Monday, October 29, 2012

The Next Weapon Of Mass Destruction Will Probably Be A Thumbdrive.

Despite congressional foot-dragging, or maybe because of it, most defense and technology analysts are screaming dire warnings of impending cyber attacks, whether by Internet hacks or infected thumb drives.
Iran is ratcheting up "copy cat" cyber attacks on the U.S., and as per a report soon to be out, China has a vast military infrastructure set up to launch web-based attacks on foreign infrastructure. And that doesn't even factor in the 'lone wolf' Anonymous-type hackers who are just in it for the "Lulz."
Yes, folks, the Cyber War is going on right now, and it's a World War like nothing ever before seen.
Bill Gertz of the conservative-leaning Washington Free Beacon reports:
The Project 2049 Institute, an Arlington, Va.-based think tank that focuses on Asian security issues, concluded that groups operating from Chinese territory have been “waging a coordinated cyber espionage campaign targeting U.S. government, industrial, and think tank computer networks.”
This "coordinated cyber espionage campaign" is waged from a new wing of the Chinese Military Industrial Complex called the "Beijing North Computing Center." Gertz goes on to say that analysts are calling this center another "department" since it's "similar to the United States National Security Agency, because of its signals intelligence work, its high-performance computing work, and its linguistic and code-breaking specialists."
And it's not just nation-states in the mix: civilian hacking groups from Russia and the Middle East (The Arab Electronic Army) are also targeting U.S. and foreign targets around the globe. Less vitriolic and militant, the hacktivist group Anonymous seems to target anybody whom they perceive to be blocking the "free flow of information" on the net.
The U.S. isn't standing down though — even if Congress won't pull the trigger on the cyber security bill, the military is leading the way in cyber deterrence and militarization. At the Air Force Academy there is training for permanent personnel wholly dedicated to fighting cyber wars.

Indeed, even the Marine Corps is getting in on the mix, in the hopes that they can weaponize cyber warfare to the point that it can supplement troops on the ground in small unit tactics.

Which brings the war full circle: as the military invests and Congress (grudgingly) forces infrastructure companies to update and harden networks, the most likely culprit in a cyber attack becomes the same culprit in the famous Stuxnet attack — a thumb drive.
Washington designed Stuxnet and then waited with bated breath for one of its on-the-ground 'assets' to slip it to an unsuspecting Iranian nuclear scientist.

From a report by Mashable:
The answer turned out to be simpler than U.S. officials thought, since some plant personnel weren’t very careful with the thumb drives they were carrying. Thumb drives were “critical” in the initial Stuxnet attacks — which began in 2008 — although unspecified “more sophisticated” means were later used.
“It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand,” one of the program’s architects said.

If a network is hardened, and military redundancies, offensive as well as defensive, are put into place, then the next best option is a manual insertion, like with Stuxnet. In fact, it doesn't even need to be a thumb drive; it can be a phone or a PDA.
Recently, the National Security Agency has begun testing BYOD, or Bring Your Own Device, and hardening networks as cloud computing begins to take hold in defense agencies.

"It's very simple: 'I want one device.' I don't think it's any more complicated than that," Robert Carey, principal deputy CIO at the Department of Defense, told TechWorld of the growing demand for BYOD policies. "Balancing ease of use and security is always the dynamic. Security is the antithesis of convenience."
What Carey is trying to say is that there are gaping holes in security with regard to storage devices. Employees bringing in mobile devices is exactly where the Iranians went wrong in terms of Stuxnet.

More from the TechWorld report:
Carey noted that the Pentagon is currently running multiple pilot programs to test various devices from other manufacturers, and working with vendors to harden mobile operating systems to meet DoD security requirements. But he held RIM, the maker of the BlackBerry, apart from other device makers for its focus on enterprise-grade security from the outset, while Apple, Android and other operating systems began with a consumer-centric approach, and have only been beefing up security in response to concerns from corporate and government customers.

"We have to manage this very carefully as we move into the future and make sure that these are not additional attack surfaces," Carey said to TechWorld. "I don't know that we'll quite get to a pure BYOD environment."
Soon, the weak networks of private American infrastructure companies will become hardened, if for no other reason than that the military's cyber skills toughen by the day. A quote from the Marines' "top cyber warrior," Lt. Gen. Richard Mills, on Aug. 15 about cyber warfare against the Taliban sums up America's future web defense:
"I was able to get inside [enemy networks], and affect his command and control and, in fact, defend myself against his almost constant incursions to get inside my [cyber] wire to effect my operations," Mills said.
There are three rules of nationwide cyber security, laid out to us by Jarno Limnell, a cyber security expert:

 1. Resilience (defense): We must be able to withstand an attack.

 2. Attribution: We must be able to locate the attacker.

 3. Offense: We must be able to locate and destroy the attacker.

So the likelihood is that a terrorist action, a 'copy cat' terrorist action, by the Iranians, Chinese or anyone, would take place over a mobile digital storage device.
The reason for this is that it eliminates the last two rules: Iran suspected it was the U.S. and Israel who infected their nuclear sites, but didn't know for sure until the Obama administration leaked its responsibility.

Without attribution, you can't locate an enemy, and you can't launch an offense.
That's why the next WMD won't be a suitcase bomb, and it won't be chemicals wired to blow in Times Square. It'll be a well-placed thumb drive or a BlackBerry that contains malicious code, placed by a homegrown terror agent, and brought in by an unwitting employee.


Source: Military & Defense
