
Preparing for Warfare in Cyberspace - miraj
http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html
======
nmj
_Johnson also pushed back on the tech industry’s demand for greater
encryption, saying that it hinders the government’s ability to detect criminal
activity. The trend toward deeper encryption is an issue that “presents real
challenges to those in law enforcement and national security,” Johnson said.
“We need your help to find the solution.”_

Interesting stance to state publicly.

~~~
madaxe_again
That's the very public stance they're taking in the UK. Cameron went on TV to
decry encryption after Hebdo, describing it as a tool used only by terrorists,
pederasts, and hackers, and he called for an outright ban - until some advisor
probably, not for the first time, told him he's a fucking idiot.

~~~
robmcm
I wish I could upvote that more.

It's interesting that a few of the political parties are adding digital rights
to their manifestos.
[http://www.libdems.org.uk/protecting-your-data-online-with-a...](http://www.libdems.org.uk/protecting-your-data-online-with-a-digital-rights-bill)

Key measures in the Liberal Democrat Digital Rights Bill include:

- Prison sentences for companies conducting large-scale data theft and
  illegally selling on personal data
- Beefed up powers for the Information Commissioner to fine and enforce
  disciplinary action on government bodies if they breach data protection laws
- Legal rights to compensation for consumers when companies make people sign
  up online to deliberately misleading and illegible terms & conditions
- Code of Practice for online services who would by law have to correct
  information about members of the public where it is inaccurate or defamatory
- Enshrining in law the responsibility of government to defend the free
  press, including the rights of journalists and citizen journalists to express
  their views freely online
- Prevent government from watering down cyber-security and encryption
  measures used by British business

~~~
mauricemir
That will last as long as the no increase in student tuition fees did.

For non-UK types: the Lib Dems (junior partner in the coalition) tend to try
and play both sides of the fence, i.e. pitch progressive ideas to Labour
supporters and conservative (traditional 18th century Liberal) ideas to Tories.

------
jballanc
"Warfare" in cyberspace doesn't worry me as much as "Mutually Assured
Destruction" in cyberspace does. With conventional warfare, MAD is relatively
straightforward: pick a large open area on friendly soil, detonate an
impressively large weapon, and make sure your enemies know that you have
plenty more where that came from. A similar approach works for missile tests
and aircraft, armor, and ships in war games.

It is relatively easy to convincingly demonstrate the capabilities of
traditional weapons without causing any collateral damage (well, except for
Castle Bravo). The problem, I think, is how does one _convincingly_
demonstrate cyberwarfare capabilities without causing some amount of real
harm. For example: we now know that China has the "great cannon" it can use
relatively effectively for DDOS attacks, but only because GitHub
suffered...and this is just the beginning of the inevitable arms race.

------
nickysielicki
From a linked article in the OP.

> He urged the next generation of software pioneers and entrepreneurs to take
> a break from developing killer apps and consider a tour of service fending
> off Chinese, Russian and North Korean hackers, even as he acknowledged that
> the documents leaked by Edward J. Snowden, the former intelligence
> contractor, “showed there was a difference in view between what we were
> doing and what people perceived us as doing.”

So our 'defense secretary' thinks that being capable of writing Ruby on Rails
apps means that someone knows what a NOP sled is. Fantastic!

Screw all of these idiots in suits. I'm not afraid of North Korean hackers.
I've not been afraid of Russian hackers throughout the past decade and I'm not
afraid of Chinese hackers now. And even if I was, I can assure you, there's
nothing at all that the US government could do to alleviate that.

~~~
xnull2guest
I too am puzzled by what the defense industry thinks Silicon Valley is going
to be able to produce, but that's the point of Silicon Valley - a huge amount of
creative potential and ambition. It's not likely that all of the solutions
will be cyberweapons.

