"Intelligence officials say that any legal case could result in exposing American intelligence operations inside China — including the placement of thousands of implants in Chinese computer networks to warn of impending attacks."
That also sounds like hacking into another country's systems.
The rational move is a massive investment in security technology including strong encryption and the kind of work that the NSA used to do in the 1990s of working to make Windows and Linux more secure for American businesses.
Any attempt by our intelligence services to back door computer systems, instead of working to make everyone more secure, is a grave disservice to the American taxpayer.
> Any attempt by our intelligence services to back door computer systems, instead of working to make everyone more secure, is a grave disservice to the American taxpayer.
And that's what our leaders don't understand. If the NSA has access to backdoors in collusion with vendors, what stops China or Russia from exploiting the same backdoors? Absolutely nothing. If the NSA can hack phones because provider X or Z has set up a "secret" interface for that purpose, well it's going to be exploited by someone else, and foreign hackers will figure it out. How can the NSA be sure that PRISM and co themselves aren't compromised?
Our leaders have a poor understanding of technology. In the Washington Post there was a call for encryption with access for a "golden key". You know, so police, etc. can investigate if needed. They don't realize how that weakens the entire system, making it easier for your adversaries as well.
So everyone is concentrating on the offensive abilities, because that's where the easy pickings are. And you can make flashy presentations about "how we f*cked them over". Flashy presentation about how you probably reduced the risk of a security breach by a few percentage points? Not so much.
Retaliation is a side show. Focus on hardening. The same sets of laws that exist for products and environmental liability must be implemented for information liability. Make companies economically liable for hardening their software and hardware and the lawyers will get it done. If there is one thing our overly litigious system is good at... it's extracting economic penalties for failure.
Think of a fort. Forts had defined security controls in the old times. In a fort, you go through a security rotation of making sure the pot of boiling oil tips over on time. You practice your smoke signaling so that the appropriate people are notified in the event of a wall breach. You measure your walls and review their height periodically. You protect transports carrying crown jewels. But the only way to make sure all these worked effectively was to write their processes down and practice them.
You need a systematic checklist to control your sensitive environment and protect your fort. In an agile environment, keeping all the processes in your head is painful. By prescribing to a series of security rotations (e.g. Code review process, Change control process, Log review process, Key Rotation process, Secure Delete process) you can provide accountability that reasonable steps were taken to build your fort and protect your crown jewels.
1. Boundary Control (e.g. Firewall, Router, Switch)
11. Write current processes (e.g. Code review process, Change control process, Log review process, Key Rotation process, Secure Delete process)
It's writing down current processes (and following them) that's the missing piece to a holistic security program.
The other missing piece to a hardened environment is buy-in from the three primary stakeholders that hold up the fort: Sysadmins, Developers, and Security Officers.
Developers don't realize the importance of Source Code Analysis. Is your code even 80% covered? That's a big part of building up a good defense :).
I couldn't agree more, it's completely ridiculous. The sad part is I believe they actually have a department that was/is in charge of it (NSA), but they've been completely focused on "terrorism" (the kinds where stuff blows up) and offensive work.
To be fair, in the modern international climate, we've seen that wars between developed countries have dropped off drastically because of the development of nuclear weapons and the creation of MAD. There are few truly formidable defensive structures from the past 100 years - the circumvented Maginot Line and the overrun encampments on the beaches of Normandy come to mind.
The point being that it doesn't seem unreasonable to expect that a legion of military minds trained in deterrence as the primary response to threats from rational entities would think first to build the capability to retaliate and second the capability to defend.
I'm not really sure how far the comparison between physical military threat and cyber threat really carries, though.
You're absolutely right, there is no decision, there is no announcement, they even say the White House can't decide how to. NYT needs to add a [RUMOR] tag.
I guess I've developed a (healthy?) distrust for anything I read that at this point reading they have a source is meaningless. Especially when you tie it to a link bait title.
