Cyber Attacks an unprecedented threat to U.S. National Security

Posted on August 7, 2013 by

Preface. This post contains extracts from 3 congressional hearings in the House of representatives session on cyber attacks.

Alice Friedemann  www.energyskeptic.com  Author of Life After Fossil Fuels: A Reality Check on Alternative Energy; When Trucks Stop Running: Energy and the Future of Transportation”, Barriers to Making Algal Biofuels, & “Crunch! Whole Grain Artisan Chips and Crackers”.  Women in ecology  Podcasts: WGBH, Jore, Planet: Critical, Crazy Town, Collapse Chronicles, Derrick Jensen, Practical Prepping, Kunstler 253 &278, Peak Prosperity,  Index of best energyskeptic posts

***

March 21, 2013 Cyber attacks: An unprecedented threat to U.S. National security

Mr. Rohrabacher: The type of targets hackers assault are often placed in 2 categories:

1) Strategic targets attacked by military means in a war such as transportation systems, power grids, defense industries, communications, and government centers.

2) Commercial warfare. The scale upon which it is being conducted is beyond anything we have experienced and far exceeds traditional espionage. [Last month the Mandiant report identified a military unit of the Chinese People’s Liberation Army that has been conducting commercial warfare since 2006, hacking business and industry targets.  These attacks cost the American economy $250 billion per year and affect our economy and the balance of power.]

Over the last 10 years the United States trade deficit in goods with China was over $2.4 trillion. Entire industries have been moved across the Pacific to create what we see as the rise of China. We cannot just rely on technology to defend against these type of attacks. We must use diplomacy to deter them by telling Beijing and others in clear terms that we will not allow their hacking to continue without retaliation. We should sanction states that support hacking just as we sanction states that support terrorism or engage in other hostile actions. This war will not just be waged in cyberspace, but across every front and using every lever of American power to defeat an aggressor and to take the profit out of attacking our businesses, our defenses, and yes, our country.

There have been several Congressional hearings on cyber warfare, but most have concentrated on the technology involved and how we can devise defenses to block hackers from breaking into our government and business computer networks. The greatest dangers to our nation are not, however, really about technology. It is about international relations. Foreign governments that employ cyber warriors to attack other countries, or which “allow” hackers to attack other countries should be considered as hostile as governments which support terrorism. These are acts which put our country in severe jeopardy and must be met with the same national security and diplomatic measures that we use to meet any other external threat.

Chinese firms are dominated by state-owned enterprises with ties to Communist Party officials and their families. It is a matrix that not only serves to grow the wealth and power of China but also the personal fortunes of its leaders. The transfer of wealth by the theft of technology and other information vital to the development of industry is then used to gain a competitive advantage in world trade, which brings even more wealth to China.

The people of China are being cheated in that the apparatus that has been set up to protect them is being used to enrich the elite, and at the same time put China into a hostile relationship with the United States and other free countries of the world. And on top of that, the elite in China are using this not to protect China, not to make it more prosperous, but also to repress their own people.  The elite in China, their vanity and their desire for more wealth and power has led China down a wrong path, and I would urge those people in China, which is the vast majority, the people of goodwill there, to push this elite that is running their country that is raping their country and putting us on a path to conflict, to push them out of power.

Yesterday, several banks and broadcast outlets in South Korea were attacked, and apparently the assumption was that the cyber attacks were from North Korea. However, the news this morning is that South Korea is claiming that these attacks were located, the attacker was located in China. [This] raises questions as to whether China and North Korea are cooperating in cyber warfare against people that they think are their enemies.

Duncan: The director of National Intelligence on 12 March, James Clapper, said “there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next 2 years that will result in a long-term, wide-scale disruption of services such as regional power outage.’’

If they are stealing the plans of an F–35 and so we have to send F–35s against a comparable aircraft, that is taking some of that competitive advantage away that we have militarily to protect this country.