One of the largest and most impressive responses to cyberwarfare to date is
the US's information sharing programs. These programs and formats (STIX, TAXII,
etc) enable patterns from detected cyberattacks to be rapidly shared across
industries so that exploits and tactics, command and control centers and so
forth can't be repeated. This raises the cost to the attackers, aggravates
them, and slows them down. Some of these programs have automated components
with minimal human interaction in the loop.

So I think it is these sorts of solutions the DoD is likely looking for.

~~~
madaxe_again
They're confused old men, for the most part. They probably have bizarre
notions of people duking it out with e-guns and cyberknives in The
CyberVirtualSpace that guy from DARPA demo'd in '76.

The ones who are more up to speed are after malware, the more cunning the
better.

------
higherpurpose
Forget the need for technical capabilities, it's the cyber _policy_ that
sucks. They want to "secure the infrastructure against hackers" and then try
to promote weaker systems, remove recommendations for encryption from their
own guidelines for people, and promote crypto backdoors.

That policy is completely backwards if what they _really_ want is security.
But they _don't_ want that. What they want is hackers that can hack foreign
states as well as develop malware to infect or spy on everyone. Nothing to do
with security.

Also, screw NYT for promoting this crap. They've been promoting the cyber-
threat sharing legislation as well.

~~~
xnull2guest
Are you speaking here about international or domestic cyber policy?

There's certainly room for improvement in both, but it's starting to look like
the international case is doomed not to be led by US initiatives.

I think one thing that could be done is a sort of cyber disarmament -
countries could declare cyber free hours, then days, then weeks - and they
could trade owned networks with one another like they do today with spies as
shows of good faith. This would be a starting point for collaboration.

------
xnull6guest
A link to the DoD strategy document:
[http://cryptome.org/2015/04/dod-cyber-strategy-2015.pdf](http://cryptome.org/2015/04/dod-cyber-strategy-2015.pdf)

Amid sequestration in discretionary defense spending, cyber capabilities have
been spared the harsh bulk of cuts and the published strategy amounts to what
looks very close to all-in by the USG.

The DoD has begun to build career paths for professional cyber soldiers, is
extending and reinvesting in training programs, is and will invest further in
internet and cyberwarfare simulation, will redouble efforts to acquire
technical capabilities including offense from the private sector, has started
partnering with Venture Capitalists in Silicon Valley to encourage startups
with defensive and offensive technologies and to discourage startups with
consumer encryption solutions, is creating collective cyber defense
partnerships with allied nations, is expanding information sharing programs
both overseas and with US corporations, and will be further refining the
technological capabilities to respond to nations suspected of cyber attacks.

So many things to say about this. Here's two:

One. The US thought that Bush was a fool when he claimed that the US needed to
prepare for cyberwarfare. Because people scoffed at cyberwarfare (it's not
war, they said, making vague references to the absence of explosions), the
Bush Administration switched to trying to pry support from the public by
waving around the go-to boogeyman - now it was cyberterrorists - Americans are
afraid of terrorists, right? This didn't pass muster either. The image of
a hacker at that time was still of neckbearded manchildren renting their parents'
basements and people didn't feel like computers could hurt them.

The Bush Administration pursued cyber capabilities anyway, now switching to
the tactic of keeping the discussion out of the spotlight. This proved to be
largely successful, as it tends to be. Without widespread coverage only a few
fringe outlets and advocacy groups followed the legislation.

This, from my short time on Earth, describes my experience of US politics. The
US is an international superpower and just as often as not its legislation is
about what it needs to do internationally to remain top dog (case in point -
TPP). But Americans, in part by their own volition, in part by the determination of a
Washington that thinks it knows better about this complicated subject (and may
very well) and in part because of sheer magnitude and complexity; the public
are not invited to vote on Foreign Policy except in the coarsest of ways. You
want out of the Middle East? No president will do that unless the complicated
set of international strategic circumstances happen to align with American
ideals.

