U.S. Steps Up Effort on Digital Defenses

A new international race has begun to develop cyberweapons and systems to protect against them.

Comments: 47

  1. They should call it => cybrid <= warfare.

  2. This effort should have been put on the front burner years ago. Hopefully, those in charge will use that magnificent organization, the Strategic Air Command (SAC), as a model when they stand up the Cybercommand.

  3. Wouldn't it be easier - and cheaper - if we just learned how to get along with each other? I'm just saying...

  4. Individuals and nations shy away from the word "war". This is why we have engaged in conflicts since 1950 without formally declaring the word "war". However, as I learned to my concern while watching ABC National News last week, we remain painfully vulnerable to cyberattacks from others who would tacitly undermine our national and international interests. I would urge President Obama and others in our government to pursue all methods necessary to bolster our defenses against such cyberattacks. A little hint of mutual deterrence in the cyberwars might not be such a bad thing after all.

  5. This is all very dramatic, but it sounds like engineering overkill. The simplest solution to avoiding cyberattacks is physical security - just don't connect vital systems to the Internet. Government and commercial entities can do this easily.

    Another approach is to utilize high-strength "virtual private networks", which encrypt data communications such that only the computers in the designated private group can exchange data with each other.

    A third is to invent completely different communications protocols and communications hardware for use on sensitive computers.

    The government is spending billions on the question of how to protect computers while using the Internet, when the answer is staring them in the face: don't use the Internet.

  6. Nobody has ever really been serious about this. If they were serious, they would have used technologies available since the 1980s and 1990s to secure our infrastructure, but it's easier to talk than do.

    For instance, the following would be in widespread use.

    1) DNSSec (verifiable, unforgeable DNS records)
    2) IPSEC (Secure IP connections)
    3) PGP Signed and encrypted mail (verifiable, secure email).

    Those three alone would have dramatically strengthened security, without undermining the ability of the state to perform legal wiretaps, which could always be pulled off with sneak-and-peek anyway.

    They have been avoided because either nobody cares, or illegal wiretaps are too important to give up, I'm not sure which. There is not now, nor has there been for years, any significant technical challenge to adequate security, the problems have always been political.

    Forgive me if I am skeptical.

  7. I'm sorry to say this, but, all computers should be sold with a private encryption for each user. If this "number" is not in the computer, or if it is taken out, the user cannot interact on the web! That's the only way this can work! And, yes, I know about the privacy issue, but you have to draw the line, when it comes to "warfare"!!!

  8. Like the song says...Paranoia, the "Destroyer"
    Perhaps we should dig underground shelters, in case the computer blows up. Probably a good idea anyway, since the pentagon is always seeming to invent new enemies to justify their existence.
    I like the idea of a separate internet for the military.
    Perhaps that will limit aggression to those who are looking for it.

  9. The time has come to substantially raise the penalties for cybercrimes including those for hackers that penetrate US agencies and US government, military and scientific contractors. Cybercriminals should be treated the same as physical criminals as the damage they do to our national security, financial security and finances, and to the privacy and confidentiality of personal and governmental information is no different than if they broke and entered the buildings and the computers and files they pilfer.

    If American lives are lost or if national secrets are passed on to our enemies or are attempted to be passed on, treason laws and treason penalties, or federal murder statutes should apply.

  10. Finally the US gov't is recognizing that we need to not only defend ourselves but attack the perpetrators behind these malicious attacks on our infrastructure.

  11. The mainstream media gave us an impression that we, the US, are at the receiving side of cyber attacks, as they frequently report hacks from other countries are trying to infiltrate our governmental, industrial and organizational computers. It is hard to see a report like this one on the US effort on cyber warfare. Given the history of how this country was engaged in all kinds of warfare, conventional, nuclear, chemical, biological, it will be foolish to believe America will lag behind any country in developing cyber warfare strategies and tactics and has done less on this front. Don't forget the CIA and Pentagon have never eased their recruiting effort to hire top computer hacks since the birth of the Internet.

