How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You
from the not-cool dept
We’ve discussed multiple times the massive unsubstantiated hype around the concept of “cyberwar”, which mostly has been led by former government officials who are seriously cashing in on the hype. Yet, every time we mention this, we get people insisting that we just don’t know the “real story” and the “threat” is really big. But we keep waiting for some evidence to support that theory.
Seymour Hersh, over at the New Yorker, who tends to be the most connected reporter around when it comes to getting the inside scoop on what’s happening in the US military, has a (typically) long and worth reading analysis of the whole “cyberwar” concept that effectively agrees with exactly what we’ve been saying all along: it’s totally hyped up beyond reality, in an effort to build the reputations of a few people and to cash in on a trend. People on all sides of the issue all seemed to point out to Hersh that “cyberwar” is blowing things out of proportion. There’s plenty of espionage going on, but that’s quite different (and a lot less sexy when it comes to trying to make money).
But what’s even scarier than the people seeking to get money is the way the Defense Department has been using this to try to basically take control of the whole “cyber defense” aspect. Back in August, we discussed how there was this ongoing fight between the Defense Department (military) and Homeland Security (civilian) to manage the “cyber” threats, with the Defense Department basically using its experience in being incompetent to argue that it knows better.
And, as you look at the details, the Defense Department isn’t just looking at “cyber defense,” it keeps on making the argument that part of “cyber defense” is also “securing” private networks and usage. Jerry Brito, over at the Tech Liberation Front, just had a post questioning whether or not the military should have a role in civilian cybersecurity, and Hersh’s long article gives plenty of reasons why it absolutely should not.
Multiple people note that one of the best ways to make various networks and systems more secure from espionage attacks is to increase (or even mandate) widespread encryption. That would certainly make things more difficult for espionage. But the NSA (part of the Defense Department) doesn’t want that because that makes it much harder to spy on people. In fact, the very same NSA has been pushing the feds to put in place a mandatory backdoor to any encryption so that it can keep on spying.
But, of course, any such backdoor can (and absolutely will) be used by those trying to spy from elsewhere as well. So when you put the NSA in charge of “cyber security,” it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil), rather than actually doing stuff related to actual “cyber security.” We’ve had various pieces of similar stories over the past few months, but Hersh does a great job pulling it all together in a way that makes it pretty clear that this whole thing is a huge boondoggle for most of the players. The ex-gov’t officials screaming “cyberwar” are making tons of cash, while the Defense Department and the NSA are using all that hype to gain more control over the internet and the ability to spy on people — but not necessarily to make anyone more secure.
Filed Under: cybersecurity, cyberwar, defense department, nsa, privacy, security
Comments on “How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You”
Dear God...
I love it when the real world news coincides with a book query I’m sending out to agents. I think maybe I’ll include a link to this article in the query letter….
Re: Dear God...
Darph Bobo? I thought I smelled vasoline.
Re: Re: Dear God...
You’re about two universes left of where you were aiming for…
Re: Dear God...
I bet you’d sell more books and/or get more responses to your query if you were peddling the “sexy” (as Mike put it) concept of cyberwar threats and not the unsexy concept of typical boring collusion and profiteering.
Re: Re: Dear God...
“I bet you’d sell more books and/or get more responses to your query if you were peddling the “sexy” (as Mike put it) concept of cyberwar threats and not the unsexy concept of typical boring collusion and profiteering.”
Actually, I kind of am, indirectly. The book is about the first ever true all-digital consciousness created by a defense contractor as the prototype for the future digital “soldier”. Did a ton of research on Digital Philosophy Theory and the like for it….
Re: Re: Re: Dear God...
We all know, like Dragons, that the first AI is going to be made by Disney under the guise of entertainment…
Re: Dear God...
pssst – off topic, sorry about marty but thanks for adam.
You say, “The ex-gov’t officials screaming “cyberwar” are making tons of cash” and that you “keep waiting for some evidence to support that theory.”
What evidence do you have to support your theory? How are they making their “tons of cash?”