This brings me to the second point. That time is now. The US is trying to
'rebalance' away from the Middle East. Not for high minded reasons mind you -
and it will invariably maintain a presence. But now is an era where the US is
undergoing fundamental transformation. It is shifting from its peacekeeping
role in Europe and as a guarantor of energy security by interventionism and
neocolonialism in the Middle East. It is moving to invest in the Asia-Pacific
and to contain China from becoming a hegemonic power there (this is US grand
strategy, both two decades ago by the Wolfowitz Doctrine and this decade by
its reassertion in the Bush Doctrine). New challenges face her: space and
hypersonic delivery vehicles for nuclear warheads, air denial around the world
by the proliferation of anti-air capabilities (sold by Russia, China), very
effective propaganda campaigns on US citizens by foreign states' fake blogs and
newspapers, decrepit alliances and infrastructure, and having the softest
underbelly in new sophisticated levels of cyberwarfare.

America's cyberstrategy can only be understood in context of its broad
strategy to both contain its competition beneath a level where physical
warfare can break out and to prevent balances of powers and alliance systems
that could similarly challenge her.

The problem for us is that an all-in in cyber is a canary. It means that
diplomacy and other forms of coercion, influence and sabotage haven't been
enough to address the issue - and it foretells of conflict, at least for the
meantime in the information domain.

~~~
Sevrene
_to discourage startups with consumer encryption solutions_

How does this defend the country against cyber attacks? Surely it just makes
it easier. Have I misunderstood you?

Also, on a side note, I really dislike how the word cyber is now ingrained in
our vocabulary.

~~~
xnull6guest
The US exports technology around the world and the US is also wary about
domestic threats (they will not admit this). Widespread access to E2E
encryption thwarts global surveillance and legitimate law enforcement (imagine
insider trading), both inside and outside the country, and weakens America's
national power. She feels she needs every advantage right now.

Here's one article that mentions E2E encryption:
[https://foreignpolicy.com/2015/04/23/defense-department-sili...](https://foreignpolicy.com/2015/04/23/defense-department-silicon-valley/)

~~~
happyscrappy
> She feels she needs every advantage right now.

There are a lot more advantages that could be taken if necessary, the actual
problem is that the US is too powerful and the world needs more balance.

~~~
xnull2guest
> the actual problem is that the US is too powerful and the world needs more
> balance

Whether or not this is the actual problem, this isn't what the US government
thinks and we are analyzing the US government's behavior by examining what she
thinks.

------
randomfool
The number of flaws in software running critical infrastructure is terrifying -
very, very little of it was ever designed or implemented with serious threats
in mind.

If you look at what was done at Natanz then think of what that group could
have done against your local power grid, or water supply, or grocery store
supply chain, it is scary.

As an American, our current wars are all fought in distant lands - out of sight
and mostly out of mind. The next generation of warfare will strike home.

~~~
xnull2guest
It is a lucky fact that for the past 10 years huge investments have been made
in securing infrastructure inside the United States. That's not to say we
aren't assailable (look at Natanz - it was an air gapped network; or better
yet look at the attacks on US infrastructure we _do_ know about).

Washington has compared cyberwarfare to Basketball rather than Soccer. In
Soccer the offense and defense are mostly matched and the team to score those
few big shots takes the victory. Cyberwar isn't like that. Cyberwar is like
Basketball. The defense can only slow the offense - and the victor is the team
that scores more points, more often.

I do not know about the implication about wars being fought on the homefront.
As far as kinetic warfare it seems less likely - but yeah when it comes to
cyber essentially every country has a home there.

One more note. The military, from this year onward, is investing in something
known as red teaming as a standard process for military R&D. Red teaming is
the active no holds barred exercise where hackers are set loose on a target
while a blue team tries to detect, mitigate and expunge them. Red teaming will
now until forever be featuring in the development of new US weapon systems.
Everything from RPGs to tanks and helicopters to drones to radar to radios.

