> The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network.
Former government contractor here: Dumbasses need to keep their sensitive data air gapped and inside a SCIF.
If you need to network stuff, there are ways for contractors to implement NSA-approved "type 1" crypto with the appropriate personnel and infrastructure.
Also, I think whoever improperly classified that as not requiring SECRET level protections is going to have a hard time justifying it to their bosses.
There's stupid and then there's "stupid" putting my tinfoil hat on here: maybe they were allowed to steal the data. I mean really? Oh WOOOPS we stored 613 GB of classified data on an unsecured network in the EXACT place hackers would look... aww that sucks, welp we'll try to do better next time.
I call BS, this level of incompetence smells more like treason disguised as stupidity.
A true believer would say the point was to suggest intentionally bad technology (e.g. screen doors!), to retard progress in Chinese submarine design...
Are there penalties written into contracts to address failures like this? ISTR when China got loads of F-35 data, Lockheed was "punished" by getting to spend another year and hundreds of millions more dollars "fixing" the plane.
Wow I really disagree with that. 0-days are a fact of life. If billions of dollars aren't enough to set up a secure supply chain and air gaps, what would be?
No, I wish we didn't spend trillions of dollars on killing machines for no reason. It's pretty difficult to confuse that world with this one.
Your magical phrase "zero-day" doesn't "win this argument" for you... You're imagining some Stuxnet-level pyramid of remote BIOS and NIC firmware hacks when we all know this was just a poorly configured firewall. That's why "TOP SECRET" exists, CYA.
The article states clearly that this was Controlled Unclassified Information. Massive volumes of industrial data fit this description. It does call for special protections, which are outlined in NIST SP 800-171. Nowhere in this document does it imply that CUI data should be kept in a SCIF.
From the article, Cmdr. Bill Speaks, a Navy spokesman, said, “There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information.”
This does not indicate the data was or was not classified. Now, at the beginning of the article, "The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network. The officials said the material, when aggregated, could be considered classified, a fact that raises concerns about the Navy’s ability to oversee contractors tasked with developing cutting-edge weapons."
The article suggest the data, in aggregated form, could be viewed as classified. I am quite sure not all the details have been made public nor will they be for some time. I am sure it will take many years for that true nature of the breach to enter public domain. Submarines are the US primary means of nuclear deterrence and any breach to limit that deterrence might be considered harmful.
Are you implying that the US are not actively doing the same against nations they see as a threat? It's basically how and why any intelligence service operates - know your enemy and keep up with their technological advances.
The difference is that China has been stealing in order to copy, while the China itself has nothing that the US want to copy.
This has been true since the birth of the US. But the future may be different. China is advancing very fast through copying, and years from now we might stop thinking of them as a copycat.
Because US is not really condemning spying. It's something what the US does as much as it can. The US has the responsibility to protect its secrets and it failed.
There's a fantastic book called "Blind Man's Bluff" about submarine spying during the Cold War, including a lot of antics like this one. Gripping storytelling, highly recommended read if you're interested in submarines or spying or both.
The US nuclear triad currently rests dangerously on the US Ohio-class submarines. If the Chinese military develops technology that can eliminate these subs in a surprise attack, they would potentially have the ability to take over the world.
Step 1. Target the 1950s era US ICBM fleet in their static bunkers. This only requires making the POTUS hesitate for ~7 minutes to "use or lose" them.
Step 2. Destroy the few dozen 1950s era upgraded B-52s and a few misc aircraft. Some might slip through but maybe not.
Step 3. Take out the ~14 outdated US ballistic missile subs using new supersonic anti-ship missiles.
Hopefully the US military will be able to upgrade the nuclear triad in time to maintain MAD and eliminate this potential threat. But I think the best solution would be for the entire G7 to develop independent MAD systems so there's never any doubt that it remains in effect.
Everything you say is true, but extremely misleading. China's nuclear posture uses what's called the "minimum means of reprisal", which means they have an extremely small nuclear force that is incapable of completing the scenario you outline.
Let me just quote the abstract from Jeffery Lewis's phd dissertation on the topic:
Among the 5 states authorized under the NPT to possess nuclear weapons, China has the most restrained pattern of deployment: The People"s Republic of China (PRC) operationally deploys about 80 nuclear warheads exclusively for usewith land"based ballistic missiles. Its declaratory doctrine rejects the initiation of nuclear war under any circumstance. The PRC does not maintain tactical nuclear forces of any kind, and its strategic forces are kept off alert, with warheads in storage. This posture has been sustained over time and changes in threat perception, suggesting restraint is the result of choice and not expediency.
Furthermore, most of the land based ballistic missiles China has deployed are targeted at India, and not capable of hitting the mainland US.
