
China hacked a Navy contractor and secured sensitive data on submarine warfare - vthallam
https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.cb0833275b64
======
walrus01
> The data stolen was of a highly sensitive nature despite being housed on the
> contractor’s unclassified network.

Former government contractor here: Dumbasses need to keep their sensitive data
air gapped and inside a SCIF.

If you need to network stuff, there are ways for contractors to implement NSA-
approved "type 1" crypto with the appropriate personnel and infrastructure.

Also, I think whoever improperly classified that as not requiring SECRET level
protections is going to have a hard time justifying it to their bosses.

~~~
jessaustin
Are there penalties written into contracts to address failures like this? ISTR
when China got loads of F-35 data, Lockheed was "punished" by getting to spend
another year and hundreds of millions more dollars "fixing" the plane.

~~~
bb88
So it's not like you're going to take the F-35 and move it over to another
contractor. More likely, you'll just cancel it and start again.

The other aspect is that it's not really the contractor's fault if the exploit
was done with a zero-day.

~~~
jessaustin
Wow I really disagree with that. 0-days are a fact of life. If billions of
dollars aren't enough to set up a secure supply chain and air gaps, what would
be?

~~~
bb88
You conflate the way the world is with the world you wish it would be.

~~~
jessaustin
No, I wish we didn't spend trillions of dollars on killing machines for no
reason. It's pretty difficult to confuse that world with this one.

Your magical phrase "zero-day" doesn't "win this argument" for you... You're
imagining some Stuxnet-level pyramid of remote BIOS and NIC firmware hacks
when we all know this was just a poorly configured firewall. That's why "TOP
SECRET" exists, CYA.

------
jerkstate
There's a fantastic book called "Blind Man's Bluff" about submarine spying
during the Cold War, including a lot of antics like this one. Gripping
storytelling, highly recommended read if you're interested in submarines or
spying or both.

------
zip1234
Why doesn't the US do something about that? China almost seems overt about
stealing secrets like that.

~~~
kchr
Are you implying that the US are not actively doing the same against nations
they see as a threat? It's basically how and why any intelligence service
operates - know your enemy and keep up with their technological advances.

~~~
ancorevard
The difference is that China has been stealing in order to copy, while
China itself has nothing that the US wants to copy.

This has been true since the birth of the US. But the future may be different.
China is advancing very fast through copying, and years from now we might stop
thinking of them as a copycat.

~~~
vkou
> The difference is that China has been stealing in order to copy, while
> China itself has nothing that the US wants to copy.

The US may not care to copy Chinese submarines, but it would love to get its
hands on all sorts of information surrounding them.

------
bb88
I blame the classifiers in this one. The data should have been classified from
the start.

The key words in the article were:

> The officials said the material, when aggregated, could be considered
> classified

So, the problem is that the material was probably designated as FOUO, but
should have been classified as secret.

The difference is that FOUO is okay to be left on desks and the like, but
confidential and above needs a safe, and document control.

------
aphextron
So it's pretty obvious by now that we are actively at war with China and
Russia on the cyber front. The question is, are we winning? Are we even
fighting back?

~~~
ravenscrow
> So it's pretty obvious by now that we are actively at war with China and
> Russia on the cyber front.

We are actively fighting a cyber war with every country. The nations who we
spy on the most are our allies. And the nations who spy on us the most are our
allies. I know it's counterintuitive but it's international politics,
geopolitics and intelligence 101.

For example, Israel, Britain, Canada, Germany, Japan, South Korea, etc. spy on
us the most. And naturally we spy on them too.

And taken a step even further, every nation's government spies the most on
their own people. It's almost a certainty that intranational spying makes up
most of the spying budgets of China, Russia, Britain, Israel, US, Germany,
etc.

> The question is, are we winning?

Considering we are the epicenter of tech, what do you think? Considering our
intelligence budgets dwarf both China and Russia's budget combined, what do
you think?

> Are we even fighting back?

Are you serious? Who do you think invented cyber spying? The internet was a
DARPA project.

Do you really think only China and Russia are spying?

~~~
3pt14159
Citations needed.

