

  (Source: Keaitu.com)
Even teenagers can defeat U.S. network security

Will the U.S. government ever step up to the plate and properly defend the nation in cyberspace?  

I. Government Has Already Flunked the Cybersecurity Test

That's the pressing question as Democrats and Republicans in the U.S. Senate bicker over a pair of proposals designed to offer some improvements to the nation's overall extremely poor state of cybersecurity.

The U.S. has flunked the "real world" security test. [Image Source: The Evergreen Foundation]

The situation as it stands is dire.  Tech-savvy teens in the last year have humiliated government IT departments, shutting down or hacking government websites, while the government has been unable to find a way to shut down these hackers' homepages, such as "LulzSec".  

These days even teens can outwit the U.S. government's internet security.
[Image Source: Financial Times (left); Michael Mayer (right)]

Meanwhile, the U.S. is still grappling with the fallout of giving a low-ranking private in the U.S. Army complete, virtually unrestricted access to the entire body of U.S. diplomatic cables and a great deal of military footage.

The soldier -- a teen at the time -- then passed the information on to WikiLeaks, a fame- and fortune-seeking "leaks" brainchild of ex-Australian college professor Julian Assange, who resorted to creative Hollywood editing to make U.S. attacks on armed militants look like the murder of unarmed civilians (see the scandal regarding the unedited "Collateral Murder" video). The loss could well end up costing lives, a prospect that allegedly delights the WikiLeaks founder, who is quoted by a prestigious British journalist (and supported by several other journalists who were at the meeting) as stating that those who cooperate with U.S. forces in the Middle East are traitors to their people and "deserve to die" (Assange denies saying this, calling the journalists liars).

Military secrets leaked and subsequently doctored by Wikileaks have been a massive PR setback for the U.S. military and its allies -- one which may cost lives.

This was just one high profile example in a long string of horrific data losses for the hapless government agencies [1][2][3].

But all of those embarrassments stand secondary to the far more dangerous threat from America's economic superpower rival, China.  At a time when there's strong impetus in the U.S. to downsize the federal government and cut programs, the nation is also grappling with the reality of a Chinese government that has no such concerns and is more than willing to reportedly spend billions on its own cyberoffensive programs.  

While the U.S. government recently drafted strict rules about when it can cyberattack other countries, China seems to have no such scruples.

U.S. agencies have proved woefully incapable of protecting their data against Chinese hackers.
[Image Source: Asia Society]

China has stood accused of conducting massive intellectual property theft, hacking into financial institutions, stealing government information, and compromising U.S. Department of Defense systems. The problem is that America is unable to retaliate in any meaningful way. The American economy is predicated on China manufacturing the goods U.S. companies "design", and hence the nation cannot hope to respond with economic sanctions. At the same time, its lack of security competence limits its bloodless counter-offensive options.

II. Defending the Nation?  It's Congress's Constitutional Duty

Article 1, Section 8 of the U.S. Constitution, the foundation of the U.S. government, clearly grants Congress the power:


The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;

To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years;

To provide and maintain a navy;

To make rules for the government and regulation of the land and naval forces;

To provide for calling forth the militia to execute the laws of the union, suppress insurrections and repel invasions;

The U.S. Congress has been ineffectual in legislating funding and creating proposals outlining a sensible digital "common Defense" of the nation -- i.e. a "militia" (say, competent contracted security officials) or a digital age army (such as China has built).

In other words, when it comes to their Constitutional responsibility to protect the U.S. against invasions -- including cyberinvasions -- both parties in Congress have failed. Yet the American people remain largely apathetic about these failures and continue to vote for their party of choice, while doing little to voice public discontent over America's ongoing losses in the global cyberwar.

III. U.S. Senate, House Can't Agree on What to do

In the Senate, Sen. Harry Reid (D-NV) has proposed a broad bill that would pay for improvements to the government security infrastructure. The bill would authorize the Department of Homeland Security (DHS) to crack down on IT incompetence in the various federal agencies. It would also authorize the DHS to crack down on similarly poor practices at U.S. government contractors, such as Lockheed Martin Corp. (LMT), whose F-35 Lightning II fighter program was infiltrated by foreign spies.

The bill has strong Democratic support. Other co-sponsors include Sens. John D. "Jay" Rockefeller IV (D-WV) and Dianne Feinstein (D-CA). But the bill also has a degree of bipartisan support, as it is co-sponsored by Sens. Joseph Lieberman (I-NH) and Susan Collins (R-ME). Sen. Collins' mentor is Sen. Olympia Snowe (R-ME), who recently announced that she would not seek reelection as she could not stand the partisan conflict that has infected Washington D.C.

That conflict threatens to sink the Reid bill, as strong opposition from the Republican majority is overwhelming the minority in the party who support the measure.  Senator Saxby Chambliss, Jr. (R-GA), states [press release], "More government is seldom a solution to any problem."

Sens. Chambliss and former 2008 presidential candidate John McCain (R-AZ), along with 6 other high-ranking Senate Republicans have sponsored an alternate bill [press release].  Reuters describes the bill as "softer".  That bill would not provide any additional funds to U.S. cybersecurity or authorize increased DHS oversight of IT/contractors.  Instead, it would step up "information sharing" efforts between the U.S. gov't agencies and contractors regarding threats.

