Sheldon Whitehouse: Cybertheft Is [May Be] Biggest Transfer of Wealth in History

In an attempt to scare Congress into passing the cybersecurity legislation they failed to pass last year, Sheldon Whitehouse scheduled a hearing on cybersecurity today. In the hearing — and in this op-ed he penned with Lindsey Graham — he repeated a claim he has made before: cybertheft may be the biggest “illicit” transfer of wealth in history.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments such as Iran and terrorist groups such as al-Qaida seek to worm into national infrastructure and threaten catastrophe here at home. Foreign agents raid companies, stealing plans, formulas and designs. Foreign criminal networks take money out of banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in history. [my emphasis]

I think in the hearing itself, Whitehouse wasn’t as careful to always use that word “might.”

The greatest illicit transfer of wealth in history.

Don’t get me wrong: cyberattacks of all sorts are a real threat. They cost consumers a great deal of inconvenience and, at times, lots of money. They cost defense contractors far more (though of course, some of that is built into our model of defense). They cost sloppy companies as well.

But the biggest illicit transfer of wealth in history?

Ignore recent unpunished giant transfers of wealth in the wake of the financial crisis, which the Senate Judiciary Committee has largely ignored.

I guess the reason I find this so stunning is all the obviously huge transfers of wealth it ignores that were part of slavery and colonization.

Were those licit?

Those were, like Chinese or Iranian or Russian cyberattacks on the US, examples of states (and private entities) taking advantage of vulnerabilities elsewhere. They were certainly considered legitimate at the time, because Europeans got to write the history of colonization, and because they made up claptrap about “civilization” to justify it. But from a distance they look more like the kind of exploitation states often engage in if they’ve got an obvious advantage over another state or organization.

All that’s not to say Montezuma shouldn’t have resisted the Spaniards. That’s not to say we shouldn’t defend against cyberattacks.

But what really makes the US so vulnerable to cyberattacks is 1) that we’re so reliant on the Internet and 2) that we’re so reliant on intellectual property (indeed, the very claim that cybertheft is the biggest transfer of wealth relies on a certain understanding of IP as wealth that itself depends on a legal infrastructure that is contingent on our relative world power). And also that so much of our critical infrastructure and so many of our IP holders are in private hands, and it is therefore much harder to demand diligence from them. That is, our vulnerability to cyberattacks is in part a fragility of our own bases for power (a vulnerability that will probably end up being less lethal than the fact that the immune systems of indigenous peoples hadn’t been exposed to European diseases).

Also, this entire discussion — which danced around the question of an international regime that might limit such attacks — completely ignored the StuxNet attack, the fact that a nation as vulnerable as we are pushed the limits of the offensive capability first. One of the witnesses (I think FBI Assistant Director Jonathan Demarast) even suggested that if our government were chartered to attack the private sector (cough, Echelon) of other countries we’d be damn good at it too — as if our attacks on the public infrastructure of Iran don’t count.

I get the value of a good fear campaign (I wish Whitehouse would fearmonger more in his regular addresses on climate change). But there’s fearmongering and there’s absurdity. And I think suggesting that cybertheft is worse than the stealing of entire continents is the latter.


Stephen Cambone, Hacker PWN, Used to Head DOD’s “Intelligence”

Stephen Cambone was the first ever Under Secretary of Defense for something called “Intelligence.”

In that role, he oversaw a domestic spying program that targeted hippies and made GOP cronies rich. And then he went on to profit off that domestic spying program at a company called QinetiQ.

Which is why I’m having a hard time summoning much grief that Chinese hackers have pwned another US Defense Contractor — none other than QinetiQ (George Tenet, another noted “intelligence” figure, was there until 2008)!

Here are the kinds of things the hackers accessed, almost unimpeded.

The lengthy spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet, and military robotics, both already-deployed systems and those still in development, according to internal investigations.

And here is the kind of access QinetiQ allowed both Chinese and Russian hackers.

In 2008, a security team found that QinetiQ’s internal corporate network could be accessed from a Waltham, Massachusetts, parking lot using an unsecured Wi-Fi connection. The same investigation discovered that Russian hackers had been stealing secrets from QinetiQ for more than 2 1/2 years through a secretary’s computer, which they had rigged to send the data directly to a server in the Russian Federation, according to an internal investigation.

Read the whole thing — you won’t know whether to laugh or cry.

