander in Chief not even voting present in his responsibilities.
If he went after enemies, terrorists and geopolitical rivals with the zest that he uses to attack the tea party, Rush Limbaugh and Fox News, they might think twice before messing with us.
Logged
Crafty_Dog
Administrator
Power User
Posts: 25367
Re: Cyberwar and American Freedom
«
Reply #222 on:
May 21, 2013, 06:18:16 PM »
BD:
Remember how Eisenhower backed up Britain, France, and Israel in 1956 from retaking the Suez Canal?
He threatened to sell the bonds of theirs which we held from WW2.
BO, committed to deficit spending, needs the Chinese to buy our debt. Currently, at negative real interest rates, we pay about $250-300B a year on interest on the national debt. If the Chinese dump our bonds and interest rates go up, our numbers get real dicey in a big hurry.
So he barks occasionally and does nothing.
In the meantime in a few years our interest payments to China will be paying for 100% of their military.
What could go wrong?
Logged
Dog Robertlk808
Power User
Posts: 511
How easy is it to shut off a country’s Internet?
«
Reply #223 on:
May 21, 2013, 09:58:12 PM »
Not picking fights or starting new arguments but a portion of a comment intrigued me.
BTW - I'm still reading the articles listed below.
Quote from: DougMacG on May 21, 2013, 06:06:42 PM
"...shut down their internet until they understand our concern."
How easy is it to shut off a country’s Internet?
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/01/how-easy-is-it-to-shut-off-a-countrys-internet/
Could It Happen In Your Country?
http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml
How did Syria cut off the entire country from the Internet?
http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/08/how-did-syria-cut-off-the-entire-country-from-the-internet/
Logged
"You see, it's not the blood you spill that gets you what you want, it's the blood you share. Your family, your friendships, your community, these are the most valuable things a man can have." Before Dishonor - Hatebreed
Crafty_Dog
Administrator
Power User
Posts: 25367
Re: Cyberwar and American Freedom
«
Reply #224 on:
May 21, 2013, 10:16:01 PM »
Your contributions here are appreciated Dog Robert.
Logged