Mr. STOCKMAN. My district encompasses everything from NASA to petrochemical plants. We were touring some of the plants, and they said they were getting very little cooperation from the government to help deter cyber attacks, which could cripple our nation. Just by turning off a few valves a plant could be blown up.  One plant alone in my district produces about 600,000 barrels a day. If that were to be taken off the market you would see a quick crisis occur. And if you took off several plants it would shut down the United States.

This reminds me of 9/11 when we knew about the Philippines. We picked up documents which showed that they wanted to use planes as weapons, yet we ignored all the signs. I feel like we are ignoring all the signs.  I have plant managers telling me their concerns and I am asking you, is there any kind of game plan to help critical infrastructure?   

The Mandiant report on Chinese APT1-unit cyber attacks

APT1 has:

  • systematically stolen hundreds of terabytes of data from at least 141 organizations, and can steal from dozens of organizations simultaneously.
  • targeted industries China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.
  • a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
  • revisited victim’s network over several months or years to steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
  • used tools and techniques not yet observed being used by other groups including two utilities designed to steal email
  • maintained access to victim networks for an average of 356 days and up to nearly 5 years
  • stolen 6.5 terabytes of compressed data from a single organization over a ten-month time period.
  • Compromised at least 17 new victims operating in 10 different industries the first month of 2011 .
  • compromised organizations across a broad range of industries in English speaking countries. Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.
  • maintained an extensive infrastructure of computer systems around the world.
  • controls over thousands of systems in support of their computer intrusion activities.

[And much more is in this document, or see the full Mandiant report]

Mr. Autry: These attacks are not an isolated case of industrial espionage but rather part of an integrated military-economic-cultural assault on America, a nation that China views not as a benefactor and valued trading partner, but rather as an ideological adversary who must be subdued by any means necessary. Chinese senior military strategists have discussed such multidimensional warfare for years. While the Chinese economic assault on the U.S. manufacturing base is painfully visible to our unemployed, the Mandiant report shows that China views this as a military operation. In the process China has debased the Internet, a gift to the world developed at U.S. taxpayer expense.

Why are the Chinese being allowed to get away with this?

I think that the problem is that a lot of American corporations are co-opted by the Chinese regime. They have such a huge interest in the production capabilities and the ability to exploit Chinese labor and the Chinese environment to lower their costs, and they are chasing the delusional promise of this giant market that they are someday actually going to be given access to that they don’t dare offend their Chinese host. They are like the abused partner in an abusive spousal relationship. They are not going to call the cops on the Chinese, and they are really not going to do it when they know that the cops don’t show up and that the cops don’t have any guns, which is the situation that we are in now. This is not a technical challenge, it is a military one. No amount of locks or alarms could protect your home if there was no belief that the police would show up or that the prosecutors would do anything if you had burglars working in broad daylight against whatever security you had put in place.

We should have a ban on the import of any Chinese networking hardware, and specifically I mean Huawei. We need to stop the revolving door at the State, Treasury, and Commerce Departments where officials from those Departments come directly from doing business with China or look forward to doing business with the Chinese as soon as they get out of government service.

Finally, we need to stop educating our adversary. Our computer science departments and engineering departments are full of mainland Chinese students, the majority of whom return to mainland China. Why are we educating these students of a country who are using that technology that we are handing them to oppose our interests?

How does an economist estimate the cost of Chinese cyber warfare?

The evidence suggests these revelations are merely the tip of the iceberg. The FBI admits, “As a result of the inability to define and calculate losses, the best that the government and private sector can offer are estimates.” A full accounting of the damage done to the U.S. is impossible to compile, because most of the victims will never detect the Chinese intrusions or will decline to admit to their losses. The discrepancy between expert estimates and the value of crimes actually reported makes this under reporting obvious. For instance, Symantec estimated 2011 individual and small business cybercrime losses at $388 Billion, while the FBI’s IC3 summary of actual reports that totaled a mere $485million. McAfee even tossed out a $1 Trillion estimate a few years ago. Using the more conservative number only a little more than a tenth of one percent (0.0125%) of these crimes by cost were reported. Even if Symantec overstated the problem by an order of magnitude we still have more than 98% of cybercrimes going unreported.

