Despite
congressional foot dragging, or maybe because of it, most defense and
technology analysts are screaming dire warnings of impending cyber attacks,
whether by Internet hacks or infected thumb drives.
Iran is
ratcheting up "copy cat" cyber attacks on the U.S., and as per a
report soon to be out, China has a vast military infrastructure set up to
launch web-based attacks on foreign infrastructure. And that doesn't even
factor in the 'lone wolf' Anonymous-type hackers who are just in it for the "Lulz."
Yes, folks,
the Cyber War is going on right now, and it's a World War like nothing ever
before seen.
Bill Gertz
of the conservative-leaning Washington Free Beacon reports:
The Project
2049 Institute, an Arlington, Va.-based think tank that focuses on Asian
security issues, concluded that groups operating from Chinese territory have
been “waging a coordinated cyber espionage campaign targeting U.S. government,
industrial, and think tank computer networks.”
This
"coordinated cyber espionage campaign" is waged from a new wing of
the Chinese Military Industrial Complex called the "Beijing North
Computing Center." Gertz goes on to say that analysts are calling this
center another "department" since it's "similar to the United
States National Security Agency, because of its signals intelligence work, its
high-performance computing work, and its linguistic and code-breaking
specialists."
And it's
not just nation-states in the mix, civilian hacking groups from Russia and the
Middle East (The Arab Electronic Army) are also targeting U.S. and foreign targets
around the globe. Less vitriolic and militant, the hacktivist group Anonymous
seems to target anybody whom they perceive to be blocking the "free flow
of information" on the net.
The U.S.
isn't standing down though — even if Congress won't pull the trigger on the
cyber security bill, the military is leading the way in cyber deterrence and
militarization. At the Air Force Academy there is training for permanent
personnel wholly dedicated to fighting cyber wars. Indeed, even the Marine Corps is getting in on the mix, in the hopes that they can weaponize cyber warfare to the point that it can supplement troops on the ground in small unit tactics.
Which
brings the war full circle: as the military invests and Congress (grudgingly)
forces infrastructure companies to update and harden networks, the most likely
culprit in a cyber attack becomes the same culprit in the famous Stuxnet attack
— a thumb drive.
Washington
designed Stuxnet and then waited with bated breath for one of their on the
ground 'assets' to slip it to an unsuspecting Iranian nuclear scientist.
From a
report by Mashable:
The answer turned out to be simpler
than U.S. officials thought, since some plant personnel weren’t very careful
with the thumb drives they were carrying. Thumb drives were “critical” in the
initial Stuxnet attacks — which began in 2008 — although unspecified “more
sophisticated” means were later used.“It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand,” one of the program’s architects said.
If a
network is hardened, and military redundancies, offensive as well as defensive,
are put into place, then the next best option is a manual insertion, like with
Stuxnet. In fact, it doesn't even need to be a thumb drive, it can be a phone
or a PDA.
Recently,
the National Security Agency has begun testing BYOD, or Bring Your Own Device,
and hardening networks as cloud computing begins to take hold in defense
agencies.
"It's
very simple: 'I want one device.' I don't think it's any more complicated than
that," Robert Carey, principal deputy CIO at the Department of Defense.
Carey told TechWorld of the growing demand for BYOD policies. "Balancing
ease of use and security is always the dynamic. Security is the antithesis of
convenience."
What Carey
is trying to say, is that there are gaping holes in security with regard to
storage devices. Employees bringing in mobile devices is exactly where the
Iranians went wrong in terms of Stuxnet.
More from
the TechWorld report:
Carey noted
that the Pentagon is currently running multiple pilot programs to test various
devices from other manufacturers, and working with vendors to harden mobile
operating systems to meet DoD security requirements. But he held RIM, the maker
of the BlackBerry, apart from other device makers for its focus on
enterprise-grade security from the outset, while Apple, Android and other
operating systems began with a consumer-centric approach, and have only been
beefing up security in response to concerns from corporate and government
customers.
"We
have to manage this very carefully as we move into the future and make sure
that these are not additional attack surfaces," Carey said to TechWorld.
"I don't know that we'll quite get to a pure BYOD environment."
Soon, the
weak networks of private American infrastructure companies will become
hardened, if for any reason because the military's cyber skills toughen by the
day — a quote from the Marines' "top cyber warrior," Lt. Gen. Richard
Mills, on Aug. 15 about cyber warfare against the Taliban sums up America's
future web defense:
"I was able to get inside [enemy
networks], and affect his command and control and, in fact, defend myself
against his almost constant incursions to get inside my [cyber] wire to effect
my operations," Mills said.
There are three rules of nationwide cyber
security, laid out to us by Jarno Limnell, a cyber security expert:
1. — Resilience (defense): We must be able to
withstand an attack.
2. — Attribution: We must be able to locate
the attacker.
3. — Offense: We must be able to locate and
destroy the attacker.
So the
likelihood is that a terrorist action, a 'copy cat' terrorist action, by the
Iranians, Chinese or anyone, would take place over a mobile digital storage
device.
The reason
for this is that it eliminates the last two rules: Iran suspected it was the
U.S. and Israel who infected their nuclear sites, but didn't know for sure
until the Obama administration leaked it's responsibility.
Without
knowing attribution, then you can't locate an enemy, and you can't launch an
offense.
That's why
the the next WMD won't be a suitcase bomb, it won't be chemicals wired to blow
in Times Square, it'll be a well-placed thumb drive or a black berry which
contains malicious code, placed by a homegrown terror agent, and brought in by
an unwitting employee.Font: Military & Defense
No comments:
Post a Comment