While the dissertation was written in 2004, essentially nothing substantial has changed since then.
There have been no substantive changes, but of course there have been minor changes. If you're actually interested in learning more, there's a lot of open source information available. Lewis's blog http://armscontrolwonk.com is a great starting point, but covers a much greater scope.
China is short, by an order of magnitude, in the number of nuclear weapons necessary to perform a reliable first-strike against US silo and air-base sites.
Even if you can find and take out a ballistic missile sub, you cannot with any certainty take out all of them. A single one of those Ohio-class submarine, and its 24 MIRVs is perfectly capable of killing hundreds of millions of people, if launched at China's coast.
China's nuclear arsenal, like the arsenals of France, India, Pakistan, and the United Kingdom, is purely defensive. Life is not a Tom Clancy novel. Russia and the United States are the only countries capable of carrying out a first strike against a nuclear state... And neither of them can do so against the other.
China is one of the countries with the most to lose, and the least to gain in a nuclear exchange.
> But I think the best solution would be for the entire G7 to develop independent MAD systems so there's never any doubt that it remains in effect.
Comprehensive MAD would be a wonderful thing, if you had utter certainty that the chance for accidental launch was zero. If the chance is nonzero, you've put a time limit on civilization. How long? A hundred years? Three hundred?
You refer derisively to "1950s-era" technology. And you have a point. I'm agreeing with that point, and using it to make the case for a real chance of accidental nuclear war based on flawed or worn-out technology.
The third book in the list above goes into stark detail about the other danger - that of nuclear war based on flawed human decision-making.
So it's pretty obvious by now that we are actively at war with China and Russia on the cyber front. The question is, are we winning? Are we even fighting back?
> So it's pretty obvious by now that we are actively at war with China and Russia on the cyber front.
We are actively fighting a cyber war with every country. The nations who we spy on the most are our allies. And the nations who spy on us the most are our allies. I know it's counterintuitive but it's international politics, geopolitics and intelligence 101.
For example, israel, Britain, Canada, germany, japan, south korea, etc spy on us the most. And naturally we spy on them too.
And taken a step even further, every nation's government spies the most on their own people. It's almost a certainty that intranational spying makes up most of the spying budgets of china, russia, britain, israel, US, germany, etc.
> The question is, are we winning?
Considering we are the epicenter of tech, what do you think? Considering our intelligence budgets dwarf both china and russia's budget combined, what do you think?
> Are we even fighting back?
Are you serious? Who do you think invented cyber spying? The internet was a DARPA project.
Do you really think only china and russia are spying?
I know some intelligence people. This isn't what they tell me. They tell me that western governments are obsessed with following the law and limiting what their cyber operations touch. It's born out by what I understand from non-classified sources. For example, I read through the source code of Stuxnet when it first came out. There was a ton of guards put in to limit the potential damage it made.
That Canada spies on the USA more than Russia is the biggest bullshit I've ever heard. Read the Snowden leaks and listen to natsec podcasts. The Russians are in a ton of the US infrastructure and the CIA is freaking out about it to the point where they consider cyber to be a bigger existential threat than a nuclear armed DPRK.
> I know some intelligence people. This isn't what they tell me.
I don't believe you know any intelligence people. And even if you did, I doubt they'd tell you anything. People who write "I know some intelligence people" on a web forum, usually don't know anyone.
> That Canada spies on the USA more than Russia is the biggest bullshit I've ever heard.
> The Russians are in a ton of the US infrastructure and the CIA is freaking out about it to the point where they consider cyber to be a bigger existential threat than a nuclear armed DPRK.
You might want to stop watching CNN/Foxnews/media. But of course russia is spying on us. But who do you think would have an easier time spying on us? The russians/chinese or our allies?
Just think. And you'll realize how much more sense it makes that allies should spy on each other more than enemies. But maybe you could ask your "intelligence people".
If Stuxnet being limited to interfering with its intended target is your example of how Western intelligence is over concerned with limits to their operations’ scope, I think you hold our services to a very low standard, both ethically and practically. Would it have been responsible, or in the nation’s best interests, to allow Stuxnet to play with any industrial equipment it found itself on? And further, would such a blatant infection have half a chance of hitting its actual objectives?
You also seem to assume that, however badly the Russians have us over a barrel through infected infrastructure, that we haven’t gotten into their stuff just as badly, or worse. All the regulations that U.S. spooks complain about aren’t a problem once you’re on foreign soil working on foreign targets. Cyberwarfare favors the attacker, just because we’re very vulnerable isn’t a reason to believe we don’t have the upper hand.
(And as noted, the U.S.’s budget for this stuff is way greater than our opponents’. If we’re not decisively on top something is seriously wrong.)
