Author Topic: Cyberwar, Cyber Crime, and American Freedom  (Read 180540 times)

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Re: Cyberwar, Cyber Crime, and American Freedom
« Reply #500 on: January 11, 2019, 06:44:02 PM »
That is not what I got out of BD's post at all GM.

Not only is the shutdown the Dems' fault and not the Bad Orange Man's, but I see no reason not to take it at face value -- that the 25% shutdown is having a cost on our cybersecurity capabilities while it lasts, plus some additional points.



Crafty_Dog

GPF: Looks like Chinese hit Australia
« Reply #503 on: February 18, 2019, 11:00:09 AM »


Australia under cyber fire. In an address to the Australian Parliament today, Prime Minister Scott Morrison revealed that authorities believed that a Feb. 7 cyberattack, which breached the computer networks of Australia’s Parliament and major political parties, was carried out by a “sophisticated state actor.” The prime minister did not point directly to a specific state, but Australian media has made it clear that the government believes that China is the culprit. Morrison insisted that the attack had not compromised the integrity of Australia’s electoral system in advance of upcoming federal elections. This episode is the latest sign that relations between Australia and China are souring.

Crafty_Dog

Cyber Vulnerability of the Energy Grid
« Reply #504 on: March 04, 2019, 09:30:35 AM »
Pasting here from the Homeland thread:

https://chicagoboyz.net/archives/59310.html

Crafty_Dog

Bruce Schneier CryptoGram
« Reply #505 on: March 04, 2019, 10:12:42 AM »
New Book Announcement: Click Here to Kill Everybody

[2018.09.04] I am pleased to announce the publication of my latest book: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. In it, I examine how our new immersive world of physically capable computers affects our security.
I argue that this changes everything about security. Attacks are no longer just about data, they now affect life and property: cars, medical devices, thermostats, power plants, drones, and so on. All of our security assumptions assume that computers are fundamentally benign. That, no matter how bad the breach or vulnerability is, it's just data. That's simply not true anymore. As automation, autonomy, and physical agency become more prevalent, the trade-offs we made for things like authentication, patching, and supply chain security no longer make any sense. The things we've done before will no longer work in the future.
This is a book about technology, and it's also a book about policy. The regulation-free Internet that we've enjoyed for the past decades will not survive this new, more dangerous, world. I fear that our choice is no longer between government regulation and no government regulation; it's between smart government regulation and stupid regulation. My aim is to discuss what a regulated Internet might look like before one is thrust upon us after a disaster.

Click Here to Kill Everybody is available starting today. You can order a copy from Amazon, Barnes & Noble, Books-a-Million, Norton's webpage, or anyplace else books are sold. If you're going to buy it, please do so this week. First-week sales matter in this business.

Reviews so far from the Financial Times, Nature, and Kirkus.
** *** ***** ******* *********** *************
Speculation Attack Against Intel's SGX
[2018.08.16] Another speculative-execution attack against Intel's SGX.

At a high level, SGX is a new feature in modern Intel CPUs which allows computers to protect users' data even if the entire system falls under the attacker's control. While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine's private attestation key. Making things worse, due to SGX's privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.

News article.

The details of the Foreshadow attack are a little more complicated than those of Meltdown. In Meltdown, the attempt to perform an illegal read of kernel memory triggers the page fault mechanism (by which the processor and operating system cooperate to determine which bit of physical memory a memory access corresponds to, or they crash the program if there's no such mapping). Attempts to read SGX data from outside an enclave receive special handling by the processor: reads always return a specific value (-1), and writes are ignored completely. The special handling is called "abort page semantics" and should be enough to prevent speculative reads from being able to learn anything.

However, the Foreshadow researchers found a way to bypass the abort page semantics. The data structures used to control the mapping of virtual-memory addresses to physical addresses include a flag to say whether a piece of memory is present (loaded into RAM somewhere) or not. If memory is marked as not being present at all, the processor stops performing any further permissions checks and immediately triggers the page fault mechanism: this means that the abort page mechanics aren't used. It turns out that applications can mark memory, including enclave memory, as not being present by removing all permissions (read, write, execute) from that memory.

EDITED TO ADD: Intel has responded:

L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today. We've provided more information on our web site and continue to encourage everyone to keep their systems up-to-date, as it's one of the best ways to stay protected.

I think this is the "more information" they're referring to, although this is a comprehensive link to everything the company is saying about the vulnerability.
** *** ***** ******* *********** *************
New Ways to Track Internet Browsing

[2018.08.17] Interesting research on web tracking: "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies":

Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser.

In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
The researchers discovered many new tracking techniques that work despite all existing anonymous browsing tools. These have not yet been seen in the wild, but that will change soon.

Three news articles. Boing Boing post.

** *** ***** ******* *********** *************
James Mickens on the Current State of Computer Security

[2018.08.20] James Mickens gave an excellent keynote at the USENIX Security Conference last week, talking about the social aspects of security -- racism, sexism, etc. -- and the problems with machine learning and the Internet.

Worth watching.
** *** ***** ******* *********** *************
"Two Stage" BMW Theft Attempt

[2018.08.21] Modern cars have alarm systems that automatically connect to a remote call center. This makes cars harder to steal, since tripping the alarm causes a quick response. This article describes a theft attempt that tried to neutralize that security system. In the first attack, the thieves just disabled the alarm system and then left. If the owner had not immediately repaired the car, the thieves would have returned the next night and -- no longer working under time pressure -- stolen the car.
** *** ***** ******* *********** *************

Good Primer on Two-Factor Authentication Security

[2018.08.22] Stuart Schechter published a good primer on the security issues surrounding two-factor authentication.
While it's often an important security measure, it's not a panacea. Stuart discusses the usability and security issues that you have to think about before deploying the system.

** *** ***** ******* *********** *************

John Mueller and Mark Stewart on the Risks of Terrorism
[2018.08.23] Another excellent paper by the Mueller/Stewart team: "Terrorism and Bathtubs: Comparing and Assessing the Risks":

Abstract: The likelihood that anyone outside a war zone will be killed by an Islamist extremist terrorist is extremely small. In the United States, for example, some six people have perished each year since 9/11 at the hands of such terrorists -- vastly smaller than the number of people who die in bathtub drownings. Some argue, however, that the incidence of terrorist destruction is low because counterterrorism measures are so effective. They also contend that terrorism may well become more frequent and destructive in the future as terrorists plot and plan and learn from experience, and that terrorism, unlike bathtubs, provides no benefit and exacts costs far beyond those in the event itself by damagingly sowing fear and anxiety and by requiring policy makers to adopt countermeasures that are costly and excessive. This paper finds these arguments to be wanting. In the process, it concludes that terrorism is rare outside war zones because, to a substantial degree, terrorists don't exist there. In general, as with rare diseases that kill few, it makes more policy sense to expend limited funds on hazards that inflict far more damage. It also discusses the issue of risk communication for this hazard.
** *** ***** ******* *********** *************
Future Cyberwar

[2018.08.27] A report for the Center for Strategic and International Studies looks at surprise and war. One of the report's cyberwar scenarios is particularly compelling. It doesn't just map cyber onto today's tactics, but completely reimagines future tactics that include a cyber component (quote starts on page 110).

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese "Assassin's Mace" -- a silver bullet super-weapon capable of disabling key parts of the American military -- turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet's homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls' cries heart-wrenching, the cheers of Marines sickening. And all of it fake. The National Security Agency's initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine's account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron's Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth.

Soldiers at Fort Sill were at each other's throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag #PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration's "zero tolerance" policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared "an operational pause," directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

I found this excerpt here. The author is Mark Cancian.

** *** ***** ******* *********** *************
NotPetya
[2018.08.28] Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk.

Boing Boing post.

** *** ***** ******* *********** *************
CIA Network Exposed through Insecure Communications System

[2018.08.29] Interesting story of a CIA intelligence network in China that was exposed partly because of a computer security failure:

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected -- and there would be no way to trace the communication back to the CIA. But the CIA's interim system contained a technical error: It connected back architecturally to the CIA's main covert communications platform. When the compromise was suspected, the FBI and NSA both ran "penetration tests" to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

In the words of one of the former officials, the CIA had "[f*cked] up the firewall" between the two systems.

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official -- links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA's own website, according to the former official.

People died because of that mistake.

The moral -- which is to go back to pre-computer systems in these high-risk sophisticated-adversary circumstances -- is the right one, I think.
** *** ***** ******* *********** *************

Cheating in Bird Racing

[2018.08.30] I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race:

The essence of the plan involved training the pigeons to believe they had two homes. The birds had been secretly raised not just in Shanghai but also in Shangqiu.

When the race was held in the spring of last year, the Shanghai Pigeon Association took all the entrants from Shanghai to Shangqiu and released them. Most of the pigeons started flying back to Shanghai.

But the four specially raised pigeons flew instead to their second home in Shangqiu. According to the court, the two men caught the birds there and then carried them on a bullet train back to Shanghai, concealed in milk cartons. (China prohibits live animals on bullet trains.)

When the men arrived in Shanghai, they released the pigeons, which quickly fluttered to their Shanghai loft, seemingly winning the race.
** *** ***** ******* *********** *************
Eavesdropping on Computer Screens through the Webcam Mic

[2018.08.31] Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen.
** *** ***** ******* *********** *************
Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords

[2018.09.05] It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks":

Abstract: We report the first active acoustic side-channel attack. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a smart phone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim's finger movements can be inferred to steal Android phone unlock patterns. In our empirical study, the number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 Android phone can be reduced by up to 70% using this novel acoustic side-channel. Our approach can be easily applied to other application scenarios and device types. Overall, our work highlights a new family of security threats.

News article.

** *** ***** ******* *********** *************
Five-Eyes Intelligence Services Choose Surveillance Over Security

[2018.09.06] The Five Eyes -- the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for security and privacy.

...the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

To put it bluntly, this is reckless and shortsighted. I've repeatedly written about why this can't be done technically, and why trying results in insecurity. But there's a greater principle at first: we need to decide, as nations and as society, to put defense first. We need a "defense dominant" strategy for securing the Internet and everything attached to it.

This is important. Our national security depends on the security of our technologies. Demanding that technology companies add backdoors to computers and communications systems puts us all at risk. We need to understand that these systems are too critical to our society and -- now that they can affect the world in a direct physical manner -- affect our lives and property as well.

This is what I just wrote, in Click Here to Kill Everybody:

There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We've got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.

We need to have this debate at the level of national security. Putting spy agencies in charge of this trade-off is wrong, and will result in bad decisions.

Cory Doctorow has a good reaction.
Slashdot post.
** *** ***** ******* *********** *************
Reddit AMA

[2018.09.07] I did a Reddit AMA on Thursday, September 6.
** *** ***** ******* *********** *************
Using Hacked IoT Devices to Disrupt the Power Grid

[2018.09.11] This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid":
Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid. We study five variations of the MadIoT attacks and evaluate their effectiveness via state-of-the-art simulators on real-world power grid models. These simulation results demonstrate that the MadIoT attacks can result in local power outages and in the worst cases, large-scale blackouts.

Moreover, we show that these attacks can rather be used to increase the operating cost of the grid to benefit a few utilities in the electricity market. This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities.

I have been collecting examples of surprising vulnerabilities that result when we connect things to each other. This is a good example of that.

Wired article.
** *** ***** ******* *********** *************
Security Vulnerability in Smart Electric Outlets

[2018.09.12] A security vulnerability in Belkin's Wemo Insight "smartplugs" allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.

From the Register:

The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.
Even when security measures are added to the devices, the third-party hardware used to make the appliances "smart" can itself contain security flaws or bad configurations that leave the device vulnerable.

"IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation," the McAfee researchers wrote.

"However, these devices run operating systems and require just as much protection as desktop computers."

I'll bet you anything that the plug cannot be patched, and that the vulnerability will remain until people throw them away.
Boing Boing post. McAfee's original security bulletin.
** *** ***** ******* *********** *************
Security Risks of Government Hacking

[2018.09.13] Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include:

•   Disincentive for vulnerability disclosure
•   Cultivation of a market for surveillance tools
•   Attackers co-opt hacking tools over which governments have lost control
•   Attackers learn of vulnerabilities through government use of malware
•   Government incentives to push for less-secure software and standards
•   Government malware affects innocent users.

These risks are real, but I think they're much less than mandating backdoors for everyone. From the report's conclusion:
Government hacking is often lauded as a solution to the "going dark" problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched.

The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that's a big ask, but the alternatives are worse.

This is the canonical lawful hacking paper.
** *** ***** ******* *********** *************
Quantum Computing and Cryptography
[2018.09.14] Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length.

This is why cryptographers are hard at work designing and analyzing "quantum-resistant" public-key algorithms. Currently, quantum computing is too nascent for cryptographers to be sure of what is secure and what isn't. But even assuming aliens have developed the technology to its full potential, quantum computing doesn't spell the end of the world for cryptography.

Symmetric cryptography is easy to make quantum-resistant, and we're working on quantum-resistant public-key algorithms. If public-key cryptography ends up being a temporary anomaly based on our mathematical knowledge and computational ability, we'll still survive. And if some inconceivable alien technology can break all of cryptography, we still can have secrecy based on information theory -- albeit with significant loss of capability.

At its core, cryptography relies on the mathematical quirk that some things are easier to do than to undo. Just as it's easier to smash a plate than to glue all the pieces back together, it's much easier to multiply two prime numbers together to obtain one large number than it is to factor that large number back into two prime numbers. Asymmetries of this kind -- one-way functions and trap-door one-way functions -- underlie all of cryptography.

To encrypt a message, we combine it with a key to form ciphertext. Without the key, reversing the process is more difficult. Not just a little more difficult, but astronomically more difficult. Modern encryption algorithms are so fast that they can secure your entire hard drive without any noticeable slowdown, but that encryption can't be broken before the heat death of the universe.
With symmetric cryptography -- the kind used to encrypt messages, files, and drives -- that imbalance is exponential, and is amplified as the keys get larger. Adding one bit of key increases the complexity of encryption by less than a percent (I'm hand-waving here) but doubles the cost to break. So a 256-bit key might seem only twice as complex as a 128-bit key, but (with our current knowledge of mathematics) it's 340,282,366,920,938,463,463,374,607,431,768,211,456 times harder to break.

Public-key encryption (used primarily for key exchange) and digital signatures are more complicated. Because they rely on hard mathematical problems like factoring, there are more potential tricks to reverse them. So you'll see key lengths of 2,048 bits for RSA, and 384 bits for algorithms based on elliptic curves. Here again, though, the costs to reverse the algorithms with these key lengths are beyond the current reach of humankind.

This one-wayness is based on our mathematical knowledge. When you hear about a cryptographer "breaking" an algorithm, what happened is that they've found a new trick that makes reversing easier. Cryptographers discover new tricks all the time, which is why we tend to use key lengths that are longer than strictly necessary. This is true for both symmetric and public-key algorithms; we're trying to future-proof them.

Quantum computers promise to upend a lot of this. Because of the way they work, they excel at the sorts of computations necessary to reverse these one-way functions. For symmetric cryptography, this isn't too bad. Grover's algorithm shows that a quantum computer speeds up these attacks to effectively halve the key length. This would mean that a 256-bit key is as strong against a quantum computer as a 128-bit key is against a conventional computer; both are secure for the foreseeable future.

For public-key cryptography, the results are more dire. Shor's algorithm can easily break all of the commonly used public-key algorithms based on both factoring and the discrete logarithm problem. Doubling the key length increases the difficulty to break by a factor of eight. That's not enough of a sustainable edge.

There are a lot of caveats to those two paragraphs, the biggest of which is that quantum computers capable of doing anything like this don't currently exist, and no one knows when -- or even if -- we'll be able to build one. We also don't know what sorts of practical difficulties will arise when we try to implement Grover's or Shor's algorithms for anything but toy key sizes. (Error correction on a quantum computer could easily be an unsurmountable problem.) On the other hand, we don't know what other techniques will be discovered once people start working with actual quantum computers. My bet is that we will overcome the engineering challenges, and that there will be many advances and new techniques -- but they're going to take time to discover and invent. Just as it took decades for us to get supercomputers in our pockets, it will take decades to work through all the engineering problems necessary to build large-enough quantum computers.

In the short term, cryptographers are putting considerable effort into designing and analyzing quantum-resistant algorithms, and those are likely to remain secure for decades. This is a necessarily slow process, as both good cryptanalysis and transitioning standards take time. Luckily, we have time. Practical quantum computing seems to always remain "ten years in the future," which means no one has any idea.

After that, though, there is always the possibility that those algorithms will fall to aliens with better quantum techniques. I am less worried about symmetric cryptography, where Grover's algorithm is basically an upper limit on quantum improvements, than I am about public-key algorithms based on number theory, which feel more fragile. It's possible that quantum computers will someday break all of them, even those that today are quantum resistant.

If that happens, we will face a world without strong public-key cryptography. That would be a huge blow to security and would break a lot of stuff we currently do, but we could adapt. In the 1980s, Kerberos was an all-symmetric authentication and encryption system. More recently, the GSM cellular standard does both authentication and key distribution -- at scale -- with only symmetric cryptography. Yes, those systems have centralized points of trust and failure, but it's possible to design other systems that use both secret splitting and secret sharing to minimize that risk. (Imagine that a pair of communicants get a piece of their session key from each of five different key servers.) The ubiquity of communications also makes things easier today. We can use out-of-band protocols where, for example, your phone helps you create a key for your computer. We can use in-person registration for added security, maybe at the store where you buy your smartphone or initialize your Internet service. Advances in hardware may also help to secure keys in this world. I'm not trying to design anything here, only to point out that there are many design possibilities. We know that cryptography is all about trust, and we have a lot more techniques to manage trust than we did in the early years of the Internet. Some important properties like forward secrecy will be blunted and far more complex, but as long as symmetric cryptography still works, we'll still have security.

It's a weird future. Maybe the whole idea of number theory-based encryption, which is what our modern public-key systems are, is a temporary detour based on our incomplete model of computing. Now that our model has expanded to include quantum computing, we might end up back to where we were in the late 1970s and early 1980s: symmetric cryptography, code-based cryptography, Merkle hash signatures. That would be both amusing and ironic.

Yes, I know that quantum key distribution is a potential replacement for public-key cryptography. But come on -- does anyone expect a system that requires specialized communications hardware and cables to be useful for anything but niche applications? The future is mobile, always-on, embedded computing devices. Any security for those will necessarily be software only.

There's one more future scenario to consider, one that doesn't require a quantum computer. While there are several mathematical theories that underpin the one-wayness we use in cryptography, proving the validity of those theories is in fact one of the great open problems in computer science. Just as it is possible for a smart cryptographer to find a new trick that makes it easier to break a particular algorithm, we might imagine aliens with sufficient mathematical theory to break all encryption algorithms. To us, today, this is ridiculous. Public-key cryptography is all number theory, and potentially vulnerable to more mathematically inclined aliens. Symmetric cryptography is so much nonlinear muddle, so easy to make more complex, and so easy to increase key length, that this future is unimaginable. Consider an AES variant with a 512-bit block and key size, and 128 rounds. Unless mathematics is fundamentally different than our current understanding, that'll be secure until computers are made of something other than matter and occupy something other than space.

But if the unimaginable happens, that would leave us with cryptography based solely on information theory: one-time pads and their variants. This would be a huge blow to security. One-time pads might be theoretically secure, but in practical terms they are unusable for anything other than specialized niche applications. Today, only crackpots try to build general-use systems based on one-time pads -- and cryptographers laugh at them, because they replace algorithm design problems (easy) with key management and physical security problems (much, much harder). In our alien-ridden science-fiction future, we might have nothing else.

Against these godlike aliens, cryptography will be the only technology we can be sure of. Our nukes might refuse to detonate and our fighter jets might fall out of the sky, but we will still be able to communicate securely using one-time pads. There's an optimism in that.

This essay originally appeared in IEEE Security and Privacy.
** *** ***** ******* *********** *************
Click Here to Kill Everybody Reviews and Press Mentions

[2018.09.14] It's impossible to know all the details, but my latest book seems to be selling well. Initial reviews have been really positive: Boing Boing, Financial Times, Harris Online, Kirkus Reviews, Nature, Politico, and Virus Bulletin.
I've also done a bunch of interviews -- either written or radio/podcast -- including the Washington Post, a Reddit AMA, "The 1A" on NPR, Security Ledger, MIT Technology Review, and WNYC Radio.

There have been others -- like the Lawfare, Cyberlaw, and Hidden Forces podcasts -- but they haven't been published yet. I also did a book talk at Google that should appear on YouTube soon.

If you've bought and read the book, thank you. Please consider leaving a review on Amazon.
** *** ***** ******* *********** *************
Upcoming Speaking Engagements
[2018.08.31] This is a current list of where and when I am scheduled to speak:
•   I'm giving a book talk at Fordham Law School in New York City on September 17, 2018.
•   I'm giving an InfoGuard Talk in Zug, Switzerland on September 19, 2018.
•   I'm speaking at the IBM Security Summit in Stockholm on September 20, 2018.
•   I'm giving a book talk at Harvard Law School's Wasserstein Hall on September 25, 2018.
•   I'm giving a talk on "Securing a World of Physically Capable Computers" at the University of Rochester in Rochester, New York on October 5, 2018.
•   I'm keynoting at SpiceWorld in Austin, Texas on October 9, 2018.
•   I'm speaking at Cyber Security Nordic in Helsinki on October 10, 2018.
•   I'm speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018.
•   I'm speaking at ISF's 29th Annual World Congress in Las Vegas, Nevada on October 30, 2018.
•   I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018.
•   I'm speaking at The Digital Society Conference 2018: Empowering Ecosystems on December 11, 2018.
•   I'm speaking at the Hyperledger Forum in Basel, Switzerland on December 13, 2018.
The list is maintained on this page.
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.
You can also read these articles on my blog, Schneier on Security.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 14 books -- including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the CTO of IBM Resilient.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM, IBM Security, or IBM Resilient.
Copyright © 2018 by Bruce Schneier.
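The "piece of their session key from each of five different key servers" idea in the essay above, as an added example that is not part of the original post or Schneier's own code. It shows n-of-n XOR secret splitting only (no threshold secret sharing); the `KeyServer` class, the user names, and the HMAC-SHA256 wrap standing in for a real authenticated cipher are all assumptions made for illustration.

```python
"""Session key assembled from pieces issued by five symmetric-only key servers."""
import hashlib
import hmac
import secrets
from functools import reduce

KEY_LEN = 32  # 256-bit keys, the size the essay treats as safe even against Grover


def _prf(key, label, data):
    """HMAC-SHA256 used as a keyed pseudorandom function."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(pieces):
    """XOR a list of equal-length byte strings together."""
    return reduce(_xor, pieces)


def wrap(long_term_key, piece):
    """Encrypt-then-MAC one 32-byte piece (assumed stand-in for a real AEAD)."""
    if len(piece) != KEY_LEN:
        raise ValueError("one PRF block of keystream covers exactly 32 bytes")
    nonce = secrets.token_bytes(16)
    ct = _xor(piece, _prf(long_term_key, b"enc", nonce))
    tag = _prf(long_term_key, b"mac", nonce + ct)
    return nonce, ct, tag


def unwrap(long_term_key, wrapped):
    """Verify the tag in constant time, then decrypt; reject tampered pieces."""
    nonce, ct, tag = wrapped
    if not hmac.compare_digest(tag, _prf(long_term_key, b"mac", nonce + ct)):
        raise ValueError("piece failed authentication")
    return _xor(ct, _prf(long_term_key, b"enc", nonce))


class KeyServer:
    """Hypothetical key server: one long-term symmetric key per registered user."""

    def __init__(self, name):
        self.name = name
        self.user_keys = {}
        self.last_piece = None  # what an attacker learns by compromising this server

    def register(self, user):
        """Models in-person or out-of-band enrolment; the user stores the result."""
        self.user_keys[user] = secrets.token_bytes(KEY_LEN)
        return self.user_keys[user]

    def issue_piece(self, user_a, user_b):
        """Pick a fresh random piece and wrap it separately for each communicant."""
        self.last_piece = secrets.token_bytes(KEY_LEN)
        return {u: wrap(self.user_keys[u], self.last_piece) for u in (user_a, user_b)}


def combine(user_keys, wrapped_pieces):
    """User side: unwrap every server's piece and XOR them into the session key."""
    return xor_all([unwrap(k, w) for k, w in zip(user_keys, wrapped_pieces)])


def run_demo(n_servers=5):
    servers = [KeyServer("ks%d" % i) for i in range(n_servers)]
    alice_keys = [s.register("alice") for s in servers]
    bob_keys = [s.register("bob") for s in servers]
    issued = [s.issue_piece("alice", "bob") for s in servers]
    return {
        "alice": combine(alice_keys, [w["alice"] for w in issued]),
        "bob": combine(bob_keys, [w["bob"] for w in issued]),
        # Everything servers 1..n-1 know if they all collude against the users.
        "colluders_view": xor_all([s.last_piece for s in servers[1:]]),
        # The one piece they lack: a uniformly random 32-byte value.
        "honest_piece": servers[0].last_piece,
    }


if __name__ == "__main__":
    result = run_demo()
    print("keys agree:", result["alice"] == result["bob"])
    print("four colluding servers hold the key:",
          result["colluders_view"] == result["alice"])
```

Because the session key equals the colluders' combined view XORed with the one honest server's random piece, the colluders face a one-time pad: every 256-bit key remains equally likely to them.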

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Stratfor: 10/5/18 A new more aggro strategy
« Reply #506 on: March 04, 2019, 10:44:24 AM »
Third post of the day

A New, More Aggressive U.S. Cybersecurity Policy Complements Traditional Methods
U.S. President Donald Trump speaks during a Jan. 31, 2017, White House meeting with cybersecurity experts.
(CHIP SOMODEVILLA/Getty Images)

Highlights

    Recent moves by the Trump administration appear to loosen previous restrictions on U.S. offensive cyber operations.
    A more offensive policy will complement, not replace, the traditional U.S. methods of maintaining cybersecurity: regulation, cooperation with the private sector and the legal process.
    A best-case scenario for a U.S. cyberattack would be disabling computer systems and networks being used against U.S. interests to prevent an attack from happening or to disrupt an attack that is in progress.
    Perhaps the main challenge to U.S. engagement in tit-for-tat cyberattacks is that the United States is by far the biggest target for such attacks.

Editor's Note: This security-focused assessment is one of many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.

The administration of U.S. President Donald Trump released its National Cyber Strategy on Sept. 20, which most notably indicated a greater willingness than before to conduct offensive cyber operations against adversaries. Discussing the strategy, national security adviser John Bolton hinted that the administration had already taken steps to bolster offensive efforts in recent weeks, warning that the United States is no longer just playing defense when it comes to cybersecurity. But despite the Trump administration's more hawkish tone regarding cybersecurity, it will continue mainly to rely on traditional measures such as the legal process, regulations and cooperation with the private sector when it comes to cybersecurity.

A More Aggressive Policy

In introducing the new National Cyber Strategy, Bolton also confirmed a Wall Street Journal article from August which reported that Trump had rescinded former U.S. President Barack Obama's guidance on conducting cyber activities, replacing it with a policy that gives more authority to the U.S. Cyber Command. Former National Security Agency contractor Edward Snowden leaked the previous guidance, Presidential Policy Directive 20 of October 2012. He sought to expose how the U.S. government was considering offensive cyber operations, defined as those that could cause physical harm or major property damage. The old guidance made clear that such drastic measures should be taken only as a last resort and with the express permission of the president. Presidential Policy Directive 20 also emphasized that cyber operations should follow the interagency process in order to coordinate the response and ensure a "whole-of-government" approach.

While we do know that Trump issued National Security Presidential Memorandum 13 (ostensibly covering cybersecurity policy) around the same time that he rescinded Presidential Policy Directive 20, likely laying out the new policy, the contents of the new memo remain classified. But though a side-by-side comparison of the two policies is not possible, Bolton's statements regarding the new policy clearly suggest it takes a more aggressive approach.

Little precedent exists for assessing offensive U.S. cyber capabilities. The Stuxnet attack on Iran's nuclear program is one of the few true offensive cyberattacks attributed to the United States available for analysis due to a mistake in its execution. Stuxnet was designed to look like an internal technical failure instead of a cyberattack, and was discovered only because it spread more rapidly than intended.

Clandestine, discreet attacks are certainly already key elements of U.S. cyber tactics. There have likely been more examples of U.S.-launched attacks that have not come to light, perhaps because they were never recognized as cyberattacks. While the less known about U.S. cyber capabilities, the more effective they will be when deployed, this by definition limits the deterrence value of U.S. cyber capabilities.

Traditional Approaches Likely to Remain Dominant

Despite Bolton's implication that offensive operations will form a greater share of the U.S. cybersecurity mix, regulation, cooperation with the private sector and the legal process will still account for the bulk of the mix. For example, regulatory bodies like the U.S. Securities and Exchange Commission can punish (or threaten to punish) firms that do not implement best cybersecurity practices and therefore leave themselves vulnerable to external attack. Government cooperation with the private sector, meanwhile, was on display in recent cases like the September indictment of North Korean cyber operatives, which displayed heavy FBI reliance on private security firms such as Mandiant and Alphabet to collect technical evidence and carry out investigations. Finally, prosecution through the traditional legal process will remain the preferred response to cyberattacks in the United States. Of course, this approach will continue to work better on the domestic front, where U.S. law enforcement agencies have the advantage of jurisdiction.

But when it comes to punishing foreign cyber intrusions, the three tools listed above are much weaker. Certainly, federal law enforcement agencies can continue to indict individuals and groups associated with foreign cyberthreats, but the chances they will ever see a U.S. courtroom are slim.

Indictments against foreign government officials for cyberattacks go back to 2014 when the Department of Justice accused the People's Liberation Army Unit 61398 of engaging in cyberattacks against the United States. Dozens of other investigations have uncovered efforts by foreign governments to gain access to critical U.S. networks. So far in 2018 alone, major indictments have been made against North Koreans, Iranians and 13 Russian individuals directly involved in the campaign to disrupt the 2016 U.S. presidential election. While such investigations are helpful for naming and shaming foreign cyberthreats, they rarely stop them. And this is where the appeal of offensive cyber operations comes into play.

Obstacles to Offensive Cyber Operations

The limitations on the traditional U.S. methods of maintaining cybersecurity can increase the appeal of more aggressive cyber operations to those in charge of U.S. national security. The individuals and groups targeted with U.S. indictments for cyberattacks are primary candidates for the administration's more aggressive cyber policies. Judging by the details available in the latest criminal complaint against North Korean hackers, for example, U.S. investigators were able to piece together a very detailed picture of the networks that targeted Sony Pictures and Bangladesh Bank.

Whereas the U.S. government used that intelligence to name and shame in an indictment, a more offensive-minded administration could use the same intelligence to infiltrate the hostile network and sabotage the group's work. Any such operations would be quiet, and attempts would be made to hide the origin of the attack. A U.S. response on a par with Iranian or North Korean cyber operations is unlikely, if for no other reason than that so public a response would reduce the effectiveness of similar future U.S. attacks.

As Erica Borghard and Shawn Lonergan point out in an article published last month by the Council on Foreign Relations, an offensive U.S. response would not necessarily be immediate. Offensive cyber actions represent carefully cultivated operations involving intensive and tedious intelligence work that requires gaining access to foreign devices and servers, monitoring activity and assessing vulnerabilities to exploit. Sometimes, the tailor-made exploit can be used only once because, to use the Stuxnet example, once the vulnerability has been identified, software developers around the world develop patches that render the weapon useless for future attacks against all but the most vulnerable devices.

Borghard and Lonergan also point out that cyber responses are limited in their destructive power. A best-case scenario for a cyberattack would be disabling computer systems and networks being used against U.S. interests to prevent an attack from happening, or to disrupt an attack that is underway. While this is better than nothing, it still leaves the individuals behind the operation free to learn from their mistakes and mount another attack. While using cyber operations against known threats in conjunction with indictments that name and shame perpetrators — along with specific details on how they carried out their alleged crimes — would certainly make it harder for individuals to reuse the same infrastructure for a future attack, regeneration is always possible, especially with state support.

A chart showing the number of world IP addresses by country.

Perhaps the main challenge to U.S. engagement in tit-for-tat cyberattacks is that the United States is by far the biggest target for such attacks. The number of IPv4 addresses — the standard for identifying unique devices connected to the internet — shows that the United States accounts for over one-third of all the world's connected devices. China, the runner-up, has just one-quarter of the unique IP addresses that the United States has, while Russia, Iran and North Korea are tiny by comparison.

The U.S. reliance on and integration with cyberspace simply makes the United States a bigger, and potentially more vulnerable, target.

bigdog

  • Power User
  • ***
  • Posts: 2321
    • View Profile

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Stratfor: Russia plants its flag in the digital realm
« Reply #508 on: March 20, 2019, 07:14:24 AM »
Some deep implications here methinks.  Why wouldn't this logic be applied to pesky Russki interference in US elections for example?

============================================


Highlights

    As Russia continues to develop and foster what it terms "internet sovereignty," it could eventually adopt similar infrastructure and integrate with the networks of other like-minded countries, such as China.
    While the development of sovereign internet structures would restructure the global internet to some degree, it would not necessarily affect its functionality at the core level.
    However, the additional independence and protection that accompany sovereign internet structures could ignite more state competition in the digital world, hampering global efforts to establish global norms on cyberspace.

 

Since its inception, the free-for-all nature of the global internet has defied the most robust forms of state control, but perhaps not for much longer. By April 1, the Russian government is expected to conduct a countrywide test of its ability to disconnect its internet infrastructure from the rest of the world's, following the Duma's passage of a draft law last month mandating changes to the country's internet infrastructure, Runet. While a test that actually disconnects the Russian web from the rest of the global internet may or may not eventually take place, one thing is certain: Russia is making significant changes to create infrastructure and a legal framework for what it terms a "sovereign internet." In essence, Russia hopes to develop a domestic intranet that can operate independently from the rest of the world, thereby giving it the opportunity to both protect online traffic — and go on the offensive against foreign internet traffic, if necessary.

The Big Picture

The divisions between Russia and the West have become more pronounced in recent years in a variety of fields, including, now, the cyber domain. Much as in the physical world, where Moscow has been developing a military deterrence and pursuing economic independence from the West to withstand threats and sanctions, Russia is shaping its internet infrastructure so that it can deal more effectively with internal challenges to its centralized rule, as well as external threats in the form of interstate competition.

The Quest for an Independent Internet

The idea for a sovereign internet emerged in China, but Russia has now taken the lead in developing the actual infrastructure needed to realize such plans. A sovereign internet differs slightly from existing control systems, such as North Korea's countrywide network, which is entirely disconnected from the global internet. And while sovereign internet systems bear some semblance to the "Great Firewall of China," or the control mechanisms that Iran has implemented — particularly in terms of the control of data flows in and out of the country — their aim is not simply to grant authorities control over internet access in a particular geographic area. Instead, the real target is to provide the state with the means to exercise the same level of sovereignty in the digital realm as it does in the physical world. In such a situation, the state assumes direct control over the internet infrastructure on its soil, allowing it to defend its systems from external attacks — much like states aim to guarantee their territorial integrity in the physical domain.

Sovereign internet infrastructure, moreover, allows states to reduce their dependence on foreign organizations that have assumed responsibility for its functions. Currently, the U.S.-based nongovernmental association ICANN manages the infrastructure that underpins the global internet. For Russia and China, this situation presents a liability since the organization — independent though it may be of the U.S. government — could become vulnerable to Washington's interference. Ultimately, the concept of a sovereign internet rests heavily on the idea that there should be equality among states in providing foundations for the internet's core functions through direct control over Domain Name System (DNS) servers, which essentially direct all traffic online.

For Russia, of course, this is not simply a principled quest for equality in internet infrastructure. Moscow has very real and practical goals in mind as it considers changes in the operation of Runet. Given the growing rifts between Moscow and the West — and particularly amid the increasing focus on the cyber domain — Russia is concerned about the vulnerability of its domestic infrastructure to large foreign cyberattacks. In the end, a more independent infrastructure, as well as the ability to maintain some level of functionality domestically when severing connections with the outside world, provides a blunt, yet effective, defense against such threats.

At the same time, information security is central to Moscow's efforts regarding Runet. Due to the inherent nature of the internet, online correspondence between Russian citizens and entities often leaves Russia's domestic infrastructure, raising the risk — as far as Moscow is concerned — that foreign powers could snoop on or disrupt such exchanges. Thus, as it redesigns its internet infrastructure to address such threats, Moscow is also seeking to ensure that digital communications or data transfers between Russians do not leave the country's domestic infrastructure.

This schematic diagram shows the rough workings of the future Russian internet

Naturally, controlling the flow of data in and out of Russia also assists the government on another major concern: countering domestic political opposition. In the past, Russia has attempted to block the use of messaging services like Telegram, which anti-government activists have used to evade state surveillance, on the grounds that it facilitated terrorism, but these interdictions have been crude, resulting in major disruptions to other services. Accordingly, the reconfiguration of the Russian internet could make Moscow's task of denying them access to foreign-hosted services much easier.

Russia's quest for a sovereign internet is part and parcel of its efforts to insulate itself economically in response to the Russia-West standoff that began in 2014. On an even more global level, Russia's actions also exemplify a broader effort by states to regulate the internet and establish common norms on behavior in cyberspace; the European Union, for one, has attempted to move forward on this front by enacting regulations on the General Data Protection Regulation to protect privacy. The establishment of a Russian sovereign internet ultimately touches upon a much broader dynamic — sovereignty over cyberspace, which raises the question of what rights countries have in the digital realm.

The concept of a sovereign internet rests heavily on the idea that there should be equality between states in providing foundations for the web's core functions.

The Nuts and Bolts of an Independent Internet

One of the core elements of Russia's push to develop an independent internet infrastructure revolves around the functioning of the DNS servers that are a key component of the global internet infrastructure. These servers function as centralized directories that connect internet users with their intended destination. When someone attempts to visit a website or connect to an online service, DNS servers function as a high-level phonebook for internet domains. This means that when trying to connect to a service on the Russian .ru domain, the DNS servers will provide information on the location of the more detailed .ru registries to foster a connection.

While hundreds of DNS servers and mirrors (which reflect the former's datasets, thus improving capacity) are located in Russia and around the world, ICANN has centralized the management of this directory. Updated directories are distributed from one root server to the others before proceeding to a multitude of mirrors. But Russia is concerned that if the United States, for example, sought to remove the .ru domain from these directories, Moscow would have no direct control over the constellation of DNS servers to prevent it. In the past, Russia and China have tried to bring the management of the DNS system under the auspices of the United Nations, where they wield greater influence, but ICANN's assumption of responsibility for these monitoring tasks — instead of the U.S. government's — has precluded that effort. Whatever the case, the prospect of the .ru domain's erasure is remote, as the organizations sustaining the global internet infrastructure would be unlikely to tolerate any politicization of the domain directory.

Ultimately, Russia feels as if it must develop its own DNS infrastructure that it controls directly, both because it would be unable to rely on the global DNS infrastructure if it willingly disconnected from the global internet and because it wishes to prevent the unlikely event of anyone tampering with DNS functionality through the current structure to its detriment. In such a scenario, Russia's own independent DNS servers would continue to operate as intended and facilitate internet functionality within Runet alone, even if the .ru domain lost connection with the rest of the world.

Many, however, fear that such moves could balkanize the internet, replacing the current centralized and homogenous DNS infrastructure with separate groups of competing DNS networks. While this could occur if the trend of implementing sovereign internet infrastructure spreads to different countries, it would be unlikely to impede the functionality of the internet as a whole. After all, the very goal of creating independent DNS infrastructure is to impose sovereignty on domestic network infrastructure, all while maintaining compatibility with the rest of the worldwide internet.

What Happens in Russia Stays in Russia

Russia, meanwhile, has also enacted some legislation (and is proposing more) to force large service providers like Google, Facebook, Twitter and others to physically locate their servers or data centers within Russia. This effort is central to Russia's attempts to keep Russian internet traffic within the country, while also subjecting these operations to national legislation.

Internet service providers operating within Russia, for example, are required by law to provide a surveillance suite that allows Russian authorities to intercept online communications. By keeping all internet traffic among Russian entities contained in the country, the government will guarantee its ability to intercept all communications, reinforcing its internal security capabilities. In response to the rise of satellite-provided internet that threatens this capability, Moscow enacted a law that obligates all providers of such services in the country to establish Russian-based ground stations that would relay all traffic. Accordingly, even internet over the airwaves would fall under the purview of the system of surveillance that the Russian state has developed.

Such measures, however, are also designed to allow Runet, as much as possible, to operate independently. This means that while Russia hones its ability to conduct surveillance over Russian internet traffic, it also reduces the chances for others to do so. Furthermore, in the extreme event that Runet lost its connection with the rest of the world, it would still retain a large degree of functionality to continue operating in isolation in Russia. Without question, however, such an event would still be highly disruptive to Russia itself, as internet usage drawing on services located outside the country would no longer be able to function. In such a situation, the economic consequences could be vast.

Escalation in the Cyber Domain

Russia's exertions to create a sovereign internet, meanwhile, could also increase the feasibility of large-scale cyber offensives. Russia's very ability to disconnect itself from the rest of the world is not only a defensive measure shielding the country from the rest of the world, but also something that could allow Moscow to theoretically disrupt the global internet infrastructure to a significant degree while insulating itself from the aftereffects. In reality, however, such an act would be tantamount to economic suicide, meaning it would likely only occur in prelude to a war or as an act of desperation. As long as Runet is intertwined with the global internet infrastructure, an attack of that magnitude would damage Russia as much as it does others.

But it's not just a Russian disconnect and an attack against global internet infrastructure that could result in an escalation between Moscow and the rest of the world. The very structure of Runet might already facilitate Russian cyberwarfare activities and afford Moscow more room to invoke plausible deniability. Shielding all Russian internet activity on Russian-controlled DNS servers would significantly impede the investigation of malicious cyberactivity when attacks do occur. International investigators might still be able to point the finger at Russia following such attacks, but the isolation of Runet would complicate their efforts to assign responsibility to specific entities inside the country. Equally, forces outside Russian infrastructure would find it much more difficult to directly target separate Russian entities online.

Beyond the potential for an escalation in cyberactivity this added degree of protection provides, this infrastructure also gives Moscow a greater opportunity to repress internet activity within Russia. Moscow has been conducting a constant battle to block certain internet services, such as Telegram, that it has dubbed a threat to stability. As countries attempt to block such services, however, creative minds invariably find ways around the barriers. Developing the ability to sever Runet from the global internet infrastructure, accordingly, provides the ultimate response. While a scorched earth operation — internet style — would also disrupt a significant share of non-hostile foreign internet usage, it could provide Russia with a last-ditch defense in the event of an uprising against the government. In the end, a sovereign internet offers Russia a route to greater political stability — particularly as it would grant it greater control over the heretofore unruly web — and more resilience in the face of outside pressure. Given that, it's a prospect that Moscow is unlikely to pass up.
« Last Edit: March 20, 2019, 07:18:06 AM by Crafty_Dog »

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Tablet: China's plan for global supremacy
« Reply #509 on: March 24, 2019, 09:27:01 AM »
I posted the other day about how China is bypassing our various Maginot lines.  Here is one example I mentioned, in greater detail from a lefty Jewish publication.

https://www.tabletmag.com/jewish-arts-and-culture/281731/chinas-plan-for-global-supremacy

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
GPF: Huawei
« Reply #510 on: March 29, 2019, 08:45:10 AM »


Huawei still under pressure, still churning out profits. The U.K.’s National Cyber Security Center released on Thursday a report criticizing the telecom giant for failing to patch security vulnerabilities in its equipment first identified in 2012. This comes as the U.S. continues to warn friends and allies that doing business with Huawei might force Washington to curtail intelligence-sharing and military cooperation. The company has good reason to be concerned about the campaign led by the “Five Eyes” countries (Australia, Canada, New Zealand, the U.K. and the U.S.) to freeze out the firm. On Wednesday, rival firm ZTE posted $1.03 billion in losses in 2018, with sales dropping 21 percent in part because of a brief U.S. ban on selling critical components like semiconductors to the company. Nonetheless, for the most part, Huawei is still riding high. Most European countries have thus far shrugged off the U.S. pressure and declined to freeze out the firm. And this morning, Huawei announced that its net profits soared more than 25 percent last year, with sales revenue topping $100 billion for the first time.


Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Re: Cyberwar, Cyber Crime, and American Freedom
« Reply #513 on: April 17, 2019, 01:23:20 PM »
I'm new to Defense One as a source-- it seems to cover serious issues, but it often seems to be of seriously Democrat wooliness.

G M

  • Power User
  • ***
  • Posts: 17009
    • View Profile
Re: Cyberwar, Cyber Crime, and American Freedom
« Reply #514 on: April 17, 2019, 01:28:09 PM »
I'm new to Defense One as a source-- it seems to cover serious issues, but it often seems to be of seriously Democrat wooliness.

Yes. To both points.

DougMacG

  • Power User
  • ***
  • Posts: 11447
    • View Profile
Re: Defense One: Handling China's 5G Risk (Huawei)
« Reply #515 on: April 17, 2019, 03:07:23 PM »
"5G is a serious threat to privacy. 5G from Huawei? If you want Beijing's surveillance state to extend globally, far beyond what it does now."

It's a good article, asks the right questions but I don't think is finding the right answers.

"don’t let Huawei near their sensitive intelligence facilities"
"allow Huawei to play in the portion of the Radio Access Network where individual users connect to cell towers but not in what’s called the core network, where those towers connect and communicate to one another via a shared central node."

-------------------------------

What?  'Don't let them near'?  But let them be connected?  The time it takes a connected signal or collected data to travel from USA to Beijing is .03 seconds by my calculation.  How far are you going to keep them away, the most distant star?

 “The more we connect things, the greater insecurity,” he says. That trend of connecting things shows no signs of stopping.

Sounds like a failed security model.

Installing Chinese 5G Gear is Dangerous — and Probably Inevitable: NATO
https://www.defenseone.com/technology/2019/04/installing-chinese-5g-gear-dangerous-and-probably-inevitable-nato-report/156007/

The settlement between Apple and Qualcomm is an indication that US based Qualcomm will make the 5G modem chips - and Intel dropped out.  But who else besides Huawei makes the core network, Nokia?

https://www.lightreading.com/artificial-intelligence-machine-learning/huawei-dwarfs-ericsson-nokia-on-randd-spend-in-2017/d/d-id/741944

I don't want my "things" connected and 4G is great speed for most applications.


Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Stratfor: QCOM, 5G
« Reply #516 on: April 17, 2019, 09:49:37 PM »




Apr 17, 2019 | 22:59 GMT
Qualcomm Ends Its Fight With Apple, but an Antitrust Threat Still Looms
Qualcomm and Apple recently announced a worldwide legal settlement -- effectively ending the various royalty and patent disputes between the two U.S. tech giants.

Highlights

    Apple and Qualcomm have resolved their litany of global legal disputes, which will likely allow Apple to introduce a 5G iPhone by 2020 and without having to partner with a rival to do so.
    But other legal challenges to Qualcomm's business model and preeminence in telecommunications remain, including a pending antitrust lawsuit from the U.S. Federal Trade Commission (FTC).
    Behind Qualcomm, China's Huawei and South Korea's Samsung are the next most influential leaders in the telecommunications space.
    Should the FTC ruling result in the breakup of Qualcomm's monopoly, it risks damaging the United States' dominance of the tech sector by opening the door for China to set standards for the future development of telecommunications technologies.

After years of litigation involving a number of countries and myriad disputes, Qualcomm and Apple agreed to put aside their differences and settle. As part of their accord, the two U.S. tech giants have also agreed to a new six-year supply agreement for Apple to buy Qualcomm chips, including its 5G modems. However, while the agreement may have freed Apple to develop 5G-capable iPhones using Qualcomm's chips, Qualcomm is still fending off other legal challenges from global regulators that could place the United States' current tech dominance in peril.

The Big Picture

The United States' long-held place at the forefront of developing emerging technologies is largely owed to the influence that U.S. companies, such as Apple and Qualcomm, wield in global markets. However, sweeping court decisions and anti-trust lawsuits now risk breaking up some of these large tech companies, and by proxy, their power. As a result, the United States may find that amid its ongoing tech war with China, the biggest risk to maintaining its dominance may come not from Beijing, but rather Washington.

The Lesser of Three Evils

To keep pace with the high-stakes, highly competitive 5G race in the smartphone sector, Apple had little choice but to make amends with Qualcomm. Qualcomm is one of only four companies in the world that currently have the capacity to develop 5G modems for high-end smartphones, along with China's Huawei, South Korea's Samsung and the United States' Intel.

In 2016, Apple had stopped purchasing Qualcomm's modems for its smartphones because of the alleged overcharging of excessive royalties for use of chip patents. In doing so, Apple had counted on Intel developing a 5G modem in time for the 2020 iPhone model. But engineering challenges have bogged down Intel's 5G development since then, fueling concern that the company wouldn't be able to release a commercial modem until 2021 — two full years after Apple's biggest global rivals, Samsung and Huawei, were slated to release their line of 5G smartphones.

Such a delay was surely unacceptable for Apple, but so was the idea of having to partner with its two biggest global rivals, Samsung or Huawei, for a 5G modem. Huawei was reportedly open to working with Apple, but doing so would be a political impossibility thanks to the United States' increasingly heated campaign against the Chinese tech giant. Thus, in order to keep on schedule with its release of a 5G iPhone by 2020, the only feasible option Apple was left with was to resolve its disputes with Qualcomm.

Qualcomm's Legal Woes Are Far From Over

But while the agreement may have settled its legal disputes with Apple, Qualcomm is still facing other significant legal challenges from global regulators over its business model, which could place the United States' tech dominance in peril. This is especially apparent when considering an antitrust lawsuit levied by the U.S. Federal Trade Commission (FTC). The FTC has accused Qualcomm of leveraging its monopoly over patents for certain designs (such as modems for smartphones) to force its customers into unfair licensing agreements. The trial wrapped up earlier this year, and is currently awaiting a decision from a federal district court judge in California. However, should a court decision result in an FTC victory, it could force Qualcomm to break up its monopoly and thus, its influence in the market — opening the door for Chinese Huawei to swoop in and take its spot.

Becoming a leader in chip manufacturing is an expensive and difficult process, which is why the sector is dominated by so few companies. Qualcomm has earned its current place at the top by investing across a wide spectrum of technologies — arming it with the kind of comprehensive end-to-end capabilities that allow Qualcomm to have such a key role in the global standardization, interoperability and development of telecommunications networks. While other large U.S. tech companies (such as Apple and Intel) share some narrow overlap with Qualcomm's business capabilities, their scope is nowhere near what's needed to lead the global debate on setting standards anytime soon. Shortly following Apple and Qualcomm's statement, Intel also announced that it was stopping its development of 5G modems for smartphones altogether.

A legally mandated breakup of Qualcomm could inadvertently pave the way to Chinese dominance in the tech sector, despite the United States' best efforts to maintain an edge.

The only other companies with the capabilities and influence to quickly replace Qualcomm are Samsung and Huawei — neither of which face realistic antitrust threats. In its effort to become a more significant player in global regulations on communications technology, China-based Huawei has been focusing on developing end-to-end expertise that goes beyond even Qualcomm's capabilities.

Without a viable U.S. alternative to take Qualcomm's place, the United States risks losing its place at the negotiating table, and its ability to set global standards for the tech sector — particularly, on key decisions on telecommunications and interoperability of systems. Without Qualcomm, U.S. leadership when it comes to 5G developments — and future generations, including 6G technology — will erode more quickly. A legally mandated breakup of Qualcomm may, therefore, inadvertently give way to China's rise in the tech sector, despite the United States' best efforts to maintain its edge over its chief Eastern rival.
« Last Edit: April 17, 2019, 09:51:17 PM by Crafty_Dog »

DougMacG

  • Power User
  • ***
  • Posts: 11447
    • View Profile
Re: Stratfor: QCOM, 5G
« Reply #517 on: April 18, 2019, 07:50:09 AM »
"A legally mandated breakup of Qualcomm could inadvertently pave the way to Chinese dominance"

Right.  The FTC should drop this now that Apple settled and Intel dropped out, except to enforce laws and punish any specific antitrust violations they have found.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
Stratfor: The Splinternet
« Reply #518 on: April 25, 2019, 03:59:17 AM »
The Age of Splinternet: The Inevitable Fracturing of the Internet
By Matthew Bey
Senior Global Analyst, Stratfor

Highlights

    The days of a global internet with relative openness are over as regulation and digital borders rapidly increase in the coming years.
    Nationalism and concerns about digital colonization and privacy are driving the "splinternet." Those forces will not reverse, but only accelerate.
    The United States will still back a relatively open internet model, but it has clearly assessed that a global pact to govern cyberspace would tie its own hands in the competition with China.
    A complex labyrinth of different regulations, rules and cybersecurity challenges will rule the internet of tomorrow, which will become increasingly difficult for corporations to navigate.

In 2001, Amazon founder Jeff Bezos — whose company had yet to turn a quarterly profit — said in an interview, "I very much believe the internet is indeed all it is cracked up to be." Now, 18 years later, the emphasis should be placed on how "cracked up" the internet could become. The concept of a "splinternet" or the "balkanization of the internet" — in which the global digital information network would be sectioned off into smaller internets by a growing series of rules and regulations — has existed for years. But we're now barreling toward a point where concept will become reality.

The Big Picture

The first three decades of the internet's development will be remembered as the period of a largely open internet, with few regulations beyond unique cases like China. But that narrative is ending. Countries and companies are erecting new digital walls on the internet every day. That concept has been given many names — splinternet, the balkanization of the internet and the fragmentation of the internet — but regardless of the nomenclature, the concept is here to stay. And accelerate.


The Wild West days of an open internet are gone for good, and the implications of an increasingly fragmented internet will be profound. It will result in a regulatory minefield that will present new challenges to the current dominance of large U.S. multinational internet companies, like Amazon, and consequently has the potential to leave the United States with less ability to exert "soft power" through its corporate giants.

The Open Internet Rests in Peace

The internet developed in tandem with the United States' rise as the world's sole superpower; once the Cold War ended, it became a key hallmark of U.S. dominance. The internet began as something called ARPANET, a creation of the U.S. Defense Department, before going public in the 1990s. But although the internet became global, the United States still maintained its role as its primary manager through the Internet Corporation for Assigned Names and Numbers' (ICANN) contract with the U.S. government. ICANN plays a key role in managing the domain name system (DNS), a set of databases in root servers that make the internet functional.

The U.S. policy that information and data are human rights that should flow freely among countries, companies and individuals, combined with the country's internet managerial role, has helped facilitate the current U.S. dominance in the global internet sector. The largest U.S. internet companies — Amazon, Google, Facebook, Netflix and others — have been able to extend their dominance over most of the world relatively unencumbered by drastically different regulations or viable local competitors. The dominance of U.S. corporations has meant that U.S. companies also primarily control the 21st century's equivalent of oil (aka the most prized resource of the time): data. And they can spin it to their advantage. The omnipresence of U.S. companies in some countries has become akin to digital colonialism, exemplified by Facebook's control over mobile experiences in dozens of countries through its Free Basics program and Google's control over advertising. Moreover, as the Edward Snowden revelations in 2013 showed, U.S. intelligence services and law enforcement branches have more freedom than other countries to access data — legally or illegally — since it lives on U.S.-based servers.

Those dual realities — U.S. corporate dominance of the internet and its incomparable access to data — have fueled a backlash against the open internet model. At the same time, companies and countries have developed new tools that make it less expensive for authoritarian states to limit and stifle the free movement of information internally, as well as more easily use bots on social media to try to spin a narrative in their favor. Backlash against the open internet comes from multiple directions, and it's not going away.

A Divided Internet as an Authoritarian Tool

U.S. rivals are increasingly taking steps to compartmentalize the internet, creating global and domestic spheres. Most well-known is China, which for years has controlled the movement of information between global cyberspace and domestic cyberspace through its Great Firewall, which controls domestic access to the web, for instance restricting access to specific foreign sites. But Russia and Iran are taking notes from China and going one step further: creating domestic internets that can be cut off from the global internet if necessary while remaining internally intact and functional. Iran's National Information Network is now fully operational, and the country has been trying to force its netizens to set up websites and Iranian-made competitors to Western apps on Iran's domestic internet rather than the World Wide Web. Russia has done the same, although it's unclear whether a purported test to cut off all access to the global internet it had planned to carry out at some point before April 1 was actually conducted.

The U.S. corporate dominance of the internet and its incomparable access to data have fueled a backlash against the open internet model.

Russia, Iran and China setting up their own networks out of concern over meddling from Western countries may only be the tip of the iceberg of authoritarian governments developing robust internal networks to control information. As the price of internet control tools declines, they will be increasingly accessible to smaller and less developed countries. Obvious candidates for setting up domestic internets or employing robust internet filtering systems include Egypt, Saudi Arabia, Turkey and Brazil. (The latter has floated the possibility of increasing internet regulations in the past.) Russia has even proposed a smaller internet exclusive to BRICS countries (Brazil, Russia, India, China and South Africa) as a means of breaking free from U.S. digital hegemony.

Nationalism and the Push for More Data Privacy

It's not just authoritarian countries that are taking notice of U.S. internet hegemony. At the opposite end of the spectrum, data privacy, data nationalism and economic nationalism are driving internet regulations and controls. This is perhaps most true in Europe. Despite being as wealthy as the United States, Europe has struggled to create internet companies that can compete with U.S. counterparts. There is no European equivalent to Facebook, Google or Amazon. And individual European nations are too small for country-focused companies to compete with the financial firepower that U.S. competitors can wield in investments. Perhaps unsurprisingly, as nationalism has increased across Europe, so has a desire to lessen the United States' internet dominance. Examples so far include antitrust and monopoly investigations against Google, as well as increased regulations requiring data localization and calls for higher taxes.

Data privacy has been a crucial component of European reactions to U.S. internet control, particularly the European Union's deeply impactful May 2018 introduction of General Data Protection Regulation (GDPR). The regulatory scheme forced new compliance rules on data privacy, including how data can be used, where it is stored and how people can give consent on data issues. GDPR was driven in part by Snowden's revelations that the National Security Agency and the so-called "Five Eyes" intelligence-sharing alliance were accessing data globally. It introduced an enormous set of regulations, which require companies to uniquely navigate each European country's jurisdiction. And while this does not exactly equate to a wholly separate, physically divided internet like the Russian and Iranian proposals, it has a similar effect of increasing regulations and decreasing the global all-access quality of the internet.

Even in the United States, movements to increase internet fragmentation are emerging. Proponents aim to reduce the hegemony of large companies and their unparalleled control of data, and they also want to increase personal data protections, perhaps by introducing GDPR-like mechanisms in certain states.

And companies are also increasingly interested in slicing up the internet in different ways, as ecosystems start to emerge around certain platforms. Apple's business model has drawn in and locked down users to the Apple and iOS ecosystem. Amazon and Google have done the same with their offerings, as have China's Alibaba and Tencent, increasingly. As concrete, country-led internet fragmentation occurs, these company-specific ecosystem approaches could come to dominate certain sets of affiliated countries or regions, further fomenting new digital boundaries.

Divided Opinions About Dividing the Internet

The last two years have highlighted the extremely divided international viewpoints about how the internet should be governed. On five different occasions, the United Nations has tasked a group of government experts with establishing rules and norms for global digital governance. After the fifth group failed to do so in July 2017, no sixth group has been created. In November 2018, French President Emmanuel Macron announced the Paris Call for Trust and Security in Cyberspace, a new initiative to establish international norms that was signed by more than 50 nations, 90 nonprofit groups and universities and 130 private corporations including Facebook and Google.

But the United States, China and Russia did not sign the Paris Call initiative, and those three countries also blocked each of the U.N. efforts. After all, the great power competition heating up among the United States, China and Russia extends to cyberspace. The United States has been able to exert enormous amounts of soft power through the internet, and China's rise is now becoming a more important geopolitical threat to the United States in all ways, including digitally. Washington has recently focused heavily on ensuring that international agreements about cyberspace do not introduce the added challenge of making it harder for the United States to compete with its Chinese adversary.

 

Countries' domestic laws and national regulations reign supreme due to the physical requirements of the current internet, so the United States, China, Russia and others truly can go their own way in cyberspace. That means that global internet governance issues are likely to remain stalled while regional or affinity groups, or extremely nationalistic countries, introduce their own localized regulations, firewalls and, in some cases, domestic internets with a limited connection to the outside world.

A Complex Future Is Already Here

China provides a good case study of how this domestic internet control can affect the dominance of U.S. companies when taken to the extreme. China's Great Firewall and extremely tech-nationalist rules have essentially made it impossible for U.S. companies to operate in the country. The government explicitly bans some companies, while others are subject to so much censorship and surveillance that they simply choose not to pursue the Chinese market. This situation has allowed Chinese companies to dominate inside China, evolving and catering to the domestic market. Even when U.S. companies have tried to compete, they've failed. In the future, this type of domestic dominance may likely emerge in other countries with extreme nationalist internet policies, such as Iran.

Globally this means that businesses — purely internet-based and otherwise — should be prepared to navigate an increasingly complicated minefield of different internet regulations. In the 21st century, almost every sector of the world economy is deeply dependent on quick, seamless connectivity to the internet and data flow, and increasing regulations will slow and disrupt operations in many ways, no matter how large or small a business may be. Indeed, in many niches of the tech sphere, national competitors to formerly dominant international behemoths will emerge. But small companies will also be put at a large disadvantage when trying to expand beyond one or two countries because of the overhead costs of having to comply with different rules and regulations that can vary vastly.

Ironically, the major U.S. and Chinese companies can most easily afford to comply if they choose to. Yet, this will only reinforce concerns of digital colonialism and privacy — eventually likely provoking an even stronger backlash against large U.S. companies. In the West, this opposition will focus on data privacy and how to treat data, particularly as artificial intelligence and the Internet of Things create even more personal data from our lives.

Looking Forward

U.S. tech companies will struggle to maintain their global influence in a world of internet fragmentation where national sovereignty reigns supreme. For China, on the other hand, that scenario is preferable. Its nurtured giants Tencent and Alibaba, for example, are beginning to export the ecosystems that they've built in China to some of China's neighbors, eating into markets that have traditionally been dominated by U.S. companies. This may drive some backlash against Chinese digital colonization, but since China is new to that particular game, it will still be making progress in its power competition with the United States even if it faces limits and opposition.

The end result is that the next 25 years of internet regulation and changing guidelines about how information flows across boundaries will be far more complicated than the previous 25. The extreme version of the splinternet, in which every country creates its own internet with limited connections to the global internet, is unlikely to come to pass. The requirements of a modern economy simply won't allow that eventuality. Instead, companies will be required to jump through increasingly more hoops, and domestic demands for local ownership or data regulation will grow steadily. Corporate America will still demand an open internet for all — even making massive investments in satellite technology to try to do so — but it will not be able to prevent the inevitable.

The age of the splinternet is at hand.

Matthew Bey is an energy and technology analyst for Stratfor, where he monitors a variety of global issues and trends. In particular, he focuses on energy and political developments in OPEC member states and the consequences of such developments on oil producers and the international oil market. Mr. Bey's work includes studies on the global impact of rising U.S. energy production, the recent fall in oil prices, Russia's political influence on Europe through energy, and long-term trends in energy and manufacturing.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
GF: Russia regulates the web
« Reply #522 on: May 02, 2019, 09:06:46 AM »
Russia regulates the web. Russian President Vladimir Putin signed into law an internet regulation bill that the Kremlin says will help protect the country from cyber attacks. Under the new law, Russian authorities will have the ability to switch off certain servers and regulate certain types of traffic. Though the law will take effect in November, its more complex components like cryptographic protection and a national domain name system will not be implemented until January 2021. Russia still needs to build out its tech infrastructure if it wants to establish its own internet system, but it seems the Russian public is somewhat hesitant about the new measures. A recent survey conducted by the state-funded Russian Public Opinion Research Center revealed 52 percent of Russians oppose the law and only 23 percent support it. Only about two-thirds of Russians use the internet on a daily basis, while 18 percent do not use the internet at all.

DougMacG

  • Power User
  • ***
  • Posts: 11447
    • View Profile
Re: GF: Russia regulates the web
« Reply #523 on: May 02, 2019, 09:24:42 AM »
Russia regulates the web. Russian President Vladimir Putin signed into law an internet regulation bill that the Kremlin says will help protect the country from cyber attacks. Under the new law, Russian authorities will have the ability to switch off certain servers and regulate certain types of traffic. Though the law will take effect in November, its more complex components like cryptographic protection and a national domain name system will not be implemented until January 2021. Russia still needs to build out its tech infrastructure if it wants to establish its own internet system, but it seems the Russian public is somewhat hesitant about the new measures. A recent survey conducted by the state-funded Russian Public Opinion Research Center revealed 52 percent of Russians oppose the law and only 23 percent support it. Only about two-thirds of Russians use the internet on a daily basis, while 18 percent do not use the internet at all.

Sounds like a third world country to me.  Also it is a lot like regulation the Left has in mind for us.



ccp

Re: Cyberwar, Cyber Crime, and American Freedom
« Reply #527 on: May 06, 2019, 04:19:10 PM »
I agree

I don't want everything I do on some sort of network

the fuckers at wall street will be shoving this shit down our throats

eventually they will force us into it whether we like it or not by phasing everything else out.

It's obvious from the ads I see on cable emails phone google searches I am being watched at everything I do.


G M

Re: Cyberwar, Cyber Crime, and American Freedom
« Reply #528 on: May 06, 2019, 04:25:06 PM »
There are things you can do to mitigate and/or eliminate that.


I agree

I don't want everything I do on some sort of network

the fuckers at wall street will be shoving this shit down our throats

eventually they will force us into it whether we like it or not by phasing everything else out.

It's obvious from the ads I see on cable emails phone google searches I am being watched at everything I do.

Crafty_Dog

WSJ: The Yeoman work behind 5G
« Reply #529 on: May 12, 2019, 03:01:43 PM »
This seems to be very well informed, but what I get out of this is that the Chinese problem will not be solved by this guy's thinking.
=============================

The Yeoman Work Behind 5G Wizardry
Tomorrow’s wireless world may be a revolution as promised. But Qualcomm’s Dino Flore tells how the tech is forged slowly in a world-wide effort.
By Mene Ukueberuwa
May 10, 2019 7:04 p.m. ET

San Diego

It took President Trump more than a year to renounce the idea of nationalizing America’s next-generation wireless network after his administration floated it early in 2018. His hesitation might have been inspired by the headlines. From technology blogs to national newspapers, countless articles frame U.S. progress on its fifth-generation, or 5G, network as a race for international superiority, with mortal stakes for national security. The new network depends in part on federal support, so it may not seem crazy to envision 5G as a modern-day Manhattan Project.

But a man with a much closer view describes the matter very differently. “You have to understand this is a huge human endeavor, and actually the nation is kind of marginal,” says Dino Flore, vice president of technology at Qualcomm, a leading maker of equipment that connects mobile devices to the cellular network. Rather than a coordinated public initiative, he says, the new systems for cellular communications arose from “years of big R&D, planning and design, then standardization”—all led by private developers like Qualcomm and the wireless carriers that operate the network.

True, the U.S. has reason to be careful about foreign participation in its domestic 5G rollout. But Mr. Flore stresses that commercial cooperation across borders is a key part of creating the technology. “There’s thousands of companies” setting common design standards in what he describes as “a truly global initiative.”

On a sunny San Diego afternoon, Qualcomm’s palm-tree-lined campus feels a world away from the political, policy and press buzz of the East Coast. Mr. Flore, 43, is even further removed. Based in Barcelona, where he oversees 5G products in Europe, the Middle East and Africa, he visits headquarters wearing a hooded sweatshirt and jeans. Yet neither he nor Qualcomm quite fits the personality of a Silicon Valley software firm. Instead of high-minded rhetoric about connecting the world, he offers straightforward descriptions of the hardware systems that actually do so. He’s worth listening to, having helped design that technology for nearly two decades.

Mr. Flore recalls that “the first formal act” in creating international 5G standards “was a workshop in September 2015, which I chaired.” “About every 10 years,” he explains, “there is a need for a new platform, which is much more powerful and flexible than the previous one.” Developers plan each generation of cellular technology on a prearranged timeline, and 5G will gradually replace the increasingly strained 4G architecture.

“Today we have about eight billion cellular connections” world-wide, Mr. Flore notes, “which is a scale unprecedented, actually, in human history.” But as more users come online in the developing world and wealthy nations adopt more connected products, “we are talking about expanding that to tens of billions. So the scale—it’s unimaginable.”

Now that 5G hardware is available, carriers are racing to create more coverage so they can entice consumers to upgrade their devices. Deployment of 5G in the U.S. began this year with trials in select cities, but America is lagging far behind China, where telecom firms Huawei and ZTE have built about 10 times as many new cell sites. This advantage in 5G activation could allow Chinese companies to gain an edge in designing the next generation of wireless devices.

Security is one main reason for the gap. The state-supported Chinese firms offer the best and cheapest core-network infrastructure, but have been suspected of using their systems to bug communications on Beijing’s behalf, as in Britain’s 2014 expulsion of Huawei from certain government offices. As a result, the four major U.S. carriers reached an informal agreement with the Federal Communications Commission to exclude Chinese hardware from their domestic 5G networks. With no American company building core cellular hardware, that leaves U.S. telecoms dependent on Europe’s Nokia and Ericsson, which some analysts suggest are about a year behind the Chinese in releasing high-quality 5G systems.

Each major component of 5G is meant to increase the strength of wireless signals, and the system’s capacity to broadcast simultaneous signals. Qualcomm and the carriers eagerly advertise the new network’s theoretical benefits for devices “beyond the smartphone,” as Mr. Flore puts it, including “the Internet of Things, connected cars, augmented reality and virtual reality.” One study—which Qualcomm commissioned—found that 5G will spur about $12 trillion of global economic output over 15 years.

But in the first two to three years of 5G rollout, users will see the simpler benefit of far better speed and reliability on 5G-enabled phones and computers. The first step toward these improvements, Mr. Flore says, was “working with mobile operators over the years to enhance network capacity by adding new spectrum.”

When you make a call or load a webpage, your phone emits a signal at a particular frequency to connect with your carrier’s nearest cell tower. “There has been an exponential growth of data consumption,” Mr. Flore says. That clogs the current frequency bands, causing failures and delays. So he and his fellow 5G developers focused on “unlocking a large amount of new spectrum in the high frequencies,” commonly called millimeter waves. The FCC is auctioning off this mostly unused spectrum for cellular use.

Millimeter waves can help only so much. Signals in those frequencies “don’t propagate from outdoor to indoor,” Mr. Flore explains, “so it doesn’t cross brick walls, or concrete walls.” Same for organic matter like foliage—or the human body: “Even the simple fact that you hold the phone with your hand creates some blockage.” That means carriers like Verizon, which originally teased a nationwide millimeter-wave network, now say they’ll deploy high frequencies mostly in dense urban environments. Mr. Flore says millimeter waves will also serve certain indoor uses through “the placement of small cells”: pillow-size transceivers that can be mounted on rooftops to send signals into high-usage buildings like factories and offices.

For the broader 5G network serving people on the go, better signal quality will come from an increase in sheer capacity. Think of the wireless spectrum as a highway: The easiest way to increase the speed of traffic is to raise the speed limit. “When we did LTE,” Mr. Flore says—referring to “Long Term Evolution,” the prevailing high-speed standard—“we kept evolving the data rate, because it’s easier.” But when the road has too many cars, the only way to prevent traffic jams—network congestion, in the telecom analogy—is to add more lanes. Today most cell towers have between three and 15 antennas. With 5G, “you will gain, easily, 10 times more capacity,” Mr. Flore says, as towers will have as many as 128 antennas. Open frequency lanes will let neighbors watch videos smoothly over the air.

Putting more antennas on a single tower is possible because of the last key capacity-boosting technology, beamforming. “It’s really the ability to create beams, which direct the energy toward specific users,” says Mr. Flore. Most current antennas broadcast over a wide field, with an angle of either 120 or 90 degrees. Certain 5G antennas will be able to “direct different beams to different users, without interference.” That will allow carriers to “reuse spectrum over and over again with multiple users at the same time.”

Mr. Flore began his career working on many of these technologies at a time when they seemed like far-fetched dreams. Raised in Ostuni, a town near the Adriatic coast on Italy’s heel, he came to the U.S. in 2000 to join a Bay Area startup, ArrayComm. It was the height of the dot-com bubble, but the firm harked back to Silicon Valley’s earlier era by focusing on hardware. With an eye on the maturing cellphone market, the company envisioned cellular systems Mr. Flore believes foreshadowed 5G: “many antennas, and beamforming.”

But ArrayComm and other telecom startups lacked the scale to turn their ideas into workable products. So after four years, Mr. Flore moved down the California coast to join his friend and countryman Lorenzo Casaccia at Qualcomm. “I said, ‘I’ll go for a startup and I’ll change the world,’ ” Mr. Flore recalls of his decision to join ArrayComm. “But the startup failed, and Lorenzo said, ‘OK, come. Enough playing with changing the world—come with me and change it for real.’ ” (Mr. Casaccia is still with Qualcomm, where he’s vice president of technical standards.)

Mr. Flore describes Qualcomm as “an R&D engine, fundamentally—as much as we are a maker of chips and so on.” Sales of that chip technology have caused controversy lately: The Federal Trade Commission is suing Qualcomm over its licensing methods, and last month the company settled a suit brought by Apple on the same issue. From Mr. Flore’s perspective, those licensing fees support “R&D in all of these vectors of innovation in big cellular systems.”

Even a research giant like Qualcomm can’t drive cellular technology on its own. To ensure that a given device can access the network anywhere in the world, every company in the business must accord with a set of shared technical specifications. To “keep things evolving, at the pace of every year or year and a half,” Mr. Flore says, Qualcomm and hundreds of other firms collaborate through the 3rd Generation Partnership Project. Founded in 1998, 3GPP is the organization that devises standards for cellular communications across the world’s major markets: North America, Europe and Asia.

“It’s kind of a huge human endeavor, with thousands of people involved,” Mr. Flore says. Eighteen working groups with hundreds of engineers meet about six times a year in cities around the world. “Usually not in tier-1 cities, as they are expensive,” Mr. Flore notes. “But that makes it fun. I have visited cities in the Midwest or in the middle of China I would have probably never seen otherwise.”

Inevitably 3GPP features frequent conflict. Engineers disagree about the best technical solutions, and firms jockey to give their own systems an advantage. In one recent dispute, Huawei and other Asian companies pushed a technique called polar coding, in which they have led development, while Qualcomm preferred low-density, parity-check coding, a method pioneered in North America and Europe. “Both LDPC and polar codes have been included in the standard,” says Mr. Flore, who wasn’t directly involved in the matter. Yet analysts describe the outcome as a win for Huawei, because polar codes have never filled such an important and lucrative role.

The structure of 3GPP allows cooperation to emerge among competitors. Chairmen are chosen by secret ballot “so that people elect someone they trust,” and “delegates do not always go with the company guidance for voting.” The influence of government is similarly limited. “Of course 3GPP has to comply with local regulations,” Mr. Flore says, and “some governments put their own security requirements.”

But he adds that market incentives go a long way toward ensuring secure designs. “It would be very, very tough if everybody made a huge investment, and then after three years somebody breaks the security of a 3GPP system.” Mr. Flore says security has “worked very well in the past, but we don’t take it for granted.” As “a massive amount of things are connected around us,” engineers have devoted increasing effort to “the security and integrity of the systems.”

Now in the hands of the carriers, 5G deployment will unfold at an uneven pace, and game-changing applications will come in bursts. Under his unzipped hoodie, Mr. Flore’s T-shirt announces: “5G is here.” But he’s the first to admit no one knows exactly what that will mean. “There’s lots of discussion,” he says, “about what’s going to be the ‘killer app.’ But I have a great track record, like everyone else in the industry, of being wrong 90% of the time.”

As a wireless developer, Mr. Flore sees his role as merely to make a “more powerful, flexible platform” for an endless range of product makers to build on. Instead of a great leap forward, expect 5G to provide incremental improvements, and remember that the wireless industry has always developed, as Mr. Flore says, “in such an unpredictable way.”

Mr. Ukueberuwa is an assistant editorial features editor at the Journal.

G M

Re: City of Baltimore
« Reply #531 on: May 23, 2019, 04:52:42 PM »


DougMacG

Re: China to drop Microsoft?
« Reply #533 on: May 31, 2019, 07:07:17 AM »
Does that mean they will stop pirating their software?

There were estimates some years ago that if China paid for all the software, music and movies they stole from the US there would be no trade deficit.
« Last Edit: May 31, 2019, 07:08:51 AM by DougMacG »

Crafty_Dog

Russian Trolls
« Reply #534 on: June 03, 2019, 05:10:58 PM »

Crafty_Dog

Stratfor: US Cyberweapons
« Reply #539 on: July 05, 2019, 05:48:23 PM »
The U.S. Unleashes Its Cyberweapons
An executive order by U.S. President Donald Trump has shifted the focus of the Pentagon's cyberwar doctrine from defense to offense.


    The United States has made a strategic shift toward a more aggressive stance of conducting offensive cyberattacks to achieve strategic and tactical objectives.
    The change has been years in the making, shaped by the unique architecture of cyberspace and on continued cyberattacks that have necessitated a shift in strategy by several Western powers toward incorporating offensive capabilities.
    With the United States increasingly viewing the world through the lens of competition with China and Russia, the shift in strategy to incorporate the increasing use of offensive cyberoperations is likely to be permanent.

In late June, an Iranian missile knocked a U.S. unmanned aerial vehicle (UAV) on a reconnaissance mission out of the sky and into the Gulf of Oman. The shootdown sent ripples of concern throughout the Persian Gulf that the incident could lead both countries down a path to greater conflict. But the U.S. military response barely made a splash. That's because instead of a conventional airstrike against Iranian forces, the U.S. response came in the form of a cyberattack targeting missile command and control systems of the Islamic Revolutionary Guard Corps.

That response heralded a fundamental shift in the U.S. approach to cyberwarfare. The likely tactical objective of the retaliation was to degrade Iran's ability to carry out similar attacks. It also had a strategic component — deterring it from similar actions. Significantly, the response appeared to mark a first for the United States under new rules meant to streamline the approval process for cyberattacks.

The Big Picture

Over the past three years, the United States has substantially refocused its defense posture to deal with emerging threats from what the White House calls "revisionist" powers Russia and China. One critical piece of the puzzle has been a shift in U.S. cybersecurity strategy to prioritize the response to threats from its near-peers and other state actors.

Whether the response achieved U.S. tactical objectives isn't clear; future Iranian actions will provide a measure of the success of its strategic goals. Whatever the outcome, the U.S. response itself marks a shift in the country's cyberwar strategy. The White House has not been shy about expanding the U.S. cyberwar capabilities, nor has it shied from the idea of taking the offensive in cyberspace. This was, after all, a central part of the 2018 National Cyber Strategy; such considerations will outlive the administration of U.S. President Donald Trump.

A Shift Years in the Making

Over the past two decades, the U.S. approach to cyberspace has evolved in parallel with the emergence of the technology as a key defense and commerce platform for state and nonstate actors alike. The rising stature of the U.S. Cyber Command tracks with the increasing focus on cyberspace at the Pentagon. The organization, which originated as a joint task force, became a subunified command under U.S. Strategic Command in 2009. In May 2018, U.S. Cyber Command was split off into its own separate unit. That was, in part, a culmination of U.S. thinking about exactly how cyberspace fit into its overall defense strategy. Historically, the primary U.S. concern centered on protecting the country's critical infrastructure – both civilian and military — an understandable objective. Indeed, the overall strategy in cyberspace pursued under former President Barack Obama had three pillars: raising the level of U.S. cyberdefense, deterring malignant cyberactivity aimed at the United States, and developing effective response and recovery from attacks. This paradigm is based on the concept of defending the United States, not on executing attacks abroad.

That said, the United States has not refrained from cyberspace offensives in the past, nor has it neglected to develop its offensive capabilities. The United States is strongly suspected of involvement in the 2010 Stuxnet virus attack that crippled the Iranian nuclear program. It also was rumored to have explored ways to use cyberwar techniques to sabotage the North Korean ballistic missile program. By their nature, classified programs such as these are difficult to verify, and there are often strategic reasons that the United States would refrain from publicizing such an attack. It would, for example, be more advantageous to allow the Iranians or North Koreans to believe that their own error caused the failure of a nuclear centrifuge or a missile test.

For the most part, however, the U.S. posture toward cyberspace was more defensive in nature and focused on strategic deterrence. The United States calculated that the perception of its retaliatory capabilities would make adversaries think twice before launching significant attacks targeting it. Leaks by National Security Agency contractor Edward Snowden detailing U.S. cyberactivity and the tools that the agency has at its disposal only reinforced the views of U.S. capabilities. In many ways, the split of U.S. Cyber Command away from Strategic Command, which oversees strategic deterrence, is emblematic of the shift in U.S. posture in cyberspace from defense toward what has been described as "persistent engagement."

In its 2018 Command Vision, the cyber command lays out its objective that the United States must "defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage." This belief was reinforced in the Trump White House's first full National Cyber Strategy released in September. If fully implemented, the strategy would entail frequent cyberactivity against aggressors in cyberspace — and in the case of the response after Iran's downing of the UAV, a willingness to retaliate for physical attacks through cyberwarfare.

A Change in Global Dynamics

While it may be easy to connect the more aggressive cybersecurity posture of the United States with Trump's America First strategy, multiple drivers have pushed the country in that direction.

It has become quite clear to many strategists that the classical concept of strategic deterrence has its limitations in cyberspace. While U.S. adversaries certainly calculate that a significant cyberattack against the United States could draw a U.S. response, they also know the difficulties of attributing those attacks to a specific state actor. That's why countries with such intent in cyberspace, including Russia, Iran and China, often employ nonstate actors to carry out offensives against the United States and its allies, giving them a higher degree of plausible deniability. This makes it difficult to rely on strategic deterrence, in which an adversary desiring to launch a cyberattack must first assess the probability of counterattack. This is why disruption, as opposed to deterrence, has become a more appealing option for U.S. strategists.

From an empirical perspective, the concept of deterrence hasn't held up in recent years, as the United States has faced dozens of state-backed cyberattacks from virtually every one of its adversaries. For Russia, online disinformation campaigns, of which its activities during the 2016 U.S. general elections are but one example, are extensions of its decades-old military strategy. But it does not limit its cyberspace activities to the shaping of perceptions. Its other cyberwar operations include a series of attacks testing the defenses surrounding critical U.S. infrastructure, including operations, still likely ongoing, targeting the U.S. electricity grid and its operators. While China has yet to carry out the same level of sophisticated disinformation campaigns as Russia, Chinese cyberattacks against U.S. infrastructure and network probes continue to be a key U.S. concern – although publicly released information detailing its activities is understandably rare. The simple fact is that, short of preventing a significant loss of life or economic activity, China's and Russia's actions show that the U.S. doctrine of deterrence has not held at the lower and middle levels. This same dynamic persists for North Korea and Iran – both of which have pursued actions targeting the United States in cyberspace despite the threat of retaliation.

As the United States repositions its national strategy to focus more on the competition with other peer or near-peer powers like Russia and China, a shift in thinking on cyberspace has become almost a necessity. Both have shown a repeated willingness to take on the United States in cyberspace, making it necessary for the Pentagon to develop a holistic strategy to counter their actions. And in the event of a war, the United States will need to have offensive cybertools at its disposal. Malware, backdoors and other code needed to implement a cyberattack can't necessarily be developed and deployed on the fly. So if the United States wants to tap that option at a moment's notice, it will need to preemptively probe its adversaries' defenses and install the needed components before the outbreak of conflict.

Although Iran is not a true U.S. peer in the sense of equal international power, it should come as no surprise that offensive U.S. cyber doctrine is extending to the Islamic republic. The U.S. cyberattack on Iran was clearly designed to degrade its capability to launch future attacks. This is thought to have been the first publicly acknowledged attack under new guidelines that the Trump administration put into place last year to streamline the approval process for conducting cyberattacks on U.S. adversaries, and it came just hours after the UAV was shot down — a testament to the Trump-era policy regarding cyberoffensives.

In August 2018, Trump issued an order reversing an Obama-era policy establishing intricate rules for an interagency process that must be followed before the United States could launch a cyberattack. After the reversal was publicly acknowledged, U.S. national security adviser John Bolton trumpeted the fact that the United States was no longer limited in its ability to carry out cyberoffensives. He has since delivered not-so-subtle messages aimed at Russia and China that the United States would go on the offensive in cyberspace. Trump's new marching orders, as outlined in the secret National Security Presidential Memorandum 13, are thought to grant the Pentagon greater authority to conduct cyberattacks – and to conduct hacks to set up those attacks – while reducing oversight by other U.S. agencies, like the State Department. That memo is also thought to give the Defense Department greater authority to act without presidential approval – a tactical necessity in a future hypothetical conflict between the United States and a near-peer power. While the cyberattack on Iran was publicly acknowledged, other U.S. efforts in this area have not been. The New York Times reported in June that the United States has stepped up attempts to penetrate the cybersecurity surrounding Russia's electric power grid, although U.S. officials have denied it.

The United States is not the only Western country developing its offensive cybercapabilities. In January, France unveiled a strategy shifting its own posture away from an "active defense" to incorporate offensive cyberoperations. It also announced a budget increase to expand its cyberwarfare force and said that France will not be scared of using offensive cyberoperations in the future. In 2018, the United Kingdom announced plans to create a new 2,000-strong offensive cyberforce to, in part, deal with the emerging threat from Russia. In 2013, the United Kingdom became the first Western country to announce that it had developed offensive cyberweapons. NATO, which indicated it will not conduct offensive cyberoperations itself, has said that it would integrate and coordinate the activities of its member states.

In announcing the cyberattack in retaliation for Iran's kinetic attack on a U.S. drone, the United States has announced to the rest of the world that it will make full use of its cyberspace capabilities and will carry out offensive operations if need be. The rules and norms governing such activity in cyberspace among the United States, Russia and China will continue to evolve over time. This will invariably lead to the question of how such norms will be established, but thus far, the three leading cyberpowers have shunned the idea of talks over the topic, even grinding Europe-led and U.N.-led processes for establishing them to a halt. It is unlikely that even a clear set of norms governing cyberspace — much less a broad treaty — will occur, unless they are narrowly focused (such as a promise to refrain from attacks targeting one another's nuclear command and control systems). So with a click of the mouse, the United States has shown that it is now willing to take the gloves off in cyberspace.

Crafty_Dog

Stratfor: Security and the Holographic Society-- serious read
« Reply #540 on: July 12, 2019, 05:57:26 AM »
Security and the 'Holographic Society'
By Eric B. Schnurer
Board of Contributors

Highlights

    The very distinction between the virtual and physical worlds is itself dissolving. Is it time we started thinking about security in the physical world as we do in cyber?
    Successful attacks cannot be entirely prevented but can be survived by building multiple pathways so the enemy cannot take down the entire system.
    Every point in the network has access to the information, so it can, as a practical matter, never be destroyed or altered, something like a hologram. In that way, blockchain essentially models the logic of “defense” as dispersion and redundancy.
    "Distributed" rather than concentrated systems are more survivable and secure in the real world, not just the virtual: To the extent that our concern is purely physical survival, even then, the more dispersed or redundant a population, an economy or a culture, the less a physical attack on it will make any sense.

Cyberattack is slowly becoming the preeminent form of international engagement, so much so that it's simply been assumed that current U.S. retaliation against Iran includes cyberattacks. That just makes it part of an ongoing, "larger pattern of cyber exchanges" between the two adversaries, as Brandon Valeriano and Benjamin Jensen phrased it recently in The Washington Post — and of the growing presence of cyber operations in global conflict.

The cyber world is dissolving distinctions between war and non-war, between what's "inside" a country and what's outside it, between the state and society. In fact, the very distinction between the virtual and physical worlds is itself dissolving. So perhaps we ought to be thinking about security in the physical world as we do in cyber.

North Korea's hack of Sony, the U.S.-Israeli Stuxnet attack on Iran's nuclear centrifuges and Russia's shutting down a civilian Ukrainian power plant through hacking as part of its invasion of Crimea all produced real-world, physical damage. Russia and the Islamic State have penetrated U.S. computer systems to explore the possibility of hacking dams to implode them or nuclear plants to explode them. Additionally, The New York Times recently reported that the United States is striking an increasingly offensive cyber stance by implanting sleeper code deep into the control systems of the Russian grid in case of future hostilities. Simply knocking out the internet, without any other direct physical violence, would disrupt practically every aspect of modern life, causing untold deaths and physical suffering. In sum, it's not at all clear that there's a meaningful distinction to be made anymore between "security" and "cybersecurity" — or "defense" and "cyberdefense."

One result is that cyberwar and cyberdefense are not just military, or even public sector, issues. As Benjamin Wittes and Gabriella Blum argue in The Future of Violence, the technology democratizing threats also democratizes defense, "distributing" the nation-state's activities across a wider range of actors — notably private sector providers of the "pipes," both traditional utilities and information technology, upon which modern society now depends. "It's very difficult to draw the line," Liina Areng, who helped oversee the cybersecurity of the entire cyber-dependent Estonian government, told me. Technology has not just expanded the battlefield to all actors in all places, as Wittes and Blum describe, destroying the distinctions between what's a military and a nonmilitary asset — and what's "inside" a country and what's not — it has also diluted time, making every moment an opportunity for, and threat of, conflict. Because cyberattacks can occur without invoking the same responses as physical attacks and incursions, they are occurring right now between global combatants, constantly, as you read this.

Virtual conflict, in short, is occurring everywhere, all the time.

A Lesson From a Former Soviet Republic

Once a small independent country until forcibly incorporated into the Soviet Union in the mid-20th century, Estonia reestablished its independence in 1991 as the Soviet Union imploded. It found itself, like many former Soviet republics, with a moribund economy and antiquated infrastructure. But, fatefully, Estonia set a goal of becoming the world leader in information technology by the end of the decade. Today, Estonia has the world's fastest and most widespread Wi-Fi, and almost the entire economy and all government services — from elections to tax collections, to the national health care plan — are online. Its "e-resident" program allows it essentially to export its government worldwide to virtual Estonians.

Being the most virtual country in the world, however, also made Estonia the most vulnerable to a virtual attack. Such an attack, widely regarded as the world's first, came in early 2007, with Russian hackers disrupting the country's public and private sectors for several days before order was restored. Estonians still anticipate further attacks from Russia — including outright invasion. The government, therefore, has placed all its operations on servers throughout the world — and is looking to move them to satellites beyond earth — so that it could continue operating as a country "in the cloud" without a physical foothold in Estonia. For all these reasons, Estonia has become the world leader in cybersecurity and home to NATO's cyber defense center of excellence.

Both military and civil defense, Areng said, "are really about resiliency, building redundancy and information-sharing." In our conversation, Areng returned repeatedly to redundancy and resiliency as the keystones of both cyber and physical security: the idea that successful attacks cannot be entirely prevented but can be survived by building multiple pathways so the enemy cannot take down the entire system.

This concept, now common in the cyber world, goes back to the Cold War: The U.S. telecommunications system stood out as a likely target in the event of war with the Soviet Union. The traditional approach called for "hardening" the target — for instance, investing in "a nuclear-resistant buried cable network (costing) $2.4 billion," writes Andrew Keen in his book, The Internet Is Not the Answer. However, a young Rand analyst named Paul Baran had a different idea, a "user-to-user rather than … center-to-center operation," a "distributed network" that "would be survivable in a nuclear attack because it … would have no heart, no hierarchy, no central dot."

The answer was the internet, the title of Keen's book notwithstanding. Societies tend to conceptualize their worlds based on their technologies: In an age of increasingly precise machinery, social and economic activity was conceived as mechanistic, and both corporate and government entities came to reflect the factory; in the postwar era, not just the technology of the computer but a philosophy of computer-like analysis increasingly gained ascendance over economic and political decision-making and structures. The internet and, consequently, the economics of networks, networks as decision-making systems and netwar as the framework of conflict, structure today's thinking.

Rendering an Attack Pointless

The next model is, likely, blockchain technology, in which information is distributed across millions of computers — every point in the network has access to the information, so it can, as a practical matter, never be destroyed or altered, something like a hologram. In that way, blockchain essentially models the logic of "defense" as dispersion and redundancy. Increasingly, then, dispersion — making potential targets "softer," or more ephemeral and diffuse, rather than "harder" — is becoming the modern strategy to render attack pointless.

Physical destruction matters less and less in an increasingly virtual economy. Killing people and occupying their territory are not the most productive economic or military objectives anymore. Many future-of-war theorists believe that conflict will rarely involve the physical any longer, but rather attempts to "win" by controlling virtually either their rivals' politics (as Russia has arguably succeeded in doing to the United States since 2016) or their economies without seizing direct physical control over people and territory. As Lauri Aasmann, chief of the NATO cyberwar center's law and policy branch, told me, "there's a disincentive for taking down an entire cyber system." As an aggressor, eventually "you want to use it (yourself) for propaganda and espionage purposes."

"Distributed" rather than concentrated systems are more survivable and secure in the real world, not just the virtual: To the extent that our concern is purely physical survival, even then, the more dispersed or redundant a population, an economy or a culture, the less a physical attack on it will make any sense.

Can one, in any event, actually "virtualize" or "distribute" a country? Estonia is sure trying. But to a greater extent than we generally appreciate, the United States already has done so: American culture and values are ever more broadly dispersed, having essentially conquered the world. The great global conflict today is not between countries so much as between two cultures that cross, and coexist within, existing national borders — one culture is as fluid and amebic as the technology on which it rests, while the other is based on "harder" technologies and harder borders and is reacting against the spread of the former. The United States is not only the nation most enmeshed in this emerging supranational world: It is the one that has done the most to create and shape it — and has done so largely in its own image.

A physical attack on the United States might lower the quality of cinema worldwide, depending on whether the gap is filled primarily by France or Bollywood, but it's hard to see how it would stop all the other ways in which "America" largely dominates the world. Even if the United States were destroyed as a physical or governmental entity, American culture, values and economic products are increasingly difficult to destroy. The United States is the epitome of the "holographic" society.

In the siege mentality sweeping much of the world, including President Donald Trump's "American carnage" worldview, safety lies only within territorially defined, demographically homogeneous nations with autochthonous economies and not just firm, but also largely impenetrable, borders that keep all threats at bay. This outlook may have it backward, however, putting America and its interests at greater risk. Physical security as well as cybersecurity in the 21st century increasingly lie not in becoming a fortress nation, but in doubling down on being a holographic one: promoting greater global integration, sending our people and products abroad more aggressively, and welcoming a more diverse array of the rest of the world's peoples and products within our national borders.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile




National Security Concerns Threaten Undersea Data Link Backed by Google, Facebook
U.S. firms and Chinese partner have sunk hundreds of millions of dollars into Los Angeles-Hong Kong cable project
By Kate O’Keeffe and Drew FitzGerald in Washington and Jeremy Page in Beijing
Updated Aug. 28, 2019 10:15 am ET

U.S. officials are seeking to block an undersea cable backed by Google, Facebook Inc. and a Chinese partner, in a national security review that could rewrite the rules of internet connectivity between the U.S. and China, according to people involved in the discussions.

The Justice Department, which leads a multiagency panel that reviews telecommunications matters, has signaled staunch opposition to the project because of concerns over its Chinese investor, Beijing-based Dr. Peng Telecom & Media Group Co., and the direct link to Hong Kong the cable would provide, the people said.

Ships have already draped most of the 8,000-mile Pacific Light Cable Network across the seafloor between the Chinese territory and Los Angeles, promising faster connections for its investors on both sides of the Pacific. The work so far has been conducted under a temporary permit expiring in September. But people familiar with the review say it is in danger of failing to win the necessary license to conduct business because of the objections coming from the panel, known as Team Telecom.

Team Telecom has consistently approved past cable projects, including ones directly linking the U.S. to mainland China or involving state-owned Chinese telecom operators, once they were satisfied the company responsible for its U.S. beachhead had taken steps to prevent foreign governments from blocking or tapping traffic.

If the U.S. rejects Pacific Light’s application, it would be the first time it has ever denied an undersea cable license based on national security grounds, and it could signal regulators are adopting a new, tougher stance on China projects.

The threat of a failed approval process reflects growing distrust of Chinese ambitions and comes amid escalating tensions between China and the U.S., part of a broad rivalry between the world’s two largest economic powers. A prolonged trade conflict has each side affixing tariffs on hundreds of billions of dollars in goods flowing between the two countries, while Washington has sought to blunt Beijing’s ambitions to expand military and economic influence in Southeast Asia, the Pacific, Africa and elsewhere.

A number of U.S. officials—as well as some from allied countries—also have been waging a high-profile campaign to exclude China’s Huawei Technologies Co. from next-generation mobile networks, and to limit its role in the undersea cable networks that ferry nearly all of the world’s internet data.

The Pacific Light project cost at least $300 million to build based on its route, according to consultants who advise companies on subsea cable construction. Companies like Google and Facebook have spent the past decade funding similar cables to handle ever-growing network traffic between the U.S. and Asia. The new link to Hong Kong would give them greater bandwidth to a major regional internet hub with links to growing markets in the Philippines, Malaysia and Indonesia as well as mainland China.

Team Telecom’s concerns over Pacific Light include Dr. Peng’s Chinese-government ties and the declining autonomy of Hong Kong, where pro-democracy protesters have been holding massive demonstrations for months against Beijing’s efforts to integrate the territory more closely. Dr. Peng is China’s fourth-biggest telecom operator. Listed in Shanghai, the private firm serves millions of domestic broadband customers. In the past, a cable link to Hong Kong would have been viewed as more secure than one to mainland China, but the distinction is becoming less relevant, these people say.

Proponents of the project say its approval would give the U.S. better oversight over the data that flows through the cable because Team Telecom could advise the FCC to force the companies to agree to certain conditions to protect security. Even if the U.S. thwarts this particular cable, the need for greater data capacity will still exist, and that data will just find its way through other cables that aren’t necessarily within the U.S.’s jurisdiction, they say.

[Graphic: The Internet’s Undersea Arteries. Roughly 380 active submarine cables carry almost all the world’s intercontinental internet traffic via about 1,000 landing stations.]


Team Telecom last year reversed its long-held stance on Chinese applications to provide telecom services through U.S. networks, and recommended for the first time the denial of an application based on national security and law-enforcement concerns. In May, the Federal Communications Commission adopted the recommendation that came after years of deliberation, voting unanimously to deny an application from China Mobile Ltd.’s U.S. arm even though it had previously approved applications from fellow state-owned operators China Telecom and China Unicom.

Though the FCC makes the final decision on whether to grant a license for the Pacific Light project, it has historically deferred to recommendations from Team Telecom after its members coalesce around a unified view. The ad hoc group has no resolution mechanism in the event of a dispute. It isn’t known how strongly other members of the team, including the Defense and Homeland Security Departments, feel about the issue.

Should the Justice Department hold firm in its opposition and win support from other Team Telecom members, the group’s negative view would likely kill the project. If other team members decide to fight the Justice Department on the issue—and it refuses to back down—any approval could be delayed indefinitely, leaving the project in limbo. It is possible regulators might extend the temporary permit in the interim. Team Telecom, meanwhile, could still recommend the FCC approve the project if the Justice Department changes its position.

Pacific Light Data Communication Co., the Hong Kong company managing the cable project, said it has already installed more than 6,800 miles of the cable system, which will be ready for service by December or January. Senior Vice President Winston Qiu said he hadn’t heard of any U.S. regulatory problems. “We didn’t hear any opposition,” he said.

Dr. Peng didn’t respond to emailed and faxed requests for comment. Repeated calls to its offices and those of its subsidiaries and biggest shareholder went unanswered.

A Google spokeswoman said the company has “been working through established channels for many years in order to obtain U.S. cable landing licenses for various undersea cables. We are currently engaged in active and productive conversations with U.S. government agencies about satisfying their requirements specifically for the PLCN cable.” A Facebook spokeswoman declined to comment.

A Justice Department spokesman declined to comment on the project and said its reviews and recommendations are “tailored to address the national security and law enforcement risks that are unique to each applicant or license holder.” The Pentagon referred questions to the Justice Department as the team’s lead agency. Spokesmen for the Department of Homeland Security and the FCC declined to comment.

The Pacific Light project has taken an atypical path. Google owner Alphabet Inc. teamed up with Facebook in 2016 to provide its U.S. financing, adding to the tech companies’ growing inventory of internet infrastructure. Google took responsibility for its U.S. landing site. The Hong Kong end fell to a company controlled by a mainland Chinese real-estate magnate that had only recently entered the telecom sector.

The Chinese partner later sold its majority stake in the project to Dr. Peng, a company with interests in telecom, media and surveillance technology. In 2014, Dr. Peng signed a strategic cooperation agreement with Huawei to jointly research cloud computing, artificial intelligence and 5G mobile technology, according to an exchange filing. Dr. Peng’s website lists Huawei as a partner.

Dr. Peng’s chairman, Yang Xueping, is a former Shenzhen government official, according to the company’s website, and its subsidiaries have worked on several projects with government entities, including building a fiber-optic surveillance network for Beijing police, its website and filings show. Last year, Dr. Peng said in an exchange filing that two wholly owned subsidiaries had been fined 2 million yuan ($279,000) after some of their executives were convicted of bribing Chinese officials in connection with Beijing police projects.

—Xiao Xiao in Beijing contributed to this article.

Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
WSJ: Cyberwar: Norks got game
« Reply #542 on: September 16, 2019, 10:38:47 AM »
U.S. Targets North Korean Hacking as Rising National-Security Threat

For Pyongyang, cyber prowess is crucial source of revenue, political leverage
By Ian Talley and Dustin Volz
Sept. 15, 2019 7:00 am ET

WASHINGTON—New U.S. sanctions against North Korean hackers and revelations about North Korean malware show how Pyongyang’s cyber operations have become a crucial revenue stream and a security threat that soon could rival its weapons program, U.S. and industry officials say.

North Korea’s hacks of financial systems and critical infrastructure world-wide reveal sophisticated cyber capabilities developed to counter global sanctions and expand Pyongyang’s geopolitical power, according to these officials.

The U.S. Treasury Department, in blacklisting the three hacking groups allegedly run by North Korea’s primary intelligence service, said Friday they collectively were responsible for operations across 10 countries, stealing hundreds of millions of dollars from banks and cryptocurrency exchanges, pilfering military secrets, destabilizing infrastructure and intimidating adversaries.

Attacks that cyber experts suspect were orchestrated by North Korea are becoming more frequent.

Treasury says one collective, called Lazarus Group, and two subsidiaries, known as Bluenoroff and Andariel, have stolen around $700 million in the last three years and have attempted to steal nearly $2 billion.

U.S. security officials and cyber experts say those sums of money likely underrepresent the amount of cash Pyongyang’s hackers have secured. United Nations investigators last month tallied proceeds from all reported operations, including those carried out by other North Korean hacking groups, at $2 billion in recent years. Some thefts likely aren’t reported to authorities for fear of embarrassment and exposure, a senior U.S. official said.

North Korean officials didn’t respond to a request for comment but historically have denied accusations of engaging in malicious cyber activity.

Treasury said it also has been working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as well as with the U.S. military’s Cyber Command in recent months to disclose malware samples to private industry. Last week, under its North Korean malicious cyberactivity rubric “Hidden Cobra,” the administration issued a public alert about a new version of malware dubbed “ELECTRICFISH” that burrows into victims’ computers to steal data.

Senior administration and industry officials say that many reported, but not publicly disclosed, attacks on banks and other companies bear hallmarks of North Korean involvement.

“Though these operations may fund the hackers themselves, their sheer scale suggests that they are a financial lifeline for a regime that has long depended on illicit activities to fund itself,” said John Hultquist, director of intelligence analysis at the U.S. cybersecurity company FireEye Inc.

Cyber Command ranks North Korea’s capabilities along with China, Russia and Iran as top strategic threats to U.S. national security.

Underscoring the geopolitical leverage its hacking abilities give Pyongyang, industry experts say North Korean leader Kim Jong Un’s willingness to at least talk about denuclearization over the past year may be from a belief that the country’s cyber arsenal can partially supplant its weapons as a threat to other nations.

“North Korea’s cyber operations broaden the Kim family regime’s toolkit for threatening the military, economic, and even the political strength of its adversaries and enemies,” said Mathew Ha and David Maxwell, North Korean experts at the Foundation for Defense of Democracies, a Washington nonpartisan think tank, in a report.

With the U.N. and U.S. squeezing traditional high-value revenue streams such as North Korean coal exports, the hacking operations appear to be so lucrative for the cash-hungry regime that cybersecurity experts say it is unlikely Pyongyang will be pressured through sanctions into curtailing its malicious behavior.

U.S. officials say their investigations show that some of the money from cyber-theft is channeled into Mr. Kim’s nuclear weapons and ballistic-missile programs. Cyber-enabled heists also have become an essential source of revenue keeping the regime in power and insulating the economy from the global sanctions meant to force Pyongyang into giving up its weapons of mass destruction, U.S. and U.N. officials say.

In addition, North Korea’s cyberattacks generate income in ways that are harder to trace than many of its other illicit activities, U.N. officials said in a report last month. The U.N. is investigating at least 35 reported North Korean cyberattacks across five continents targeting banks, cryptocurrency exchanges and mining companies.

The Trump administration previously has blamed the Lazarus Group for the WannaCry worm, which was unleashed in 2017, infecting more than 300,000 computers in more than 150 countries, crippling banks, hospitals and other companies. The Justice Department last year charged a North Korean operative, Park Jin Hyok, and unnamed co-conspirators, tying them to the WannaCry worm, the 2014 hack on Sony Pictures and the $81 million stolen from Bangladesh’s account at the Federal Reserve Bank of New York in 2016.

It was only a typo in the Bangladesh heist that prevented the hackers from stealing $851 million they planned to transfer, officials say.

Since the beginning of 2019 alone, North Korean agents have attempted five major cyber-thefts world-wide, including a successful $49 million heist from an institution in Kuwait, according to the U.N.

U.N. investigators and members of a North Korean defectors group in South Korea say the North’s hackers are carefully selected and groomed at an early age by the military and secret services and given specialized training.

North Korean cyber collectives often use a variety of different schemes for revenue generation, as well as lay the groundwork for future hacks, according to experts on North Korea and cybersecurity.

U.S. intelligence, security companies and North Korea watchers say that while they believe many of the freelance operations are largely for revenue-generation purposes, they also represent a major threat because of their infiltration of Western security systems.

They do so by working as software programmers who contract their services through freelance platforms, concealing that they are North Korean agents.

Many companies rely on the freelance software platforms where “there’s no vetting process or validation to ensure you’re not working with sanctioned entities,” said a top official at a private technology company that sells its products to the U.S. government and other Western allies.



Crafty_Dog

  • Administrator
  • Power User
  • *****
  • Posts: 48105
    • View Profile
War Against Chinese Tech
« Reply #545 on: October 12, 2019, 12:35:16 PM »

In the War Against Chinese Tech, the U.S. May Go It Alone
By Phillip Orchard - July 8, 2019

Summary

The United States has been on a crusade to block Chinese tech firms out of the development of 5G networks. Its allies, big and small, are reluctant to fall in line as they weigh the potential political and military costs of bucking Washington’s demands against the dollars-and-cents cost of excluding tech companies like Huawei. Ultimately, few countries are likely to adopt a blanket ban on Chinese tech. But it may not matter if the U.S. proves willing and capable of crippling Chinese tech firms unilaterally.

For much of the past half a decade, the U.S. has warned that trouble awaits countries that build their fifth-generation, or 5G, mobile networks with Chinese technology. Fearing that the proliferation of Chinese telecommunications infrastructure would give Beijing unprecedented cyberespionage and network sabotage capabilities, the Trump administration has since tightened the noose, moving gradually to ban Chinese software and equipment – and even foreign tech made or designed in China – from U.S. networks. It wants friends and allies across the globe, on whose telecommunications networks the U.S. military relies, to follow suit. Using Chinese tech was always risky, but the U.S. has threatened to raise the stakes, saying countries that use it could face a future without U.S. military and intelligence cooperation.

This kind of absolutist approach by the U.S. speaks both to just how alarmed it is by China’s creeping telecommunications dominance and how little credence it gives to claims that such threats are manageable. Yet, widespread reluctance to comply with U.S. pressure has raised the question of whether the U.S. is really willing to walk away from the multilateral network of friends and allies it has been cultivating since World War II, with profound potential implications for the global system. But the U.S. won’t have to make this call any time soon. It’s not yet settled whether a blanket ban on Chinese 5G-related tech is really necessary. And U.S. moves to take matters into its own hands and stop Huawei’s rise may well put the whole issue to rest.

Why Other Countries Aren’t Falling in Line

Thus far, the U.S. campaign has found at best mixed success. Only Australia and, to a lesser extent, New Zealand, Japan, Taiwan and Vietnam have come anywhere close to a blanket ban on Chinese telecommunications tech. Elsewhere, responses have ranged generally from “We’re exploring other options, but don’t force us to take an overtly anti-China position” (see: Singapore, South Korea) to “Partial restrictions and careful vetting will be sufficient” (Europe) to “We’ll use as much Huawei tech as we darn well please, so stop nagging us about it” (Malaysian Prime Minister Mahathir Mohamad). Skeptics include the U.K. and Canada – fellow members of the crucial Five Eyes intelligence-sharing network (none of whom, inexplicably, are home to a major Huawei competitor); countries hosting or pursuing major U.S. military bases like Germany, South Korea and Poland; and nominal allies familiar with Chinese aggression like the Philippines. Even the African Union, whose Huawei-wired headquarters reportedly leaked a torrent of data to servers in China every night for five years, recently signed a new cooperation agreement with Huawei.

This reluctance is rooted, above all, in matters of dollars and cents. The physical requirements of 5G make rollouts breathtakingly expensive. It’s not just about upgrading existing cell towers. 5G will operate primarily on high frequency spectrum, which will unleash blistering data processing speeds with exponentially higher traffic capacity, but only at very short range. To ensure network stability and minimize latency, then, it will require a vast and dense network of base stations and antennas, plus millions of miles of new fiber-optic cable. Little of what 5G promises – driverless cars, automation, artificial intelligence, “smart cities,” “the internet of things” and so forth – can be realized without major capital expenditures.

Huawei and ZTE can make the leap to 5G less painful. Just three competitors – Finland’s Nokia, Sweden’s Ericsson and South Korea’s Samsung – are currently capable of delivering a similarly comprehensive suite of network equipment. (The United States’ Cisco and other smaller players will be competitive in narrow segments of 5G systems.) None have Huawei’s ability to achieve economies of scale and its levels of state backing, so it can often undercut its rivals by 20-30 percent. (It’s not a matter of sacrificing quality, either; some Huawei tech is considered the best in the business.) Moreover, the initial phases of 5G rollouts in all but a few countries will be built largely on existing 4G infrastructure – which, in many countries, is already built with Huawei tech. Ripping out all the existing Huawei equipment before upgrading would make the process even more expensive. Vodafone UK, for example, says it would need to replace some 6,000 base stations, costing hundreds of millions of pounds. It would also add costly delays, putting domestic industries behind the curve in developing profitable 5G applications. Germany’s Deutsche Telekom, the largest telecommunications operator in Europe, said a blanket ban on Huawei would set back its 5G rollouts by at least two years.

Poorer and less densely populated countries will benefit the most from Huawei’s cost advantages, of course, but even highly urbanized countries – those best-equipped to develop and reap the economic benefits of 5G applications, and with perhaps the most to lose from delays – aren’t immune. The race to roll out 5G networks is not a winner-take-all contest, despite how it is often portrayed. Still, there are certainly first-mover advantages in the development of new 5G applications, influence over international standards and securing new patents. Even outside the tech world, a firm in any sector – from heavy industry to manufacturing to transportation to healthcare – primed to harness 5G’s power could reap cost and quality advantages over foreign competitors effectively stuck in what might feel like the digital stone age. Add to this the costs associated with potential Chinese economic retaliation and other forms of coercion, and it’s easy to understand why countries insist on exploring protective measures before deciding whether to assume the costs of an all-out ban.

Is a Blanket Ban Really Necessary?

Skeptical governments have relied on four main arguments to explain their reluctance to fully ban Chinese telecommunications firms. Two are falling on deaf ears; two may ultimately gain traction.

The first is that the U.S. has not provided any evidence that Huawei has installed “back doors” into its existing overseas networks or knowingly facilitated state-sponsored cyberespionage. (The U.K.’s Huawei Cyber Security Centre Oversight Board did find defects in Huawei source code and concluded that the firm failed to address security issues in the past, but this doesn’t prove that the company has acted with malicious intent.) Absent evidence, they say, the U.S. is acting primarily on suspicion rooted in its own strategic and trade-related tensions with China – ones that other countries may not share. If the U.S. was really worried about cybersecurity, they say, it wouldn’t have abandoned an Obama-era push to include cybersecurity measures in international 5G technical standards. Nor would the Trump administration be so quick to ease pressure on Huawei and ZTE in the interest of reaching a trade deal with China.

The second argument is that, with proper vetting and oversight, security vulnerabilities in Chinese tech can be detected, obviating the need for a costly ban. To enhance this argument, Huawei has opened up its source code to inspection at security labs it’s established in Brussels, Bonn and the U.K.

To Washington, these two arguments miss the mark. This is, in part, because back doors are largely indistinguishable from common coding errors in network software or firmware, making it nearly impossible to obtain smoking gun evidence of malicious intent. The sheer scale of 5G architecture will also make vetting too slow and expensive, considering the frequency of software and firmware updates involved, to be done thoroughly and regularly. (Modern software testing processes aren’t particularly good at detecting carefully designed back doors, anyway.) Moreover, the full spectrum of potential vulnerabilities with 5G won’t become known for years to come, until its myriad potential applications are developed and until, as expected, tens of billions of “smart devices” are linked into the system. By then, countries may have effectively locked themselves into partnerships with the Chinese. The costs of reversing course would be prohibitive.

To the U.S., then, it’s perfectly rational to want to deprive an adversary of capabilities that might prove dangerous – and to kneecap a company that might act on that government’s behalf. Lack of trust and competing strategic interests have everything to do with it. After all, in the 2000s the U.S. compelled its own tech firms to facilitate government surveillance in the service of national security. It would be naive to expect China to behave any differently, even if you ignored Beijing’s history of coercive activities abroad, the abundance of China-linked cyberattacks, the autocratic nature of the Chinese regime and its national security law requiring firms like Huawei to cooperate.

The other two arguments hint at a possible way for the U.S. and its allies to meet in the middle. One is that, if Chinese tech is limited to the periphery of 5G networks, any damage Beijing could do could be tightly contained. 5G networks consist of a tightly protected “core,” where servers and software execute the most sensitive and crucial functions, and the radio access network equipment (towers, masts, small cells inside buildings and along streets, and so forth) on the “edge” that connect wireless devices to the core.

If China could slip back doors into the core, where encryption keys are stored and authentication functions take place, it could gain unprecedented snooping power and even the ability to shut down key parts of a network altogether. As the dependency of critical infrastructure (including power grids and hospitals) on 5G networks increases, so too would Beijing’s capabilities to conduct crippling sabotage attacks. By comparison, if a Chinese firm slips a backdoor into edge components like, say, the base station or antennas outside your house or the operating system of the phone in your pocket, it could potentially monitor unencrypted data and encrypted metadata or infect user devices with malware, posing a small-scale espionage problem (especially if you happen to be a high-level intelligence target). But it’s doubtful that edge equipment could be used to conduct mass espionage or to bring down large parts of the network.

At this point, governments in France, Germany and the U.K. all plan to ban cheaper Chinese tech from the core but not the edge. Since the edge is where the bulk of new capital investment will be required – and where most Huawei equipment is located in Western 4G networks – this ostensibly makes it possible to harness Chinese cost advantages without incurring Chinese risks. But others, including the U.S. and Australia, say the decentralized nature of 5G networks will erode the distinctions between the core and the edge over time, with edge devices taking on more and more “smart” computing power and sensitive functions. To them, the only sure solution is a blanket ban. Skeptics of this argument say components in an even more decentralized core will still be distinct and protected from edge components.

The final argument is basically that supplier-inserted back doors are just one of a dizzying array of cyber threats facing 5G, and fixating on who makes the equipment addresses the problem too narrowly to justify the cost of a blanket ban. Indeed, this approach could make some cybersecurity challenges harder to address. Any network equipment, whether manufactured in Shenzhen, Silicon Valley or Sarawak, will inevitably be laced with exploitable security flaws, and the biggest threats will still be familiar ones like spear phishing and malware-infected software inadvertently downloaded by users. It’s certainly easier for a malicious actor to hack a system if it built in a backdoor itself. But ultimately, the best way to prevent espionage is widespread adoption of sound end-to-end encryption practices and use of other tools like virtual private networks. And the best protection against network sabotage is system redundancy. This means additional spending on backup network infrastructure from multiple suppliers. Cutting out one of the few major telecommunications suppliers available (and the cheapest one, to boot) would make redundancy harder.

The debate is clearly far from settled. But if the U.S. can be persuaded that the distinction between the edge and core will hold, and if protective measures like end-to-end encryption can be adopted widely enough (no small feat, considering that billions of connected devices will need to be configured to operate on secure channels), the U.S. may be willing to compromise and adopt a more tailored approach to Chinese tech.

Is the U.S. Bluffing?

There’s another, largely unspoken reason countries are resisting U.S. pressure on the issue: They think the U.S. might be bluffing on its threats to sharply curb military and intelligence cooperation. Consider the potential costs. The U.S. currently has troops in dozens of countries. Its warships stop in dozens more. Its critical logistics networks crisscross the globe. Its intelligence-sharing agreements allow it to act nimbly and entrench its partnerships. It would be one thing if there were enough strategically located countries shunning Huawei that the U.S. could keep its global operations humming. But there are not. So, to make good on its threats, the U.S. would have to dramatically scale back its global military footprint and deprive itself of access to vital intelligence flows, potentially putting the global balance of power in flux. It defies imagination to see how the risks of 5G outweigh these costs.

To be sure, the proliferation of Chinese 5G tech could indeed pose extraordinary new challenges to U.S. intelligence and military operations abroad, especially if its arguments about the network security risks prove valid – and particularly when operating in or with countries that allow Chinese access to the network core or fail to adopt prudent network security practices. The battlefield implications could likewise be dramatic; China could realistically shut down military communications, disrupt critical supply lines, collect and exploit signals intelligence, and so forth. The U.S. will need to become ever more judicious about how and where it sets up logistics networks, with whom it shares sensitive information, and how much it can afford to rely on next-generation weapons systems that depend on unhindered connectivity. It will probably need to develop more sophisticated and secure communications systems and consider helping partner governments bear the expense of ensuring network diversity and redundancy.

To an extent, the nature of these challenges isn’t new. The U.S. has long been a global superpower well practiced in handling adversaries keen to steal U.S. secrets, frustrate its best-laid plans and exploit asymmetric capabilities to blunt inherent U.S. advantages. And it’ll certainly be able to exploit these same capabilities itself. (A leaked National Security Agency document from 2014 claimed the agency had penetrated Huawei networks so thoroughly that it didn’t know what to do with all the data it collected.)

The scale and complexity of the new risks are too much for the U.S. to ignore. Yet if it can’t pressure the world to shun Chinese tech or make peace with available security measures, it won’t blow up its alliance network. Washington will instead try to make the whole debate moot by taking matters into its own hands. The U.S. already started this process in earnest in May, when it announced a ban on exports of U.S.-made component parts and software to Huawei, ZTE and other Chinese firms. Last week, to restart negotiations with Beijing on a trade deal, Trump signaled a willingness to relax the ban, though exactly how much remains unclear. But it remains an enormously powerful measure that the U.S. will likely return to eventually. U.S. firms no longer dominate as many sectors of the telecommunications industry as they once did, but they do dominate some of the fundamental building blocks such as semiconductors and mobile chips. This means any foreign firm in Huawei’s supply chain whose products contain these components also has to comply with the ban, lest it be sanctioned by the U.S. (Huawei’s own research and development into semiconductors and microchips is widely believed to be inadequate for its needs.) Whether a ban would kill the company, or just weaken the quality of some of its tech and force it to scale back its product offerings, is impossible to say. U.S. pressure has already damaged Huawei’s reputation and revenue streams. At minimum, even the continued threat of a ban will make some countries think twice about partnering with a company that may not be able to continue to innovate.

There’s also a risk that the move would backfire by eventually accelerating China’s pursuit to develop indigenous components and ushering in an era of Chinese tech parity. Yet the U.S. has enormous incentives to follow through. A ban wouldn’t just hit the Chinese telecommunications sector; it would also hamper China’s broader drive to dominate high-tech industries, its breakneck military modernization, and its sprawling diplomatic ambitions. The U.S.-China strategic rivalry isn’t going away anytime soon, and the U.S. has an opportunity to cement its alliance structure and strike at multiple dimensions of Chinese power with a single blow. In other words, this is one of the few cases in which the U.S. may be better off acting alone.

Phillip Orchard
Phillip Orchard is an analyst at Geopolitical Futures. Prior to joining the company, Mr. Orchard spent nearly six years at Stratfor, working as an editor and writing about East Asian geopolitics. He’s spent more than six years abroad, primarily in Southeast Asia and Latin America, where he’s had formative, immersive experiences with the problems arising from mass political upheaval, civil conflict and human migration. Mr. Orchard holds a master’s degree in Security, Law and Diplomacy from the Lyndon B. Johnson School of Public Affairs, where he focused on energy and national security, Chinese foreign policy, intelligence analysis, and institutional pathologies. He also earned a bachelor’s degree in journalism from the University of Texas. He speaks Spanish and some Thai and Lao.