Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Politics

Obama's Portrait of Cyberwar Isn't Complete Hyperbole 240

pigrabbitbear writes "It's hard to imagine what cyberwarfare actually looks like. Is it like regular warfare, where two sides armed with arsenals of deadly weapons open fire on each other and hope for total destruction? What do they fire instead of bullets? Packets of information? Do people die? Or is it not violent at all — just a bunch of geeks in uniforms playing tricks on each other with sneaky code? Barack Obama would like to clear up this question, thank you very much. In an op-ed published in the Wall Street Journal the president voiced his support for the Cybersecurity Act of 2012 now being considered by the Senate with the help of a truly frightening hypothetical: 'Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud,' Obama wrote, describing a nightmare scenario of a cyber attack. 'Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.' All because of hackers!"
This discussion has been archived. No new comments can be posted.

Obama's Portrait of Cyberwar Isn't Complete Hyperbole

Comments Filter:
  • by acidfast7 ( 551610 ) on Friday July 20, 2012 @12:44PM (#40715263)
    ...and I can't say that about his predecessor.
    • by Anonymous Coward on Friday July 20, 2012 @01:00PM (#40715557)

      "Obama does a good job of facilitating thinking..."

      And I can't say that. At all. I'd be lying.

      This is nothing but fear-mongering to sucker people into increasing the power of the federal gov't. "Oh but it won't be used in that way"... since when has that EVER been true?

    • by sl4shd0rk ( 755837 ) on Friday July 20, 2012 @01:02PM (#40715587)

      and I can't say that about his predecessor.

      His predecessor invoked much thinking as well however much of it prefixed, or suffixed with, "wtf?", "lol" and "lmao"

    • by acidfast7 ( 551610 ) on Friday July 20, 2012 @01:05PM (#40715637)
      I can't say that I agree with his content, but Obama does get Joe SixPack to realize that power plants and trains switches can be inadvertently connected to the internet (and to wonder what else it connected.) Hyperbole it is, but it's useful for the non-specialist.
      • What the hell was a shipment of toxic chemicals that couldn't withstand a train crash doing on a train? Why wasn't the water treatment plant shut down manually when the control systems failed?

        Cyber "war" is just applied mathematics. Get it right, and you're untouchable. Its impact is unreliable and the expenditure is out of all proportion to its impact. Give me what was spent on Stuxnet and I could do far more damage to infrastructure than that ever did.

        • by jpapon ( 1877296 ) on Friday July 20, 2012 @02:22PM (#40716701) Journal

          Give me what was spent on Stuxnet and I could do far more damage to infrastructure than that ever did.

          Woh there, cowboy... put your gun back in its holster. The reason for the expense is that Stuxnet was a subtle, precise strike. The main advantage of which is that it didn't give Iran a clear Casus Belli against Israel. No kidding it would have been cheaper and far less complicated to just drop some bombs on Iran's centrifuges... but that could have led to pretty brutal regional conflict. Why use a baseball bat when you can use a scalpel?

          • That was the thing about Stuxnet that people don't seem to get. It's a brilliant chess move; if you accept the premise that those centrifuges need to go (which frankly I did, but it's up to you), it's hard to argue that the "strike" that destroys every centrifuge without so much as an injury is inferior in any respect to a bomb which is almost certain to kill people.

            But the real thing is that the evidence that it was US/Israel that wrote Stuxnet/Flame only rises to the level of "likely, but rumor", and Iran

        • by Anonymous Coward on Friday July 20, 2012 @03:12PM (#40717349)

          Cyber "war" is just applied mathematics. Get it right, and you're untouchable.

          This is completely backward. Infosec is actually applied anthropology. Humans will get the math wrong. They will get the design, the implementation, the policies, the procedures, the operation wrong. Security is about assuming mistakes will be made and overlapping protections to the extent that the impact of those inevitable fuck-ups is minimized.

      • by nazsco ( 695026 ) on Friday July 20, 2012 @02:39PM (#40716931) Journal

        I can't say that I agree with his content, but Obama does get Joe SixPack to realize that power plants and trains switches can be inadvertently connected to the internet (and to wonder what else it connected.) Hyperbole it is, but it's useful for the non-specialist.

        yeah, but it's not because Americans has too much freedom on the internet. It's because goverment contractors are incopetent with basic security.

