back to article NSA boss reveals top 3 security nightmares that keep him awake at night

Admiral Michael Rogers, head of the NSA and the US Cyber Command, has told delegates during his keynote address at RSA 2016 the three things that keep him awake at night. His first fear is an online attack against US critical infrastructure, which he said was a matter of when it will happen, not if. Citing the recent Ukrainian …

Page:

  1. Anonymous Coward
    Anonymous Coward

    We'll help defend against the bad guys the second we can stop defending ourselves against the NSA

    1. Ole Juul Silver badge

      The devil within

      In fact the NSA is its own worst enemy.

      "Citing the recent Ukrainian power grid hack as an example, "

      And isn't it interesting that his best example is factually questionable? Seriously, why don't these guys just go back to discussing how many angels can dance on the point of a pin.

      1. John Smith 19 Gold badge
        Unhappy

        Re: The devil within

        "And isn't it interesting that his best example is factually questionable? Seriously, why don't these guys just go back to discussing how many angels can dance on the point of a pin."

        Now I'm a bit confused.

        Who wrote STUXNET and did that not destroy someones' critical infrastructure?

      2. fedoraman
        Coat

        Re: The devil within

        I thought that Sir Terry (and Neil Gaimen) had established that the number of angels that can dance on the head of a pin was one - as long as it was the gavotte.

    2. Anonymous Coward
      Anonymous Coward

      Yawn...

      Society blithely building it's networked technology up to a point where any old script kiddie anywhere can turn off its civilisation completely? Oh how dull, who is going care about that?

      I always thought that the N in NSA stood for National, so it belongs to the people. So presumably it exists and does what it does purely because the elected representatives think it should, and they'd only be reflecting the overall wishes of their electorate.

    3. James Micallef Silver badge

      So, actually, (3), "the terror-rists" isn't actually a threat, just him worrying that a specific group of people will act on threats (1) and (2).

      More importantly, the way to mitigate threats 1 and 2 is strong encryption and data security implemented by private individuals and corporations, which is the exact opposite of what the 3-letter agencies are asking for.

  2. Paul Crawford Silver badge

    Simplified list

    All 3 points come down to one basically: We, as people, have accepted piss-poor security in so many computer applications for years, but now we have put important stuff within an electronic arm's reach of world+dog to have a go if they feel like it.

    The current arguments about cryptography for law enforcement, etc, is a stupid distraction flamed by clueless politicians and civil servants and distracts from the above. We have found ways of catching and prosecuting criminals when they talked in person and did not write stuff down for many many years, so while it might be nice to get phone contents, it should not be necessary.

    Sadly we need to start making a big deal about businesses and gov departments that expose important stuff (from personnel/medical records, through to infrastructure like power and gas) to the world, and/or collect sensitive stuff they don't really need. Make damn sure that those in charge can face personal prosecution if they fail to manage the process, fail to have a system in place to check and fix things, and fail to get outside support to check its good enough.

    1. Marketing Hack Silver badge
      Megaphone

      Re: Simplified list

      @ Paul Crawford

      What are you, some kind of communist? Don't you know that shareholders and corporate execs aren't satisfied with OWNING the oil well, pipeline and gas station? Don't you understand that they need to be able to access the number of barrels coming out of the well every hour, and how much they are making on that, and then how much oil is in the pipeline, and how much they are making on that, and how much gasoline is coming out of the pumps at the gas station, and how much they make on that? The importance of securing this infrastructure so that we don't have pipelines exploding or so ambulances, fire trucks and delivery vans can pull into the gas station and find that the pumps are actually working is unimportant, as long as the endless, on-demand panopoly of lucre is on display!

      Our capitalist way of life depends on it!!

      1. amanfromMars 1 Silver badge

        Re: Re: Simplified list @Marketing Hack

        Yes, quite so, Marketing Hack, and the defending and promoting of the indefensible and oppressive by the likes of an Admiral Michael Rogers, head of the NSA and the US Cyber Command type [and Blighty is blighting itself with similar clones and drones of the model, as are most probably many more entangled state enterprises] is ...... well, a Titanic Folly identifying the Fools' Tools ....... and in a smarter and getting even smarter age and Live Operational Virtual Environment, are they of zero future value in any Present Marketing Space which refines and defines the Madness and Mayhem in AIMarket Places with CHAOS for Clouds Hosting Advanced Operating Systems.

        Such be nature of the current beasting reality and virtual reality ...... IT does not suffer the Folly of Fools either gladly or badly in Advancing IntelAIgent Markets.

