Cold war doctrines on how to respond to nuclear attack need to be applied to the 21st century threats of cyber attacks and espionage, according to former US Homeland Security secretary Michael Chertoff. Chertoff told delegates at the RSA Conference in London that around 100 countries had cyber-espionage and cyber-attack …
Either clean up their act or develop counter counter measures,
Nation A receives attacks from Nation B (which may or may not be controlled by Entity A which could be criminal/national/terrorist/other and may be based in Nation A, B or C)
Nation B witnesses an attack from Nation A (Nation B may not be aware or may not care about the outbound attack from systems in their territory)
Nation B retaliates with organised strikes against Nations
Nation A steps up attacks, calls on aid from Alliance A
Nation B calls on aid from Alliance B
All out computer warfare begins. Additional nations use the cover of chaos to launch their own grabs on computer real estates.
It does sound very exciting. I know which country I'd put my money on winning though. Though I don't think it's very likely, but kids need toys to play with and departments need fear to secure budgets.
Sounds like war mongering to me
If you don't want your infrastructure to be attacked get it the hell off our internet. If you don't know how, I'm sure there are plenty of people in other countries who have the skills to help you out.
This guy doesn't really seem to understand that while cyber attacks _can_ be state sponsored as I'm sure the USofA has first hand experience of doing, themselves, the nature of the internet means that one person with a guessed password can wreak just as much havoc. In that case "doctrines" seeking to lash out at countries that america currently doesn't like just won't work - they might find themselves having to bomb the crap out of their own people, in their own country.
As it stands at present, most so-called defences against internet-borne attacks are little more than a signpost saying "Stop, fine for hacking this computer $1million - if we can find you" whereas the people (yes: people, not countries) who control the DDoS botnets and intrusion probing systems are the equivalent of a division of armour who don't even notice the sign as they roll right into your datacentre - which just happens to have the internet equivalent of a bright neon, flashing bullseye - with the letters ".gov" in the middle - displayed prominently on the roof.
It's no good bleating on about all the badness that "for-ners" represent on the internet and rattling on about "counter-attacks". The military have to realise that they are no longer relevant in preventing cyber attacks and that their 1960's style deterrence is ridiculed by the people (yes, them again) who have even the slightest clue about 21st century networked computing. The only real defence is to do to their infrastructure what they did to their nuclear bunkers and harden them against attack - not with reinforced concrete, but with decent software that has been designed, implemented and tested to withstand intrusions and DoS's and with physical separation from the people who might target them.
... if we're telling people to get off our Internet, don't we have to acknowledge that in fact it's kind of their Internet?
I mean, I'm no great expert in networking, but I always thought the USA pretty much ran the show in terms of who can be called what and how everything gets routed.
I may, of course, be entirely wrong, and have my coat already to hand.
They just don't get it, do they? I know it's something of a given that countries are always well prepared to fight the last war, but this is getting beyond a joke. Country boundaries no longer apply, if one country has the capability to perpetrate a cyber attack, then all countries do, because the capability is vested in small, highly mobile, and purchasable groups of people, not in large infrastructure projects and products.
I wonder how much damage the US and other large nation states are going to do to the world before they work this out?
I for one look forward to
receiving the cyber war equivalent of "Protect and Survive":
"In the event of cyber war, download as much of the internet as you can onto 3.5" floppy discs and hide under the stairs."
Duck and Cover
So next time someone at work gets a virus I should hide under my desk with my arms over my head?
Or would the mattress + doors against the wall method be better?
"Everyone needs to understand the rules of the game"
The rules of the game are that if you fsck up you're hosed.
This puts pork barrel shops like the DHS at a distinct disadvantage because most software, perhaps especially the most sensitive software* has not been designed with "security" or even "sanitising the input" in mind, and the bulk of that they don't even control. In fact, the whole structure of the "IT security" sector runs on swiss cheese holes and the business model invariably consists of patching said holes with easy cheez. And nothing more structural is ever done.
Of course the big upside for pork barrel shops like that is that it's all the more reason to ask for more budget -- to spend on "security" services in the form of more easy cheez.
