65 comments

[ 0.18 ms ] story [ 132 ms ] thread
FINALLY. They should have done this since the start, for decades now much of the US military has gotten cyberwar completely backwards by misapplying real world strategies to the digital world (obviously they have not been alone). "The best defense is a good offense" is often true for physical warfare, where limited resources means force concentration can be far more effective then the same resources put into static defenses. But in the digital world where data can be replicated endlessly, advantage is probably better thought of in terms of information gradients, electronic utilization, and societal models.

For gradients, if a society maintains more information than another (the product of lots of resources sunk into R&D say) that translates into technological and effectiveness edge and thus real world advantage. Since information can be replicated perfectly, attacks tend to level the gradient, meaning the attackers gain the value without the same resource expenditure and can put more resources into putting the same stuff into production.

For electronic utilization, computers and networks in a lot of things can improve efficiency a great deal. But that then also opens up opportunities for digital attackers.

And the government digital security efforts should heavily take into account shoring up the weaknesses of the model society follows. For the West in general that has a lot of individualism, free market capitalism generating tons of data, heavy technological dependency to maximize productivity per person rather then throwing bulk cheap labor at a problem, etc. Government needs to help organizations and individuals stand up to state-level threats.

So for America, I'd argue that "the best offense is a good defense" when it comes to cyber war. Like, imagine a world where we had perfect bug free systems and nobody could hack anything, vs a world where there is zero possible security and all information is shared universally. I think in the former America would have a significant advantage over more authoritarian countries for the foreseeable future. I think an open society has an edge in producing valuable knew information. But in the latter scenario I think authoritarians would be ahead. They have more people and a more directed economy, if they could essentially outsource R&D completely they'd gain more than they'd lose from it.

Better late than never though. And it'll take years and years and years to prove that this is really serious and not a flash in the pan, that American defense agencies will actually choose patching over holding onto zero days (thus showing faith in the country) and so on. But I hope this does mark a permanent change where rather then mistrusting by default the likes of the NSA and other TLAs their security advice is appreciated and highly useful. One can hope.

I was wondering about this earlier, part of me wonders if the opposite is true, that the only way to prevent cyberwar is a nuclear like MAD arrangement.
MAD can work for nuclear weapons because:

  1) The set of nuclear powers is well-known.
  2) The barrier to becoming a nuclear power is high enough that only governments can feasibly do it.
  3) You can generally tell who launched a missile at you.
  4) Mutual destruction is considered a bad enough outcome by each of the nuclear powers that it's an effective first-strike deterrent.
Almost none of these factors are true for cyberattacks. Cyberattacks can be done by almost anybody, including literal children. They can be laundered in a way that makes them very difficult to trace. Lots of criminal enterprises wouldn't mind if their own country's infrastructure was crippled in a counterattack to their own attack.
I was under the impression that most of these kinds of attacks are primarily state sponsored and that the state is generally known.
Many ransomware attacks are private profiteers. Some appear to be private criminals who are tolerated or even encouraged as long as they only attack hostile countries, and this provides deniability. But if retaliation becomes a real threat, the players will just pretend to be someone else, and the state actors will be good at that.
NorthKorean #1 Karaoke and Cyber Offensive Outpost Bar and Grill, now with starlink
I suspect there’s more to the argument than than is being analyzed here, but there are some interesting points in terms of who stands to benefit from a closed vs open information ecosystem.

I’d be interested in seeing elaboration on those ideas. I think there’s probably more going on here than a zero sum game of competing geopolitical powers.

A couple things that come to mind:

1. Cultural exchange. Open networks make it easier to gain access to media that may not reflect views one grows up with. I suspect that without broad exposure to different ideas/lifestyles/values, more places would trend towards nationalism.

2. Scientific progress: COVID was an excellent example of the international scientific community coming together to face a global issue. What could similar events look like had we not had pre-existing research agreements or openly available data on a crisis?

Would love to here more on these topics.

> 1. Cultural exchange. Open networks make it easier to gain access to media that may not reflect views one grows up with. I suspect that without broad exposure to different ideas/lifestyles/values, more places would trend towards nationalism.

Until relatively recently, US policy and those involved in it broadly treated free access to information as something that de facto favored the US - as in, it's not that we needed to provide information as propaganda, it's that access to unfiltered information by citizens abroad intrinsically promotes the US's policy goals, in part by supporting accountability against repressive and closed regimes. It's clearly not something that's been promoted in all times and all places, but it's been a tenet of a good amount of foreign policy over time.