Sen. John McCain opposes the Reid bill to fund cybersecurity. [Image Source: kwout]

Sen. McCain lauded the bill as implementing far less regulation than Sen. Reid's proposal. He states, "We believe that ensuring our nation's cybersecurity is critical. We have a bill that would do plenty to meet current challenges."

It should be noted that Sen. Reid's bill also includes proposals to increase information sharing. Responding to the criticism, he stated, "I look forward to a debate on the Senate floor that will ensure this bill and other proposals get a fair hearing, and which will allow thorough consideration of amendments to improve the legislation."

While the Republicans are in the minority in the U.S. Senate, they do have strong support on the bill from the telecommunication industry, which is wary of increased regulatory powers to the DHS in the Democratic bill.  

Industry officials also enjoy a close relationship with the bill's sponsor, Senator McCain. AT&T, Inc. (T), America's second largest mobile carrier and a major ISP, has provided free service to Sen. McCain's ranch complex in Ariz. And telecoms/ISPs have heavily financed Sen. McCain's Senate and Presidential runs, raising millions for him, favors he returned with hundreds of millions of dollars in tax cuts and tax holidays.

USTelecom President Walter McCormick offered glowing praise for the McCain measure, stating, "We can support the bill introduced today because it pursues those objectives without creating new bureaucracies or regulatory mandates that would erode, rather than enhance, the ability of network providers to provide nimble and effective responses to cyber threats."

The question is whether "information sharing" would do enough to improve the ineffectual cyberdefenses of the U.S. nation against threats from the Chinese and others to water supply, electric grid, financial networks, and transportation infrastructure.

The U.S. House of Representatives' efforts are still in their earlier stages, but a bill similar to Sen. McCain's Senate proposal would authorize the Pentagon to conduct two-way sharing of information with ISPs and contractors regarding threats. The bill passed a procedural vote by the House's Permanent Select Committee on Intelligence and will be headed to a vote on the House floor sometime later this year.

Congressional cybersecurity efforts have stalled. [Image Source: U.S. Congress]

But the Democratic minority in the Republican-controlled House is expected to be crafting its own counterproposal. Thus partisanship may stall legislative efforts in the House, much as the rancor is currently sinking the Senate bills.

In the last five years similar bills have been proposed and slowly died.

IV. Will Someone Who Cares, Please Step up

Howard Schmidt, the White House cybersecurity policy coordinator, is hopeful that Sen. Reid's measure passes. But amid the partisan rancor he's not counting his digital eggs before they hatch. He instead is pushing government agencies to reinterpret current authorization bills and work to promote self-defense of the private sector, aware that Congress may not be able to reach the compromises necessary to defend the nation.

In that way the White House may try to sneak increased cybersecurity regulation "in the back door" via existing programs.  But such efforts stand a strong chance of winding up in court, as contractors may sue the federal government if it adopts what they view as unauthorized regulation.

No one seems interested in solving America's cybersecurity problems. [Sen. Collins]

Ultimately at the end of the day all parties involved -- the majority of U.S. businesses and the U.S. government -- are lukewarm on providing strong cybersecurity.  That's not to say their half-hearted efforts have come for free.  Both the government and private sector pay a lot for cybersecurity.

An overt attack by China is unlikely -- it is as economically dependent on the U.S. as the U.S. is on China. However, China appears instead to be opting to use its steady cyberattacks on the U.S. for financial and technological gains. The nation has made tremendous progress in its stealth fighter and space programs, progress many U.S. officials believe was fueled by stolen U.S. government secrets.

But in an era where China is conducting almost open for-profit cyberwar against the U.S. and amid a string of embarrassing security breaches by amateur attention-seekers, the efforts are clearly not enough. The problem is that few seem willing to pay the high cost of providing a strong security solution.

At the end of the day, this means that until something changes, the embarrassments for the U.S. government will likely continue. And China will enjoy a faster path towards its goal of displacing the U.S. as the number one global financial power.

And for skeptics eager to smash that analysis as alarmism, listen to Sen. McCain [press release]:

All of us recognize the importance of cybersecurity in the digital world. Time and again, we have heard from experts about the importance of possessing the ability to effectively prevent and respond to cyber threats. We have listened to accounts of cyber espionage originating in countries like China; organized cyber criminals in Russia; and rogue outfits with a domestic presence like ‘Anonymous,’ who unleash cyber-attacks on those who dare to politically disagree. Our own Government Accountability Office has reported that over the last five years, cyber-attacks against the United States are up 650 percent. The threat is real.

He's certainly right about that.

Sources: John McCain [press release], Reuters



Comments

RE: But Democrats
By JasonMick (blog) on 3/2/2012 4:27:26 PM , Rating: 2
(To finish my thought with point 2.)

* In an era where a bright individual can be a one man army online, we must recruit and reward financially the best and brightest, NOT imprison them.

China realizes this -- that's part of why its cyber efforts are so hard to pin on it. It hires talented black hats and then sics them on the U.S. for its own gains.