    2. Primus Secundus Tertius Silver badge

      Re: Simplified list

      People say they want secure, bug-free systems; but will they pay for them? Hell, no!

  3. Christoph Silver badge

    And all three of those absolutely require strong crypto with no backdoors.

  4. 2+2=5 Silver badge
    Meh

    Item 2

    > Number two on his insomnia list was data tampering.

    And a good mitigation against tampering is strong encryption. Can anyone see the irony here?

    //straight face icon

    1. Kurt Meyer

      Re: Item 2

      @ 2+2=5 "And a good mitigation against tampering is strong encryption. Can anyone see the irony here?"

      From the article; "Rogers, who is on the record as supporting strong crypto..."

    2. Anonymous Coward
      Happy

      Re: Item 2

      Yes, but not for you

    3. Britt Johnston

      Re: Data tampering

      This is a real problem in industry databases, as managers come, redefine terms or scope, and go. It is a kind of revisionism, and over time can degrade a company's history. It reduces the useful life of basic infrastructure systems, accelerating their replacement time to every 10 - 20 years. Mergers, legislation and reorganisations speed the decay.

      Equating company management to non-state terrorists is a bit heavy though.

  5. g00se
    Headmaster

    Is that American Dad?

    Hint: None of them are Apple

    None of them IS Apple

    FTFY

    1. Uffish

      Re: Is

      None has been singular or plural since at least the ninth century. I'm not a grammar boffin so I am not qualified to say that you are wrong but I will say that you are not exclusively right.

    2. Brewster's Angle Grinder Silver badge

      Not so fast: English is an analytic language; not a synthetic one.

      I draw your attention to the note halfway down this page:

      In recent years, the SAT testing service has considered none to be strictly singular. However, according to Merriam-Webster's Dictionary of English Usage: "Clearly none has been both singular and plural since Old English and still is. The notion that it is singular only is a myth of unknown origin that appears to have arisen in the 19th century. If in context it seems like a singular to you, use a singular verb; if it seems like a plural, use a plural verb. Both are acceptable beyond serious criticism."

      Note the emphasis I have added.

      1. TRT Silver badge

        Re: Not so fast: English is an analytic language; not a synthetic one.

        None of IT is Apple.

        None of THEM are Apple.

        The singular/plural lies in what you are excluding.

        Or, considering none to be a contraction of "not one", not one would always have to be plural (zero being considered as plural). But "not one of it are Apple" doesn't sound right.

        I wish I hadn't automatically upvoted the grammar nazi simply on the basis the American Dad title made me laugh.

        1. JeffreyJames

          Re: Not so fast: English is an analytic language; not a synthetic one.

          Ya'll be trippin'. If youse people could get past your collective arse and focus, puh-lease!

        2. Brewster's Angle Grinder Silver badge

          Re: Not so fast: English is an analytic language; not a synthetic one.

          @TRT

          Both "none of it" (absence of a single, probably continuous, entity or trait) and "none of them" (absence of multiple, probably discrete, quantities) are ways of saying nothing; the subject of both sentences is zero. And, anyway, if we use the object of an of-clause to determine plurality, then my phrase "the subject of both sentences is zero" would have to be rewritten "the subject of both sentences are zero" While, if your theory about zero being plural is true, wouldn't we'd say "Nothing are due to Apple"?

          There just isn't a right way on this one. We can delete the qualifying of-clause and still argue about whether it's "none is Apple" or "none are Apple." Both are in widespread use.

          1. TRT Silver badge

            Re: Not so fast: English is an analytic language; not a synthetic one.

            Not really.

            "the subject of both sentences is zero" is correct because the "is" refers to the first definite noun in the sentence; "the sentence". None is an indefinite pronoun. "Them" and "it" are definite pronouns.

            "Nothing" is a contraction of "No" and "Thing". "Thing" is singular, which is why "Nothing are due to Apple" sounds wrong. I was talking about "none" which, from Mirriam-Webster, means "Not any", "Not one", "No part", and comes from a contraction of "Not one", in Middle English pronounced "nan". It's the same in the Oxford and Cambridge dictionaries.

            It's not my idea that zero is a plural; I checked before I posted and got it from quora.com, Mirriam-Webster and BBC's language section. Apparently the French treat "zero" as a singular.

            I was wondering why the thing about "none" being singular arose when "not one" is the same as the definition of "plural" anyway. Is it from French, where zero is a singular? Sounds kind of pretentious. Though I persist in using "data" in the plural and steadfastly refuse to budge from this position, even though the authoritative sources appear to have given up the fight on that one and say it can be either.