Meanwhile, the government seems more intent on violating my privacy to fix this kind of wholesale hacking, rather than blackballing those contractors who are incapable of securing their networks.

The State Department, which has the power to revoke QinetiQ’s charter to handle restricted military technology if it finds negligence, has yet to take any action against the company.

[snip]

In May 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department, which includes protection of the country’s critical transport infrastructure.

The same company that let China hack at will for years is being paid millions for cybersecurity.

That about says it all.


Hackers Penetrate Freedom; The Ship Has Already Sailed

Reuters has a report I found sort of punny, about how white hat hackers had managed to break into the computer systems of the lead ship of the Navy’s Littoral Combat Ship program, the USS Freedom.

A Navy team of computer hacking experts found some deficiencies when assigned to try to penetrate the network of the USS Freedom, the lead vessel in the $37 billion Littoral Combat Ship program, said the official, who spoke on condition of anonymity.

The Freedom arrived in Singapore last week for an eight-month stay, which its builder, Lockheed Martin Corp., hopes will stimulate Asian demand for the fast, agile and stealthy ships.

It may be ironic that Lockheed had a ship get hacked just before it sent the ship out on a sales trip to Asia. (Asia! Where our most feared hacking rival is!)

But … um, Lockheed?

Lockheed, of course, couldn’t keep the F-35 program safe from hackers either, and that time it wasn’t white hats doing the hacking.

Before the government imposes fines for companies unwilling to sacrifice the security of their systems to program in a backdoor, as the WaPo reports is being debated …

A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

[snip]

Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”

Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, said good software coders can create an intercept capability that is secure. “But to do so costs money,” he said, noting the extra time and expertise needed to develop, test and operate such a service.

… Maybe we ought to instead focus on Lockheed’s apparent inability to keep the hundreds of billion dollar weapons systems it produces safe from hackers?


A Partial Defense of Bill Keller’s Column on Manning

Late Sunday, former New York Times Executive Editor Bill Keller put up an op-ed column at the NYT website on the state of Bradley Manning’s case, his perception of Manning’s motivations and what may have been different had Manning actually gotten his treasure trove of classified information to the Times instead of WikiLeaks. The column is well worth a read, irrespective of your ideological starting point on Mr. Manning.

Bradley Manning has ardent supporters and, predictably, they came out firing at Keller. Greg Mitchell immediately penned a blog post castigating Keller for not sufficiently understanding and/or analyzing the Manning/Lamo chat logs. Kevin Gosztola at Firedoglake also had sharp words for Keller, although, to be fair, Kevin did acknowledge this much:

It is an interesting exercise for Keller. Most of what he said is rational and, knowing Keller’s history, he could have been more venerating in his description of how the Times would have handled Manning.

Frankly, many of the points Mitchell and Gosztola made, which were pretty much representative of a lot of the chatter about Keller’s op-ed on Twitter, were fair criticism even if strident. And part of it seems to simply boil down to a difference in perspective and view with Keller, as evidenced in Keller’s response to inquiry by Nathan Fuller, where he indicates he simply views some things differently.

This is all healthy give and take, difference in view and sober discussion by the referenced


Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but compare a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working on GaN-based technologies.

Though these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no?


DOD Uses Sequester to Excuse 5 Year Delay in Implementing Basic Network Security

More than 22 months ago, I wrote a post analyzing Congressional testimony describing the gaping holes in DOD network security 3 years after a nasty malware infection and a year after the publication of Collateral Murder by WikiLeaks.

Almost two years later, Assistant Secretary of Defense Zachary Lemnios says sequestration might hold up improving network security on classified and unclassified networks.

Zachary J. Lemnios, the assistant secretary of defense for research and engineering, was asked by Sen. Rob Portman (R-Ohio) to describe the “most significant” impacts on cybersecurity that could follow from the anticipated cuts to the Pentagon’s budget.

Mr. Lemnios replied that “cuts under sequestration could hurt efforts to fight cyber threats, including […] improving the security of our classified Federal networks and addressing WikiLeaks.”

This is news not just for the specific details offered about how bad DOD’s network security remains (click through for more details). But also for the tacit admission that 3 years after a breach DOD considers tantamount to aiding the enemy, and 5 years after a malware infection that badly affected DOD’s networks in Iraq, DOD still hasn’t completed security enhancements to its networks.


What if China Not Just Hacked — But Sabotaged — the F-35?