        That's the 100% false hyperbole that The Man is shoving down your troat.

        He is not saying the truth, it would be "hi citzens, we screwed up wasting all your tax dollars on systems a 5yr old could misuse and then we added insult to the injury by connecting them online. now we are going to prosecute all the bad contracts we made and fix it with secure applications"

        instead he is saying "the internet is dangerous, we will collect information from everyone everywhere and will violate all your privacy, because the internet is dangerous"

        How the hell can i use my mod points on the article? it's clearly flamebait.

    • by cpu6502 ( 1960974 ) on Friday July 20, 2012 @01:18PM (#40715863)

      Obama does a good job of scaring the shit out of people and saying, "Let the government be the solution. Let us spy on your web habits via your ISP, and your cellphone via tracking. And oh yeah, we've decided to expand the TSA's mission to busstops, train stations, along highways, and at pulic facilties like malls and hotels."

      In that respect he's a hell-of-lot-smarter than George "duh" Bush but ultimately it's the same fucked-up destination. Let both the (D) and (R) president burn in hell.

      • by pixelpusher220 ( 529617 ) on Friday July 20, 2012 @01:25PM (#40715959)
        It does make you think. If Bush and the GOP think that Dems are government solution crazy....why in the hell did they start the massive gov't surveillance programs in the first place. Did they not think the Dems would 'improve' upon them?

        I fully believe if Bush hadn't started this dive into moral failure the Dems wouldn't have done it on their own, if only because the GOP would have, rightly, decried the invasions of privacy. But because of 'terrerism' somehow it was ok...

        Bush's fault for starting it, Dems and Obama's for continuing.
        • Re: (Score:2, Insightful)

          by cpu6502 ( 1960974 )

          >>>If Bush and the GOP think that Dems are government solution crazy....why in the hell did they start the massive gov't surveillance programs in the first place.

          Exactly.
          I'm happy to say I never voted for Warmonger Bush.
          Nor Obama the insurance megacorps' best friend.
          Or Romney the corporate prostitute AND warmonger.
          (We just keep getting one lousy president after another.)

          • Only kibbitz I have is Obama made a calculated decision to go with Mandate vs Gov't Single Payer in order to try and get some GOP support.

            In a world without political calculations (& Unicorns!) I think he'd have done away with said insurance megacorps...
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        And why? What the president is saying isn't 100% bullshit, which is a difficult thing to swallow - for me, too, and I voted for him. Of course it isn't nearly the truth, either. The truth lies somewhere in between "nothing will happen" and "The only way to be sure is to nuke it from orbit" and it shifts.

        I will tell you this, not long ago there were some oil pipeline explosions in Russia (not the USSR). The explosions happened just as Russia was starting to make a big dent in middle east oil production and,

    • ...or whomever wrote it for him did.

    • by Johann Lau ( 1040920 ) on Friday July 20, 2012 @01:51PM (#40716317) Homepage Journal

      How so? Obama came into office on "hope" & "change", and he just helped consolidate the police state Bush kicked off even more. Oh, and he went from torture to "kill lists", and he payed banks for being too greedy for their own good. He didn't change a fucking thing, he just lubed it up for you, all nice and sophisticated and bullshit-y.

      No, all he (well, his handlers) did was pulling one on you, and you just sit there and celebrate it with empty phrases like "he facilitated thinking". For fucks sake? What does that even mean? Your BRAIN would facilitate thinking, IF you had one.

      I'm pretty sure they simply implemented the same policies that are chugging along all the time, anyway, and this time with the diction of Tuvok instead of dumb smirks.

      • Re: (Score:3, Insightful)

        by Johann Lau ( 1040920 )

        Actually, you could say they merely applied a different CSS file to the exact same fucking HTML.

        OH LOOK, IT'S A NEW WEBSITE I NEVER SAW BEFORE!

        Gah...