You can panic about it, think of fancy plans for pre-emptive strikes and mutual assured destruction, kill switches and whatnot else. But none of that will add substantially to "security".
The only way to get more security is not to try and buy it, but to go out and get it, and then don't fsck up. And that only ever gets more complicated with all the layers upon layers of software we insist on stacking on top of each other. But you never hear that from the talking heads.
Meaning, in turn, that regardless of how much money you throw at these "gurus", all you get is more fearmongering at the next conference. Nothing substantial will get done.
* because proprietary and made by the lowest bidder utilizing underpaid crackmonkeys to write it
OpenBSD it and all its source code are free.
OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than Sun, SGI, IBM, HP, or other vendors are able to. We can make changes the vendors would not make. Also, since OpenBSD is exported with cryptography, we are able to take cryptographic approaches towards fixing security problems.
as taken from their website http://openbsd.org/security.html
While it's certainly better to make sure the fundaments of your software stack are sound --and we should, we must--, if the application has holes in it big enough to drive a state circus through, you're still hosed. That's the problem with security: Just patching holes isn't good enough. You'll never find them all. So you have to engineer everything you have, use, and make, to contain as few holes as possible. "Due diligence" as the banks practice it with their tiger teams and stuff is very slightly better than not doing anything at all, but in the greater scheme of things it's still laughably futile. What openbsd does is fairly useful, but now do that with every critical application in use. That is simply not going to happen.
But the point is that the DHS does not, in fact, have control over what software the rest of the country runs. So they can do little more than raise a little awareness and hope people will demand and make better software. Yet they don't do that, they're mumbling things about cold war tactics and whatnot else. It's bare chested putin language, but of little consequence.
In fact, laughably so, especially because it reeks of cargo culting. "We did this with the nuclear standoff, so if we do superficially similar things in this entirely different domain we'll get those good times back."
As someone else mentioned, as long as governments believe in this "cyber" thing, they're mainly deluding themselves. They can do little else because countries are all but irrelevant there. They can make themselves a good solid nuisance, even a deadly nuisance at times, but in the end what nation state you belong to doesn't matter on the internet. At best you'd get "optional" countries; be german in the morning and a jap at midnight. And what self-respecting government wants to be optional?
The obvious solution...
...is that anything critical should NOT be connected to the Internet no matter how pressing a reason the salesmen or accountants make for doing it. Systems that should never be connected to the Internet include but are not limited to *all* SCADA systems as well as vital data networks, i.e. military, ATC, inter-bank (CHAPS, SWIFT, Fedwire, and ATM networks). Preferably none of these networks should use TCP/IP, since using other protocols makes accidental or inadvertent connection that much less possible.
Cost is no excuse for doing nothing: X.25 exchanges were pretty cheap in the 90s and must be even cheaper today and there's plenty of dark fibre out there - or so we're told. In any case, the cost of cleaning up after a successful attack would most likely dwarf the cost of separate networks. Besides, most critical systems have their own networks already and the cost of ripping out cable linking their nodes to the Internet is approximately zero.
Any PHB who says otherwise should be instantly sacked for gross incompetence.
"Preferably none of these networks should use TCP/IP, since using other protocols makes accidental or inadvertent connection that much less possible."
Hey, pointy-haired boss.
Your sandwich, sir.
Cold war doctrine
We all know how effective cold war doctrine was right?
Does this ass clown have any other ideas?
The Horror. The Horror...
"Cold war doctrines on how to respond to nuclear attack need to be applied to the 21st century threats of cyber attacks and espionage"
Sounds like a convenient excuse...
...to physically attack whoever it is that you've been lusting to attack. (In Chertoff's case, probably Iran, maybe Venezuela).
Just say you've been cyber-attacked and that you've traced it back to the servers of --insert name of desired target here--, then make sure some of your "smart bombs" take out their servers and claim that the evidence was destroyed in the counter-attack.
"Would you like to play a game"?
If the shoe fits...
The rules of the game...
are really very simple: "if it's meant to be secure, don't connect it to the internet".
If you put something secret or safety-critical online and it gets stolen - that's your fault, not Iran's and not Wikileaks'. Don't go bombing, framing or ruining people just to cover your own incompetence.