I’m all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government’s efforts to actually do something about it…
Re: Re:
“What evidence do you have to support your theory? How are they making their “tons of cash?””
http://www.reuters.com/article/idUSTRE64O6V720100526?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A reuters%2FtechnologyNews %28News %2F US %2F Technology%29 —
“Growing concern about cyber attacks is fueling a market valued at around $30 billion a year, prompting new investments by BAE and other defense companies that are keen to offset an expected flattening in spending on more traditional weapons.”
In other words, they’ve learned from their pharma friends. When profits from one threat begin to wan because that threat is no longer seen as a threat, manufacture another threat, with govt. or NGO help, and sell something for THAT….
http://www.wired.com/dangerroom/2010/05/cyberwar-cassandras-get-400-million-in-conflict-cash/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A wired%2Findex %28Wired%3A Index 3 %28Top Stories 2%29%29 —
“Back in February, for instance, former National Security Agency director and Booz Allen Hamilton executive vice president Mike McConnell declared that “the United States is fighting a cyber-war today, and we are losing.””
That same article details that Booz Allen, subsequent to those comments by an ex-govt. official, signed $400 million worth of “digital defense” contracts to add to it’s already staggering $2.7 billion bank of govt. work.
….is that enough, or do you need more?
Re: Re: Re:
Thing is though that they cyber war argument is entirely circular with little or no reference to reality.
The Great Firewall of China is about as secure as the pay walls around News Corp properties.
Still, as you point out there’s a LOT of money to be made chasing your own tail, it seems.
Interesting, isn’t it, that the British Government wants to drydock virtually all of the Royal Navy, park and store most RAF jets and still, somehow, support what few troops three are in Afganistan but are going to spend a small country’s GDP and cyber warefare.
And still the US NSA dreams of setting up a “secure” domain in cyberspace. Lemme know when they get that done or better yet let me know when you see pigs flying south for the winter of when the Cubs win the World Series.
🙂
Re: Re: Re: Re:
“when the Cubs win the World Series.”
….damn you.
Re: Re: Re:
Touche.
But I still maintain that it would still be more productive if folks crafted solutions. The debate over who should oversee the defense of the networks aside, the external threat to US government systems is real. Adversaries are constantly seeking to exfiltrate data to foreign servers. And the Russian attack on Georgian infrastructure–how would you classify that?
Bottom line: What would you recommend the United States do about it?
Re: Re: Re: Re:
“And the Russian attack on Georgian infrastructure–how would you classify that?”
International espionage. Watch a Bond film. This stuff ain’t THAT new….
“Bottom line: What would you recommend the United States do about it?”
Take the physical security precautions that they can, do some level-headed basic computer security precautions where necessary. None of that costs $30 billion. And fear mongering makes me unimpressed.
My suggestion? To be just as effective, give ME the $30 billion dollars, I’ll dress up like a flamboyantly gay Apache Medicine Man, get myself a Harry Potter wand, and shake it at every govt. computer in America while shouting “Ooga Booga, Ooga Booga!”
Actually, because I’m a patriot, and because I like dressing up like gay versions of indigenous peoples, I’ll do it for $20 billion….
Re: Re: Re:2 Re:
Is this what you had in mind?
Re: Re: Re:3 Re:
Almost exactly….except gayer…
Re: Re: Re:4 Re:
Oh, it’s ON! You find a photo of a gayer Indian than that! (I hope you succeed, that would be awesome)
Re: Re: Re:5 Re:
http://www.google.com/imgres?imgurl=http://www.stonewallvets.org/images/dave_west_memoriam_hp.jpg&imgrefurl=http://current.com/news/89226367_native-american-tribe-legalises-gay-marriage.htm&usg=__fdlVBQSJ5_wTlTkbI4S2tOSa8es=&h=457&w=345&sz=58&hl=en&start=0&sig2=eNRWCL1_BjFsy9peFDoVfQ&zoom=1&tbnid=OGzrXSSoUnmk4M:&tbnh=149&tbnw=112&ei=MFDJTKbYIcP_lgf01tzhAQ&prev=/images%3Fq%3Dreally%2Bgay%2Bnative%2Bamerican%26um%3D1%26hl%3Den%26safe%3Doff%26rlz%3D1G1GGLQ_ENUS304%26biw%3D1280%26bih%3D576%26tbs%3Disch:1&um=1&itbs=1&iact=hc&vpx=127&vpy=53&dur=2991&hovh=258&hovw=195&tx=154&ty=155&oei=ElDJTPe_MIO88gbU0YGUAQ&esq=7&page=1&ndsp=23&ved=1t:429,r:0,s:0
…..I win.