Over the last week, two perennial stories have again dominated the news. China continues to be able to hack us — including top DC power players — at will. And the F-35 has suffered another setback, this time a crack in an engine turbine blade (something which reportedly happened once before, in 2007).

The coincidence of these two events has got me thinking (and mind you, I’m just wondering out loud here): what if China did more than just steal data on the F-35 when it hacked various contractors, and instead sabotaged the program, inserting engineering flaws into the plane in the same way we inserted flaws in Iran’s centrifuge development via StuxNet?

We know China has hacked the F-35 program persistently. In 2008, an IG report revealed that BAE and some of the other then 1,200 (now 1,300) contractors involved weren’t meeting security requirements; last year an anonymous BAE guy admitted that the Chinese had been camped on their networks stealing data for 18 months. In April 2009, WSJ provided a more detailed report on breaches going back to 2007.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into.


Jane Harman Now Targeting Individual CyberTargets with Drone Court

Jane Harman’s advocacy for a drone court suffers from the same problem I touched on here (and will lay out at more length in the next day or so): before you can have a Drone and/or Targeted Killing Court, you need some law the court will apply. Harman seems to envision just applying the standards the Executive — not Congress — came up with, which isn’t how Schoolhouse Rock taught me the government is supposed to work.

Congress, in her model, would just be fully apprised of what goes on in the Drone and/or Targeted Killing Court, not write law to limit what can be approved.

But I’m more interested — alarmed, really — by the way Harman seamlessly adds cybertargeting to her advocacy.

The FISA court, renamed the CT Court, could also oversee drones and cyber. A FISA court application must show that specific individuals are connected to a foreign power – which is defined, in part, as a group engaged in international terrorism. Drone and cyber applications could (1) list the individual/cyber target against whom the lethal operation is directed and (2) submit a finding of probable cause that the individual/cyber target is connected to a foreign power, is in a senior operational capacity and poses an imminent threat of violent attack against the United States.

Approved applications for drone strikes and cyberattacks would need to be renewed after a certain period, and discontinued if evidence is presented that the targets no longer meet the criteria. [my emphasis]

Granted, it would have been nice if the government had had to go to a court to explain why a publisher like WikiLeaks should be targeted with a persistent DNS attack, assuming that’s what happened. But given that both our FISA targeting and our targeted killing targeting probably allow for far too much abuse of the First Amendment, I’m not convinced the FISA Court would have noted the problem with that incident of prior restraint.

More generally, though, isn’t Harman’s neat inclusion of cyber targeting here a hint that our cyberattacks have gone beyond just Iran and WikiLeaks?


Why So Surprised? CIA, U.S. Military Knew Chinese Hackers Expected Since 1999

Cover, Unrestricted Warfare via Wikimedia


The breathless reporting about the alleged Chinese hacking at The New York Times is truly annoying because of the shock it displays. The surprise any major government or private corporate entity shows at this point about any network-based security breach that appears to originate from China should be treated as propaganda, or a display of gross ignorance.

In 1999, the CIA’s Foreign Broadcast Information Service published a white paper entitled Unrestricted Warfare, written by the PRC’s Col. Qiao Liang and Col. Wang Xiangsui. The publication outlined the methodologies a nation-state could deploy as part of an asymmetric war. Further, the same work outlined the U.S.’s weaknesses at that time were it to confront such asymmetric warfare. It did not focus on any other nation-state, just the U.S.*

The colonels acknowledged that the U.S.—at the time of the paper—had considered using a range of tools in response to conflicts:

“…There’s no getting around the opinions of the Americans when it comes to discussing what means and methods will be used to fight future wars. This is not simply because the U.S. is the latest lord of the mountain in the world. It is more because the opinions of the Americans on this question really are superior compared to the prevailing opinions among the military people of other nations. The Americans have summed up the four main forms that warfighting will take in the future as: 1) Information warfare; 2) Precision warfare [see Endnote 8]; 3) Joint operations [see Endnote 9]; and 4) Military operations other than war (MOOTW) [see Endnote 10]. This last sentence is a mouthful. From this sentence alone we can see the highly imaginative, and yet highly practical, approach of the Americans, and we can also gain a sound understanding of the warfare of the future as seen through the eyes of the Americans. Aside from joint operations, which evolved from traditional cooperative operations and coordinated operations, and even Air-Land operations, the other three of the four forms of warfighting can all be considered products of new military thinking. General Gordon R. Sullivan, the former Chief of Staff of the U.S. Army, maintained that information warfare will be the basic form of warfighting in future warfare. For this reason, he set up the best digitized force in the U.S. military, and in the world. Moreover, he proposed the concept of precision warfare, based on the perception that “there will be an overall swing towards information processing and stealthy long-range attacks as the main foundations of future warfare.” For the Americans, the advent of new, high-tech weaponry, such as precision-guided weapons, the Global Positioning System (GPS), C4I systems and stealth airplanes, will possibly allow soldiers to dispense with the nightmare of attrition warfare. …”

