[ISN] Asymmetric cyber threat

From: InfoSec News (alerts@private)
Date: Wed Nov 14 2007 - 23:06:28 PST


http://washingtontimes.com/apps/pbcs.dll/article?AID=/20071113/COMMENTARY/111130013

By James A. Lyons Jr.
November 13, 2007

One asymmetric threat to our military forces and the nation is "cyber 
terrorism." Our advanced technologically based military forces  
dependent on our satellites, critical infrastructure computers, the 
Internet, secure software programming, computer-driven 
telecommunications, air traffic control centers and other sophisticated 
sensor systems  are tempting targets for cyber terrorism.

Not only do we use our satellite and communication technology to support 
our military forces, but it has also become a key link in all aspects of 
our complex economic society. Banking, control of electrical grids, 
stock markets, telecommunications and a vast array of computer networks 
are part of our everyday life. Microprocessors and soon nanoprocessors 
have been built into our social fabric.

The control mechanisms at our nuclear power plants rely on performance 
analysis not by operators but by micro-processors. The flow of oil 
through thousands of miles of pipelines is adjusted by computers at 
valve sites remotely managed with communication systems vulnerable to 
interference and disruption. Railroad switches often are controlled the 
same way.

Experts have said 80 percent of successful intrusion into our government 
computer systems can be attributed to software errors or poor software 
quality. Many software products have poorly written or have poorly 
configured security features. Computers and networks without operating 
firewalls, up-to-date virus and password protection are invitations for 
disasters. DHS computers were subjected to penetration by Chinese 
hackers because we failed to install and monitor the necessary 
"intrusion-detection systems."

Compounding the problem, offshore outsourcing provides a programmer 
overseas the chance to secretly insert a "Trojan Horse" or other 
trapdoor into a new software product. Oracle, a major database software 
vendor and a supplier to U.S. intelligence agencies, has contracted for 
software development in India and China. It is to be noted that U.S. 
agencies are not permitted to use unsupervised development of software 
from untrusted sources.

Using untrusted software in critical commercial infrastructure is the 
major problem. Other countries that have received outsourced software 
work are Malaysia and Indonesia as well as possibly Pakistan, Russia, 
China and Israel.

Software outsourcing is only part of the problem. The Chinese mega 
corporation Lenovo bought IBM PC's production unit. There was great 
concern that they would have access to IBM's sensitive technology. 
Nonetheless, the U.S. State Department has placed an order for 15,000 
Lenovo PCs. How will State ensure the Chinese have not placed bugs and 
other devices in these PCs? This is too tempting a target for the 
Chinese to pass up.

We have been conditioned mentally to accept the ubiquitous "civilian 
hacker." Internet security companies such as Akamai in Boston track 
thousands of attacks against the U.S. government and corporate computer 
systems every day. The single biggest source of those attacks is China. 
According to Richard Clarke, former National Security Council member, a 
Chinese general has said they would reach out through cyberspace and 
turn off our electric power grids before any conflict with the United 
States. I would thank that Chinese general for the "strategic warning."

It has also been reported that Chinese "military hackers" have prepared 
a detailed plan to disable our aircraft carrier battle groups with what 
they hope would be a devastating cyber attack, according to one Pentagon 
report. That will not happen because of the redundancy built into our 
carrier battle groups.

In a previous briefing before Congress, the former CIA director said at 
least a dozen countries  including China, Libya, Russia and Iran  are 
developing programs to attack other nations' information computer 
systems.

Cyber attacks on our military forces, computer networks and critical 
infrastructure would be more than isolated acts of terrorism. The Carter 
administration considered nation-state-sponsored terrorism a "police 
problem." We cannot fall into that trap. The National Infrastructure 
Protection Center (NTPC) in the Department of Homeland Security defines 
cyber terrorism as "a criminal act perpetrated through computers, 
resulting in violence, death and/or destruction, and creating terror for 
the purpose of coercing a government to change its policies." But when a 
nation-state launches or sponsors such attacks either directly or 
through proxies, it is more than a criminal act, it is an "act of war." 
For those potential nation-state enemies, we need to fire a "shot across 
the bow" to make the consequences perfectly clear to them before they 
start down that path.

As part of our national policy, we need to declare now that a cyber 
attack by a nation-state or its proxies against our military forces or 
our critical infrastructure will be considered "an act of war" against 
the United States.

-=-

James A. Lyons Jr., U.S. Navy retired admiral, was commander in chief of 
the U.S. Pacific Fleet, senior U.S. military representative to the 
United Nations, and deputy chief of naval operations, where he was 
principal adviser on all Joint Chiefs of Staff matters.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Wed Nov 14 2007 - 23:23:03 PST