Re: Re: Re:6 Re:
No only do you win, but the accompanying article (About the The Coquille Indian Tribe in Oregon) was interesting as well. I live in Oregon and I didn’t know about that.
Re: Re: Re:7 Re:
Depending on the pronunciation, the name of that tribe that is now allowing open homosexuality is….unfortunate….
Re: Re: Re:8 Re:
From ‘Source’ Article: http://www.pinknews.co.uk/news/articles/2005-8768.html
From The Coquille Indian Tribe Website: http://www.coquilletribe.org/documents/TheCoquillesfinal050809.pdf
So not as ‘Unfortunate’ as it could have been…
Re: Re: Re:6 Re:
Pure awesome!
Re: Re: Re:2 Re:
http://www.wired.com/dangerroom/2010/10/despite-scare-talk-attacks-on-pentagon-networks-drop-in-2010/
“because I’m a patriot…”
Patriot, indeed.
Re: Re: Re: Re:
The problem is not a lack of solutions. There are plenty of solutions, most of which have been well-known, well-understood, and well-tested for somewhere between “years” and “decades”.
The problem is that these solutions do not make billions in profits for consultants and contractors. They thus have every reason to scrupulously avoid them, and to instead undertake hideously-expensive and not-quite-ineffective alternatives. (Which “not quite”? Because if they work too well, then no more gravy train. But if they work too badly, not more gravy train either. The trick is to walk the fine line and thus ensure next year’s revenue.)
I strongly recommend reading Marcus Ranum’s essays/rants, which are some of the most insightful things written about security in the last 40 years. In particular, “The Six Dumbest Ideas in Computer Security”, “The Anatomy of Security Disasters”, and “Stupid about Software” are good places to start.
If you read those and grasp them fully, then one of things that you will realize is that attacking the IT security problem as it currently stands is NOT a matter of “doing something”: it’s a matter of ceasing to do quite a few things that are known failures.
But that’s not sexy and doesn’t make headlines and doesn’t sell books and doesn’t make billions and doesn’t look good on a PowerPoint and oh, yeah, is far beyond the feeble comprehension of nearly every management critter on the planet. So it won’t happen.
Nope, instead there will be initiatives and plans and reviews and standards and yadda yadda yadda for the foreseeable future. And the cash register will ring — and if not enough, well, then some additional “cyberwar” fear mongering should do the trick.
Re: Re: Re:2 Re:
Completely off topic here but thanks for the Marcus Ranum info. Hadn’t read his stuff. Looks good.
Re: Re: Re: Re:
“external threat to US government systems is real.”
Yeah, and there are WMDs in Iraq ….
“Bottom line: What would you recommend the United States do about it?”
Stop using MS Windows and use Linux …
Hold companies responsible for poor software design …
Re: Re: Re:
Sounds to me like they are building capability… Anytime you build something, people make money. I don’t see the problem.
Re: Re: Re: Re:
Maybe we should build a bridge from LA to Hawaii. Some people would make money from that.
Re: Re:
The evidence is sitting in the office next to me…
…and his suit does not match … and that’s bothering me a lot right now. This is corporate america now, bud, at least turn on the light while you are getting dressed.
Re: Re:
“What evidence do you have to support your theory?”
There was never an cyber attack that resulted in loss of life was there, can you cite one?