  • Who cleans up (Score:5, Insightful)

    by codepigeon ( 1202896 ) on Friday July 20, 2012 @12:45PM (#40715281)
    I keep wondering who will be responsible for cleaning up the thousands or millions of pc's that get infected (or re-infected) years after a "cyber" war is over. I have never heard an answer to that.
    • by Anonymous Coward on Friday July 20, 2012 @12:50PM (#40715369)

      I have an answer . . . MyCleanPC!!!1! I just installed it on my PC and I'm re++--_#*$NO CARRIER

    • by ethanms ( 319039 )

      I wonder who will be responsible for cleaning up the physical damage after some of these incidents? Halliburton, or other major contractors? Perhaps they'd be happy to have these things happen...

    • by pr0t0 ( 216378 ) on Friday July 20, 2012 @01:08PM (#40715685)

      That will fall to people like you and me. Do you have what it takes? Remember, service guarantees citizenship.

    • by jo42 ( 227475 ) on Friday July 20, 2012 @01:17PM (#40715851) Homepage

      Send clean up bill to:

      Microsoft Corporation
      One Microsoft Way
      Redmond, WA 98052-7329
      USA

    • by tool462 ( 677306 )

      I'm going to start a company called Hackerburton and position myself to pick up all those juicy post-cyberwar reconstruction contracts. I'll hire another contractor called Blackhatter to be in charge of my team members' security.

    • I keep wondering who will be responsible for cleaning up the thousands or millions of pc's that get infected (or re-infected) years after a "cyber" war is over.

      Oh, that's a simple one. No need to worry about "after", just assume it'll never be over.

      The worst things can't be fixed. A restore won't make your corporate discoveries secrets again. Your system use experience might even remain as delightful as ever with you left unaware that anything has happened.

      It's a bit silly to talk about maintenance issues when the real consequences are from data compromise or from the malfunction of something that matters.

      We should ask if we are secure, or do we just maintain a

  • by rot26 ( 240034 ) on Friday July 20, 2012 @12:48PM (#40715323) Homepage Journal
    Obama's Portrait of Cyberwar Isn't Complete Hyperbole

    No, it's only 99.8% hyperbole. Someone has calculated the half-life of the current set of "crises", and decided that we need another urgent problem to address.
    • Re: (Score:2, Funny)

      by Moheeheeko ( 1682914 )
      I think its more along the lines of he watched the movie Hackers and thought you could actually do ANYTHING they do in that movie.
        • I never said things dont get hacked, but what really happens is data gets stolen, not changing the show on the tv station you are watching or sinking an oil tanker (thats the shit they do in the movie).
          • by zlives ( 2009072 )

            but... but... they do that in "leverage" all the time... it must be true, just like House can fix any medical issue and ......

          • by asylumx ( 881307 )
            Ya! Hackers could never do something like write a virus that is engineered to seek and disable nuclear centerfuges... (http://en.wikipedia.org/wiki/Stuxnet)
      • by MozeeToby ( 1163751 ) on Friday July 20, 2012 @01:12PM (#40715773)

        Oh for crying out loud. Stuxnet managed to damage equipment and all but shut down a nuclear weapons research program, and that was attacking secured PCs that were on a closed network. Do you have any idea how poor security is at your communities local infrastructure? If a single virus, by all accounts written by no more than a half dozen people over the course of a year, can do significant damage to a secured computer network, why is it ridiculous to imagine that a foreign nation could shut down water treatment plants at dozens of places in the US? Please explain, what exactly is the difference between programming a centrifuge to spin at a rate outside it's safety margin and programming a rail switching station to reroute trains randomly?

        • by zlives ( 2009072 )

          "secured PCs that were on a closed network"
          stuxnet was propagated by usb keys which fail the closed network test.

          "security is at your communities local infrastructure"
          probably pretty low, however a closed network would be designed to not allow outside connection via the net or physical media. Even then for physical media it becomes a physical sabotage scenario rather than cyberwarfare.

          • Stuxnet was still cyberwarfare. Just because it used a social engineering tactic to bridge the air gap doesn't change that fact. Just like having fighter jets doesn't make the navy not a navy.