~~~
m0dc
A relevant quote from Chris Inglis, former NSA Deputy Director:

"If we were to score cybersecurity the way we score soccer, the tally would be
462-456 twenty minutes into the game."

~~~
rjaco31
On the other hand, it's his job to promote FUD in order to get more funding
for his agency.

------
chubot
Which private companies will benefit from new government policies on cyber
warfare? What about new companies that need to be created?

~~~
xnull2guest
FireEye, Cloud (Microsoft, Amazon and Google), Facebook, RSA, CloudFlare, IBM,
Intel, chip manufacturers, pentesting companies... lots of new companies...
actually the list is quite long...

------
fapjacks
> as well as North Korea’s 2014 attack on Sony Pictures

Oh, no...

~~~
xnull2guest
The attack on SONY pictures will deter other companies from working with the
US government to craft propaganda or other ventures - from the US perspective
the SONY attack was pretty horrible.

~~~
pjc50
Has this been definitively attributed to NK by independent sources, or is this
the cyber-Gulf of Tonkin incident?

~~~
xnull2guest
This is definitively NK. They did it because the US State and Defense
Department were involved with the creation of The Interview (this can be seen
easily in the email leaks).

~~~
fapjacks
No, it is definitively _in Sony's email_ but _not_ definitively North Korea
that did the hacking. The US government has zero credibility here, and most of
the independent security researchers that are trustworthy think that it was
not at all North Korea. That was the purpose of my original comment, because
it's "so clearly" _not_ North Korea that perpetrated the attacks on Sony. I
have yet to see convincing evidence from a trustworthy source saying
otherwise.

~~~
xnull2guest
Did you read the analysis from FireEye or Symantec? Their analysis seemed
pretty solid to me. The people questioning it asked good questions, but these
questions were answered quite well by the forensic reports.

Either way, we do know that the State Department and CIA cooked The Interview
from the leaked emails. We know from the Guardians of Peace that they are NK
sympathizers (be they from NK or elsewhere).

~~~
fapjacks
But "NK sympathizers" !== "North Korea"

------
BorisMelnik
Awesome writeup, I crave this type of content.

My question to sec enthusiasts and pros: isn't the whole point of security to
disclose as little as possible? Security through obscurity?

I realize that most of this information is public knowledge and there are all
kinds of double agents, but this really seems like a lot of information!

It just seems to me as though we have everything wrong. China raises children
to be hackers and hires criminals to do their bidding, or subs it out to
whoever while you can't even get a government job if you have a DUI?

~~~
diminoten
> My question to sec enthusiasts and pros: isn't the whole point of security
> to disclose as little as possible? Security through obscurity?

Security through obscurity is considered a bad idea, not a good one.

~~~
philtar
Security through obscurity is good. Security through obscurity only, is bad.

~~~
BorisMelnik
Crazy that I get 2 answers that differ 100% completely, with zero data to
back it up, yet my question is the one that gets downvoted, twice.

~~~
diminoten
You shouldn't use HN as a place to gain knowledge itself; Google is much more
useful for that. HN is best seen as a place to expand one's awareness _of_
knowledge.

For example, people here have provided their thoughts on "security through
obscurity" -- a clear controversy exists! Your next task would be to Google
the phrase, and read the Wikipedia article[1] that comes up. Then, if you
still have questions, check out the references the Wikipedia article
cites[2][3][4][5], or perhaps visit other results from your Google
search[6][7][8].

In other words, Internet social media sites are terrible places to learn --
use the greater web to do actual learning. Use social media sites like HN and
Reddit to expand your awareness of ideas.

    
    
        [1] http://en.wikipedia.org/wiki/Security_through_obscurity
        [2] http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
        [3] https://www.schneier.com/crypto-gram/archives/2003/0815.html
        [4] http://tech.slashdot.org/story/01/07/23/2043209/when-security-through-obscurity-isnt-so-bad
        [5] http://catb.org/jargon/html/S/security-through-obscurity.html
        [6] http://users.softlab.ntua.gr/~taver/security/secur3.html
        [7] http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=7
        [8] https://danielmiessler.com/study/security_and_obscurity/