  12. Where to begin... the average person is and will be in the dark on this subject by its very nature.
    Large, multinational companies-eg. Microsoft, Intel, all computer companies talk all day about security and have been for years, yet, as soon as their products hit the market a notice is posted that they have discovered a fault...and so it goes.
    The Hollywood movie "romanticized" notion of some madman with a computer trying to destroy the world and the hero at the last second trying to input the code to stop it has been played over and over for many years now..
    Where are all of the cybercops when you need one?

  13. The solutions to web security are really only very difficult for the reasons that relate to issues you mention: every government, not to mention business, wants to be able to breach the security.

    Closing the holes completely is straightforward, but if you want to leave some holes open for yourself, then they are open to everyone.

    It's like spam, bots, re-directions, viruses, etc.: actually these would be very easy to control except that Macy's, Dell, and every other web site business wants to do it too.

    It's like land line and cell phone tapping: closing this down would be easy if it was closed down to everyone. But governments, the worst offenders, couldn't live without spying.

  14. Do we need it? In the end, the US has the ultimate upper hand: it controls the "root" of the entire cyberspace, called the "root name server". Uncle Sam can deny service to any part of the internet that it doesn't like and there will only be cyber chaos in that part of the world.

  15. Alert, National Security Agency; CIA; DNI; President of the United States:

    The digital war was lost, when George Bush gave the contract for the Pentagon's major computer to IBM - which was even then owned (literally) by China.

  16. While cyberwar is important, POTUS would be well advised to increase our support capability. The military is vastly short of things like trucks, drivers, warehouse personnel, etc. The result is that while our National Guardsmen are sometimes serving their 4th tour downrange, they are not available to handle disasters in the U.S., such as hurricanes and floods.

  17. We fell way behind when the Clinton administration and the Republican Congress in the 90's made any kind of encryption research into taboo.

    How are we going to have any kind of safe supple network with information safely traversing it, if we aren't advocating a full effort in this field by anybody who cares to contribute?

    As our networks get bought up more and more by cable and phone ISPs who do everything in their power to limit our capabilities, and stingily dole out occasional new technologies they feel won't affect their bottom line, should we be surprised that our networks become more and more vulnerable from all that centralization and stifling of innovation?

  18. It's just not as simple as folks like #5 (Citizen3591) would have it, nor as preventable as #6 (Joey) projects.

    It's just very unlikely that there will be no bridges between the world-wide network and the "segregated" secure network. If you hack the easy side (worldwide access) you have insider access to the secure side, and plenty of opportunity to exploit it. Secret codes and protocols will be useless if you have someone resident in a machine who can gain access to use the secrets via the paths that were designed to use them. Somebody, someplace, will inadvertently or purposefully open a backdoor into his secure system. It may be to make his system repairable or reachable, or it may happen by accident because of a system backup or something. With the thousands of separate computers necessary to do the secure job, someone, somewhere, will open a door long enough for a cyber warrior to sneak in. Witness the honeypot tests that security companies and agencies use. Unprotected computers are compromised within minutes of being opened to the web.

    The only security is, as the article refers to the air traffic control system, no connection at all, and that defeats the whole purpose of many computer-monitored systems.

    This isn't to say the prospects are totally dour, just that the solutions aren't as simple as some would have them.

  19. I would be happy if I could just block SPAM.

  20. Trust that the designers of computer systems can anticipate all the problems? I'm sorry, but the Y2K situation didn't inspire confidence. And, more reading of science fiction for our leaders, please--we're going to need greater cynicism, a sense of humor, and blasting of functional fixedness.

  21. My God! Rampant paranoia. Increasingly, this is a world run by sociopaths.

  22. Seems like a good idea to step up our efforts... but how much offensive capability can we have without using distributed botnets? And is there a way to build a botnet that doesn't require taking over the computers of civilians? Some of whom will be in America?

  23. An excellent and timely treatment of a subject that cries out for coverage! My plaudits to Messrs. Sanger, Markoff, and Shanker for their due diligence, and to the "Times" for having offered the reading public a glimpse into this new world. Forget about the one reader's nonsensical plea for "getting along"; we need to prepare for the worst, and as R. Reagan once observed: "Trust, but verify." We verify electronically now via spying, period, and everyone will have MAD--mutually assured destruction. Our foes will understand this, and respect us as well.