Just because the microcosm that your contacts happen to see within our compartmentalized and super secret intelligence agencies happens to (supposedly, through two levels of rumor) be on the up and up, doesn't make that a rule for these organizations.
In fact, most everything published besides your testimony suggests the opposite.
I'm happy to change my view when I encounter new evidence, but I see absolutely no evidence that the Canadians (or anyone else outside of Russia / China) have hacked the shit out of the entire USA.
Simply bar them from defense department work/contracts for 5 years and put any current contracts on hold. The other contractors will get the hint. Nothing ever gets done about this stuff, so the status quo remains.
Compare this to Facebook effectively selling a Chinese firm the entire social graph. Not any firm, a firm the US Government indicated should be regarded with caution.
That social graph will pay dividends decades after these missiles are decommissioned.
Conversely, if DoD contracts are sufficient, why aren't Facebook contracts? China doesn't care about contracts in either case. If you think a Chinese firm is going to honor a contract with an American company, you need to look up the Organization Department.
45 comments
[ 0.23 ms ] story [ 115 ms ] threadFormer government contractor here: Dumbasses need to keep their sensitive data air gapped and inside a SCIF.
If you need to network stuff, there are ways for contractors to implement NSA-approved "type 1" crypto with the appropriate personnel and infrastructure.
Also, I think whoever improperly classified that as not requiring SECRET level protections is going to have a hard time justifying it to their bosses.
I call BS, this level of incompetence smells more like treason disguised as stupidity.
Of course not. Which is why this crap keeps happening.
The other aspect is that it's not really the contractor's fault if the exploit was done with a zero-day.
Your magical phrase "zero-day" doesn't "win this argument" for you... You're imagining some Stuxnet-level pyramid of remote BIOS and NIC firmware hacks when we all know this was just a poorly configured firewall. That's why "TOP SECRET" exists, CYA.
This does not indicate the data was or was not classified. Now, at the beginning of the article, "The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network. The officials said the material, when aggregated, could be considered classified, a fact that raises concerns about the Navy’s ability to oversee contractors tasked with developing cutting-edge weapons."
The article suggest the data, in aggregated form, could be viewed as classified. I am quite sure not all the details have been made public nor will they be for some time. I am sure it will take many years for that true nature of the breach to enter public domain. Submarines are the US primary means of nuclear deterrence and any breach to limit that deterrence might be considered harmful.
This has been true since the birth of the US. But the future may be different. China is advancing very fast through copying, and years from now we might stop thinking of them as a copycat.
The US may not care to copy Chinese submarines, but it would love to get its hands on all sorts of information surrounding them.
There has been a huge setback in US espionage in China...
It's good not to let yourself be hacked. It's better to let your enemies think you can be hacked.
Step 1. Target the 1950s era US ICBM fleet in their static bunkers. This only requires making the POTUS hesitate for ~7 minutes to "use or lose" them.
Step 2. Destroy the few dozen 1950s era upgraded B-52s and a few misc aircraft. Some might slip through but maybe not.
Step 3. Take out the ~14 outdated US ballistic missile subs using new supersonic anti-ship missiles.
Hopefully the US military will be able to upgrade the nuclear triad in time to maintain MAD and eliminate this potential threat. But I think the best solution would be for the entire G7 to develop independent MAD systems so there's never any doubt that it remains in effect.
Let me just quote the abstract from Jeffery Lewis's phd dissertation on the topic:
Among the 5 states authorized under the NPT to possess nuclear weapons, China has the most restrained pattern of deployment: The People"s Republic of China (PRC) operationally deploys about 80 nuclear warheads exclusively for usewith land"based ballistic missiles. Its declaratory doctrine rejects the initiation of nuclear war under any circumstance. The PRC does not maintain tactical nuclear forces of any kind, and its strategic forces are kept off alert, with warheads in storage. This posture has been sustained over time and changes in threat perception, suggesting restraint is the result of choice and not expediency.
Furthermore, most of the land based ballistic missiles China has deployed are targeted at India, and not capable of hitting the mainland US.
While the dissertation was written in 2004, essentially nothing substantial has changed since then.
Based on what evidence?
Even if you can find and take out a ballistic missile sub, you cannot with any certainty take out all of them. A single one of those Ohio-class submarine, and its 24 MIRVs is perfectly capable of killing hundreds of millions of people, if launched at China's coast.
China's nuclear arsenal, like the arsenals of France, India, Pakistan, and the United Kingdom, is purely defensive. Life is not a Tom Clancy novel. Russia and the United States are the only countries capable of carrying out a first strike against a nuclear state... And neither of them can do so against the other.
China is one of the countries with the most to lose, and the least to gain in a nuclear exchange.
Minuteman III is 1970s era.
