Fighting wars that target computer networks is fraught with risks that don't exist in traditional warfare, raising the stakes for future conflicts, a retired US general told security professionals Thursday. “You guys made the cyber world look like the north German plain, and then you bitch and moan because you get invaded," …
"The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense."
I'm not sure I get the premise, of course there are things that can be done to improve defenses, not that the government is doing them necessarily.
First of all, no critical systems should use unencrypted traffic, these should be secured through VPNs.
No critical systems should use security by obscurity, which is all too prevalent in proprietary control applications.
The entire network needs more redundancy, in particular critical services should not be in control of one entity (read "government" or organization) which could become infiltrated or compromised.
Software mono-cultures are devastating in the field due as they enable attacks which are massively scalable. Sourcing components from a single vendor should be discouraged.
Critical systems and security practices need to be audited by third parties.
The right time to build up defenses is now, before an incident occurs. However we know that motivation is rather unlikely until afterwards. Given this reality, it's important to have a plan on how to best react after the fact when preventable attacks are successful to minimize damage.
"of course there are things that can be done to improve defenses...
"...not that the government is doing them necessarily."
I think that's the point he's trying to make! Every time we hear of data being stolen or left on a laptop or sent on an unencrypted CD through the post shows a fundamental failure of understanding of basic security by Governments and Corporations.
And how many companies produce software which then require multiple patches to fix gaping holes in their security?
What is needed is a fundamental shift in attitude, rather than the "let's get the data or write the software and then fix the problems later."
As you say: "The right time to build up defenses is now, before an incident occurs", but at present too many stable doors are being locked and bolted long after the horse is over the horizon.
Re: failure of understanding
"Every time we hear of data being stolen or left on a laptop or sent on an unencrypted CD through the post shows a fundamental failure of understanding of basic security by Governments and Corporations."
Indeed. This is espionage, as noted by the speaker in the article. This happens all the time. The fact that it may only occur through "negligance" is luring tangent from the point.
If you lose/damage a piece of your employer's property (hardware or data), that's lack of responsibility on the person that did it. Of course, its all lumped into "security", because placing blame can get routed back to unintended sources...
There is defense
just because defense is hard doesn't mean there isnt any defense... if you have a public API someone is scraping it doesnt matter if its against TOS is up to you to be smarter than them... google created on time access tokens so you can pass a secret to lookup one call and one call only
yes its easier to break then build duh... you have to find 1 hole and we are trying to find and plug all the small leaks in the dam that may lead to the catastrophic failure and total breech
tell me im wrong... im @cartercole and id love to argue with you :)
surely bandwidth is king....
Actually, defence has the edge. If you reduce the bandwidth to zero, and lock the system in a safe, how can anyone attack you?
I have already seen the myth that attackers need one hole to be successful in the comments. Thats the case with eggshell networks. Thats why security should be layered, audited, validated, and above all, not trusted.
Want to know whats happening on your network, run wireshark. Seeing all the IPv6 routing and tunnelling traffic for the first time is a bit of an eye opener.
Saying that reducing your bandwith to zero is a viable defense stratergy is in many cases a bit like saying allowing Germany to Annex the UK would be a WW2 defense strategy - its just capitulaton, giving them what they want.
If I were to host say, a contraversial website with numerous classified documents freely avaialble to all comers, shutting down my connection is exactly what my potential governmental/religous attackers want.
That's exactly where he's misunderstood. You're talking field defenses - trenches, minefields, barbed wire, guard posts etc. He's talking strategic defense, where the layout of an entire region is facilitation or hindering campaigns. No amount of field defenses can make up for a mountain range, it's something completely different. DNSSEC is the first kind of strategic defense feature I've seen in a long time. We need more of whatever-it-is, I just can't see right now what we're going to build that makes electronic attack as difficult as getting an army into Switzerland or through the Pripyet swamps...
Using the wrong meaning of defense
I thin the above posters, @cartercole and @lou may be reading the word "defense" incorrectly
The person quoted is a general, he doesn't mean "firewalls and making sure your PHP is safe" sort of defense, he is talking about the military meaning of the word
In other words, you fight an enemy offensively or defensively. When fighting defensively you may allow them to come to you, and pound themselves against your walls or trenches and you kill them there
Obviously, in cyberwarfare, allowing hackers to attack your site deliberately to "kill" them as they do so isn't going to do anything.... You "must" fight offensively, seek their strong holds out and kill them where they live.
"The person quoted is a general, he doesn't mean 'firewalls and making sure your PHP is safe' sort of defense, he is talking about the military meaning of the word"
Maybe that's what he meant, but either way anyone who is an authority on network security should apply the terminology as a network security specialist would. Metaphors between the physical and internet worlds are often fraught with error.
"Obviously, in cyberwarfare, allowing hackers to attack your site deliberately to 'kill' them as they do so isn't going to do anything."
I guess your talking about an immediate directed retaliation, but generally the hackers will have better defenses than their target. One could throw honeypots into the mix, which are designed to deter from real targets, and collect information about the attackers.
The fact that he talked about rivers and hills as natural defenses shows that he was not talking about offensive or defensive fighting. He was talking about larger defense structures than firewalls. These are comparable to, say, city walls - a last defense maybe, but not enough to deter attacks, because attacking is easy, breaching only slightly less so. He was talking about structures that would make the *attack* itself harder. But the internet is largely flat - like the North German plains. No rivers or hills to pass - it's TCP/IP everywhere, the same hardware, the same software.
it was videos of your soldiers torturing their prisoners that you wanted to suppress.
ceci n'est pas un title
Talking of setting yourself up like the north european plain; our glorious govt is thinking of installing smart meters throughout the land. As part of the civil service's megalomania it is proposed that these will give TPTB the ability to switch the juice off remotely.
As is pointed out at http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf this gives an attacker the ability to inflict a denial of service attack with consequences of nuclear proportions, at a fraction of the cost of the real thing. Better yet, the infrastructure is left standing, your only problem is that you inherit a nation with umpty squillion bricked electricity meters!
Re: ceci n'est pas un title
Interesting read, thanks!
Lessons of War
The US Army, in the Cold War days, left the North German plain to other people. They were more immediately concerned with the Fulda Gap, which was a relatively unobstructed east-west route to the Rhine. So, yeah, they're used to the idea that geography matters, and there isn't any on the net.
Maybe the US Navy should be running cyber war? They're used to fighting battles with fixed objectives (Midway Island) surrounded by a featureless battleground (The Pacific Ocean). But don't push that analogy too hard. Naval warfare has generally been near coasts, where shipping movements become easier to predict. Deepwater battles have been incredibly rare.
And the tactical battle doesn't often take advantage of local terrain, it's not like being in a tank.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Analysis BlackBerry's turnaround relies on a secret weapon: Its own network
- Hire and hold IT staff in 2015: The Reg's how-to guide