In my opinion, seeing an article like this is a huge display of weakness on behalf of the United States.
You don't see other nations who engage in adversarial ways against the US broadcasting their intentions in public theatre.
If the US and Obama administration really wanted to demonstrate power and deter China from cyber attacks, they wouldn't go chatting about all the things they're going to do. They would go do it and it would be heard of after the fact.
Has the concept of the element of surprise been forgotten?
"One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence," said one senior administration official involved in the debate
This sentiment should probably be read as "so as not to appear impotent to the citizens at home" instead.
What you're missing is that this has been publicized by someone inside the administration, who likely thinks the leak is the best way to force the action / inaction they want. It's not "the government" as a monolith showing their hand.
No it hasn't been forgotten. I think you've confused the purpose of the message.
This is meant as a last warning for China, and everyone else, that the US is going to begin aggressively attacking in response, instead of mostly just taking it. I don't think anybody is going to like what's going to come of it. Picture the US military, with its $600 billion budget, treating all global digital infrastructure as its new battlefield.
No, it's not a display of weakness, not even close. It's purely an act of public opinion manipulation. They are trying to steer the public opinion to a certain direction.
I'd guess US would retaliate by releasing information that hurts the Chinese government politically, specifically corruption. I don't think it would escalate into anything other than stealing/releasing information. Full on cyber war is really unlikely as both sides would prefer to stay in power.
"Purging corruption" is often times a way of replacing people you don't like with people you like more (or who will owe you more). Corruption will remain, but the hand demanding it will be different.
> While James R. Clapper Jr., the director of national intelligence, said last month that “you have to kind of salute the Chinese for what they did,”...
You have to kind of salute Clapper for what he did, committing perjury and then keeping his job
I think cyber warfare is inevitable. Because systems are so complex, defensive techniques will always fall short. The only effective deterrent is an offensive attack or at least the fear of an attack. The US has to create a catch-22 situation for China so that it fears the repercussions.
Yeah, systems really are not so complex they fall short, it's the fact that there is ineffectual non-technical leadership, and they always tend not to listen to their technical people and SMEs
I hope not. I think it's like the nuclear arms race. Everyone wants one so that it can deter its enemies but using a nuclear weapon can be disastrous. Similarly, the US strategy here could be to show China that it's capable of retaliating if it wanted to but doesn't necessarily have to resort to it.
I'm pretty sure that the nuclear arms race was largely driven by adherence to MAD. And what you're describing is exactly the kind of escalate-in-kind deterrence policy that was built on top of the mutually assured destruction philosophy.
Finally a mutually assured destruction where the Germans actually have power. (Just check how much stuff worldwide is using SIEMENS tech, including almost all power grids, train infrastructure, etc)
The Snowden documents showed that the US had already hacked SMSCs and other major communications infrastructure right across China. The notion that China is the aggressor here is laughable.
We could have the US conduct a widespread, multi-day DDOS against Baidu which would be proportional considering the Chinese government used Baidu to conduct a widespread multi-day DDOS of GitHub.
“This is one of those cases where you have to ask, ‘Does the size of the operation change the nature of it?’ ” one senior intelligence official said. “Clearly, it does.”
But of course, that doesn't apply to NSA's bulk data collection, right?
If they weren't so conflicted about encryption, the logical response would be to get serious about defensive measures and make sure they're more widely available.
"But in a series of classified meetings, officials have struggled to choose among options that range from......"
Apparently the meetings weren't really all _that_ classified.
Sadly, it has come to a point I don't know what to believe anymore. Whoever released the story has an agenda. Does the agenda in any way mirror factual reality? Beats me.
I'm a westerner. I support the west. My livelihood depends on it. So if they say we've always been at war with Eastasia I guess I don't know enough to say differently.
Looking around at bureaucratic politic filled government agencies and big companies I don't see real protective measure being taken any time soon. The leadership of those places has been filling up for years with ass covers and bullcrappers, and a turn around towards effectiveness isn't going to happen any time soon. So maybe send some drones or something. Oh wait... we can't do that, because those are all reserved for poor Muslims who can't really fight back at any scale. So I don't know. I guess puffing around and taking the lumps is about the only option for now.