  24. The report does not speak of what OS is being attacked. Do the computers contain Microsoft, Mac or Linux software? Is there a fear to mention what is on these computers? A fear of Microsoft by NY Times?

  25. Can't I just run a Norton anti-virus scan on my Windows 95 computer? lol!

    Seriously though. I'd love to see the U.S. step up its cyberwarfare attack and defense capabilities. We own the internet. We'll take it down just like we brought it into existence.

  26. One more thought--as I believe the proposition that if it can happen, it will, I'll say that attention to consequences is not actually paranoia. A homogeneous system is inherently unstable, and our societies are made up of huge (geographically) specialized populations. I think I've been scooped by Mr. Ramo, whose book is reviewed in this issue, but in conversation I've long argued that the village model is more stable. Diversity is strength, and towns which contain all functions will be less destroy-able. As long as we're subsidizing things like mad, how about an infrastructure which contains those gardens and blacksmiths? "I'm just saying."

  27. #13 Glen hit the nail on the head! "It's like land line and cell phone tapping: closing this down would be easy if it was closed down to everyone. But governments, the worst offenders, couldn't live without spying."

    From the article -

    "After the controversy surrounding domestic spying, Mr. Bush’s aides concluded, the Bush White House did not have the credibility or the political capital to deal with the subject."

    Ahh... So now the domestic spying is hindering National Defense! Priceless!!!

  28. Is it possible to make the cyberspace secure? The answer is an unequivocal YES. Will it happen before a complete meltdown? Unfortunately, the answer is NO.

    There is no doubt that if the internet were designed from scratch with the benefit of contemporary knowledge and experience, it would be based on technologies that are far better suited to the job. After all, the intrinsic vulnerabilities of the original internet have been well known and documented for some time now.

    Unfortunately, by the time the scope of the problem was recognized fully, it was already too late to go back and replace the technologies that were at fault; gradual modernization would make sections of the internet incompatible, while universal change is simply impossible, given the scope and the cost of the project.

    The challenge is more than creating new, inherently secure technologies. New technology, no matter how powerful, is useless if there is no way to bring it to the market and put it into the hands of the users. The solution to cyber security needs to come in a form that would allow it to be deployed in the background, without major disruption of the existing economy and social structure of the cyberspace.

    This challenge could have been answered years ago, but unfortunately the IT industry had its focus elsewhere. Since the beginning of the internet explosion functionality was the key but the security only a mere afterthought, a boring task that keeps one away from the excitement of creating new hot applications.

    I am afraid it will take a major meltdown to shift the existing technological paradigm away from the mega companies that continue to dominate the market but have proven incapable of providing secure and reliable solutions. Just like the latest financial bubble, the IT industry has been growing in the direction of maximum short term profits, without any serious consideration for building strong and secure infrastructure for communications and commerce.

    Even a brief look at the daily news tells us that we are not only losing the war to protect our privacy and information online, we have not even won any battles of consequence lately. It is no longer a question of “if” or “when” but rather of “how soon” before a perfect storm of cyber crime and cyber warfare may conquer cyberspace. We have grown so dependent on the internet in all aspects of our lives that the effect could be truly catastrophic: not only could it destroy economies, businesses, public institutions and ruin many lives, it could also tear the very fabric of our society and create social unrest on a global scale. The damage would probably be on the order of the global economic meltdown currently underway, with even wider implications that could defy hope of repairing it in any foreseeable future.

    Yet, until it happens, I do not see the IT industry giving up their vested interests in the existing technologies, no matter how outdated and inadequate.

  29. Just give them all Macs...case closed. Next threat, please.

  30. Joey's comment (#6) is on the mark. The core issue is about the widespread understanding and use of encryption and authentication protocols. It's a technical thread that needs to be woven into the social fabric.

  31. Too bad the US is considering another war that can only be lost. Safety on the internet is an essential function of it, and should be developed by the worldwide scientific and engineering community just as global warming can only be solved by worldwide cooperation.

  32. I am an IT security specialist. The U.S. has been lagging behind and playing catch-up to the ever-growing threat that is posed by huge security issues.

