The Great Cyberscare
Why the Pentagon is razzmatazzing you about those big bad Chinese hackers.
The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in the cybersecurity debate reckons that puffery pays off.
The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same."
A reminder is in order: The world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all, a bit of fear helps to claim -- or keep -- scarce resources when austerity and cutting seem out of control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors.
Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done.
An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai -- two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Mandiant's report was useful and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes into the report after 15 minutes of red-teaming it -- the New York Times didn't.
Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage -- Stuxnet -- was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.
Finally, the intelligence community tags along with the hype because the NSA and CIA are still traumatized by missing 9/11. Missing a "cyber 9/11" would be truly catastrophic for America's spies, so erring on the side of caution seems the rational choice. Yes, Director of National Intelligence James Clapper's recent testimony was more nuanced than reported and toned down the threat of a very serious cyberattack. But at the same time America's top spies are not as forthcoming with more detailed information as they could be. We know that the intelligence community, especially in the United States, has far better information, better sources, better expertise, and better analysts than private companies like Symantec, McAfee, and Kaspersky Lab. But for a number of reasons they keep their findings and their analysis classified. This means that the quality of the public debate suffers, as experts as well as journalists have no choice but to rely on industry reports of sometimes questionable quality or anonymous informants whose veracity is hard to assess.
The tragedy is that Obama actually has it right: Something needs to be done, urgently. But Washington's high-octane mix of profiteering, protectiveness, and politics is sadly counterproductive for four reasons:
First, the hype actually makes it harder to focus on crucial engineering details. Security standards in industrial control systems and SCADA networks -- the networks that control stuff that physically moves around, from trains to gas to elevators -- are shockingly low. The so-called Programmable Logic Controllers widely used in critical infrastructure are designed to be safe and reliable in tough factory-floor conditions and harsh weather, not secure against outside attack. This year's S4 conference in Miami Beach, organized by the small and specialized security outfit Digital Bond, again showcased how vulnerable these systems are. But Washington is too busy screaming havoc and too ill-informed to do something meaningful about concrete engineering issues. Just sharing information, as the inspector general of the Department of Homeland Security recommended in a report last month, is useful but it will not deliver security. Connecting critical infrastructure that was never designed to be linked to the Internet is also not the root of the problem -- the built-in security flaws and fragility of these systems need to be fixed, as Digital Bond's Dale Peterson pointed out last week in response to the timid DHS report. The political dynamic behind this logic is clear: The more is declared critical, the harder it becomes to act on the really critical.
Second, the hype clouds badly needed visibility. A fascinating project at Free University Berlin has produced a vulnerability map. The map uses publicly available data from Shodan, the Google for control system hackers, and adds a layer of information crawled from the web to geo-locate the systems that often should not be connected to the Internet in the first place. Red dots on the map show those systems. The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project's founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already. The U.S. government's attention-absorbing emphasis on offensive capabilities means it has very little visibility into what this vulnerability map would actually look like.
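The paragraph above describes the mechanics of such a map only in outline: banner records from a scan engine are matched against a list of known control-system products and then counted per location, so the map can only be as complete as its fingerprint list. The following added example (written for this page, not code from the Berlin project or from Shodan) shows that pipeline over constructed banner records and constructed product names, and makes the coverage bias concrete: the "red dot" count for a country changes as soon as a product the list did not know about is added. The same matching is what an asset owner would run over its own externally visible banners to find exposed controllers before a public map does.

```python
"""Added example: how a Shodan-style 'vulnerability map' is built from banner
records, and why the fingerprint list biases the result. All data, product
names and addresses below are constructed for illustration."""
import re
from collections import Counter

# Constructed fingerprints: regex over the banner -> (product label, vendor country).
# Coverage of a real map depends entirely on this list; mirroring the article's
# remark, the starting list only knows (constructed) German products.
BASE_FINGERPRINTS = {
    r"ExampleDE-PLC": ("ExampleDE-PLC", "DE"),
    r"ExampleDE-HMI": ("ExampleDE-HMI", "DE"),
}
# A (constructed) non-German product the initial list does not recognise.
EXTRA_FINGERPRINTS = {
    r"ExampleUS-RTU": ("ExampleUS-RTU", "US"),
}

# Constructed records in the shape of a banner scan result: address, the
# country the host was geo-located to, and the raw service banner.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "country": "US", "banner": "ExampleUS-RTU v2 ready"},
    {"ip": "203.0.113.11", "country": "US", "banner": "ExampleDE-PLC firmware 4.1"},
    {"ip": "198.51.100.5", "country": "DE", "banner": "ExampleDE-HMI web panel"},
    {"ip": "198.51.100.6", "country": "DE", "banner": "ExampleDE-PLC firmware 3.0"},
    {"ip": "192.0.2.7", "country": "US", "banner": "ExampleUS-RTU v1"},
    {"ip": "192.0.2.8", "country": "FR", "banner": "HTTP/1.1 200 OK nginx"},
]


def classify(banner, fingerprints):
    """Return (product, vendor_country) for the first matching fingerprint, else None."""
    for pattern, (product, vendor_cc) in fingerprints.items():
        if re.search(pattern, banner):
            return product, vendor_cc
    return None


def build_map(records, fingerprints):
    """Count recognised control systems per host country: the 'red dots' per country."""
    counts = Counter()
    for rec in records:
        if classify(rec["banner"], fingerprints) is not None:
            counts[rec["country"]] += 1
    return dict(counts)


def coverage_gap(records, base, extra):
    """Red dots per country that appear only once the fingerprint list is extended.

    A non-zero entry means the base map under-reports that country, which is the
    product bias the article describes."""
    before = build_map(records, base)
    after = build_map(records, {**base, **extra})
    return {cc: after.get(cc, 0) - before.get(cc, 0) for cc in set(before) | set(after)}


if __name__ == "__main__":
    print("base map     :", build_map(SAMPLE_RECORDS, BASE_FINGERPRINTS))
    print("extended map :", build_map(SAMPLE_RECORDS, {**BASE_FINGERPRINTS, **EXTRA_FINGERPRINTS}))
    print("coverage gap :", coverage_gap(SAMPLE_RECORDS, BASE_FINGERPRINTS, EXTRA_FINGERPRINTS))
```

With the constructed data, the base list shows one exposed system in the United States and two in Germany; adding a single unrecognised product raises the U.S. count to three while Germany is unchanged, which is the shape of the bias the project's founder acknowledged. Geo-location is reduced here to a country field per record; the real map adds crawled web data for that step.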
Third, sabotage and espionage are rather different things -- technically as well as politically. SCADA systems are highly specific kit, often old and patched together over years, if not decades. That means these systems are highly specific targets, not generic ones. Affecting critical operations requires reprogramming these systems, not just disrupting them; the goal is modifying output parameters in a subtle way that serves the saboteur's purpose. With Stuxnet, the U.S. government provided the -- so far -- most extreme and best-documented case study. The operation showed that successful sabotage that goes beyond just deleting data is far more difficult than successful espionage: It requires testing and fine-tuning an attack over many iterations in a lab environment, as well as acquiring highly specific and hard-to-get target intelligence. Stealing large volumes of intellectual property from a commercial competitor, by contrast, is a technically rather different operation -- there is little to no valuable IP hidden inside control systems. To put it bluntly: China and others have a high commercial incentive to steal stuff, but they have no commercial incentive to break stuff. All threats are not created equal. What's needed is nuance, surgical precision, differentiation, and sober analysis -- not funk, flap, and fluster.
Finally, hype favors the offense over the defense. The offense is already sexier than the defense. Many software engineers who consider a career in public administration want to head north to the dark cubicle at Fort Meade, not bore themselves in the Department of Homeland Security -- if they are not working happily in the Googleplex on bouncing rubber balls already. If the NSA sucks up most of the available talent and skill and puts it to work on the offense, the defense will continue to suffer. By overstating the threat, and by lumping separate issues into one big bad problem, the administration also inadvertently increases the resistance of powerful business interests against a regulatory over-reaction.
As President Obama mentioned in his State of the Union address, if we look back years from now and wonder why we did nothing in the face of real threats, the answer may be straightforward: too much bark, not enough bite.
MarkPelham
Um, you are aware that it is pretty easy to trace locations for IP addresses, right? Especially if you have the skills for complex code writing/reading and cyber security. I don't think you guys properly understand the technology associated with what's been going down. More on a policy side of things, what is somewhat amusing and myopic is the fact that the Chinese military was so obviously aggressive. It leaves them wide open for cyber attacks moving forward and all our government is going to say in return is "you started it."
ed_robinson
This piece really got me reading on words of estimative probability. That's really interesting.... fair to say that I won't be bothering with further commentary by Rid or his book though.
andao
A decent article, but it completely ignores the potential effects of industrial espionage in the weapons industry. I think this is a far, far greater threat than foreign hackers blowing up a nuclear power plant.
Foreign country X steals terabytes of data on F-22 weapons systems and develops a radar system that can easily detect it. Foreign country then provokes somehow, F-22s are scrambled, and promptly blown to smithereens. This isn't a legitimate threat?
Further, industrial espionage in the "long game" is also devastating. A nation's military is only going to be strong if its economy can afford it. It's well established that China hacks foreign companies, steals their IP, and gives it to their own state-owned enterprises. These enterprises then can sell the same product worldwide for cheaper, since they have no R&D investment. Since the only thing the US makes any more is IP, this is really the whole ballgame.
I agree that the Mandiant report isn't as conclusive as news outlets have been saying, but I think it would be relatively easy to compromise US weapons systems with all the data that's been stolen. I haven't seen a convincing argument that this isn't a big problem.
bing520
The US also steals the weapon secrets of foreign countries so as to upgrade our weapons. The US sends her spies all over the world. I am sure China has her spies in the US. We don't start a war with China because of Chinese spies trying to steal data on the Patriot missile. Nor would China shoot us because of our spies.
There should be a set of rules governing cyberespionage. I don't know what type of rules yet, but I doubt the US wants some rules restricting the use of our cyberweapons, which are far superior. The Chinese government has been calling for such rules but we simply ignore them. Obama talked about the threat but the US refuses to even recognize our use of cyberweapons.
It is a reasonable strategy to say nothing about our cyberespionage game, not to tie our own hands. The less our opponents know, the better off we are. Then, we can't deny the Chinese are going to do everything they can to catch up. How do you hone your cyber-skills? I would say, "Do it every day until you master it."
Cyberthreat is a real problem. We should constantly improve our defense and offense. That's all we should do. No reason to over-react. Our intelligence officials are excellent in keeping a low profile, but our citizens are getting angry and fail to understand the advantage of being silent. Cyber weapons are unlike nuclear bombs. You can't use the same attack virus over and over again.
Al28
The US has been hacking all the world for many, many years under different excuses and sucking their resources, and if China didn't hack them, the US would still need an excuse to keep Beijing down and take some advantage on trade or other issues. Mr. USA, your time is gone, and now look what this world does with you as you did with the world before. Sorry USA
and keep calm, still more will come!!!!!!