I know some intelligence people. This isn't what they tell me. They tell me
that western governments are obsessed with following the law and limiting what
their cyber operations touch. It's borne out by what I understand from
non-classified sources. For example, I read through the source code of Stuxnet
when it first came out. There were a ton of guards put in to limit the
potential damage it made.

That Canada spies on the USA more than Russia is the biggest bullshit I've
ever heard. Read the Snowden leaks and listen to natsec podcasts. The Russians
are in a ton of the US infrastructure and the CIA is freaking out about it to
the point where they consider cyber to be a bigger existential threat than a
nuclear armed DPRK.

~~~
acct1771
Just because the microcosm that your contacts happen to see within our
compartmentalized and super secret intelligence agencies happens to
(supposedly, through two levels of rumor) be on the up and up, doesn't make
that a rule for these organizations.

In fact, most everything published besides your testimony suggests the
opposite.

~~~
3pt14159
Just saw this.

I'm happy to change my view when I encounter new evidence, but I see
absolutely no evidence that the Canadians (or anyone else outside of Russia /
China) have hacked the shit out of the entire USA.

------
staunch
The US nuclear triad currently rests dangerously on the US Ohio-class
submarines. If the Chinese military develops technology that can eliminate
these subs in a surprise attack, they would potentially have the ability to
take over the world.

Step 1. Target the 1950s era US ICBM fleet in their static bunkers. This only
requires making the POTUS hesitate for ~7 minutes to "use or lose" them.

Step 2. Destroy the few dozen 1950s era upgraded B-52s and a few misc
aircraft. Some might slip through but maybe not.

Step 3. Take out the ~14 outdated US ballistic missile subs using new
supersonic anti-ship missiles.

Hopefully the US military will be able to upgrade the nuclear triad in time to
maintain MAD and eliminate this potential threat. But I think the best
solution would be for the entire G7 to develop independent MAD systems so
there's never any doubt that it remains in effect.

~~~
jackpirate
Everything you say is true, but extremely misleading. China's nuclear posture
uses what's called the "minimum means of reprisal", which means they have an
extremely small nuclear force that is incapable of completing the scenario you
outline.

Let me just quote the abstract from Jeffrey Lewis's PhD dissertation on the
topic:

_Among the 5 states authorized under the NPT to possess nuclear weapons,
China has the most restrained pattern of deployment: The People's Republic of
China (PRC) operationally deploys about 80 nuclear warheads exclusively for
use with land-based ballistic missiles. Its declaratory doctrine rejects the
initiation of nuclear war under any circumstance. The PRC does not maintain
tactical nuclear forces of any kind, and its strategic forces are kept off
alert, with warheads in storage. This posture has been sustained over time and
changes in threat perception, suggesting restraint is the result of choice and
not expediency._

Furthermore, most of the land based ballistic missiles China has deployed are
targeted at India, and not capable of hitting the mainland US.

While the dissertation was written in 2004, essentially nothing substantial
has changed since then.

~~~
JPKab
Nothing has changed in 14 years with China's nuclear arsenal?

Based on what evidence?

~~~
jackpirate
There have been no _substantive_ changes, but of course there have been minor
changes. If you're actually interested in learning more, there's a lot of open
source information available. Lewis's blog
[http://armscontrolwonk.com](http://armscontrolwonk.com) is a great starting
point, but covers a much greater scope.

------
cronix
Simply bar them from defense department work/contracts for 5 years and put any
current contracts on hold. The other contractors will get the hint. Nothing
ever gets done about this stuff, so the status quo remains.

~~~
killjoywashere
Compare this to Facebook effectively selling a Chinese firm the entire social
graph. Not any firm, a firm the US Government indicated should be regarded
with caution.

That social graph will pay dividends decades after these missiles are
decommissioned.

Conversely, if DoD contracts are sufficient, why aren't Facebook contracts?
China doesn't care about contracts in either case. If you think a Chinese firm
is going to honor a contract with an American company, you need to look up the
Organization Department.

------
horsecaptin
If China did then so did Russia. But let's give Putin a seat at G table.

