U.S. not ready to launch offensive cyber attacks, charges Congressman Rogers

“The Russians can flip a switch and their Internet goes down; the Chinese can flip a switch and their Internet goes down. We can’t do that here, nor should we, but it leaves that 85 percent of private-sector Internet vulnerable,” he explained. “We are not prepared if the federal government wants to take an offensive response. The 85 percent is not ready for the retaliation.”■

via U.S. not ready to launch offensive cyber attacks, charges Congressman | Federal Times | federaltimes.com.

China’s strategy: infowar, poliwar, lawfare

Deceive spectrum activity at its finest. It doesn’t have to be all political, after all. So China makes dubious legal claims, convinces people that they are real by creating media illusion, and creating political discontent. This is not new, but apparently the west never gave it any great strategic thought…

Bet we haven’t given any serious thought to economic warfare, either. Economics 101 taught me that communism places the means of production in the hands of the people… What if those people are all in China?

http://www.smh.com.au/world/chinas-new-weapon-for-expansion-lawfare-20140411-zqtir.html

Destroy: Assassination by hacking an automobile – Richard Clarke suggests its been done.

Ok, so where to begin?

Look we all know that hacking is serious now. Control systems hacks are the in thing at the moment, and what is cooler than hacking a 2000 pound mountain of steel and plastic that can barrel down the road at 100 miles per hour? They did it in SnowCrash, and Shadowrun, after all. The singularity must be nigh, right?

This article in the Daily Record suggests that the death of the journalist who exposed General McChrystal was engineered, per Richard Clarke. Now, I’m not generally the kind of guy who believes in ghost stories. Spooks in the wire are the kind of scary tales that con-goers hear each time they show up at B-Sides, heck, I use those kinds of stories to my advantage all of the time. I imagine it could happen, I know its possible. We saw Charlie Miller’s laptop demo on the Prius last year. So we all know its possible. But the idea that its being done actively feels like security theater. It feels like:

We’re going to take out journalists boys… Lets use an enormously advanced hack that will leave a lot more evidence and exposure to scrutiny, instead of simply screwing with his brakes, it will be good practice.

http://www.dailyrecord.co.uk/news/crime/cyber-predators-could-computer-hackers-3100532

So, this is the ultimate Destroy attack. Assassination by computer. At least according to supposition from a former White House advisor. What do you think? Is this the next step in the “cyber-arms race?” Or, is it just speculation to sell newspapers?

Military Budget limits cyber weapons proliferation, except in legitimate BUSINESS SELF-DEFENSE

The Verge reports that the Defense spending bill signed by President Obama back in December, offers funds to help reduce the sale and spread of exploits. The article then uses the term legitimate self-defense, as a valid reason to allow these exploits to continue to be traded. Is this something specific to DIB companies? Is there counter attack from small companies in the future? Can I hire licensed, armed cybersecurity guards, yet?

The $552 billion 2014 military defense budget signed by President Barack Obama will continue to fund high-tech cyber and unmanned aircraft operations. The budget, which grants central Cyber Command $68 million in operational costs alongside more money for research and individual unit operations, instructs agencies to work towards controlling the proliferation of “cyber weapons.” That means stopping the sale or spread of malicious code for “criminal, terrorist, or military activities” while allowing governments and businesses to use it for “legitimate” self-defense.

The Verge – US military sees more drones, ‘cyber weapon’ non-proliferation in the future

Claims that cyberspace is now cyberbattlefield

http://resources.infosecinstitute.com/classified-nsa-exploit-tools-radon-dewsweeper-work/

From the article:

Security expert Bruce Schneier is one of the most authoritative experts who revealed that the NSA has a wide-ranging arsenal of zero-day exploits to use for cyber operations. The revelation isn’t surprising, the security community is aware of the great effort spent by governments on cyber operations. Many intelligence agencies have created dedicated internal units, specialized in hacking for sabotage and cyber espionage. Almost every government is improving its cyber capabilities, in many cases they’re working in the development of cyber weapons.

The article goes on to describe two alleged NSA tools, one using RF to communicate. So, my question is:

Does a government data collection / espionage activity, even one that that has the ability to become malicious, rise to the level of warfare? Espionage is not war. Thats why the US sent a Russian supermodel packing a few years ago, rather than fire missiles on Moscow, back before Anna Chapman appeared in Playboy, or proclaimed her love for Snowden.

Lets be clear, espionage is not war.

But maybe its preparation for it. Right, China, Russia, Israel, DPRK, UK, FRG, Australia, Brazil?

Cyber mass shooter

http://p.washingtontimes.com/news/2013/oct/3/cyber-mass-shooter-poses-future-threat-computer-se/

What a great article. Of course General Hayden’s comments beg the question, how do you stop a criminal, if you can’t defend yourself? This really goes directly to the need to be able to respond to an immediate threat with a proportional use of force in self-defense. Of course, some will argue that it is illegal, and some will say that it invites retaliation, and others will continue the attribution arguments. I will point to the Network Use of Force Continuum, which indicates that if you are not appropriately defending your networks, then it is difficult to justify a more aggressive form of self defense.

From the article:

The fastest-growing cyber threat is from a kind of digital mass shooter, a deranged or outraged hacker able to obtain cyberweapons currently available only to nation-states and organized crime, a former senior U.S. intelligence official said Thursday.

“They’re just mad, they’re mad at the world,” said retired Air ForceGen. Michael Hayden. “They may have demands that you or I cannot understand.”

Mr. Hayden warned that within five years hackers “will acquire the [cyberattack] capabilities that we now associate with criminal gangs or nation states,” such as being able to conduct online sabotage of industrial control systems that run power plants, factories and utilities.

Thanks General Hayden! You set them up and we’ll keeping knocking them down, sir.

Malware Attribution is a Waste of Time

According to Ellyne Phneah‘s piece at ZDNet, Rob Rachwald, senior director of research at FireEye observed that the security industry today is keen on attributing malware to a specific region or group in an effort to assign blame.

[H]e pointed out attribution to malware was not key in combating cybercrime because it did little to improve the state of security and most attribution took a long time and may not be accurate.

via FireEye: Malware attribution not key in cybercrime fight | ZDNet.

When guns are outlawed…

…then only outlaws will have guns. Or so goes the old saying.

The Senate Armed Services Committee wants to get control of those pesky cyber weapons that are available for purchase by just about anyone by establishing an arms control regime along the lines of what’s done for missiles, tanks, and fighter jets.

via The U.S. Senate Wants to Control Malware Like It’s a Missile | Killer Apps.

According to John Reed, writer for the Killer Apps blog at ForeignPolicy.com, the U.S. tried this once before, with crypto, and the cipher punks had a field day with it.