        3. 2+2=5 Silver badge

          Re: Not so fast: English is an analytic language; not a synthetic one.

          > Or, considering none to be a contraction of "not one"

          Full etymology here:

          <http://www.worldwidewords.org/qa/qa-non2.htm>

  6. Walter Bishop Silver badge
    Big Brother

    US critical cyber infrastructure?

    "Admiral Michael Rogers .. first fear is an online attack against US critical infrastructure"

    Don't connect US critical infrastructure to the Internet?

    "Citing the recent Ukrainian power grid hack as an example"

    Technicians on the ground have stated no 'cyber' attack took place. The Ukrainian power grid was taken down by explosives.

    "Number two on his insomnia list was data tampering"

    Implement a full irrevocable audit trail on the data and don't put your secret records on the Internet.

    "His third nightmare was down to the actions of non-state terrorist groups"

    I think he means anyone who criticizes US foreign policy.

    1. Anonymous Coward
      Anonymous Coward

      Re: US critical cyber infrastructure?

      "Don't connect US critical infrastructure to the Internet?"

      To the best of my knowledge, it doesn't (directly).

      However, since there are requirements for remote parties to send in billing data, this kind of thing is usually handled by site to site VPN's over the internet.

      The billing systems are usually set in a secure position further into the security layer, usually accessible via proxies and you can bet there will be IDS/IPS taps etc.

      There will always be a need for *some* connectivity between the critical networks and these internal secure services (such as billing etc.) - so whilst there is no *direct* path from the internet to these SCADA networks, there is a daisy chain of systems that can be followed if you know what you are doing etc.

      The exercise for the owners of these networks then becomes a question of layers, monitoring and incident response.

    2. phil dude
      Megaphone

      Re: US critical cyber infrastructure?

      @walter bishop

      Implement a full irrevocable audit trail on the data and don't put your secret records on the Internet.

      We can start with the websites of governments, newspapers and corporations.

      The last few decades has seen the "blurring" of what used to be fact via the update process.

      Scientific results we can (mostly) reproduce - historical facts we cannot.

      Is it not enough that we have ISP's and other data inter-mediaries rewriting webpages?

      P.

  7. Graham Marsden
    Facepalm

    So...

    ... basically none of the things that our politicians are using to scare us into accepting that they should have the ability to snoop on everything we do and every website we visit and everyone we talk to and...

    (Need a Big Brother slapping forehead icon!)

    1. Anonymous Coward
      Anonymous Coward

      Re: So...

      Should?

      Why are you talking in a conditional future tense when Distopia has been withj us for at least the last 10 years?

  8. Anonymous Coward
    Anonymous Coward

    Summary

    Essentially, what his three bogeypeople are:

    (1) Russia or China - make that Russia because China is just building over the South China Seas, and they will want to reuse infrastructure,

    (2) Volkswagen - because they make better cars no one buys American any more and this has impacted the economy, and

    (3) Daesh.

    Interesting choice of targets.

  9. Captain DaFt

    One more thing to keep him awake at night

    The things that the paranoid worry others are doing usually turn out to be the things that they themselves are doing, and are afraid of being caught at.

    1. Ammendiable to persuasion..

      Re: One more thing to keep him awake at night

      The psychological term for that is "projection".

      If someone is worried about people gossiping about them, that's because that's what they do. If a business person is worried about folks stabbing him in the back, that's what he/she is doing. If our government is worried about cyber attacks, well..

      1. Anonymous Coward
        Angel

        Re: One more thing to keep him awake at night

        Yes, thieves think everyone else is a thief

    2. Anonymous Coward
      Anonymous Coward

      Re: One more thing to keep him awake at night

      You mean like it getting oiut that they already have rear entrances into all of the publically approved Encryption schemes and Tim Cook?

    3. JeffreyJames

      Re: One more thing to keep him awake at night

      LOL...just like an episode of Steve Wilkos. :p

  10. Palpy

    Smart grid. For one thing.

    How does an increasingly complex power network spread across a few hundred thousand square kilometers respond quickly and intelligently to sudden fluctuations in the grid -- without relying on a com network which is at some level exposed to attack? I don't know that it can be done. And realistically, building the infra for a dedicated secure network would bust the chops of most power companies.

    I'm not arguing that it isn't a fine idea to keep everything important disconnected from all other networks. I might suggest, humbly, that it won't happen in the real world. Or not very often, anyway.

    Perhaps it might be productive to focus instead on a single-purpose, hardened OS, and not run industrial automation on Windows. OpenBSD on hard lockdown, sort of.