    All of Microsoft's operating systems are rife with huge security vulnerabilities. Even Adobe's Acrobat (8.1.0) had issues that our testing verified - an issue that pushed us to Acrobat 9.

    The NSA has been working on Cyber-threat issues for decades - but they are swimming against the stream. Every time Microsoft or anyone else for that matter, launches a new version of their product we discover holes that are simply the result of products that were pushed out too quickly due to the ever-growing need to create revenue - in spite of security needs. The marketing gurus push to have products ready - and rely on "security" or "stability" patches to be released AFTER a product is launched onto the market to plug these problems.

    Sloppy - Would you buy a car without all of the mandated safety features? Features that would save your life, or the life of a loved one in the event of a crash?

    In other words - all of us are "beta" testers.

    Until Congress or someone with REAL clout mandates that software adhere to a clear and understandable set of rules - Rules that guarantee quality of the product - the issue of security will not go away.

    We have our homes inspected during construction to ensure our safety.

    We have our food supply inspected and tested for quality.

    We have our water tested for purity.

    We licence the Doctors, Dentists, and Lawyers who serve us.

    But we have ZERO regulation regarding the quality of the applications - products that are often custom-made - that guide the nation's air travel, secure our private financial data, or regulate the air, water, or safeguard our personal medical information.

    I am afraid that only after a huge catastrophe will anything concrete be done about this issue. I hope that I am wrong.

  33. For decades we have been subjected to scare stories about computer security. Yet no disaster ever happens. Occasionally, someone gets some social security numbers (So what? Since when are they a military secret?) or credit card numbers, leading to some small frauds. If this were a major problem the credit card companies would raise their fees to cover their losses. They spend more on postage---I receive offers nearly daily---than they lose by fraud.

    When computer security is actually important (CIA, military, etc.) you put an "air gap" (no electronic connection) between the systems you want to protect and the outside internet. That is unbreakable. The real threat is trusted people going bad (spies). They can get their hands on information, whether or not computers are involved, precisely because they are trusted. Benedict Arnold stole vital secrets without the aid of computers.

    In everyday life, for unclassified (home, business, and even non-sensitive military and intelligence agency) computers the solution is to use Linux or Unix operating systems. They have proven secure in practice. If you use Microsoft software, you have only yourself to blame for the consequences, just as if you left your files in an unlocked filing cabinet out on the street.

  34. Re: #18

    > somebody, someplace, will inadvertently or purposefully
    > open a backdoor into his secure system. It may be to
    > make his system repairable or reachable

    While I agree with some of your points, if you know what you're doing then you can pretty much lock down your network very tightly.

    On your point of remote admin access, don't use the default ssh port & don't respond to unsuccessful logins (read: bots, script-kiddies etc). That said, you can point your default ssh port to an internal "reverse honey-pot" that may contain viruses that create a back door (trojan horse) to the attempted "cracker" (true term unlike "hacker").

    There are many opensource unix/linux tools available for "deep packet processing" & admins should learn how to use 'em. Also, many admins don't realise that MitM (man in the middle) attacks have successfully been demonstrated over ssl vpn by spoofing as the host to the browser (read: use 2 way certificates).

    Perhaps the solution is really to ban microsoft products? :)

  35. America deserves this plague.

  36. Starting in 2002 we gave away our dominance in software technology to other nations. The policy of China was to subsidize tens of thousands of students studying in the computer sciences. In 2002 American companies subsidized this policy of China by shipping over American jobs so that Chinese students could gain the necessary and hard to obtain experience of working on real systems. American programming jobs were shipped to India, China, and Russia and subsidized these nations in their ability to build expertise in software technology.

    Now very few American students are enrolled in the computer sciences departments of America to provide the expertise necessary for threats to American computer systems, while other nations have tens of thousands that can obtain all of the benefits of software technology. American students will not enroll in the computer sciences when the policy of America is simply to ship programming jobs overseas.

    Now many American systems are dependent upon offshore foreign programmers.

    There have already been incidents where offshore foreign workers were bribed to provide account information on bank customers.