With budget of less than 0.5bln I don't think anyone can argue that DoD is taking cyber-anything seriously.
That's just the white budget
If only they'd beefed up defense of the beef supplier
So you're advocating for a socialist takeover of the meat supply? /s
No, just a bad joke related to the other (currently) front page story about a cyber attack impacting the beef industry https://news.ycombinator.com/item?id=27359515
To beef fair, the title was begging for it.
I hear a lot of people talk about the current administration not doing enough, but I was pretty sure that companies were free to have whatever bad infrastructure they think they can get away with. These ransomware things are rarely something that I would consider national security. For instance, it looks like a good opportunity for a company to take over this company and do their systems correctly.
I would really like to see a move toward purpose built systems and actually software engineering. General purpose operating systems really speed up development time, but I am not sure we need critical infrastructure to be capable of playing Doom or running generic ransomware. In the same vein, it would be nice for the people who built these systems to be able to provide tolerances and document failure cases. This would be mandating memory safe languages, understanding dependencies, mandatory penetration tests, mandatory fuzz testing. We have standards for building bridges but not for computing systems.

Another policy point would be data de-risking. It has been shown time and time again that companies cannot protect their own data, not to mention user data. I think we should make it very costly to be breached and lose PII. It would raise the bar a lot for who could do what, but I do not think companies have really demonstrated that they can handle this data responsibly. These data losses have even become a national security risk. [1]

1. https://foreignpolicy.com/2020/12/21/china-stolen-us-data-ex...

Critical infrastructure is not the devices being hit by ransomware attacks. They are encrypting corporate networks, which do need to be able to run Outlook and use a web browser.
Laws need to be passed which mandate that critical infrastructure continues to function safely, without corporate comms networks.

If your billing and tracking system breaks tough, that's the cost of picking poor software and not training employees.

I assune you have to be pretty incompetent to be damaged by randsomware. It cant hurt you if you have backups, and i dont understand how you could run a major company without backups.
The ransomware hurts if the ransom is to keep the hackers from posting your documents.
Maybe, but is that the situation that the fuss is about. That sort of scenario surely doesn't involve a business shutdown.
Taking down a system to reflash it with backups can take significant time that translates often in big companies to 10x-100x the ransom cost.

That's also why there are tensions between big companies / victims and law enforcement agencies because they have divergent interests: keeping the business running vs prosecuting and blocking criminals

Did you give data protection job a go? They're heavily recruiting people who can really make a difference. But it looks often easier than it is ;-)

Ironically enough, sometimes it might be other laws that necessitate those systems to be running in order to continue operations. Critical infrastructure is often fairly regulated for other reasons (depending on what it is), and those systems might be used to meet some other compliance/regulatory requirements.

I have found myself working on these kinds of systems professionally, although we were able to air-gap them.

I guess you could say that inability to comply with those other regulations is also a “too bad, you should have thought of it” scenario, but those are not always laws we’d want them to break. (Safety, etc)

And at some level, critical infrastructure is no more of an expert at preventing cybercrime than a shopkeeper is at preventing shoplifting. I do think we need the government to stand up a bit here and help to prevent this crime in the first place.

I feel there's probably a benefit to general purpose systems. Most non-general purpose machines I encounter are IoT or PLC devices and the S in those acronyms is for security. At least with a general purpose system I can implement hardening guidelines like DISA STIGs and automatically scan to be sure that they're enforced.

Maybe you get away from that with real software engineering, but that seems a bit like no-true Scotsman to me.

"Real" software engineering is just a way to justify adding artificial scarcity to the SWE labor pool.
I think it is more so a way to recognize the actual scarcity in the SWE labor pool. I am sick of using apps implemented by the CEOs nephew who is learning to program. I am sick of developers who don't understand a memory corruption vuln. I am sick of people not managing, updating, or auditing dependencies. There is scarcity of talent and we need to stop letting people accumulate and then lose personal data.
Right now congress is debating how to spend 1 trillion in infrastructure, and I feel that most of it will go to pointlessly laying more concrete across the continent. I would like to see some kind of secure citizen-network, separate from the internet, restricted in functionality to just basic services, a business directory, and a message board that requires a crypto cert to identify yourself so you can make a post/comment. Solve the misinformation problem, the cybersecurity problem, train a generation in tech, kickstart the local supply chain AND stimulate economy all at once!
Why would anyone use the Governet, when the Internet is so much better?
Functioning roads and bridges that don't have cracked load-bearing beams are a bit higher priority than a BBS and digital yellow pages.
I doubt that will solve misinformation people are happy to spread complete nonsense under their real names on Facebook all the time. Plus if it's run by the government basic things like moderation get tricky due to 1A.
How would cryptographically verified identities solve the misinformation problem?