In any case, how do we place a value on something like Google’s source code? The firm trades at 25 times its annual earnings, suggesting most of its value is in future revenues. Conservatively assuming that half of Google’s market capitalization of $248 billion reflects the value of its technology (other factors might be labor force, brand equity and assets) this implies a property worth $124 billion has been compromised. While assessing the total cost over time has too many unknowns to model, Google has clearly suffered at the hands of its Chinese competitor Baidu. Google has lost $ billions in the Chinese market alone prompting Google’s co-founder Eric Schmidt to brand the Chinese government a “menace.” He has wisely noted that “The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage.” In other words we don’t cheat and steal well.

Consider that the economic costs of the September 11 attacks (excluding the military reaction) have been estimated at around $175 Billion. The annual cost of Chinese military hacking to the US economy is therefore in the same range as 9/11. Every $100 billion implies a loss of about 1 million American jobs. Chinese military hacking has left millions of American workers unemployed. And although we’ve been spared the specter of horrible televised deaths, the suicide and death rates for the unemployed are substantially higher than the national average. The statistics would suggest that over the years, Chinese military hacking has killed thousands of Americans.

Technical protections against cyber intrusion have consistently proven to be insufficient because most initial system compromises are achieved via exploitation of human beings with “social engineering” tricks like spear phishing. The criminal consequences of getting caught are minimal.

Victims of Chinese cyber attacks are actually helping to conceal the extent of this problem. They wish to avoid public humiliation, negative stock market reaction and the liability associated with the loss of customer data. What makes the silence more worrisome is that most large American corporations have been, for all practical purposes, coopted by the Chinese government. They are so dependent on low-cost production in China and strategically committed to the promise of the “world’s largest market” that exposing the criminal behavior of their notoriously vindictive host is unthinkable. With the noble exceptions of Google and the New York Times, an American Corporation is no more likely to “call the cops” on China than are the victims of abusive relationships likely to testify against their spouses.

Worse, many officials in the departments of State, Treasury and Commerce upon whom we depend to make China play fair come straight from doing business with China or proceed to do so as soon as they leave government.

We are executing an “Asian Pivot” strategy to confront China’s increasingly belligerent military posture in the Western Pacific, while our consumption of Chinese goods finances a massive PLA arms buildup.

Do we believe that China’s corrupt, state dominated economy is actually beating American private enterprise in a fair contest? While Shanghai booms and Chinese billionaires sprout up like rice in the spring, 25% of Americans are unemployed or underemployed. This is the root of our intractable fiscal dilemma. While we cut and tax, the Chinese government can hardly think of enough new things to do with the vast wealth our consumers and corporations transfer to them – from maglev trains and moon missions to a frightening military buildup. This is what losing a 21″ century war looks like.

On page 44 there are a number of remedies proposed, including:

Encourage U.S. Education in Computer Science: Direct the majority of student aid to STEM majors and specifically graduate degrees in computer science and engineering.

Stop Educating Our Adversaries in Military Technology: Ban the admission of computer science student to the U.S. from nations whose militaries engage in cyber attacks against America and her allies. We are educating a massive pool of Chinese talent in our computer science and engineering schools, where they displace tens of thousands of American citizens and allies.

[I like these solutions because I was a systems engineer/architect for 25 years, and saw many of my colleagues replaced by outsourced workers.  Now these outsourced jobs pay more than what an American worker would cost, because once an outsourcer has a company by the balls, they can charge whatever they please, often far more than what an American computer programmer/engineer would be paid. Most foreign workers came in without the necessary skills and were trained on the job – why couldn’t the same training have been given to American college graduates?   I could also do 3 times as much work as an outsourced worker, because I had years of experience and institutional knowledge].

Protect and Reclaim The Internet: The Internet is an invention of the American government funded by U.S. taxpayers. The U.S. government and the U.S. armed forces are reasonably entitled to demand special privileges in its use. Any attempt to transfer further administrative oversight of the Internet to international regulatory bodies must be most strongly opposed. Any opportunity to regain U.S. control of the Internet would be in the interest of all people, most notably the citizens of China. Specifically ICANN and control of the DNS root must remain in the U.S. Root servers currently in the U.S. must remain there. The location of anycast servers should be restricted to friendly nations.