    The reality is that major American systems may have already been compromised by bribes to offshore foreign workers to insert malicious code into the American systems where they have direct access.

    Hollywood movies show complex schemes and supposedly sophisticated attacks to access computer systems when the reality is that you can simply walk in the front door with a bribe and have complete access.

    It is meaningless to protect these systems from attacks over the internet when they may already have been seriously compromised.

  37. We should first build up our cyberwarfare capability, and go to the negotiation table with the Bear and the like to draft up a cyberspace version of the "Nuclear Non-Proliferation Treaty" and rules of engagement.

  38. Well, given that now we have a pandemic and we are told that it is too late to do anything to stop it, why should we think that the US government will not waste money in preparing for these cyberattacks? Will we be told too that when a virus is crippling our computer infrastructure that it is too late to stop it from spreading?

    Security in cyberspace begins at the end-user, with secure OS and practices. But I am sure that this cyberwarfare stuff will end up feeding US government contractors fat and wealthy, but that if a problem ever comes to pass, all of this will prove ineffective.

  39. Re: #28

    > Is it possible to make the cyberspace secure? The answer
    > is unequivocal YES.

    I'm sorry but I'm going to have to disagree with you :)

    Computer hardware & software is created by humans, who have many flaws, one being - "complacency".

    Like I already posted, there's been crackers using MitM & take on ssl-vpn & win. They didn't need to concern themselves about having an infinite amount of processing power to break the encryption, they just looked for weaknesses in the authentication method b/w the host & browser. Similar things have also been done over ssh tunnels.

    A couple of months ago I read of a South Korean hooker that managed several times to get past Japan's biometric passport/customs system by using a new passport with a different name, fake fingerprints & contact eye lenses. And to think that a few years ago this was the stuff of Hollywood movies :)

  40. @#37

    That's the e-quivalent (or is it iQuivalent?) of what North Korea is doing, building a nuclear bomb so they have something to negotiate with.

  41. The Chinese are a million times smarter and stronger than we are. When we do go to war with China, the United States will be totally defeated within seventy-two hours. China will rule the world for a thousand years.

  42. Cyberwar would be impossible if people wrote with fountain pens. These new-fangled technologies have left us vulnerable to all sorts of miscreants and malefactors whose capacity for mischief has increased many-fold with the advent of computers.

  43. They're not watching American Idol in China. They're making plans to destroy America, and we've handed them all the tools and resources to do it. I hope I'm not around to see it. God Bless the United States of America.

  44. # 29,

    Not sure if your comment was supposed to be funny or serious. Please advise. I'm thinking you were just being sarcastic.

  45. How many Americans work in the Chinese military industrial complex? NONE. They don't even let us in the country. How many Chinese nationals work in the American military industrial complex? Thousands--- and they're all spies for the Communist Chinese military. The Chinese have approximately five thousand front companies working in the U.S. to conduct espionage and sabotage. We hire anybody who knocks on the door. We're so stupid.

  46. I have an iMac and can, and do, encrypt all sensitive files with a program called goSecure. What is needed is a better OS and a way to encrypt all email that is transparent to end-users. This is a two-edged sword, as this would mean terrorists could do this as well. Since we are at "war" [there should be such a declaration by Congress] civil rights be damned. Maybe an NSA approved encryption system should be adopted and made mandatory for national use. We already know NSA reads our email and monitors our phone calls at its pleasure. So be it.

    Once there was PGP, which worked beautifully, but for all practical purposes it seems to have vanished and I don't think this is accidental. Anyway, we need to have the ability to crush all cyber systems in China and Russia as they are distinct threats to our security, for the same reason we need nukes. Nukes saved us in the Cold War and our national brain trust could, and should, provide a nationwide secure computer system - now!! All the chicken littles went ape yesterday when AF One flew over NYC. Downing the WTC is trifling compared to what destroying the Internet would do to America. We are at war and should act accordingly.

  47. G. Andrews, NYC:
    "The Chinese are a million times smarter and stronger than we are."

    I disagree with you on this. But it will be really dumb (as most Americans do) trying to find someone else to blame every time one has a problem of his/her own, because one can never learn in this way.