>Destroy the few dozen 1950s era upgraded B-52s and a few misc aircraft.
That's actually incredibly hard.
>Step 3. Take out the ~14 outdated US ballistic missile subs using new supersonic anti-ship missiles.
Target subs with AShMs!? Come again?
I consider MAD to be a greater threat. We are talking about extinguishing all human life.
Some reference material:
https://www.goodreads.com/book/show/16884.The_Making_of_the_...
https://www.goodreads.com/book/show/6452798-command-and-cont...
Just recently published: https://www.goodreads.com/book/show/25663779-the-doomsday-ma...
> But I think the best solution would be for the entire G7 to develop independent MAD systems so there's never any doubt that it remains in effect.
Comprehensive MAD would be a wonderful thing, if you had utter certainty that the chance for accidental launch was zero. If the chance is nonzero, you've put a time limit on civilization. How long? A hundred years? Three hundred?
You refer derisively to "1950s-era" technology. And you have a point. I'm agreeing with that point, and using it to make the case for a real chance of accidental nuclear war based on flawed or worn-out technology.
The third book in the list above goes into stark detail about the other danger - that of nuclear war based on flawed human decision-making.
We are actively fighting a cyber war with every country. The nations who we spy on the most are our allies. And the nations who spy on us the most are our allies. I know it's counterintuitive but it's international politics, geopolitics and intelligence 101.
For example, israel, Britain, Canada, germany, japan, south korea, etc spy on us the most. And naturally we spy on them too.
And taken a step even further, every nation's government spies the most on their own people. It's almost a certainty that intranational spying makes up most of the spying budgets of china, russia, britain, israel, US, germany, etc.
> The question is, are we winning?
Considering we are the epicenter of tech, what do you think? Considering our intelligence budgets dwarf both china and russia's budget combined, what do you think?
> Are we even fighting back?
Are you serious? Who do you think invented cyber spying? The internet was a DARPA project.
Do you really think only china and russia are spying?
I know some intelligence people. This isn't what they tell me. They tell me that western governments are obsessed with following the law and limiting what their cyber operations touch. It's born out by what I understand from non-classified sources. For example, I read through the source code of Stuxnet when it first came out. There was a ton of guards put in to limit the potential damage it made.
That Canada spies on the USA more than Russia is the biggest bullshit I've ever heard. Read the Snowden leaks and listen to natsec podcasts. The Russians are in a ton of the US infrastructure and the CIA is freaking out about it to the point where they consider cyber to be a bigger existential threat than a nuclear armed DPRK.
http://www.spiegel.de/international/germany/cover-story-how-...
https://www.cnn.com/2017/01/05/opinions/limiting-israel-espi...
> I know some intelligence people. This isn't what they tell me.
I don't believe you know any intelligence people. And even if you did, I doubt they'd tell you anything. People who write "I know some intelligence people" on a web forum, usually don't know anyone.
> That Canada spies on the USA more than Russia is the biggest bullshit I've ever heard.
https://www.thestar.com/news/canada/2015/03/03/canada-turfed...
> The Russians are in a ton of the US infrastructure and the CIA is freaking out about it to the point where they consider cyber to be a bigger existential threat than a nuclear armed DPRK.
You might want to stop watching CNN/Foxnews/media. But of course russia is spying on us. But who do you think would have an easier time spying on us? The russians/chinese or our allies?
Just think. And you'll realize how much more sense it makes that allies should spy on each other more than enemies. But maybe you could ask your "intelligence people".
You also seem to assume that, however badly the Russians have us over a barrel through infected infrastructure, that we haven’t gotten into their stuff just as badly, or worse. All the regulations that U.S. spooks complain about aren’t a problem once you’re on foreign soil working on foreign targets. Cyberwarfare favors the attacker, just because we’re very vulnerable isn’t a reason to believe we don’t have the upper hand.
(And as noted, the U.S.’s budget for this stuff is way greater than our opponents’. If we’re not decisively on top something is seriously wrong.)
In fact, most everything published besides your testimony suggests the opposite.
I'm happy to change my view when I encounter new evidence, but I see absolutely no evidence that the Canadians (or anyone else outside of Russia / China) have hacked the shit out of the entire USA.
That social graph will pay dividends decades after these missiles are decommissioned.
Conversely, if DoD contracts are sufficient, why aren't Facebook contracts? China doesn't care about contracts in either case. If you think a Chinese firm is going to honor a contract with an American company, you need to look up the Organization Department.
The key words in the article were:
> The officials said the material, when aggregated, could be considered classified
So, the problem is that the material was probably designated as FOUO, but should have been classified as secret.
The difference is that FOUO is okay to be left on desks and the like, but confidential and above needs a safe, and document control.