Mr. MAZZA. China sees cyber capabilities as a tool of statecraft to use in the pursuit of national interests. The primary goal of the Chinese Communist Party (CCP), is to stay in power. No longer securing its legitimacy on a foundation of Marxist ideology, the Party now relies on delivering economic prosperity and on its claim to a nationalist mantle to ensure its continued rule.

China’s continued rise is crucial if the CCP is to validate its claim that it and it alone can lead the country back to what it sees as its traditional and rightful place atop the Asian hierarchy. To do so, Beijing must restore sovereignty over territory supposedly wrongly taken from it. Doing so would not only allow Beijing to complete what it sees as an historic mission, but to enhance its own security. Controlling islands in the East and South China Seas would grant China greater strategic depth, allow it to more easily safeguard or control sea lanes, and permit it to more easily access the Pacific and Indian Oceans.

But these waters are also home to our partners. Tensions have been running high in this region, where conflict is most likely to break out because U.S. and Chinese interests clash. Differing visions of what Asian and perhaps global order should like have led China and the United States into what is shaping up to be a long-term strategic competition.

For China, cyber capabilities are tools to be used in waging this competition and in securing its interest in the Asia Pacific. China uses cyber capabilities for three related but different purposes.

1)      Chinese hackers will engage in espionage activities in the pursuit of both strategic and tactical intelligence.

2)      The People’s Liberation Army, or PLA, will use cyber warfare as part of its suite of anti-access/area denial capabilities, or A2/AD. The PLA has been developing systems aimed at keeping U.S. forces distant from Chinese shores, complicating in particular the U.S. Navy’s ability to operate freely in the Asia-Pacific Theater and thus making U.S. intervention in the Taiwan Strait or other conflict more difficult. In the event of a conflict, PLA cyber forces would likely aim to disrupt U.S. military command and communications networks, essentially trying to blind, deafen, and silence U.S. forces.

3)      Most worrisome is China’s development of what might be called strategic cyber weapons. Recent revelations of Chinese cyber intrusions into U.S. critical infrastructure are especially troubling. That an attacker a half a world away could threaten our electrical grid, water supply, financial stability or transportation security is frightening and potentially destabilizing.  Because these weapons lack the ugliness of nuclear weapons-there is no radiation and they don’t immediately and directly cause widespread death and destruction-not to mention the fact that their origin may be difficult to trace, Beijing may come to see them as more “useable” than nuclear weapons. And with such weapons likely to be seen as adding an intermediate step on the escalation ladder-one preceding the use of nuclear weapons-Beijing may come to see armed conflict as less dangerous than it otherwise would have. Conflict would become even more likely if Beijing believes that the American response to a strategic cyber attack would be one that China can tolerate.   Meanwhile, effective espionage would allow China to more accurately predict U.S. actions. to gauge U.S. vulnerabilities, and to speed along its own military modernization. At the same time, theft of IP and trade secrets would be making American companies less competitive, putting a drag on the U.S. economy and putting further budgetary pressures on defense spending.

My comments:

It’s really too late to do much security wise, there are too many millions of lines of code to fix on a system that was originally designed to be open.  The visionaries who created it do so as a way to share information among scientists, as well as to make sure that citizens share information and communicate with each other no matter how corrupt their government was.  That was the philosophy of the founders and that philosophy is embedded down to the very roots of the system.

China is the big loser in the end.  They’ve poisoned their land, air, and water for hundreds of thousands of years.  Computer microchips and other complex  information technology will be one of the first to vanish as Liebig’s law of the minimum kicks in at some point when shortages of key resources vanish, supply chains fail, and social unrest, war, and chaos descend as oil declines and not enough food can be grown and delivered to 7 billion people, more fully described in Peak Resources and the Preservation of Knowledge.