Hardening security measures should be more important than announcing retaliation like a bunch of angry children. I don't know the nature of all of these attacks but didn't Sony get broken into via simple social engineering? The guy literally walked into main lobby and got ahold of network engineer's credentials or something of this kind. A lot of companies have very little to no basic security awareness, let alone any kind of significant security infrastructure in place.
This will most assuredly end well. I'm sure the Chinese won't respond in kind by escalating even further, thus creating mutual demand in both markets for cyber warfare.
Frankly, I do believe an alternative is to try to minimize long-term damage by being smarter about security and making sure hackers go for the low-hanging fruit that will be easily fixed. For example, make a prediction market for where hackers will hit, and play with difficulty and incentive factors so that you control the game, rather than simply begging the opponent to go for bigger, better (worse) targets, which is what I assume is going to happen with the current course of action.
Well... at one point the loser in the cyber war might decide real bullets can compensate for a loss in cyberspace...
I wouldn't count on China coming out on top at that point.
But more than likely it will stay just short of that and be like a fly that is just annoying enough not to walk inside for the flyswatter. Incidentally, what would China want with personal records of US government employees? Is it going to send them all spam or order stuff on Amazon using their bank accounts or something?
On HN I can assume anyone can make a bullet list of reasons you don't want the Chinese to have unfettered access to American systems. I'll start a short one:
Not that counterattacking is necessarily the best option, but from what I've heard from colleagues in China, the security ecosystem there is far worse than the US. Especially with respect to encryption, many companies and government services rely on poorly designed homebrew solutions.
First of all, China likely has far less cyber surface area than US. Which means US will suffer more damage in the event of a cyber war.
Secondly, it is dangerous to suppress cyber attacks via negotiations, appeals and threats (as opposed to technological means) because then we'll be in the dark as to their capabilities and our exposures, and in the event of an actual war we'll be unprepared and they will cripple us easily.
Instead, we should do what companies such as Google and recently United Airlines have done: reward hackers who find vulnerabilities. Then disarm the opponent by fixing our vulnerabilities as quickly as possible.
China can retaliate by going after American economic interests, but ultimately they'd be cutting off their nose to spite their face. China is not a friendly environment for non-domestic companies, and American companies are going to need to understand sooner or later that this is a dangerous market to pin hopes of growth. Google got out of China and now they're liberated from China's coercion tactics. Retaliation would inflict some short term pain on American companies, but ultimately they'd rebalance and it would be China that would suffer from their economic withdrawal.
I wonder if this is how they decided to retaliate...by saying they would? This has the feel of an intentional leak to tell the Chinese that we mean business. If so, why telegraph our actions if we're actually going to follow through?
It leaves a definite calling card, closing off some of the debate about who's doing what. Perhaps removing some of the ambiguity also reduces the chances of unintended political or market fallout.
This is complete speculation, but perhaps an interesting idea. What if the recent turmoil in China's stock market is a direct result of the US retaliation for this incident? Clearly, the US wouldn't admit that, but they might want the implication to exist.
China's growth has been trending down for a decade plus. The fundamentals of their economy continue to get worse by the year. Keeping that picture in mind, their stock market lifted off to insane heights, in a matter of months, for absolutely no good reason other than a flood of margin that was encouraged by the State.
China's stock market crashed because it went up drastically for reasons that were never going to be able to support the new levels (ie not due to growth or general improvement in economic fundamentals).
The US has also not been crashing their real estate market the past year. That too is a mess of their own making.
Given the entire world's financial systems are smoke and mirrors to begin with, that's not a half bad assumption. If people knew where the smoke machine's plug was...
> The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management
Someone tell me what use China has for "personal information" of Americans from the Office of Personnel Management.
