This comment reminds me of an awesome episode of Breaking Bad in season 5, I won't ruin it but those who've seen it will know what I'm talking about. Are these passenger trains carrying Methylamine by any chance?
Panetta raises the issue that a combination of attacks could cause loss of life and a new sense of vulnerability among the public. (From the article: "...would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.")
The last time the public had that sudden sense of vulnerability, on 9/11 of course, there was a tremendous and partly counterproductive reaction that we're still dealing with.
It could be smarter to put in place laws to force private companies to report cyberattacks, so the government can understand the scope of the problem, than to pay for the reactive spasms that would follow a successful attack.
The last time the public had that sudden sense of vulnerability, the government did everything in their power to stoke those anaphylactic fires. Panetta wants more money, pure and simple, and he knows that fear of the unknown is the best way to get sound bites and the Congressional ear.
They don't want smart - otherwise we'd already be doing the smart thing.
"government ... stoked": yes, I agree. It's a shame.
I think Panetta partly wants money, but even more, wants laws changed so that privately-operated infrastructure has to have certain security provisions. His agency can't compel it without a law.
History has shown that market forces are not always sufficient to guard against catastrophic events.
He Can always testify before congress...No? Every political fundraising memo is form of "Guy X warns of Doom...Act Now...send your $$$" Where was he for Bhengazi?
Partly? We've managed to destroy two countries, waste billions of dollars, lose essential human rights and fall into a recession. What part of that was productive, exactly?
“I’m not sure they’re going to volunteer if they don’t feel that they’re protected legally in terms of sharing information. So our hope is that ultimately we can get Congress to adopt that kind of legislation,”
Translation: Before we loot their databases, we have to reassure them that they are not liable.
The money wasted on these pork bills and civil rights violations that will probably pass with flying colors regardless of who wins the election could be better spent buying every 0day for sale. Imagine a few billion in a fund just for buying zero days for sale and forcing the companies with the vulnerable product to tell its customers that it had vulnerabilities and that they've now been patched. Heck, tax companies that write insecure software more.
Instead, we'll see some federal guidelines that do nothing but enrich connected defense IT contractors milking the endless cow of defense spending.
I wish that every headline of this type had windows in parentheses ... "Panetta Warns of Dire Threat of (Windows) Cyberattack on U.S."
How many years ago were we up on that stage at defcon while bo2k was demoed ? And 12 years later nation states (Iran) are getting owned by the same old autorun.inf.
What the hell is a "defensive" "cyberweapon"? Are we going to shoot down an incoming SSH session? Poison a compromised SSL session? Like screaming aircraft in space, these people have no idea what cyber warfare looks like.
I'd start with good design and engineering with due diligence, multiple redundancy, identification and delinking of potential failure points and well trained and equipped emergency response teams.
But they'll probably just hire lots of goons and get them to sit on facebook and stalk the insane.
He admitted he is pushing a bill, and in all probability, there is a defense company that is selling some network monitoring, firewall-ing, or anti-virus software has probably asked for his "help" and is "sponsoring" both him and the bill
If you look closely at what they are proposing, the new bills and the new budgets almost always go into "offensive cyber capabilities" not defensive ones. So while they keep the fearmongering about cyber attacks, all they are doing is building better weapons to attack others themselves, and has nothing to do with protection, which also creates a loop where if the US does get attack because the networks are not protected, they get to demand for even more funding, and continue the cycle.
Good network monitoring, clever firewalls, that kind of thing. "Cyberweapon" is a bandwagon, of course, but there are devices and services that you can buy that do tend to make networks more secure, and having more of those is not a bad thing.
My employer sells a device that permits one-way connections only: http://www.fox-it.com/en/products/datadiode/. The "one-way" part is trivial, of course - the clever part is in making standard protocols work over such a link.
I think we can safely assume that these bureaucrats know nothing at all about Cyber-anything. I don't think we even need to ask where this statement ultimately leads. It leads to a total loss of internet anonymity. It may take a generation for that to be a given, but that's clearly the goal. That goal provides about as much value to the nation as the "war on terror." The end of the cold war sure left quite a vacuum. It took about a decade to find something to take its place.
Now taking them off the internet is not going to sell overpriced, over-engineered, ineffective products designed to "fix" these "issues" ;-)
If Panetta is talking about specific "cyber-defense" capability, L3, or Lockheed (etc.) probably already have a product in the making and fulfills some of these requirements. They just need the law to be passed and the purchase order signed.
I get your point but, while offline you could still get infected via physical media USB, CD, FLOPPY.
What I'm trying to say is that if a nuclear facility got hit and their machines where offline (from the internet) its still possibly to infect the rails using the Stuxnet attack vector.
But yes the claims are sensationalist, a better solution would be to increase security protocols and make standards out of those and have companies follow those in a more strict way.
I have a genius plan to protect computers and networks from cyber attacks, I plan on selling it to the Government I really think it's a good idea. My asking price will be at least $1.2 billion for a minimum 10 year contract, but I'd be willing to negotiate a little bit to stay competitive with competitors like Lockheed.
1) Disconnect any computer from the Internet that controls anything that can be compromised.
2) Keep the computers disconnected.