Conservative elites which believe it is necessary to fabricate some external evil to preserve social order are historically willing to engage in obscurantism and spread lies under their real names.

The monopolization of farm land by domestic land lords is fault of foreign powers for not allowing enough living room, attempts to end feudalism in south america are Russian plots to establish Stalinist regimes on southern border of United States, UFOs are not domestic military projects but nefarious extraterrestrials, Soviet Union is not collapsing but actually developing undetectable super weapons, Iraq has weapons of mass destruction, etc.

(comment deleted)
> I would really like to see a move toward purpose built systems and actually software engineering.

We've tried bespoke systems for all sorts of components. That's how we end up with multi-billion, multi-year sole source contracts where $beltwaybandit prints money and it takes multiple years to support now-common functionality/capabilities because it wasn't in the initial meticulously-specified, waterfall-driven design plan enshrined in the contract 5 years ago. And that contract itself was an extension to an extension to an extension from a contract a decade before that.

Excuse me, I'm having flashbacks now.

> I do not think companies have really demonstrated that they can handle this data responsibly.

Neither have governments. The entire OPM (Office of Personnel Management) background check database was breached and thoroughly compromised for years. And that system is effectively the blackmailer's wet dream. I wrote about that almost 6 years ago here:

https://caseysoftware.com/blog/why-this-security-breach-is-w...

And that was before the NSA had all their best hacking tools stolen..

What is the responsible thing to do here?

Should a government announce to the people that everybody within it is potentially operating under foreign influence?

Cyber COP, Experian Cyber services, and the like have provided fairly perm accounts paid for by the government due to breaches and mistaken disclosures of PII. While the above mentioned incident is one of the more notable, it ain't the first and isn't even the most recent.
If you think that is even an attempt at a solution, then I’m pretty sure you don’t understand how this information is used.
> purpose built systems

You can see the benefits and limitations of this approach by considering commodities where "purpose built" is economical.

One common purpose built device is the dumb gigabit network switch. It has a well defined and stable specification, and for performance reasons the switching fabric is implemented in a dedicated ASIC which cannot be reprogrammed or remotely disabled. This makes it very stable and difficult to attack directly.

The limitation is that this rock-solid infrastructure only shifts the attack surface to a higher layer in the stack. The same switch that can't be attacked directly will happily deliver an email that tricks a human into assisting a hacker's scheme, like installing a virus onto their accounting PC.

Sure, you could implement your accounting software in an ASIC as well, but unfortunately, the requirements upon accounting change much more frequently than the gigabit 64b/66b waveform spec; if the government is allowed to issue new regulations then it will always be more economical to build the accounting system on a general purpose machine.

Your gigabit network switch runs Linux. Even the securities exchanges' gigabit switches run Linux (on a FPGA).
I am sure that spending multiples of $100M on cyber offense is providing ample justification to state-sponsored adversaries of all kinds to stage attacks of their own. Especially combined with Snowden-type revelations which makes the US look like an evil monopoly conspiring to aggressively exploit its dominance to eliminate all competition.
State actors who do this aren’t looking for justification. They just do it because they can. Same with independent (non-state) actors.

It’s not like they were being goody two shoes and suddenly with the Snowden revelations they turned.

Let me put it this way. You're not likely to cut your R&D budget when your competition is increasing it.
The one thing you can be certain about is that the US is absolutely not cutting its cyber offensive spending or reducing its offensive capabilities. That's all increasing, by a lot.

Under no scenario will cuts to offensive capabilities happen, it doesn't matter which party or person is in the White House.

Real US cyber offensive spending is buried inside of the three letter agencies and buried in classified spending segments within the budget (the $50b to $100b black budget), not out in the open in the supposedly transparent defense budget. It's very silly anybody would believe the US would cut its spending on cyber offense, while it's deep into a never-to-end cyber conflict with Russia and China; a conflict which none of the parties are much attempting to keep hidden at this point.

What are examples of cyber offense launched by the US? I haven't even heard about this before.
That's kind of the point?
Hmmm. The Russians and Chinese don't go advertising their cyberwarfare exploits, but we know of them because targets will be vocal. Our targets would be vocal too. So, I don't think we're doing as much as the other guys in terms of causing random havoc. We generally do "surgical" tits for their tats, as far as I understand. You don't hear Sinopec going off-line or GazProm.
You don't hear Sinopec going off-line or GazProm.