            Yes, a hypothetical secure closed network could be designed to not allow connections via the net or physical media. But the point is, even if your local water treatment plant or BNSF switching yard was on a closed network, the chances of there being at least one PC on that network with a working USB port is pretty damn

    • Richard Clarke would disagree with you.
    • Comment removed based on user account deletion
    • by geekoid ( 135745 )

      SCADA systems all over the country are constantly being probed and attacked. Avery day.
      IT's not hyperbole at all. This isn't physical warfare. A small team of people could attack everything he mentions at the same time.
      It would be a cheap attack, it would be an effective attack, and probably very successful.

      • by Uberbah ( 647458 ) on Friday July 20, 2012 @01:49PM (#40716301)

        SCADA systems all over the country are constantly being probed and attacked. Avery day.
        IT's not hyperbole at all.

        It's total hyperbole. If it was so easy to crash major systems it would have happened already. Then there's the fact that, as with many facets of war, the United States is the first one to use the weapon it pretends it needs defense against. Like nukes, ICBM's, and now "cyber warfare", in Iran with the stuxnet virus.

        • the United States is the first one to use the weapon it pretends it needs defense against. Like nukes, ICBM's, and now "cyber warfare", in Iran with the stuxnet virus.

          ICBMs??

          When did the USA use an ICBM?

          Or did you mean "develop the fist ICBM (the R-7)"?

          Yah, that guy we had develop the R-7, Sergei Korolyov was one smart cookie, wasn't he?

          What's that you say? He was Russian?

          My bad...so, we didn't use an ICBM first, we didn't develop the first one, what exactly did we do "first" with an ICBM?

          Hmm, use on

  • by medcalf ( 68293 ) on Friday July 20, 2012 @12:48PM (#40715329) Homepage
    I think it would be an excellent idea to harden our infrastructure and make our social and political systems for responding to change more resilient. That does not mean that spinning tales of disaster that can only be averted through legislation is anything other than hyperbole, though. I have yet to see anything about this cybersecurity bill that does not involve centralization (reducing resilience) or regulation (reducing diversity and thus making attacks more effective because more widespread), and so far nothing that really looks like it would actually harden our information infrastructure in any meaningful way.
    • Because corporate america doesn't want to spend money on security.
    • by Calibax ( 151875 ) * on Friday July 20, 2012 @01:19PM (#40715875)

      It's not likely that anything will be done to harden the US infrastructure without legislation. The necessary work requires money to be spent and neither public nor private organizations will do that unless there is some sort of legal requirement that they do so.

      People who think the president was "over the top" have little imagination - I'm quite certain there are some very bright people in various countries working to create a series of Stuxnet type products to attack the infrastructure of Western nations. Be in no doubt, no nation has a monopoly on brains or computer technology. Access to details of of Western infrastructure is either openly available or have already been stolen. Figuring out the weak spots and how to attack them probably isn't that hard.

      However, it's not obvious exactly how to solve the problem. It's not obvious that the current cybersecurity bill will help. The sad fact is that it's been written by lawyers and politicians who have no idea about the technological challenges and how to resolve them, so they are doing what they know - add bureaucracy. Until computer scientists and engineers are taking the lead nothing worthwhile will be done.

      • Critical infrastructure is very likely 'regulated' infrastructure. We already have all the enforcement mechanisms we need.
    • regulation (reducing diversity and thus making attacks more effective because more widespread),

      Regulation does not necessarily lead to this. Suppose, for example, that infrastructure services were required to use systems that have been rated EAL4+ (essentially the highest level that typical commercial products receive), and that they were required to develop RBAC or MLS/MCS policies to secure their systems -- this is not a substantial loss of diversity, and it would go a long way toward security. Similarly, minimum key sizes for common crypto algorithms, and the use of cryptography could be manda

    • "I have yet to see anything about this cybersecurity bill that does not involve centralization (reducing resilience) or regulation (reducing diversity and thus making attacks more effective because more widespread),"

      Mod parent up!

  • by gmuslera ( 3436 )
    you don't understand the current important cyberthreats, and we don't care about them neither, but lets paint an improbable/impractical scenario with big explosions and use that excuse steal even more privacy/control from all of you to benefit our sponsors.
  • 'Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud,' Obama wrote, describing a nightmare scenario of a cyber attack. 'Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.' All because of hackers!"