I think the U.S. is being too soft-hearted in preferring not to mass-employ its cyber-criminals. When these rogues are more powerful (skilled) than the government's paid IT employees in terms of intrusions, you need to be recruiting these valuable weapons (in an official capacity) and setting them to work against your enemies, not punishing them.

(Though perhaps psych profiles for potential recruits are in order to make sure their past transgressions were out of greed/curiosity/attention-craving, not just pure insanity. Lunatics make poor employees for positions of trust.)


RE: But Democrats
By Reclaimer77 on 3/2/2012 4:39:42 PM , Rating: 2
I agree with everything you said. But I don't see this happening under this Administration. Obama seems to think that any aggressive move, even to defend ourselves, simply invites more aggression. When we know the truth is quite the opposite.

I like your ideas. Peace through strength, my old standby :)

quote:
I think the U.S. is being too soft-hearted in preferring not to mass-employ its cyber-criminals. When these rogues are more powerful (skilled) than the government's paid IT employees in terms of intrusions, you need to be recruiting these valuable weapons (in an official capacity) and setting them to work against your enemies, not punishing them.


I think this would be a tough sell in Congress. Because you're basically talking about exposing our most secret networks to, literal, criminals. And once they are plugged in and doing their thing, it would be literally impossible to make sure they are doing their jobs and not more seedy endeavors. Like you said, they're smarter than our own IT experts for the most part. Hard to track and monitor and keep tabs on.

Notice I said Congress would rip the idea apart, so would the media. I personally think it's worth the risk.


RE: But Democrats
By JasonMick (blog) on 3/2/2012 4:41:22 PM , Rating: 2
quote:
I think this would be a tough sell in Congress. Because you're basically talking about exposing our most secret networks to, literal, criminals. And once they are plugged in and doing their thing, it would be literally impossible to make sure they are doing their jobs and not more seedy endeavors. Like you said, they're smarter than our own IT experts for the most part. Hard to track and monitor and keep tabs on.

My notion would be to have some sort of ambiguous money pool e.g. perhaps by bumping the CIA budget and letting them funnel it.

Don't give your new "friends" access to your networks or government hardware. That's the LAST thing you should be doing. Just give them CASH and basic instructions about the target and leave the rest to their creativity. A cash "signing bonus" should get them started with all the equipment they need.

Have them give you files of what they obtain or damage they do for analysis and then pay them bonuses (say in the $100K-$1M USD range) for each major success.

That's likely the model China is using, if I had to speculate.

Of course there's the risk of the Chinese or others trying to lure them, so the CIA or whoever is involved will need to carry out some monitoring of their connections.


RE: But Democrats
By JasonMick (blog) on 3/2/2012 4:45:41 PM , Rating: 2
And let it be noted I said the CIA because it is a government agency that is neither authorized nor does it have an extensive history of spying on U.S. citizens. Thus it'd be a relatively safe point to inject funds.

Unlike the DHS.

A bill could be proposed in Congress under the premise of cybersecurity with ambiguous language that obfuscates the true purposes as long as the President and a handful of trusted Congresspeople know what is going on.

It'd be a wise move if the President "had the balls" to do it.


RE: But Democrats
By Reclaimer77 on 3/2/2012 5:19:26 PM , Rating: 2
Ohh a black project. Now you're talking. I must have misunderstood. Politically it's risky though if this gets out in the press or Congress gets a whiff of it.

I like it. Sounds like a great idea for a book too. If it hasn't been done already that is.

quote:
That's likely the model China is using, if I had to speculate.


Well except for the high pay and bonuses and freedom to operate on their own, yeah. I get the feeling China's approach is more likely "Good job, we WON'T shoot you today. And you've earned a pee break!" :P


RE: But Democrats
By wifiwolf on 3/2/2012 9:42:10 PM , Rating: 2
It will be known (there's still WikiLeaks). But just because everyone will be screaming "The horror" doesn't mean they won't do it anyway when they need to.


RE: But Democrats
By bah12 on 3/5/2012 12:48:08 PM , Rating: 2
That's good in theory, but haven't we learned anything from history? Providing your enemy's enemy with weapons/resources almost never helps in the long run. Think Iraq/Afghanistan. There it was physical guns, but the concept is the same. Arm the bad guys because they are a little less bad than the immediate threat.

Problem is your "plan" has a fatal flaw. Immediate short term gains at the risk of long term pain. What happens when your plan is successful? Do the hackers just retire and burn all the shiny new super computers they've bought? Or do they hire their services out to the lowest bidder?

They are anarchists, by the very definition of the word they cannot or will not submit to "control" via any means. Their ideology would certainly have no issue taking your funds to use against you. Any control you may think you have would be nothing more than an illusion.

The other flaw in your argument is that the only place to find "smart" people is via the criminal element. There are plenty of smart law abiding IT people out there. That is not the issue, the issue is the political BS and red tape that prevents them from doing what needs to be done. Like many jobs, security holes exist not because of a lack of IT talent, but a lack of IT authority. IT is almost always an afterthought, and God forbid the CEO not be able to see that YouTube post on his iPhone.