[ Cloud computing is seen as a way to protect small businesses according to the testimony from the staff of these businesses, since the cloud provider has the staff to maintain sophisticated firewalls and keep malware patches up-to-date, back up the data, etc..  But small businesses still need to protect their internal networks, protect their data as it is transmitted from one network to another and protect their network endpoints—their individual PCs—from compromise. If you have or work at a small business, you may want to read all of this 65-page document. I’ve only excerpted a small part of it. ]

U.S. House. March 21, 2013.  Protecting small businesses against emerging and complex cyber-attacks.

Chairman Collins: One reason we are having the meeting is to shine a light on the fact that 77% of small businesses are not even considering [cyber attacks and crime]. They are coming to work every day to make a sale, to have some cash in the bank, pay their bills. It is not on their radar. We want to put it on their radar.

What the internet does for small businesses

Our nation’s digital infrastructure has become an essential component of how small businesses operate and compete in the 21st century. It provides access to a variety of innovative tools and resources to help reduce costs and increase productivity. E-mail, social media, online sales, and global video conferencing are just a few of the examples. A couple of the most dynamic industries that have emerged are cloud computing and mobile applications. It is now easier than ever for small businesses to store and access their information from anywhere in the world without purchasing thousands of dollars in IT equipment. In addition, the boom in mobile applications is a great success story for both entrepreneurs looking to create the next best app and for small businesses that use them. From mobile banking to online marketing there is a plethora of applications available to help small business firms increase productivity.

America’s 23 million small businesses are some of the savviest users of technology by using the Internet to access new markets to grow and diversify. In fact, small businesses are the driving forces behind further technological innovation as they produce about 13 times more patents per employee than other businesses. For the established small business, modern technology can expand a firm’s client base using a company website, social networking, or other forms of online advertising. Firms can utilize voice and video communication as a low cost method to connect with customers around the world and reach previously untapped markets. They can store data online, access office productivity tools, and even improve the energy efficiency of their business.

Threats

40% of all threats are focused on firms with less than 500 employees. Nearly $86 billion is lost, with companies incurring an average of $188,000 in losses.

[There are a] growing number of cyber criminals trying to steal sensitive information, including intellectual property and personal financial information. These attacks can be catastrophic, leaving many small businesses unable to recover. A recent report shows that nearly 60% of small businesses will close within 6 months of a cyber-attack.

20% of cyber-attacks are on small firms with less than 250 employees. Small businesses generally have fewer resources available to monitor and combat cyber threats, making them easy targets for expert criminals. In addition, many of these firms have a false sense of security, and they believe they are immune from a possible cyber-attack. The same report shows that 77 percent of small firms believe they are safe from a cyberattack, even though 87 percent of those firms do not have a written security policy in place.

The sophistication and scope of these attacks continues to grow at a rapid pace. A report by the Office of National Counterintelligence Executive indicated that tens of billions of dollars in trade secrets, intellectual property, and technology are being stolen each year by foreign nations like China and Russia. These are not rogue hackers. They are foreign governments engaged in complex cyber espionage with a mission to steal our trade secrets and intellectual property. As the leader in producing intellectual property, the United States and small businesses will continue to be a primary target for cyber criminals seeking an economic advantage.

McAfee: attacks on the mobile space

[Attacks have increased] 70% the past year. We went from 792 to 37,000 malware threats – with 95% of that increase in 2012. Small business leverages these mobile devices because they are inexpensive in many cases. They are easy. They can do their home transactions, their work transactions all at once. They take them on the road and they leverage it with cloud services because there is very little computing resource on the small device so they can outsource the data storage. The threats to this and mobility, we see those threats of the adversary trying to access that device to get your personal information and/or access your computer network, so the small business that cannot afford necessarily a team to watch this has an even stronger vulnerability because they have so much of their infrastructure dependent on mobile.

What to do: passwords

McAfee, cloud services, and other companies who testified promoted their businesses as solutions to congress.