Re: Re:
I’m all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government’s efforts to actually do something about it…
But privacy is security in a very real sense. You want solutions? Ok…. I’ll give it a stab
1. Encrypt everything
2. Use intelligent multi-layered defenses based around Intrusion Detection and Intrusion Prevention throughout key points of the network
3. Make sure these are algorythmic/holistic in nature rather than signature based to better stop zero-day exploits
4. Make sure that you have a security plan that covers every device that may connect to your services be it mobile phone memory stick, laptop or smart washing machine.
4. Make sure everything is logged and audited, including changes to logging and auditing processes
5. Make sure the physical security of access to your resources is considered and likelwise monitored.
6. And this one’s really really important…. Make sure you consider the human element. Training and education to reduce social engineering attacks and plain stupidity.
and of course 7. Don’t let anyone governmental or otherwise deliberately put a hole in those defenses no matter what excuse they have
Follow all that and you still won’t stop every attack, but I guarantee you you’ll be a damn sight better off that letting the goverment “handle” it.
“Cyber war” could be done technically with lax security on many networks, but making it worse by centralising the vulnerability is hardly the answer. The things you’d be worried about being taken down aren’t in government hands so educationa and encouragement of security improvement in a distributed way is what reduces the “threat”, not hyperbole and posturing by politicians.
Re: Re: Re:
holistic
Pretty sure I meant Heuristic there………
Re: Re: Re:
AKA: Computer Security Best Practices -or- the stuff that every IT/CompSec Professional WANTS to do but is prevented from doing by governmental and/or managerial incompetence.
Re: Re: Re: Re:
AKA: Computer Security Best Practices
Yeah… it’s not like I invented it solely for the purposes of answering a post 🙂
As I said it’s number 6 that’s the kicker….. the number of people who claim “security is someone else’s department – nothing to do with me.” is scary.
That’s probably why it’s so tempting to let believe the Government can sort it out.
Cut to: Larson Farside cartoon…. party full of sheep, dog at door. Caption, hostess sheep saying “Oh Vernon the party’s a disaster, no-one knows whether to sit, stand, eat, drink… Oh thank God! Here comes the border collie”
response: Further Larson cartoon… field full of sheep, 1 standing on hind legs front legs raised, a look of revelation, caption “Wait! We don’t have to be sheep!”
Not just including domestic
“it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil)”
I would say that it’s not just “including domestic spying”, rather focused primarily on domestic soil.
Foreign gov’ts and corps will simply not use flawed encryption tech, and develop their own sans “NSA ENTER HERE EVERYONE ELSE GO AWAY” backdoor.
Hence, this opens domestic networks to everyone, including the NSA, but will have zero effect on foreign surveillance.
Re: Not just including domestic
Many NGOs and small governments use AES for international communication. This includes NGOs like major drug cartels operating in our south of the border DoD and DoJ proving-grounds established by Bush Sr.’s war on drugs. Read the executive order if you like. Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients. An independent and open encryption solution would solve this problem if it had proper market saturation, of course cooperation by Apple Inc. Microsoft and Google’s android would be required at minimum.
Re: Re: Not just including domestic
An independent and open encryption solution would solve this problem if it had proper market saturation
TLS and SSL, the standard communication encryption protocols, use RSA, an open-source encryption algorithm. So we have that part solved at least.
Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients.
Any bank that doesn’t already use secure communication should be completely avoided.
Re: Re: Not just including domestic
Wow, didn’t realise my point would be missed.
The only entities who will knowingly use encryption with a backdoor are entities who have no choice.
The only entities the US Gov’t can force the choice on are entities that exist within the US.
Hence, if the US mandates this, it will have an effect on domestic surveillance, but none on foreign. Drug cartels south of the border, for example, will use encryption without a backdoor.
Sounds like the real “cyberwar” is being waged by the government against the internet’s anonymous nature. Fortunately, like the RIAA before them, they’re too stupid to realize that the internet evolves in response to such threats.
It’s impossible for them to achieve the totalitarian control they’re trying for. The best they can do is push people to start using VPNs, which would result in them getting even less intel.
Of course, they’re not going to sober up anytime soon. As such, let’s look forward to watching over the coming months as they grasp at the shadow and lose the substance.