The rise of military tools like drones for precision-guided stealth attacks was predicted; quite honestly, the PRC’s current cyber warfare could be a pointed response to Gen. Sullivan’s statement about information warfare.

But in acknowledging the U.S.’s future use of MOOTW, the colonels also offered up the most likely approaches in an asymmetric assault or response: trade war, financial war, new terror war in contrast to traditional terror war, ecological war. Of these, they cited a specific example of new terror war entity and attacks:


Enjoy A Valentine’s Day Sampler

Made just for you via cryptogram.com


It’s difficult lately for me to sit down and spend time on a blogpost. I manage a handful of minutes here and there to do reading or research. An email may take hours to draft.

But there’s too much juicy stuff floating around deserving more attention. I’m going to gather content as I see it and aggregate it into a post when I have time, rather than let them slip by. Perhaps you can make more of them than I can.

•  MIT Technology Review acknowledges the dawn of a new age in Welcome to the Malware-Industrial Complex. I’m rather surprised at the tone of this piece; it’s not au courant, rather a bit behind the times since the MIC launched more than a handful of years ago. Two important points emerge: 1) Zero-day exploits are being traded like weaponry–think very hard about the source of these exploits and ask yourself why they are tolerated in government computing environments, let alone any other production environment; 2) This new age is the military face of the paradigm shift from the industrial to the information age. Weapons are information; they are no longer separate from the weapons themselves. With this in mind, the last two grafs of this article display the already-anachronistic thinking of the author and his sources.

•  Syracuse University MA/PhD student Seth Long performs a rather fascinating analysis on alleged cop killer Christopher Dorner’s manifesto. But equally fascinating is his earlier analysis on Ted Kaczynski’s Unabomber manifesto. Compare the two assessments, and then ask yourself what any blogger’s online writings might say about them if Long’s analytical process is eventually automated with algorithms. Scary, hmm?

•  Really great long read at Bloomberg Businessweek on the unmasking of a Chinese hacker by a Dell Computers malware expert. This is a snapshot of asymmetric warfare in progress; it’s not as if China has not told us rather candidly (and more than a decade ago) they would engage us in this manner as well as in other non-internet battlefields. Any surprise on the part of U.S. government officials at this point is utterly ridiculous–it’s either feigned or it’s should-get-another-day-job stupidity.

•  I’m so annoyed by this long read in Aeon Magazine–a really great mag, by the way–that I may yet muster the time to write something longer. Author Damien Walter is rather specious in his identification of a new “creator culture” and its necessity to society’s continued success. The problem isn’t that we need to adopt and nurture a new creator culture; it’s that we killed the one we had quite willingly over the last 25-35 years by offshoring production and the subsequent commodification of goods. We allowed corporations and their one-percenter shareholders to tell us that getting our hands dirty through craftsmanship and in manufacturing was bad (mostly bad for their profit margins). We’ve become a culture that doesn’t fix anything; we buy replacements made overseas in third world countries. We’ve lost our can-do spirit along with this shift, and only recently have both the economic crisis and a new hipster-hobbyist ethos encouraged a resurgence of the do-it-yourself handyperson. Unless we’re conscious of our role in killing creativity, nurturing it again through supporting Etsy and Maker Faires is merely temporary relief from the crush of profit-driven consumerism.

•  But perhaps all of this will be moot tomorrow if the cosmos decides to make a bank shot with asteroid 2012 DA14. This “small” asteroid will fly within 17,200 miles of earth tomorrow afternoon. This is awfully bloody close–close enough that scientists say disruption of cellphone and other satellite service is not impossible, but unlikely. That’s a whisker’s breadth, in cosmic scale. Best to check in tomorrow afternoon after 3:00 pm CST to see if we’re still here. See you then.
