
Chinese Hackers Breach U.S. Navy Contractors - propman
https://www.wsj.com/articles/u-s-navy-is-struggling-to-fend-off-chinese-hackers-officials-say-11544783401
======
drblast
Not surprising at all. What's surprising is that it's taken this long to
appear in the news.

While in the shipyards for maintenance I would stand watch and was responsible
for letting people on/off a large ship. Most were contractors. The only
requirement was that they had a contractor badge. How did we tell this was a
valid badge? Good question. You'd think there would be some sort of master
list of people with badges we could check and verify.

Not quite. Every contractor had their own style of badge and we had no way of
knowing if any particular badge was real or not. Want a "valid" badge? Buy a
badge printer. You're in.

We had people we didn't even know just show up to install systems on board
that nobody was able to verify were supposed to be there or not. It was a
little better with the classified systems, but you can imagine that any
verification of contractor IT systems was non-existent.

~~~
WrtCdEvrydy
I can't believe it, but I also can believe it - Me, ever since doing CyberSec
2 years ago.

------
killjoywashere
A non-trivial bit of the problem is the highly fashionable attitude of
refusing to do work that helps the Department of Defense. The fact that
skilled labor is a limited resource for both nations, which means refusing to
help is at least similar to aiding foreign powers, which are statistically
dictatorships of one kind or another, seems to not factor into the set of
moral ethoses that such folks espouse.

Remember, it's not just China. It's North Korea, Russia, Iran, Israel; any
country facing significant military threats is interested in US weapons
technology.

You live in a constitutional democracy on a planet where the mean, median, and
mode country is a dictatorship? And don't want to defend that government?
Really?

~~~
mikeash
“And don't want to defend that government?”

Well, here’s the problem. How much of what the DoD does is actually defending
our government, versus going off and killing far-away people who pose no
threat to us for various murky reasons?

Do I want to contribute to keeping foreign armies off our soil? Sure! Do I
want to contribute to drones blowing up weddings? Not really.

Maybe if our government would stop abusing our military so horribly, it would
find more American experts willing to support that military.

~~~
killjoywashere
The issue is that what you end up defending is the right of _more_ malicious
actors to acquire technology from the US below cost through low-cost, high-
yield hacking.

~~~
mikeash
Do I? Or do I just not help to murder civilians on the other side of the
planet? How can you be so sure that I’d only be helping the good side of the
DoD?

~~~
killjoywashere
Let's assume there is no good side of the DoD. Let's assume that the military
is 100% teeth-gnashing devil dogs with nuclear weapons. Which is what they
aspire to, I assure you.

Two things, 1) whether they have a $700 budget or $700B budget, the DoD
executes the orders of elected civilians.

2) Don't you still want to make it as expensive as humanly possible for other
countries to get the plans to those weapons? Even if you live in Paraguay,
rogue states with nuclear weapons increase the cost of international economic
collaboration and thus decrease your quality of life. Securing the US
Government's weapons information is in your best interest.

~~~
mikeash
You didn’t answer my questions at all.

~~~
killjoywashere
I did answer your questions. Perhaps I didn't convince you to reject your
previously held views, but I did answer your questions.

> How can you be so sure that I’d only be helping the good side of the DoD?

I answered this by asserting your premise, the DoD has a good side, is
unnecessary. I further allowed for the possibility you're not even American.

> Do I [end up defending the right of more malicious actors to acquire
> technology from the US below cost through low-cost, high-yield hacking]?

I answered this by posing the leading counter-question, "Don't you still want
to make it as expensive as humanly possible for other countries to get the
plans to those weapons?" And that appears to be the fairly strong position it
is, considering I rejected your requirement of there being anything good about
the DoD, and further rejected any implication that you're even American.

~~~
mikeash
Then you’ve superficially answered the literal questions without actually
getting at the underlying point.

The point is this: if I help them, how can I ensure that this help goes
towards things like preventing other countries from obtaining nuclear weapons,
and not blowing up weddings?

~~~
killjoywashere
It's offense vs defense, and in this situation, those are highly separable
domains.

Concretely, blowing up weddings is a failure of guidance systems, that's an
offensive problem. Those are avionics and fire control problems, not network
security problems. Avionics and fire control are highly specialized domains.
You don't accidentally write some code that helps with those problems. They have
their own languages, their own compilers, their own chip architectures. The
developers work in places you hear about on the History channel, like China
Lake.

Conversely, the defensive work of improving the network security that protects
the plans and software for offensive systems, including those avionics and
fire control software repositories, is good for everyone not just the rabid
dogs of the DoD.

------
resters
Hackers breaching US Navy contractors tells us one important thing: that the
US Navy is not doing adequate due diligence on the firms it allows to be
contractors.

This story is part of the campaign to present China as an unethical, capable
adversary and threat. In reality, China wants to trade peacefully with the US
and the aggression is nearly 100% on the US side and is meant to garner all
the benefits of threat-oriented chest pounding for US politicians.

The #1 rule of being a citizen should be "don't let them tell you who to fear
or who to hate". Sadly, the NYT, Bloomberg, and the WSJ are all telling us to
hate and fear China, when it's obvious that the US has domestic political
motives in mind.

In the US, leaders need an enemy or the conversation might turn to things like
"why do we have poisonous drinking water?" or "Why has there been a trend of
downward mobility?" or "Why didn't anyone get punished for Snowden's
revelations or for the lies that led to the Iraq war?"

