FC: Feds fret about "cyberattacks" from governments, not hackers

From: Declan McCullagh (declanat_private)
Date: Sat Jun 23 2001 - 08:52:14 PDT

    [A response to my article here: 
    http://www.wired.com/news/politics/0,1283,44742,00.html --DBM]
    
    ---
    
    Date: Fri, 22 Jun 2001 10:54:08 -0400
    Subject: FW: [CS-596] - US Fears Countries, Not Hackers (Finally, some
    	sanity!)
    From: Richard Forno <rfornoat_private>
    To: <declanat_private>
    
    Declan -
    
    Finally there is sanity from the Hill and government on the IW threat...at
    least acknowledging that the Sky is Not Falling...that in itself is a
    refreshing breath of air
    
    My comments shown below....feel free to use as necessary.
    
    Rick
    infowarrior.org
    
    
     > U.S.: Fear Countries, Not Hackers
     > By Declan McCullagh
     >
     > 6:38 a.m. June 22, 2001 PDT
     >
     > Forget the supposed menace of teen hackers casually bypassing the security
     > of U.S. military computers.
     >
     > The real worry isn't a teen like Analyzer -- the alias for an Israeli youth
     > who penetrated dozens of Defense Department computers -- but foreign
     > governments, according to a hearing organized by the U.S. Congress' Joint
     > Economic Committee.
     >
     > On Thursday, Sen. Robert Bennett (R-Utah) dismissed malicious hackers as
     > "nothing more than a nuisance" during a hearing entitled "Wired World: Cyber
     > Security and the U.S. Economy."
     >
     > Even tech-savvy terrorists still pose only "a limited cyber threat" compared
     > with enemy nations, said Lawrence Gershwin, a science and technology
     > specialist at the CIA's National Intelligence Council. He said Russia and
     > China had active programs, as does the U.S.
    
    About time that they realized a web vandal or a denial of service incident
    against a Dot Com is a nuisance. Assuming (key word!) the victim site has
    good backups and competent system admins, they should be able to quickly
    recover and remedy the breach/vulnerability with a minimum amount of
    downtime. Good security is, to a large part, great systems administration.
    
    Terrorists want media coverage and to make an impact. Taking out a power
    plant with a truck bomb that rattles windows 2 miles away and leaves a 40x60
    crater is much more of a public image than sneaking in thru the Cat-5 at
    night and planting a virus that does something nasty.
    
    They need to remember that the US is more vulnerable. More emphasis from DoD
    and elsewhere needs to be spent on information PROTECTION and not attacking
    someone else. Stop thinking inside the box!
    
     >
     > "For the next 5 to 10 years or so, only nation states appear to have the
     > discipline, commitment and resources to fully develop capabilities to attack
     > critical infrastructures," Gershwin said.
     >
     > The tone was remarkably different from the official line in 1998, when
     > Deputy Secretary of Defense John Hamre described Analyzer's attacks as
     > highly disturbing, "organized and systematic" intrusions into unclassified
     > military networks.
    
    Hamre did not have a clue about information operations or the true threat.
    He saw bad guys hiding behind every hub, switch, and router. I think he got
    his IW/IO/IA briefings from CNN, Fox, and sensational contractor reports.
    
     >
     > In June, an Israeli court sentenced Analyzer -- whose name is Ehud Tenenbaum
     > -- to probation instead of jail time. He's currently the chief technologist
     > for the 2XS security firm.
     >
     > This hearing comes after years of high-level discussions, commissions and
     > debate in Washington about the possibility of so-called cyber attacks that
     > could be launched against U.S. private or government sites. Warnings of a
     > looming electronic "Pearl Harbor" prompted former President Clinton to sign
     > Presidential Decision Directive 63, which created a critical infrastructure
     > protection plan.
    
    Because of the knee-jerk during the Clinton Administration, assisted by the
    media, script-kiddie web defacements, and certain sensational writers and
    contractors, PDD-63 only compounded the USG response to this overly-inflated
    perception of danger. The GAO report last month on NIPC's effectiveness
    confirms this. There has never been an "Information War" or "Cyber
    Terrorist" event....if someone thinks Mafiaboy was a cyberterrorist, or that
    the Melissa Virus was the "first cyberterror weapon" or that the US and
    China were engaged in a vicious "cyberwar" they are hyping the threat
    perception to further sales of whatever product/service they sell, and damn
    the consequences to national policy.
    
     > A draft (PDF file) of the plan published last year warns: "In the next war,
     > the target could be America's infrastructure and the new weapon could be a
     > computer-generated attack on our critical networks and systems. We know
     > other governments are developing that capability. We need, therefore, to
     > redesign the architecture of our national information infrastructure."
     >
     > That's a broad and not very well-defined concept that includes, according to
     > the document, shielding "defense facilities, power grids, banks, government
     > agencies, telephone systems and transportation systems" against everything
     > from Osama bin Laden to a rogue Word macro virus.
    
    Well, if it's broad, it can be touted as "all-encompassing" and "a
    comprehensive plan" to deal with this alleged problem. Problem was that the
    plan was so comprehensive it was unable to be implemented due to its sheer
    size, scope, and depth....not to mention the problems of public-private
    cooperation. NIPC gave the FBI more resources for its national security
    mission - and another ricebowl mission to claim as their own. Typical
    government program - inside the box and stovepiped in an organization least
    likely to be effective.
    
     > Some government officials have even called for the military to be involved
     > in protecting civilian networks -- presumably Internet peering points and
     > backbone providers -- against electronic intrusions, a prospect that worries
     > civil libertarians.
    
    Go for it - the National Guard is already being considered in Arizona and
    elsewhere for information protection missions. That works well because they
    are state resources and federal resources second - they can thus serve both
    the state law enforcement mission and federal national security mission
    already - we don't have to change the laws regarding military support to law
    enforcement! I proposed that 3 years ago..... they're already doing some
    work in the area already - web assessment, some light intel work, etc. So
    far it seems to be effective.
    
     > The CIA's Gershwin said that U.S. adversaries "have access to the technology
     > needed to pursue computer network operations.... Both the technology and
     > access to the Internet are inexpensive, relative to traditional weapons, and
     > require no large industrial infrastructure."
    
    Duh. But it does take a certain skill to do real damage, and even more skill
    to do real damage and not be caught. It's easy to be a nuisance threat
    script kiddie......they are the only ones that really fall into the overused
    cliché of "point, click, hack" category. The adversaries that should concern
    folks are those that don't need to use GUIs to do their work....who think
    outside of the box and are brilliant.....
    
     > Peggy Lipps, a director at the BITS Financial Services Security Laboratory,
     > stressed that more international cooperation among police and more laws were
     > needed.
     >
     > "Physical jurisdiction is irrelevant in coping with crimes conducted across
     > borders," Lipps said. "Several efforts are underway to address the
     > international dimension of critical infrastructure protection, and the
     > Congress should be made aware of their implications."
    
    Yeah - the Council of Europe Treaty on Cybercrime is a real winner....that
    treaty, which nobody seems to know about, is a MAJOR problem for the United
    States citizenry with Constitutional rights and protections......if a
    US-based website has "Mein Kampf" on it, while its operator has freedom of
    speech in the US, under the COE Treaty, the French could have the site
    disconnected and its US citizen owner arrested under French law, since "Mein
    Kampf" is illegal under French laws.
    
    Someone needs to really get the word out on the COE Treaty and its many
    unique provisions/problems that face the US citizenry.
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