Mr. Weber: if I was going to make one recommendation, the thing that hurts our customers more than anything else is using poor passwords. It sounds so basic. You would think that today in 2013 that people would know what they ought to be doing but they do not. They are very dumb about password selection. So today a secure password ought to be at least 12 digits long. It ought to have capital letters, it ought to have lower case letters, and it ought to have a number or two in it. A password like that is not going to be cracked. But small businesses do not want to do that because it feels inconvenient. There are all kind of techniques you can use for generating these passwords and make them easy to remember.

Mr. Freeman: the number one threat we see to customers are when their systems are compromised because a malicious third party has garnered a list of passwords from another service. When you reuse the same password on your Evernote account as your Gmail account and someone is able to hack one or the other, they get a list of the passwords and they are able to use that against all of your infrastructure. And routinely third parties will go out and simply bang against every provider available to see if the same user name and password combination exist.

What to do: Encryption

Businesses need to encrypt their sensitive data, both economically sensitive and regulated data. Encryption really is the only means that has the fundamental integrity with which to protect data. Because systems will be compromised because we cannot guarantee that an intruder will not get access to a system, the only thing we can do is really secure the data that they might get access to, and encryption is far and beyond the gold standard when it comes to that type of security.

Firewalls, up-to-date networks, compliance policies

Mr. Shapero: tip number one advice is make sure that your network is compliant. And when I say compliant, you do not just have anti-virus, anti-malware software, a firewall in place, but you are making sure that all your definitions are up-to-date, meaning that you are up-to-date on what the latest threats are. That your firmware on your firewall is up-to-date so that you have got the latest and greatest to protect yourself from those threats. And also your operating systems. So all those patches that come out on a regular basis. They might seem like a nuisance to many small business owners and it may be a basic thing like passwords, but make sure that you are applying them as recommended by your IT service provider. Encrypting your data is also an important part of ensuring that you have a compliant network. Doing a periodic network scan is something that you should do as part of making sure that you have a compliant network. So there is a whole list of checklists to make sure your network is compliant. The next thing is policies. So you pointed out most companies do not have a written policy for their employees. It might be something like acceptance use for mobile devices in their organization. Am I allowed to have corporate data on my personal device? Am I allowed to have personal data on my corporate device? Because it can get really tricky when a device might be lost or stolen and you are trying to lock down that data if you do not have those policies in place. Policies for what to do in case of a breach. Who do I notify? Which of those 47 states am I required to disclose to when I have lost data from my consumers?

Also training. It is really an educational process, not only for the business owner but for their staff as well.

Ms. SCHNECK.  I agree. This is not just a technology problem; this is a people problem. So a lot of emphasis on the training and education.

U.S. House. April 26, 2012. Iranian cyber threat to the U.S. homeland

Some excerpts from this 52-page document:

The threat of cyber warfare may be relatively new, but it is not small. Iran has reportedly invested over $1 billion in developing their cyber capabilities, and it appears they may have already carried out attacks against organizations like the BBC, and Voice of America. There have been reports that Iran may have even attempted to breach the private networks of a major Israeli financial institution. Iran is very publicly testing its cyber capabilities in the region, and in time, will expand its reach.

Stuxnet may be proof of Iran’s vulnerability and the effectiveness of other nation’s state cyber arsenals. However, it would also be possible for Iran to gain some knowledge of creating a Stuxnet-like virus from analyzing its network effects. This leads to fear of reverse engineering leading to a capability of the types of cyber attacks on U.S. critical infrastructure that could rise to the level of a National security crisis. We must be prepared for such rogue actions and be prepared on the National defense level, as well as protecting our critical business operations, vital infrastructure functions, and frankly, our daily lives.

Law enforcement officials have also observed a striking convergence of crime and terrorism, a trend highlighted, I might note earlier this week by Defense Secretary Panetta, and further reinforced by SOUTHCOM Commander General Fraser. Hezbollah’s nexus with criminal activity is greater than that of any other known terrorist group. These links, including with gangs and cartels, generate new possibilities for outsourcing, and new networks that can facilitate terrorist travel, logistics, recruitment, and operations, and I might note, including cyber.

the good news is that if you were to rack and stack the greatest cyber threats in nations, Iran is not at the top of the list. Russia, PRC, and others are. The bad news is is what they lack in capability, they make up for in intent, and are not as constrained as other countries may be from engaging in cyber attacks or computer network attacks. Given Iran’s history to employ proxies for terrorist purposes, there is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber attacks against perceived adversaries.

