[A response to my article here: http://www.wired.com/news/politics/0,1283,44742,00.html --DBM] --- Date: Fri, 22 Jun 2001 10:54:08 -0400 Subject: FW: [CS-596] - US Fears Countries, Not Hackers (Finally, some sanity!) From: Richard Forno <rfornoat_private> To: <declanat_private> Declan - Finally there is sanity from the Hill and government on the IW threat...at least acknowledging that the Sky is Not Falling...that in itself is a refreshing breath of air My comments shown below....feel free to use as necessary. Rick infowarrior.org > U.S.: Fear Countries, Not Hackers > By Declan McCullagh > > 6:38 a.m. June 22, 2001 PDT > > Forget the supposed menace of teen hackers causally bypassing the security > of U.S. military computers. > > The real worry isn't a teen like Analyzer -- the alias for an Israeli youth > who penetrated dozens of Defense Department computers -- but foreign > governments, according to a hearing organized by the U.S. Congress' Joint > Economic Committee. > > On Thursday, Sen. Robert Bennett (R-Utah) dismissed malicious hackers as > "nothing more than a nuisance" during a hearing entitled "Wired World: Cyber > Security and the U.S. Economy." > > Even tech-savvy terrorists still pose only "a limited cyber threat" compared > with enemy nations, said Lawrence Gershwin, a science and technology > specialist at the CIA's National Intelligence Council. He said Russia and > China had active programs, as does the U.S. About time that they realized a web vandal or a denial of service incident against a Dot Com is a nuisance. Assuming (key word!) the victim site has good backups and competent system admins, they should be able to quickly recover and remedy the breach/vulnerability with a minimum amount of downtime. Good security is to a large part, great systems administration. Terrorists want media coverage and to make an impact. Taking out a power plant with a truck bomb that rattles windows 2 miles away and leaves a 40x60 crater is much more of a public image than sneaking in thru the Cat-5 at night and planting a virus that does something nasty. They need to remember that the US is more vulnerable. More emphasis from DoD and elsewhere needs to be spent on information PROTECTION and not attacking someone else. Stop thinking inside the box! > > "For the next 5 to 10 years or so, only nation states appear to have the > discipline, commitment and resources to fully develop capabilities to attack > critical infrastructures," Gershwin said. > > The tone was remarkably different from the official line in 1998, when > Deputy Secretary of Defense John Hamre described Analyzer's attacks as > highly disturbing, "organized and systematic" intrusions into unclassified > military networks. Hamre did not have a clue about information operations or the true threat. He saw bad guys hiding behind every hub, switch, and router. I think he got his IW/IO/IA briefings from CNN, Fox, and sensational contractor reports. > > In June, an Israeli court sentenced Analyzer -- whose name is Ehud Tenenbaum > -- to probation instead of jail time. He's currently the chief technologist > for the 2XS security firm. > > This hearing comes after years of high-level discussions, commissions and > debate in Washington about the possibility of so-called cyber attacks that > could be launched against U.S. private or government sites. Warnings of a > looming electronic "Pearl Harbor" prompted former President Clinton to sign > Presidential Decision Directive 63, which created a critical infrastructure > protection plan. Because of the knee-jerk during the Clinton Administration, assisted by the media, script-kiddie web defacements, and certain sensational writers and contractors, PDD-63 only compouned the USG response to this overly-inflated perception of danger. The GAO report last month on NIPC's effectiveness confirms this. There has never been an 'Information War" or "Cyber Terrorist" event....if someone thinks Mafiaboy was a cyberterrorist, or that the Melissa Virus was the "first cyberterror weapon" or that the US and China were engaged in a vicious "cyberwar" they are hyping the threat perception to further sales of whatever product/service they sell, and damn the consequences to national policy. > A draft (PDF file) of the plan published last year warns: "In the next war, > the target could be America's infrastructure and the new weapon could be a > computer-generated attack on our critical networks and systems. We know > other governments are developing that capability. We need, therefore, to > redesign the architecture of our national information infrastructure." > > That's a broad and not very well-defined concept that includes, according to > the document, shielding "defense facilities, power grids, banks, government > agencies, telephone systems and transportation systems" against everything > from Osama bin Laden to a rogue Word macro virus. Well, if it's broad, it can be touted as "all-encompassing" and "a comprehensive plan" to deal with this alleged problem. Problem was that the plan was so comprehensive it was unable to be implemented due to its sheer size, scope, and depth....not to mention the problems of public-private cooperation. NIPC gave the FBI more resources for its national security mission - and another ricebowl mission to claim as their own. Typical government program - inside the box and stovepiped in an organzation least likely to be effective. > Some government officials have even called for the military to be involved > in protecting civilian networks -- presumably Internet peering points and > backbone providers -- against electronic intrusions, a prospect that worries > civil libertarians. Go for it - the National Guard is already being considered in Arizona and elsewhere for information protection missions. That works well because they are state resources and federal resources second - they can thus serve both the state law enforcement mission and federal national security mission already - we don't have to change the laws regarding military support to law enforcement! I proposed that 3 years ago..... they're already doing some work in the area already - web assessment, some light intel work, etc. So far it seems to be effective. > The CIA's Gershwin said that U.S. adversaries "have access to the technology > needed to pursue computer network operations.... Both the technology and > access to the Internet are inexpensive, relative to traditional weapons, and > require no large industrial infrastructure." Duh. But it does take a certain skill to do real damage, and even more skill to do real damage and not be caught. It's easy to be a nusiance threat script kiddie......they are the only ones that really fall into the overused clique of "point, click, hack" category. The adversaries that should concern folks are those that don't need to use GUIs to do their work....who think outside of the box and are brilliant..... > Peggy Lipps, a director at the BITS Financial Services Security Laboratory, > stressed that more international cooperation among police and more laws were > needed. > > "Physical jurisdiction is irrelevant in coping with crimes conducted across > borders," Lipps said. "Several efforts are underway to address the > international dimension of critical infrastructure protection, and the > Congress should be made aware of their implications." Yeah - the Council of Europe Treaty on Cybercrime is a real winner....that treaty, which nobody seems to know about, is a MAJOR problem for the United States citizenry with Consitutional rights and protections......if a US-based website has "Mein Kamf" on it, while its operator has freedom of speech in the US, under the COE Treaty, the French could have the site disconnected and its US citzen owner arrested under French law, since "Mein Kamf" is illegal under French laws. Someone needs to really get the word out on the COE Treaty and it's many unique provisions/problems that face the US citzenry. ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Jun 23 2001 - 00:28:51 PDT