    That's like a hacker's day-dream from the 80s.

    • Re:wow (Score:5, Informative)

      by oh_my_080980980 ( 773867 ) on Friday July 20, 2012 @12:57PM (#40715469)
      In the '80s the United States sent oil pipeline controls with a trojan in it to the Soviet Union....it's not far fetched.
      • Re:wow (Score:5, Informative)

        by Jah-Wren Ryel ( 80510 ) on Friday July 20, 2012 @01:33PM (#40716071)

        In the '80s the United States sent oil pipeline controls with a trojan in it to the Soviet Union....it's not far fetched.

        Subtle but important difference - the story is that the russians were known to be stealing control software [wikipedia.org] so the CIA arranged for the copy that they stole to contain sabotaged code.

      • by hoggoth ( 414195 )

        So at this point there have been two real world examples of government sponsored hackers targeting a specific foreign government's infrastructure via trojans and viruses.
        1) The United States attacked Soviet oil pipeline controls.
        2) The United States and Israel attacked Iranian nuclear facilities.

        Hmm... there seems to be a common element...
        I'm not saying it was a bad thing to stop the Iranians; But it is an interesting fact to note that in CyberWar just as in Nuclear War there is only one nation that has eve

    • Re:wow (Score:4, Insightful)

      by UnknowingFool ( 672806 ) on Friday July 20, 2012 @01:06PM (#40715659)
      Stuxnet is one example of what is possible. Stuxnet however was designed to be highly targeted and controlled. Most security experts believe it was designed against Iran's nuclear program. It also was designed to delete itself after a while. Yet this highly focused attack was able to damage an estimated 1100 centrifuges. Image what an indiscriminate attack would do.
      • An indiscriminate attack would not be able to do anything.

        Have you looked at Stuxnet at all? It required tailoring for the setup of the Iranians, if you'd wanted to attack their train system, you'd have needed to create a separate attack for that. You can't just make a hack and hope it will destroy everything it comes across, these are specialized controllers.
        • by zlives ( 2009072 )

          yes but didn't some once hack the alien ship with a mac... in a couple of minutes...

        • I'm sorry, "Independence Day" showed you can hack alien super ships with a quick virus. Duh ;-)
        • Stuxnet took advantage of a flaw/setup for a Siemens PLC controller. Even then it searched for the exact configuration that the Iranian centrifuges had. Stuxnet sent commands to ramp up the centrifuge speeds past safety limits and send out false readings to the control consoles. Siemens PLC controllers are in many, many places running many, many motors. Mimicking the same behavior but removing the check for Iranian centrifuges would make it dangerous.
  • by Hatta ( 162192 ) on Friday July 20, 2012 @12:55PM (#40715435) Journal

    Bankers have already pulled off a caper far worse than the unlikely scenario described here. Obama can direct his justice department to hold these bankers responsible under laws that already exist. How serious can he be about protecting America when he refuses to prosecute criminals who have damaged our national security so thoroughly?

    • Re: (Score:2, Funny)

      Somewhere in there there's a coherent thought...you just need to work on it a little.
      • by Hatta ( 162192 ) on Friday July 20, 2012 @01:04PM (#40715607) Journal

        Obama wants new laws to protect us against a hypothetical threat. But he has failed to use the laws he already has against those who have already damaged this country more than a foreign enemy could hope to. The only explanation is that Obama is not concerned about protecting America at all.

      • Right back atcha. His comment was sensible with a side of correct.

    • by miknix ( 1047580 )

      THIS!

      The scenario was much worse because it didn't touch only America but also the rest of the world.

    • True, but hackers aren't giving campaign money to politicians.

    • Protecting the wealthy, the influential and campaign contributers is a major, unsung component of protecting America.

  • These scenarios are pure fantasy as related to "cyberwar". The "cyberwar" term is only used to create fear and get more money. Sure, if IT security in critical infrastructure is really on an utterly pathetic level (and some is), somebody could cause a lot of damage. But that is more an individual, like a disgruntled ex-employee, not any kind of military term on the other side.