Againg with the "there really is NO PROBLEM". trust me.. im Mike.. :)
Yes, its funny how Mike goes to so much effort to discredit other people claims, but never provides his own facts or proof to support his ‘argument’.
“Sure, they are wrong, but I cant provide anything that shows Im right”.
It least these groups are trying to work out who and how to work on this cyber security threat. Mike you just claim it does not exist !!.
And if you think cyber security issues do not exist you are the LAST person who is qualified to comment on said security.
You are in denial..
NSA and HS are saying “there is a problem, it is clear, so what can we do about it to try to mitigate that problem’.
Mike says “You’re stupid and waisting money, there is no problem, your chasing shadows”.
And ofcourse Mike has so much more skills, expertise and technical knowledge of these issues than the NSA or Homeland security.
Ofcourse to Mike, there is no legions of script kiddes and wouldbe hackers, botnets dont exist, and the .gov and .mil domains are not attacked hundreds of thousands of times a day.. There are no hacker convention, and hacking “WELL IT REALLY IS NOT A PROBLEM”.
Great mike, way to boost you ‘reputation’ as someone informated.
Re: Againg with the "there really is NO PROBLEM". trust me.. im Mike.. :)
Not a suprising take on the article considering…. but also unsuprisingly a different interpretation exists.
I read it as “Oh look. Government is hyping up a threat that’s been there for years and decided suddenly to appear to ‘Do Something About It’, except that the actual aim seems to be something that can’t possibly help and in fact will hinder the stated aim. But oddly the approach manages raise lots of cash, fear, and give much more domestic control. Don’t you think that’s a bit dodgy?”
Of course that would make the other interpretation pretty much a non-sequitur of a post so it’ll probably turn out that I’m in DeNile too…. that’s fine – I fancy Africa this time of year.
Re: Againg with the "there really is NO PROBLEM". trust me.. im Mike.. :)
darryl claims a lack of factual material in the post, and then provides none himself – Brilliant!
Facetious fortune cookie
Facetious fortune cookie say, “You need not worry if you are not doing anything wrong.”
Re: Facetious fortune cookie
Facetious fortune cookie say, “You need not worry if you are not doing anything wrong.”
Facetious indeed 🙂 Except in this case even that tired old platitude that you are correct will probably be trotted out isn’t applicable.
Even if I were dumb enough to accept it as a valid reason for violating privacy, in this case we’re not just talking about privacy the government. I think I can 100% guarantee with no fear of being wrong that if a “backdoor” is engineered into every system “for the NSA”, the NSA won’t be the only ones walking through it. I may have “done no wrong” but what about the million other people you just let into my network? Do I have anything to fear from them?
Oh Look it gets better the CIA is fighting the CyberWar too?
From our friends at /.
From the linked Article: “Silver Tail Systems, a provider of fraud prevention solutions for Web sites, received solid validation of its products and business model this week. The company has entered into a strategic investment and development agreement with In-Q-Tel (IQT), the not-for-profit, venture capital arm of the CIA.“
HaHaHaHaHaHahahahahahaa…….
Ok I’m done now.
The internet is to be treated as an enemy. It is not the mall to hang out in and meet cool people. It has turned into a commercial nightmare. So I say spy, spy, spy all you want. I will encrypt my emails and if necessary assign myself a private socket on our network and do my browsing that way. Treat it like it is an enemy and you don’t get hurt.
Of course it is but what’s the scope? There’s a real possibility of me being elected the first President of a United Statesof Europe. It just doesn’t seem too likely.
The internal threats seem to be even more real, but I’d be more concerned about the threats to the companies actually running infrastructure including on behalf of the government if I were you. And by threat I mean basic open holes in security for undirected malicious code, rather than worry so much about a specific targeted “cyber war attack”.
Never attribute to malice that which can easily be explained by stupidity.
Eh, those that say things like “you dont know the whole story” probably have a point that we may not know exactly the threats we face.
Hence, if the US mandates this, it will have an effect on domestic surveillance, but none on foreign. Drug cartels south of the border, for example, will use encryption without a backdoor.