Cyber basically levels the playing field. It provides asymmetry that can give small groups disproportionate impact and consequence. Whereas they may not have the capability, they can rent or buy that capability. There is a cyber arms bizarre on the internet. Intent and cash can take you a long way, and that is what I think we need to be thinking about.

Last summer a hard-liner Iranian newspaper affiliated with the Revolutionary Guard, warned the United States, that America no longer has the ‘‘exclusive capability in cyber space and it has underestimated the Islamic Republic,’’ and now needs to worry about ‘‘an unknown player somewhere in the world attacking a section of its critical infrastructure.’’

Anonymity, who is behind that clickety-clack of the keyboard breaking into your system? Are you dealing with a pimply kid, or are you dealing with a foreign intelligence service, an organized crime, an economic competitor? You simply don’t know much of the time at the breach itself. So attribution, while we are making progress, smoking guns are hard to find in the counterterrorism environment; smoking keyboards are that much more difficult. I would also note that cyber space is made, I mean, it is made for plausible deniability. [This was in the context of how would we know it was Iran vs China vs Russia].

I am concerned about the Russias and the Chinas is we have seen a sophistication level that is very high. But they are in the business right now of computer network exploits to steal secrets. If their intent changes, they could just flip the switch and it becomes an attack tool. I might note that what we have seen that I think is most concerning is we have seen adversaries map critical infrastructures.  I don’t see what that intent could be other than to potentially use in a time of crisis.  It is just that they haven’t flipped the switch. Right now it is obtaining information, but they haven’t turned it in a proactive sense into delivering some kind of an attack.

Mr. LUNGREN. When we talk about asymmetric warfare it is interesting because one way of looking at it is that the small less powerful guy who has an opportunity to do harm to a stronger adversary for less capital investment and manpower, et cetera. It seems to me we ought to look at asymmetric warfare in the terms of the war on terror; that is, asymmetric warfare with the purpose of doing what? Not just destroying property but causing psychological damage to the adversary.

So when we talk about critical infrastructure, one of the things that comes to mind with me is our health system is a critical infrastructure. If I were to attack the United States one of the things that would be very effective in an asymmetric way would be to attack the health system. If you could invade the information systems of several health systems of the United States such that no one could depend on the accuracy of the information, such as someone lying on a surgical table and getting the wrong blood type, etc. If you did that in a series of attacks, you wouldn’t have to be successful with too many of them to cause a psychological damage to the United States.

CILLUFFO: One of the biggest missing elements of our strategy is we don’t have a cyber deterrent strategy. We need to clearly articulate one, we need to identify bright red lines in the sand or maybe in the silicon more apt and we need to identify what is unacceptable. Oh, by the way, we can’t firewall our way out of this problem.

CASLOW: If Iran were to target a hospital and take down the nearby electric grid and attack the water system, i.e. parts per million of chlorine goes up down but no one knows because the read-outs are fine — all of a sudden we have hundreds of thousands people sick from an area where we have troops deployed overseas. The ultimate end-game here is not to make those people sick. The ultimate end-game is to terrorize our troops overseas so that our Marines who are deployed in combat zones can no longer do their mission because they are worried about their children, their wives, their grandmothers, whatever, who are now ill back on the home front because they are communicating with them and now they know they are sick.

CASLOW: the data flows, the internet can go everywhere. I can still go to a dark reading room on the internet and download any number of very bad, nasty little critters that are out there and then use those same critters to attack a network or system. I can buy those capabilities, I can download some of them for free.

Related articles

Electric Grid

This entry was posted in China and War, Cyber, CyberAttacks, U.S. Congress Infrastructure and tagged , , , . Bookmark the permalink.

Comments are closed.