Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
There have been reports about military and industrial secrets and what "ought" to be secrets being sent to China for decades now. It has been clear (at least in these reports) that US companies were required to have their technology built within China in order to have access to Chinese markets, and the US Government has approved such technology transfers time and again, regardless of concerns for what it does in the long term. I seem to recall this at least as far back as Clinton's time, maybe further. So we are seeing a continuation of a pattern which has been accepted for many years of transfer of knowhow and of aggressive Chinese state support of that transfer. While arguably the time to lock the barn door started decades ago, and continues now, this report should surprise nobody.

The economic espionage (and other espionage possibly) is old news and might be better handled by measures to perhaps make some of their take be designed to be dangerous to use. (If for example you steal my avionics, might I not be justified in seeing that what you steal is jiggered so the planes crash now and then? Or happen to hit some unpleasant resonances once in a while?) Such things would make it dangerous to steal... Also, is there no counter-espionage going on?

At any rate, treating this as a surprise and a reason to prepare for war seems useful only to those who want to create emergencies, perhaps to further diminish our civil liberties. When I was young there was lots of fear about impending nuclear war, but nobody treated spy scandals on either side as reasons for conflict. They did try to reduce exposure. That can be done here too.

One thing that might be looked at is whether the "air gap" that was supposed to protect many SCADA systems could not be made to exist in reality, as an alternative to replacing all the old gear in use. New mandates are not needed so much as something like pointing out that the uninsured liability risk of not having such gaps can be rather large, and some public monitoring to find vulnerable sites.

As for the worries even DoD has about hidden functions in ICs sourced from abroad, the more such sourcing is domestic only, and enforced so, the more such seems real.

Securing infrastructure from spying or outside influence is a huge job, made harder by decades of use of systems not designed to resist attacks (so that only the civilian losses due to untrustworthy actions seem to drive fixes) and failure to use software designed for stronger protection. There are measures that can be taken, but many are not general practice, but are lab work. (Ever consider how much mischief occurs because we don't design our interpreters (hardware or software) to reliably tell data apart from code? This permeates whole classes of attacks. While language purists will point out that type enforcement should imply this, the basic code/data confusion problem alone causes most of the flaws I read about. That ought to suggest generic approaches to anyone who considers it awhile.)

On the other hand, if the point of all the sabre rattling is to give excuses for increasing government pervasiveness, and perhaps ventures into wishful thinking that fighting another war like, say, the Korean War, will allow the problems to be solved, it won't do anything useful and is likely to cause great damage, domestically and otherwise.

The political folks here really need to be dealing with experts outside their set of Usual Suspects to devise honest fixes, and let those fixes be visible. Talk about how the government in its wisdom will fix things, given how thoroughly it has NOT fixed things over decades now, sounds like subscribing to a 19th century snake-oil salesman to treat a modern epidemic. Maybe some of the above might suggest some other ways...

Glenn Everhart

On 02/20/2013 09:34 AM, Gary McGraw wrote:
> hi sc-l,
>
> No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)
>
> Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
>
> Those of us who work on security engineering and software security can help educate policymakers and
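Glenn's parenthetical about interpreters that cannot tell data apart from code, illustrated with an added example that is not part of the original thread. Two ordinary software interpreters, /bin/sh and SQLite, are each handed the same attacker-controlled string twice: once spliced into program text the interpreter must parse, and once passed through an argument channel (an argv vector, a bound SQL parameter) that the interpreter never parses as code. The user table, the names and the hostile inputs are constructed for the demo; nothing here is from the Mandiant report or the list.

```python
"""Code/data confusion in two everyday interpreters: a POSIX shell and SQLite.

The attacker's input is identical in each pair of calls. What differs is the
channel: string splicing lets the interpreter parse the data as part of its
program; an argument channel keeps the data/code boundary the interpreter
itself enforces. Everything below is constructed for illustration.
"""
import sqlite3
import subprocess

# Constructed hostile inputs (not from any real incident).
HOSTILE_FILENAME = "report.txt; echo PWNED"      # aimed at the shell grammar
HOSTILE_USERNAME = "nobody' OR '1'='1"           # aimed at the SQL grammar


# --- interpreter 1: /bin/sh (assumed present, as on any POSIX system) -------

def shell_confused(filename: str) -> list[str]:
    """Splice data into shell source: the shell parses ';' as a command separator."""
    command = "echo " + filename                  # one string, handed to /bin/sh
    out = subprocess.run(command, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()

def shell_separated(filename: str) -> list[str]:
    """Pass data as an argv element: no shell sees it, ';' is just a byte."""
    out = subprocess.run(["echo", filename], capture_output=True, text=True)
    return out.stdout.splitlines()


# --- interpreter 2: SQLite (in-memory, no external state) -------------------

def make_db() -> sqlite3.Connection:
    """Constructed sample table; the secrets are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return conn

def lookup_confused(conn: sqlite3.Connection, name: str) -> list[str]:
    """Splice data into SQL source: the quote in the input closes the literal."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_separated(conn: sqlite3.Connection, name: str) -> list[str]:
    """Bind data as a parameter: the engine compiles the query before it ever
    sees the value, so the value can only ever be compared, never parsed."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    print("shell, spliced:   ", shell_confused(HOSTILE_FILENAME))
    print("shell, argv:      ", shell_separated(HOSTILE_FILENAME))
    db = make_db()
    print("sql, spliced:     ", lookup_confused(db, HOSTILE_USERNAME))
    print("sql, parameter:   ", lookup_separated(db, HOSTILE_USERNAME))
```

The two "confused" functions are the same bug in two grammars: a byte sequence that is data to the caller becomes syntax to the interpreter. The two "separated" functions are the same generic fix: route untrusted bytes through a channel the interpreter treats as data by construction, rather than trying to escape them into the code channel.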
Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
There is an agenda but it's also information that is long overdue - and there is more of it Classified for what many ppl consider no good reason. Also, other reports have indicated faculty and staff at the Unis too. None of which I doubt terribly.

For me the bigger issue is that it simply doesn't matter - it's not like this level of nation-state backing is ~required~ for most cyber heists or most security issues. If anything it furthers (on top of other bad perceptions) that competitiveness is increasingly a function of secrecy vs innovation.

Oh well - I'm repeating myself. ;-)

-Ali

On Wed, Feb 20, 2013 at 10:49 AM, Jeffrey Walton wrote:
> On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw wrote:
> > hi sc-l,
> >
> > No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)
> >
> > Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
> >
> > Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.
>
> I'm somewhat surprised a report of that detail was released for public consumption. The suspicion in me tells me it's not entirely accurate or someone has an agenda. There's too much information in there that would be cloaked under "national security" given other circumstances.
>
> There also appears to be a fair bit of FUD-fanning going on: "Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology." The US equivalent would be like saying the NSA actively recruits Mathematicians and Computer Scientists.
>
> Jeff
>
> ___
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> ___
Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw wrote:
> hi sc-l,
>
> No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)
>
> Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
>
> Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I'm somewhat surprised a report of that detail was released for public consumption. The suspicion in me tells me it's not entirely accurate or someone has an agenda. There's too much information in there that would be cloaked under "national security" given other circumstances.

There also appears to be a fair bit of FUD-fanning going on: "Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology." The US equivalent would be like saying the NSA actively recruits Mathematicians and Computer Scientists.

Jeff
[SC-L] Chinese Hacking, Mandiant and Cyber War
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com