NSA boss reveals top 3 security nightmares that keep him awake at night

Admiral Michael Rogers, head of the NSA and the US Cyber Command, has told delegates during his keynote address at RSA 2016 the three things that keep him awake at night. His first fear is an online attack against US critical infrastructure, which he said was a matter of when it will happen, not if. Citing the recent Ukrainian …

Anonymous Coward

We'll help defend against the bad guys the second we can stop defending ourselves against the NSA

51
2
Silver badge

The devil within

In fact the NSA is its own worst enemy.

"Citing the recent Ukrainian power grid hack as an example, "

And isn't it interesting that his best example is factually questionable? Seriously, why don't these guys just go back to discussing how many angels can dance on the point of a pin.

17
3
Anonymous Coward

Yawn...

Society blithely building its networked technology up to a point where any old script kiddie anywhere can turn off its civilisation completely? Oh how dull, who is going to care about that?

I always thought that the N in NSA stood for National, so it belongs to the people. So presumably it exists and does what it does purely because the elected representatives think it should, and they'd only be reflecting the overall wishes of their electorate.

2
0
Gold badge
Unhappy

Re: The devil within

"And isn't it interesting that his best example is factually questionable? Seriously, why don't these guys just go back to discussing how many angels can dance on the point of a pin."

Now I'm a bit confused.

Who wrote STUXNET and did that not destroy someone's critical infrastructure?

3
0

So, actually, (3), "the terror-rists" isn't actually a threat, just him worrying that a specific group of people will act on threats (1) and (2).

More importantly, the way to mitigate threats 1 and 2 is strong encryption and data security implemented by private individuals and corporations, which is the exact opposite of what the 3-letter agencies are asking for.

2
1
Coat

Re: The devil within

I thought that Sir Terry (and Neil Gaiman) had established that the number of angels that can dance on the head of a pin was one - as long as it was the gavotte.

1
0
Silver badge

Simplified list

All 3 points come down to one basically: We, as people, have accepted piss-poor security in so many computer applications for years, but now we have put important stuff within an electronic arm's reach of world+dog to have a go if they feel like it.

The current arguments about cryptography for law enforcement, etc, are a stupid distraction flamed by clueless politicians and civil servants and distract from the above. We have found ways of catching and prosecuting criminals when they talked in person and did not write stuff down for many many years, so while it might be nice to get phone contents, it should not be necessary.

Sadly we need to start making a big deal about businesses and gov departments that expose important stuff (from personnel/medical records, through to infrastructure like power and gas) to the world, and/or collect sensitive stuff they don't really need. Make damn sure that those in charge can face personal prosecution if they fail to manage the process, fail to have a system in place to check and fix things, and fail to get outside support to check it's good enough.

40
0
Silver badge
Megaphone

Re: Simplified list

@ Paul Crawford

What are you, some kind of communist? Don't you know that shareholders and corporate execs aren't satisfied with OWNING the oil well, pipeline and gas station? Don't you understand that they need to be able to access the number of barrels coming out of the well every hour, and how much they are making on that, and then how much oil is in the pipeline, and how much they are making on that, and how much gasoline is coming out of the pumps at the gas station, and how much they make on that? The importance of securing this infrastructure so that we don't have pipelines exploding or so ambulances, fire trucks and delivery vans can pull into the gas station and find that the pumps are actually working is unimportant, as long as the endless, on-demand panoply of lucre is on display!

Our capitalist way of life depends on it!!

7
2
Silver badge

Re: Re: Simplified list @Marketing Hack

Yes, quite so, Marketing Hack, and the defending and promoting of the indefensible and oppressive by the likes of an Admiral Michael Rogers, head of the NSA and the US Cyber Command type [and Blighty is blighting itself with similar clones and drones of the model, as are most probably many more entangled state enterprises] is ...... well, a Titanic Folly identifying the Fools' Tools ....... and in a smarter and getting even smarter age and Live Operational Virtual Environment, are they of zero future value in any Present Marketing Space which refines and defines the Madness and Mayhem in AIMarket Places with CHAOS for Clouds Hosting Advanced Operating Systems.

Such be nature of the current beasting reality and virtual reality ...... IT does not suffer the Folly of Fools either gladly or badly in Advancing IntelAIgent Markets.

3
0
Bronze badge

Re: Simplified list

People say they want secure, bug-free systems; but will they pay for them? Hell, no!

4
0
Silver badge

And all three of those absolutely require strong crypto with no backdoors.

28
0
Silver badge
Meh

Item 2

> Number two on his insomnia list was data tampering.

And a good mitigation against tampering is strong encryption. Can anyone see the irony here?

//straight face icon

27
3
Bronze badge

Re: Item 2

@ 2+2=5 "And a good mitigation against tampering is strong encryption. Can anyone see the irony here?"

From the article; "Rogers, who is on the record as supporting strong crypto..."

3
1
Happy

Re: Item 2

Yes, but not for you

6
2

Re: Data tampering

This is a real problem in industry databases, as managers come, redefine terms or scope, and go. It is a kind of revisionism, and over time can degrade a company's history. It reduces the useful life of basic infrastructure systems, accelerating their replacement time to every 10 - 20 years. Mergers, legislation and reorganisations speed the decay.

Equating company management to non-state terrorists is a bit heavy though.

0
0
Headmaster

Is that American Dad?

Hint: None of them are Apple

None of them IS Apple

FTFY

12
4
Bronze badge

Re: Is

None has been singular or plural since at least the ninth century. I'm not a grammar boffin so I am not qualified to say that you are wrong but I will say that you are not exclusively right.

11
0
Silver badge

Not so fast: English is an analytic language; not a synthetic one.

I draw your attention to the note halfway down this page:

In recent years, the SAT testing service has considered none to be strictly singular. However, according to Merriam-Webster's Dictionary of English Usage: "Clearly none has been both singular and plural since Old English and still is. The notion that it is singular only is a myth of unknown origin that appears to have arisen in the 19th century. If in context it seems like a singular to you, use a singular verb; if it seems like a plural, use a plural verb. Both are acceptable beyond serious criticism."

Note the emphasis I have added.

8
0
TRT
Silver badge

Re: Not so fast: English is an analytic language; not a synthetic one.

None of IT is Apple.

None of THEM are Apple.

The singular/plural lies in what you are excluding.

Or, considering none to be a contraction of "not one", not one would always have to be plural (zero being considered as plural). But "not one of it are Apple" doesn't sound right.

I wish I hadn't automatically upvoted the grammar nazi simply on the basis the American Dad title made me laugh.

2
1

Re: Not so fast: English is an analytic language; not a synthetic one.

Ya'll be trippin'. If youse people could get past your collective arse and focus, puh-lease!

2
0
Silver badge

Re: Not so fast: English is an analytic language; not a synthetic one.

@TRT

Both "none of it" (absence of a single, probably continuous, entity or trait) and "none of them" (absence of multiple, probably discrete, quantities) are ways of saying nothing; the subject of both sentences is zero. And, anyway, if we use the object of an of-clause to determine plurality, then my phrase "the subject of both sentences is zero" would have to be rewritten "the subject of both sentences are zero". While, if your theory about zero being plural is true, wouldn't we say "Nothing are due to Apple"?

There just isn't a right way on this one. We can delete the qualifying of-clause and still argue about whether it's "none is Apple" or "none are Apple." Both are in widespread use.

1
3
TRT
Silver badge

Re: Not so fast: English is an analytic language; not a synthetic one.

Not really.

"the subject of both sentences is zero" is correct because the "is" refers to the first definite noun in the sentence; "the sentence". None is an indefinite pronoun. "Them" and "it" are definite pronouns.

"Nothing" is a contraction of "No" and "Thing". "Thing" is singular, which is why "Nothing are due to Apple" sounds wrong. I was talking about "none" which, from Merriam-Webster, means "Not any", "Not one", "No part", and comes from a contraction of "Not one", in Middle English pronounced "nan". It's the same in the Oxford and Cambridge dictionaries.

It's not my idea that zero is a plural; I checked before I posted and got it from quora.com, Merriam-Webster and BBC's language section. Apparently the French treat "zero" as a singular.

I was wondering why the thing about "none" being singular arose when "not one" is the same as the definition of "plural" anyway. Is it from French, where zero is a singular? Sounds kind of pretentious. Though I persist in using "data" in the plural and steadfastly refuse to budge from this position, even though the authoritative sources appear to have given up the fight on that one and say it can be either.

1
0
Silver badge

Re: Not so fast: English is an analytic language; not a synthetic one.

> Or, considering none to be a contraction of "not one"

Full etymology here:

<http://www.worldwidewords.org/qa/qa-non2.htm>

0
0
Bronze badge
Big Brother

US critical cyber infrastructure?

"Admiral Michael Rogers .. first fear is an online attack against US critical infrastructure"

Don't connect US critical infrastructure to the Internet?

"Citing the recent Ukrainian power grid hack as an example"

Technicians on the ground have stated no 'cyber' attack took place. The Ukrainian power grid was taken down by explosives.

"Number two on his insomnia list was data tampering"

Implement a full irrevocable audit trail on the data and don't put your secret records on the Internet.

"His third nightmare was down to the actions of non-state terrorist groups"

I think he means anyone who criticizes US foreign policy.

21
1
Anonymous Coward

Re: US critical cyber infrastructure?

"Don't connect US critical infrastructure to the Internet?"

To the best of my knowledge, it doesn't (directly).

However, since there are requirements for remote parties to send in billing data, this kind of thing is usually handled by site to site VPNs over the internet.

The billing systems are usually set in a secure position further into the security layer, usually accessible via proxies and you can bet there will be IDS/IPS taps etc.

There will always be a need for *some* connectivity between the critical networks and these internal secure services (such as billing etc.) - so whilst there is no *direct* path from the internet to these SCADA networks, there is a daisy chain of systems that can be followed if you know what you are doing etc.

The exercise for the owners of these networks then becomes a question of layers, monitoring and incident response.

1
0
Megaphone

Re: US critical cyber infrastructure?

@walter bishop

Implement a full irrevocable audit trail on the data and don't put your secret records on the Internet.

We can start with the websites of governments, newspapers and corporations.

The last few decades have seen the "blurring" of what used to be fact via the update process.

Scientific results we can (mostly) reproduce - historical facts we cannot.

Is it not enough that we have ISPs and other data intermediaries rewriting webpages?

P.

1
0
Silver badge
Facepalm

So...

... basically none of the things that our politicians are using to scare us into accepting that they should have the ability to snoop on everything we do and every website we visit and everyone we talk to and...

(Need a Big Brother slapping forehead icon!)

8
0
Anonymous Coward

Re: So...

Should?

Why are you talking in a conditional future tense when Dystopia has been with us for at least the last 10 years?

3
0
Anonymous Coward

Summary

Essentially, what his three bogeypeople are:

(1) Russia or China - make that Russia because China is just building over the South China Seas, and they will want to reuse infrastructure,

(2) Volkswagen - because they make better cars no one buys American any more and this has impacted the economy, and

(3) Daesh.

Interesting choice of targets.

1
5
Silver badge

One more thing to keep him awake at night

The things that the paranoid worry others are doing usually turn out to be the things that they themselves are doing, and are afraid of being caught at.

11
1

Re: One more thing to keep him awake at night

The psychological term for that is "projection".

If someone is worried about people gossiping about them, that's because that's what they do. If a business person is worried about folks stabbing him in the back, that's what he/she is doing. If our government is worried about cyber attacks, well..

10
0
Anonymous Coward

Re: One more thing to keep him awake at night

You mean like it getting out that they already have rear entrances into all of the publicly approved Encryption schemes and Tim Cook?

0
0

Re: One more thing to keep him awake at night

LOL...just like an episode of Steve Wilkos. :p

0
0
Angel

Re: One more thing to keep him awake at night

Yes, thieves think everyone else is a thief

4
1
Silver badge

Smart grid. For one thing.

How does an increasingly complex power network spread across a few hundred thousand square kilometers respond quickly and intelligently to sudden fluctuations in the grid -- without relying on a com network which is at some level exposed to attack? I don't know that it can be done. And realistically, building the infra for a dedicated secure network would bust the chops of most power companies.

I'm not arguing that it isn't a fine idea to keep everything important disconnected from all other networks. I might suggest, humbly, that it won't happen in the real world. Or not very often, anyway.

Perhaps it might be productive to focus instead on a single-purpose, hardened OS, and not run industrial automation on Windows. OpenBSD on hard lockdown, sort of.

Or, more likely, I'm just as much in cloud-cuckoo-land as the worst of them.

7
0
Silver badge

Re: Smart grid. For one thing.

"And realistically, building the infra for a dedicated secure network would bust the chops of most power companies."

It shouldn't bust the chops of most telecoms companies. What do you think the power companies used before they had the internet to do their coms?

Nevertheless something other than Windows wouldn't be a bad choice. Dependence on an OS that can be obsoleted at will by a vendor isn't good.

6
0
Anonymous Coward

Re: Smart grid. For one thing.

> How does an increasingly complex power network spread across a few hundred thousand square kilometers respond quickly and intelligently to sudden fluctuations in the grid

As I understand it (from visiting a potential customer who does this stuff), the processing is localised, very high performance, and triple-redundant. Since any comms network is at risk of outages, my understanding is that the controller of the grid connection cannot depend on messages from "mission control" & instead samples the connected HT lines and analyses the data to work out for itself what the grid is doing.

I think the customer was going to use QNX or VxWorks on the SBC; though the real-time control is all embedded stuff on an enormous FPGA.

2
0
Anonymous Coward

I've got one...

Along with everything else in America, why not just outsource the security project to the Chinese.

-A bad beginning makes a bad ending.

2
1
Anonymous Coward

Re: I've got one...

Don't laugh, because whilst China probably isn't in that mix, some of it at least is being outsourced to Indian firms.

1
0
Bronze badge

Re: I've got one...

And that worked out well for TalkTalk

2
0
Silver badge

Right...

So the head of a bunch of secretive spooks is a keynote speaker and we're supposed to trust a word of what he says? Come on, it's basic social engineering to push an agenda.

6
1

Re: Right...

I wonder these days what this Agenda is......! I fear it may not have our best interests at heart, at least in the short-term, who knows about the long-term. Perhaps they know something more than we do and are actually benevolent. Till then,.....hmmmmm

1
0
Devil

Re: Right...

It's evidence for Alien infiltration, or they found that Vampires and werewolves exist and need some method to ID them - it's all for our own good you know

1
0
Silver badge

Strong crypto is the answer to his fears

Let's look at his three fears from the viewpoint of strong cryptography:

1) Attacks on Infrastructure

Properly used, strong cryptography is going to make this harder for the attackers; possibly to the point of making it not worth trying.

2) Data Tampering

Strong cryptography is definitely the answer here; if you don't have the keys, you can't get at the data.

3) Hostile Action

Hostile action, against infrastructure or data, will only be hampered by strong cryptography; and the opposite is true, "our" back-doors become vulnerabilities for "them" to exploit.

So, in summary, the Admiral's nightmares will only be worse in a world of government mandated weak cryptography; turns out he should be on our side after all.

7
0
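Walter bishop's prescription for the Admiral's number two fear ("Implement a full irrevocable audit trail on the data"), 2+2=5's point in "Item 2" that strong cryptography mitigates tampering, and the "Data Tampering" heading in the post above all come down to the same technique: make every record commit to the one before it and authenticate the chain with a key the attacker does not hold. The following is an added illustration of that, written for this page and not taken from the article or from any commenter. It assumes a writer-held secret key (in production that key would live in an HSM or KMS, not in source) and uses constructed sample events from a hypothetical grid-control audit log.

```python
"""Tamper-evident audit trail: each record is HMAC-chained to its predecessor.

Added example, not from the article or any commenter. The key below is an
assumption for the demo; the events are constructed sample data.
"""
import copy
import hashlib
import hmac
import json

KEY = b"demo-key-0123456789abcdef"  # assumed; would come from an HSM/KMS in practice
GENESIS = "0" * 64                   # fixed "previous tag" for the first record


def _tag(key: bytes, prev_tag: str, payload: dict) -> str:
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(log: list, payload: dict, key: bytes = KEY) -> list:
    """Append a record whose tag commits to the previous record's tag and to the payload."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"seq": len(log), "payload": payload, "tag": _tag(key, prev, payload)})
    return log


def verify(log: list, key: bytes = KEY, expected_head: str = None):
    """Walk the chain and recompute every tag.

    Detects edits, deletions and reordering anywhere in the chain. Dropping
    records off the *end* leaves a valid shorter chain, so the latest tag
    ("head") must be anchored somewhere the attacker cannot change; pass it
    as expected_head to catch that case too.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"record {i}: sequence mismatch"
        if not hmac.compare_digest(_tag(key, prev, rec["payload"]), rec["tag"]):
            return False, f"record {i}: tag mismatch"
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch"
    return True, "ok"


def demo():
    """Build a small log, apply three kinds of tampering, and report what verify() sees."""
    log = []
    for ev in (  # constructed sample events
        {"who": "operator7", "action": "set_breaker", "target": "sub-12/bkr-3", "value": "open"},
        {"who": "operator7", "action": "set_breaker", "target": "sub-12/bkr-3", "value": "closed"},
        {"who": "admin2", "action": "change_setpoint", "target": "gen-4", "value": 480},
    ):
        append(log, ev)
    head = log[-1]["tag"]  # would be published / notarised out of band

    edited = copy.deepcopy(log)          # 1. quietly rewrite a historical value
    edited[2]["payload"]["value"] = 520

    deleted = copy.deepcopy(log)         # 2. remove a middle record and renumber
    del deleted[1]
    deleted[1]["seq"] = 1

    trimmed = copy.deepcopy(log[:-1])    # 3. drop the most recent record

    return {
        "intact": verify(log, expected_head=head),
        "edited": verify(edited, expected_head=head),
        "deleted": verify(deleted, expected_head=head),
        "trimmed_no_anchor": verify(trimmed),
        "trimmed_with_anchor": verify(trimmed, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The chain on its own catches edits, deletions and reordering, but not truncation at the tail: a shortened log is still a valid chain. That is why the last tag has to be anchored outside the attacker's reach (printed to a write-once medium, sent to a second organisation, or signed and published), which is the "irrevocable" part of the audit trail. Encryption of the records can be layered on top for confidentiality, but integrity comes from the keyed chain, not from encryption.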

Re: Strong crypto is the answer to his fears

No. 2 may occur based on foreign intent but executed from within.

The article's context may well suggest contamination on a grand / bulk scale and is valid. But I for one would be just as vexed over internal, subtle and directed attacks.

Eternally vigilant etc. What's not to like in our future utopia .. I like the flavour exemplified in Brazil myself.

2
0
Anonymous Coward

Re: Strong crypto is the answer to his fears

The Film or the Country?

0
0
Anonymous Coward

Re: Strong crypto is the answer to his fears

Get real - we have "strong crypto" now but it keeps letting us down (well, the implementation does, or it gets misused, or ignored). How many times has OpenSSL turned out to be flawed, how many dodgy certificate authorities are out there, etc, etc, etc.

To use encryption to allow stuff to happen and keep the bad guys out and be 100% confident about it to protect everything, we'd have to throw out everything we have now and do it all again, properly. Which would involve also solving the trustable identity problem, for which we have only very poor solutions at the moment.

0
1
IT Angle

Eh?

"What happens when they use cyber for destruction?" he asked

... What? That sentence reads like it was an excerpt from the Daily Mail.

4
1
Silver badge
Facepalm

Re: Eh?

Arrg! Cyber!!

Kill it with fire!!

What is wrong with these people...?

1
0
TRT
Silver badge

Re: Eh?

In my world, 'cyber' is the request you make for your fifth and above pint.

1
0

Biting the hand that feeds IT © 1998–2017