~~~
mindslight
> _In reality, China wants to trade peacefully with the US and the aggression
> is nearly 100% on the US side_

You don't need to make this claim to support the rest of your point. I agree
with the gist of your comment but think this point makes it easier to attack
the overall message.

Personally, I think China is trading with the goal of jump starting their
economy, and then seeing where they end up. China's incentives aren't to _act
within_ our paradigm of free trade, but to attempt to _operate on it_. If free
trade is truly a Schelling point, then we'll remain there. Otherwise at the
end of the day, holding currency or title to imaginary property won't matter,
but where the factories are located will.

But that isn't really relevant to the larger point that all this finger
pointing at China (or Russia, depending on the month) is just basic
scapegoating to cover the asses of negligent contractors and corrupt
government.

~~~
resters
> You don't need to make this claim to support the rest of your point.

True

------
syspec
> The victims have included large contractors as well as small ones, some of
> which are seen as lacking the resources to invest in securing their
> networks.

That does not compute. If they want to become a defense contractor, it stands
to reason not spending resources on securing their network (and educating
their employees against phishing attacks) is a non-starter.

~~~
kasey_junk
Why? You can be a “defense contractor” as a one person show out of your
garage.

The requirements for selling _a toilet_ to the navy were written at a time
when these issues didn’t exist. That the biggest bureaucracy on earth doesn’t
respond well to new threats seems _expected_ not odd.

~~~
rhodysurf
Exactly. Legit anyone can bid on these contracts and the DOD is finally
starting to crack down on “Confidential Unclassified Information” and the
contractors that handle that data. It’s wild how many small companies have no
security infrastructure.

------
curt15
Do procurement contracts have clauses that discount the purchase price when
proprietary information is lost to reflect the diminished value of the
product?

~~~
dx87
I wouldn't be surprised. I've done some unclassified govt contracting and it
wasn't uncommon for them to include clauses in software purchase contracts
that they had to be reimbursed a certain amount of money any time a security
vulnerability was discovered in the purchased software. The reasoning was that
they had to spend money identifying, reporting, and updating systems, so the
vendor had to pay for wasted resources.

------
azinman2
At what point will the gov actually do something meaningful here? I know
security is hard, but so is putting a man on the moon. The amount of hacks
without consequences is insane.

------
metacritic12
Is this a surprise? I imagine many powerful countries' cyberespionage groups
are going after the other side.

------
tivert
Paywall workaround: [http://archive.is/KMi5Y](http://archive.is/KMi5Y)

------
golem14
A slightly different headline would be "Navy has lousy security practices
especially regarding contractors"

I'm pretty sure the CIA and NSA do their utmost to spy as much as they can on
the Chinese and Russian Navy.

~~~
psychedictic
@snowden sold us out to China when he fled in 2013, by revealing details about
our spying operation on them. Apparently they bolstered their defenses after
this, due to this information, meanwhile stepping up offensive attacks against
the United States.

~~~
rhegart
According to the NYTimes they also killed over 100 CIA assets in China. So
we went in the dark for a while as the whole batch was compromised. We didn’t
retaliate either. The Snowden thing wasn’t the cause of that but I bet the
Snowden thing compromised other assets.

~~~
wybiral
It's interesting how much people still talk about metadata collection
(protected behind the requirement of itemized FISA court approval) because
"big mean US is evil" while ignoring events like this.

~~~
vkou
Events like what? That people committing capital crimes for money are being
caught, and convicted of... said capital crimes?

If you don't want to do the time, don't do the crime. You don't just stumble
into being an informant for a foreign power.

~~~
wybiral
> Events like what?

Killing dozens of people in secret without a proper trial.

And the fact that it isn't an uncommon occurrence.

~~~
clubm8
>Killing dozens of people in secret without a proper trial.

To be fair, they also executed some of them in public ;)

[https://www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html](https://www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html)

>From the final weeks of 2010 through the end of 2012, according to former
American officials, the Chinese killed at least a dozen of the C.I.A.’s
sources. According to three of the officials, one was shot in front of his
colleagues in the courtyard of a government building — a message to others who
might have been working for the C.I.A.