All my searches are only turning up the most recent news about the most recent pipeline hack, but I seem to recall reading that the US hacked/sabotaged an eastern European oil or gas pipeline decades ago.

???

State actors have objectives. Even if that objective is just to test their capabilities.

It seems rediculous to suggest state actors are just doing it for the lulz.

Wow, cyber operations budget is tiny compared to overall military budget. Why is this such a low priority?
A datacenter and a bunch of computers costs less than an airport and a bunch of fighter jets?
You can't infer priority from budget size, because different military activities have different equipment requirements.

Need the capability to send a few guys in a helicopter to attack an enemy physically? You are looking at hundreds of millions for the helicopter and weapons.

Need to have a few guys remotely hack a foreign website? A few computers, a good internet connection, and some comfortable chairs.

No matter how high you prioritize those kinds of cyber ops you aren't going to need a budget anywhere what even a modest fleet of aircraft or ships or tanks needs.

Sometimes there may be a need to blow up something or physically sabotage something in another country to facilitate some cyber ops goal, but that would be carried out by the people with drones or planes or by special ops, depending on what the relationship is between the US and the country the operation will be in and so how discrete the US needs to be, and the money to support such capabilities would show up on their budget rather than the cyber ops budget.

There's a large black budget that is unattributed. And, IIRC, the Vault 7 leaks implicated shell companies in the maintenance of CIA infrastructure.
Tbh, I prolly wouldn’t going around publicly disclosing my budgets for offensive capabilities (or at least in it’s entirety). Let the enemies keep guessing
In a democracy, the people need to have a say as to how money is spent. The detailed capabilities can be hidden (and will be), but I think it's a good idea to shift to defense, and the shift in focus should be openly debated.

Besides, cyber offense isn't a means of defense, because you'd need to figure out how to retaliate against and tit for tat escalation of attacks would be a disaster.

There is no shift happening what-so-ever. They're hiding the offensive spending for plausible deniability purposes, and to keep some information from US enemies.

It's trivially easy to shift expansion in the cyber offensive spending to the black budget segment, so US enemies can't get a clean idea of what the US is spending or not spending in that area. The US does this as a matter of routine in defense spending, and has across most of the post WW2 era.

All the three letter agencies in the USA have burned all their trust regarding secrecy. Better (re:public opinion, funding) to be truthful
Democracy does not require military spending transparency.
For people in this field, are we seeing any movement towards smaller, decentralized intranets that would be physically impossible to hack without physical penetration? It seems like the issue with a lot of these hacks of critical systems is that they exist on the open internet, where a team of security researchers in Russia can access them conveniently from home. If more things were gapped, it seems like the security benefits would be huge, and convenience costs could be worked around in various ways.
> where a team of security researchers in Russia can access them conveniently from home

...or a team of your employees, who for one reason or another couldn't make it to the office every day since March of last year.

In other words, VPNs. These are the smaller intranets you are talking about. Of course they still need to be capable and privileged enough to allow your employees to do their jobs, and this same requirement is the reason why ransomware can strike so effectively.

We did manage to run power stations and military installations before the internet came along. I'm sure there would be inconveniences but it seems a small price to pay to keep critical infrastructure running.
Seems clear to me: move offensive stuff in the 3-letter agencies and black budgets, where they belong.

Then we're officially the good guys, too :)

I think I am going to get downvoted to hell. So be it.

I don’t think there’s any reasoning with the Putin’s or the Xi’s of the world when it comes to this cyber Cold War. They both have highly skilled and motivated state-sponsored hacking divisions of their respective military or intelligence agencies. They’re simply far, far outside American reach. Not to mention the cypher pirates that operate on their soil and attack countries like the US that they turn a blind eye to.

Bolstering our tech best practices to focus on being secure and training workers to better understand what phishing looks like etc., but I think the solution is more proactive than that.

I think the solution is clandestine operations conducted by say the CIA to either infiltrate these ranks and turn would be hackers into allies or it’s straight up murder of the hackers by some US spy and have it look like a common crime in that country.

These attacks will only escalate and I fear they boil over into a full blown war. If diplomacy doesn’t work, if turning our would be attackers into allies doesn’t work, then what other option do we have if cyber defenses aren’t enough (the best defense is always one step behind a smart and adaptive attacker)?