Seriously. What do the records contain and what is it to China? Wouldn't China be more interested in the "personal information" of their own peons?
> But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States
So how classified were the meetings if you know what they talked about?
> In public, Mr. Obama has said almost nothing, and officials are under strict instructions to avoid naming China as the source of the attack.
.. But it's alright for the New York Times to declare to the world that China is being naughty?
> unless the United States finds a way to respond to the attacks, they are bound to escalate
Yeah, pretty soon the Chinese government will be hacking PayPal for Americans' credit card numbers! You know, for extra revenue and all.
> In the Sony attack, the theft of emails was secondary to the destruction of much of the company’s computer systems, part of an effort to intimidate the studio to keep it from releasing a comedy that portrayed the assassination of Kim Jong-un, the North Korean leader.
Why the hell would the Chinese government give a flying fuck about a comedy about Kim Kong-Un? Let alone to the extent of "destroying Sony's computer systems", whatever that's supposed to mean? How do you destroy computers by hacking them remotely?
> The Justice Department is exploring legal action against Chinese individuals and organizations believed responsible for the personnel office theft
So assuming these people were working for the Chinese government, the US would have to extradite/kidnap them from China to get them convicted. How's that for "escalation"?
If kidnapping isn't in the plans, why would they "explore" legal action, knowing it would be a waste of time? Why would they publicize their plans for legal action? Do they just want to make themselves look stupid?
In reality, this article is just Cold War 2.0 propaganda. Who knows if any hacking even happened? It makes no sense for China to hack Sony over a movie, so why wouldn't this be bullshit too?
> Someone tell me what use China has for "personal information" of Americans from the Office of Personnel Management.
> Seriously. What do the records contain and what is it to China? Wouldn't China be more interested in the "personal information" of their own peons?
From what I've read, these files can potentially contain very sensitive information. As part of the background check for some government positions, many dark secrets are unearthed and documented. Why? So that the government has a heads-up on how its employees may be compromised by foreign adversaries. So if the Chinese had such files on 20 million people, they would have a treasure trove of information to use as leverage against US citizens.
> Why the hell would the Chinese government give a flying fuck about a comedy about Kim Kong-Un?
They don't, and the article never implies that they did. "Admiral Rogers made clear in a public presentation to the meeting of the Aspen Security Forum last week that he had advised President Obama to strike back against North Korea for the earlier attack on Sony Pictures Entertainment. Since then, evidence that hackers associated with the Chinese government were responsible for the Office of Personnel Management theft has been gathered by personnel under Admiral Rogers’s command, officials said." The DPRK is associated with the Sony hack, and PRC with the OPM one.
> So assuming these people were working for the Chinese government, the US would have to extradite/kidnap them from China to get them convicted. How's that for "escalation"?
"Legal action" could be sanctions, warrants, etc. Why do you jump to kidnapping so suddenly? (Not that I would put it past this government...)
> In reality, this article is just Cold War 2.0 propaganda.
You are not wrong, however, I would have a hard time believing the NSA would hack a personnel database, and then sell social sec info and personal info to the highest bidder. I have no problem believing the Chinese would.
The PRC is a state, not a criminal gang. They have the second largest GDP after the USA. Why on Earth would they sell the information? The more people have the blackmail material gathered by hacking the OPM the less valuable it is.
I really think if the US wants to retaliate they can just make it legal for US citizens to hack China's targets. Then just wait for the phone call "Prease make it stop!"
I was wondering about this. What recourse would the Chinese government have if you sabotaged some of their systems? Stealing their data would be the best move but causing some problems wouldn't be too difficult.
The mix up of "r" vs "l" thing is a Japanese problem, not a Chinese one. Are you saying that if the US hacks China, the Japanese will call the US to stop? Be a little smarter and do a little more research next time when trying to be cute.
WW3 would be too devastating. Something like Cold War 2.0 is more likely. Imagine sanctions on China: couldn't happen, both our economies would suffer horribly.