    The fix is not to have another dysfunctional military buildup, the fix is to make those responsible for critical infrastructure, dang

    • Because the United States does so well at punishing corporations....."0.0025 percent of corporate revenue on average is spent on information-technology security"

      We have a problem. It's not hyperbole. It's something that needs to be taken seriously. Agreed we don't need to exponentially increase the defense budget in the name of cyber security but we do need to make it a priority and we do need to get corporations that control our infrastructure to invest in security.
      • by gweihir ( 88907 )

        Just what I am saying. However, calling it "cyberwar" is counterproductive, as with this term all the money will go to the military and none of it will actually improve IT security anywhere.

  • by Nkwe ( 604125 ) on Friday July 20, 2012 @01:02PM (#40715581)
    "It's time to strengthen our defenses against this growing danger" is how the op-ed ends. I agree. I would assume that most would also agree as well.

    The challenge of course is agreeing in what does "strengthen our defenses" mean. To me it means disconnecting critical systems from the Internet. Yes, that means that it will take more people to operate those systems and it means less centralization. These things will make it cost more; but security has always (and will always) have a cost in terms of money / resources and convenience. In the case of critical infrastructure, these costs are worth it.
  • by ethanms ( 319039 ) on Friday July 20, 2012 @01:06PM (#40715657)

    A straight-forward set of solutions to some of these potential problems:

    - A human being with a brain is left still ultimately responsible for the operation of trains, planes, etc... "the computer gone haywire" scenario becomes one of inconvenience and slow-downs vs. disaster and death

    - Double checking of automated processes... the treatment plant is not a "set and forget" operation, humans should be monitoring the quality of the drinking water and the output of the treatment plants using manual devices--these are double checks for any automatic monitoring

    - Disconnect critical systems from public (and sometime even private) networks. There is no reason to allow remote operation of many of these plants and facilities, so that's first and foremost (if it doesn't NEED to be remote controlled, then don't allow it). Second, for many of these systems simply making sure that they are connected only to secure and private networks would do wonders for preventing outside hacking, and while you're at it eliminate gateways between public and private networks.

    At the end of the day it comes down to the human factor. Keep human's located at the equipment, and properly trained in it's operation (and recognition of malfunction) and these disasters will be easily averted.

  • Any substantial cyberwar will turn into a substantial shooting war within a matter of days.

    Put that in your policy think tank and smoke it.

  • by account_deleted ( 4530225 ) on Friday July 20, 2012 @01:19PM (#40715877)
    Comment removed based on user account deletion
  • by Johann Lau ( 1040920 ) on Friday July 20, 2012 @01:34PM (#40716087) Homepage Journal

    Is it like regular warfare, where two sides armed with arsenals of deadly weapons open fire on each other and hope for total destruction?

    Not even regular is like that. Regular was is two or several sides having people who are armed and those who get to pay and suffer.

    Let's say for example, China and America had an all out war: in that case the common American citizen and the common Chinese citizen have a LOT more in common than the common American or Chinese citizen have in common with their leaders.

    The whole thing of equating the policy of war profiteers with the people in a country is fascist bullshit. It's usually, and certainly often when America is involved, not "country A fighting country B", it's "group X (elites in countries A and B) fighting group Y (the people in countries A and B)".

    Seriously, pay some fucking attention already.

  • The real question is how government will respond to this perceived threat. They could push for better software and system security. Instead, they'll likely use the fear of this threat to increase their size and find yet another way to restrict people's freedoms.

  • Try because of extreme negligence. How many supposed hacks are because the admin password was 'password' or equivalent? When are we going to demand that due diligence is required when it comes to computer systems? Oh wait, never mind, that might cut into corporate profits, we can't have any of that.

  • outsourcing leads to stuff like being on line so it can be controlled remotely

  • I'm worried about this. We're seeing too many attacks and persistent threats that seem to be laying the groundwork for something. Viruses and worms used to do something actively hostile. Now, there are ones that just slowly take over machines and wait for further instructions.

    There's a lot of infrastructure which used to have big maintenance forces, but no longer does. Water systems, pumping stations, power substations, cell sites, air conditioning, and railroad signalling are all remotely controlled, a

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...