    Or, more likely, I'm just as much in cloud-cuckoo-land as the worst of them.

    1. Doctor Syntax Silver badge

      Re: Smart grid. For one thing.

      "And realistically, building the infra for a dedicated secure network would bust the chops of most power companies."

      It shouldn't bust the chops of most telecoms companies. What do you think the power companies used before they had the internet to do their coms?

      Nevertheless something other than Windows wouldn't be a bad choice. Dependence on an OS that can be obsoleted at will by a vendor isn't good.

    2. Anonymous Coward
      Anonymous Coward

      Re: Smart grid. For one thing.

      > How does an increasingly complex power network spread across a few hundred thousand square kilometers respond quickly and intelligently to sudden fluctuations in the grid

      As I understand it (from visiting a potential customer who does this stuff), the processing is localised, very high performance, and triple-redundant. Since any comms network is at risk of outages, my understanding is that the controller of the grid connection cannot depend on messages from "mission control" & instead samples the connected HT lines and analyses the data to work out for itself what the grid is doing.

      I think the customer was going to use QNX or VXworks on the SBC; though the real-time control is all embedded stuff on an enormous FPGA.

  11. Anonymous Coward
    Anonymous Coward

    I've got one...

    Along with everything else in America, why not just outsource the security project to the Chinese.

    -A bad beginning makes a bad ending.

    1. Anonymous Coward
      Anonymous Coward

      Re: I've got one...

      Don't laugh, because whilst China probably isn't in that mix, some of it at least is being outsourced to Indian firms.

      1. EnviableOne Bronze badge

        Re: I've got one...

        And that worked out well for TalkTalk

  12. heyrick Silver badge

    Right...

    So the head of a bunch of secretive spooks is a keynote speaker and we're supposed to trust a word of what he says? Come on, it's basic social engineering to push an agenda.

    1. FromTheRoot

      Re: Right...

      I wonder these days what this Agenda is......! I fear it may not have our best interests at heart, at least in the short-term, who knows about the long-term. Perhaps they know something more than we do and are actually benevolent. Till then,.....hmmmmm

      1. Anonymous Coward
        Devil

        Re: Right...

        its evidence for Alien infiltration, or they found that Vampires and werewolves exist and need some method to ID them - its all for our own good you know

  13. Anonymous Blowhard

    Strong crypto is the answer to his fears

    Let's look at his three fears from the viewpoint of strong cryptography:

    1) Attacks on Infrastructure

    Properly used, strong cryptography is going to make this harder for the attackers; possibly to the point of making it not worth trying.

    2) Data Tampering

    Strong cryptography is definitely the answer here; if you don't have the keys, you can't get at the data.

    3) Hostile Action

    Hostile action, against infrastructure or data, will only be hampered by strong cryptography; and the opposite is true, "our" back-doors become vulnerabilities for "them" to exploit.

    So, in summary, the Admiral's nightmares will only be worse in a world of government mandated weak cryptography; turns out he should be on our side after all.

    1. The Islander

      Re: Strong crypto is the answer to his fears

      No. 2 may occur based on foreign intent but executed from within.

      The article's context may well suggest contamination on a grand / bulk scale and is valid. But I for one would be just as vexed over internal, subtle and directed attacks.

      Eternally vigilant etc. What's not to like in our future utopia .. I like the flavour exemplified in Brazil myself.

      1. Anonymous Coward
        Anonymous Coward

        Re: Strong crypto is the answer to his fears

        The Film or the Country?

    2. Anonymous Coward
      Anonymous Coward

      Re: Strong crypto is the answer to his fears

      Get real - we have "strong crypto" now but it keeps letting us down (well, the implementation does, or it gets misused, or ignored). How many times has Open SSL turned out to be flawed, how many dodgy certificate authorities are out there, etc, etc, etc.

      To use encryption to allow stuff to happen and keep the bad guys out and be 100% confident about it to protect everything, we'd have to throw out everything we have now and do it all again, properly. Which would involve also solving the trustable identity problem, for which we have only very poor solutions at the moment.

  14. DasWezel
    IT Angle

    Eh?

    "What happens when they use cyber for destruction?" he asked

    ... What? That sentence reads like it was an excerpt frrom the Daily Mail.

    1. hplasm Silver badge
      Facepalm

      Re: Eh?

      Arrg! Cyber!!

      Kill it with fire!!

      What is wrong with these people...?

      1. TRT Silver badge

        Re: Eh?

        In my world, 'cyber' is the request you make for your fifth and above pint.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019