BAM! no Internet connection, no cyber-security threat. Now if you'll excuse me, I'm just going to fire up my Ubuntu terminal and derail a passenger train full of chemicals whilst simultaneously breaking down a dam wall in another terminal window.
Seriously though, I think we're all doomed if dams, nuclear reactors, airports and passenger train networks are as accessible from the Internet as Panetta says they are in the first place...
I thought the exact same thing as you after posting and re-reading my comment. If they come after me, I guess I'll have to open up another terminal window and hack into their car computer system and make them drive in the wrong direction, after I hack all traffic lights to slow them down of course ;)
Unfortunately, it's not that simple. Stuxnet showed us that offline networks can be attacked and have real-world consequences (e.g., exploding enrichment plants).
Almost all of our critical infrastructure is offline, and many of our infrastructure companies air-gap their critical networks. Yet we are all still vulnerable simply because we are using computers.
I have a friend who works for Saudi Aramco. They tried to play down the effects of the attack, but they had to replace 30,000 hard drives. My friend's work for the past year was wiped out. The only people who were saved were those who made local back-ups on USB drives which were not connected. In most large companies, there are strict rules about connecting personal hard drives to the company's network, but in this case, those who violated the rules were able to survive the attack best. Back-ups were compromised as well. It is not clear why Aramco did not have back-ups which were offline and accessible.
This article appears to expose a serious violation against the International Olympic Committed by the inappropriate use of "Olympic Games".
While it is possible that a proper license was obtained, it seems extremely unlikely that the IOC would permit there trademark to be used for an operation instigating a terrorist attack against one of its members countries and I am currently unaware of the IOC adopting hacking as a completive sport.
The article states "Mr. Obama ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment plants, according to participants in the program. He decided to accelerate the attacks, which were begun in the Bush administration and code-named Olympic Games,"
42 comments
[ 4.4 ms ] story [ 108 ms ] threadWhy are passenger trains loaded with lethal chemicals in the first place?
(And BTW, trains derail even without evil cyber hacker criminals. First YouTube result: http://www.youtube.com/watch?v=xCbOUgr_r-E)
Panetta raises the issue that a combination of attacks could cause loss of life and a new sense of vulnerability among the public. (From the article: "...would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.")
The last time the public had that sudden sense of vulnerability, on 9/11 of course, there was a tremendous and partly counterproductive reaction that we're still dealing with.
It could be smarter to put in place laws to force private companies to report cyberattacks, so the government can understand the scope of the problem, than to pay for the reactive spasms that would follow a successful attack.
They don't want smart - otherwise we'd already be doing the smart thing.
I think Panetta partly wants money, but even more, wants laws changed so that privately-operated infrastructure has to have certain security provisions. His agency can't compel it without a law.
History has shown that market forces are not always sufficient to guard against catastrophic events.
Partly? We've managed to destroy two countries, waste billions of dollars, lose essential human rights and fall into a recession. What part of that was productive, exactly?
Translation: Before we loot their databases, we have to reassure them that they are not liable.
Instead, we'll see some federal guidelines that do nothing but enrich connected defense IT contractors milking the endless cow of defense spending.
How many years ago were we up on that stage at defcon while bo2k was demoed ? And 12 years later nation states (Iran) are getting owned by the same old autorun.inf.
How do they expect to defend against it?
Wait, no. I'd call tptacek.
I'd start with good design and engineering with due diligence, multiple redundancy, identification and delinking of potential failure points and well trained and equipped emergency response teams.
But they'll probably just hire lots of goons and get them to sit on facebook and stalk the insane.
My employer sells a device that permits one-way connections only: http://www.fox-it.com/en/products/datadiode/. The "one-way" part is trivial, of course - the clever part is in making standard protocols work over such a link.
Why the heck are they on the internet in the first place?
If Panetta is talking about specific "cyber-defense" capability, L3, or Lockheed (etc.) probably already have a product in the making and fulfills some of these requirements. They just need the law to be passed and the purchase order signed.
What I'm trying to say is that if a nuclear facility got hit and their machines where offline (from the internet) its still possibly to infect the rails using the Stuxnet attack vector.
But yes the claims are sensationalist, a better solution would be to increase security protocols and make standards out of those and have companies follow those in a more strict way.
1) Disconnect any computer from the Internet that controls anything that can be compromised.
2) Keep the computers disconnected.
BAM! no Internet connection, no cyber-security threat. Now if you'll excuse me, I'm just going to fire up my Ubuntu terminal and derail a passenger train full of chemicals whilst simultaneously breaking down a dam wall in another terminal window.
Seriously though, I think we're all doomed if dams, nuclear reactors, airports and passenger train networks are as accessible from the Internet as Panetta says they are in the first place...
Almost all of our critical infrastructure is offline, and many of our infrastructure companies air-gap their critical networks. Yet we are all still vulnerable simply because we are using computers.
While it is possible that a proper license was obtained, it seems extremely unlikely that the IOC would permit there trademark to be used for an operation instigating a terrorist attack against one of its members countries and I am currently unaware of the IOC adopting hacking as a completive sport.
The article states "Mr. Obama ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment plants, according to participants in the program. He decided to accelerate the attacks, which were begun in the Bush administration and code-named Olympic Games,"