Has the ‘Cyber Pearl Harbor’ already happened?

The Russians are picking our pockets, the Chinese are stealing our most vital secrets, and there’s nothing we can do about it – and it’s all going to get worse.

That was the basic conclusion after Friday’s Air Force Association cyber-conference, where speaker after speaker drove home the utter futility and helplessness of today’s cyber climate, all the while warning that the problem will only grow.

Richard Bejtlich, chief security officer for the info-security firm Mandiant, said 100 percent of the high-profile intrusions his company tracks were done with “valid credentials” – meaning the cyber bad-guys had been able to steal a real user’s login and password, obviating the need for more complex attacks.

The typical time between an intrusion and its discovery is 416 days, he said – down from two or three years – and the way most companies find out about them is when they get a visit from the FBI.

The publicly available malware in the so-called “cyber underground” is now so good that you can do a lot of damage without a dedicated team of code-writers coming up with their own stuff, speakers said. In fact, the much-discussed cyber attack against Georgia was carried out mostly with publicly known tools – “there was nothing sacred here,” said National Defense University iCollege chancellor Robert Childs.

Cyber-intrusions and compromise are so endemic, Bejtlich said, that many attackers don’t even bother with the wholesale vacuuming of information that used to characterize cyber-snooping. Now hackers go after very specific pieces of information, often data that is useless on its own, he said.

He described how a company had approached Mandiant befuddled that someone would want to steal a certain proprietary device, because it only worked in combination with a specific chemical formula owned by another company. Naturally, it wasn’t long before the second company discovered it was compromised, and also befuddled because its chemical formula would only be useful to someone who had information about the device manufactured by the first.

Online miscreants are also becoming more sophisticated at a strategic level, Bejtlich said: He described how they might target small companies that were merging with larger ones, to avoid trying to attack the bigger firm’s online security. Instead, by compromising a small company’s computer networks, the bad guys can then get into the new common network after a merger.

This can have profound financial as well as security implications, Bejtlich said – if you’re an aerospace giant and you want to acquire a small firm because its widget is worth $10 million, but then you discover it’s been cyber-stolen and no longer proprietary, the technology might only be worth $10,000, and that could put your shareholders and Wall Street in a bad mood.

And you can’t do anything about any of this. Government officials won’t talk about offensive cyber-attacks, so we can’t go there. Private sector clients in crisis with Mandiant often ask, how can we get back at these guys, or at least, can we destroy the data they’ve stolen, Bejtlich said.

“I’ve never seen somebody execute this, because of legal concerns,” he said. “The CEO says, ‘I wanna get these guys,’ but if there’s a lawyer in the room, what does he say? ‘Absolutely not.’”

Going after data that has been stolen from your network is like following a thief who has stolen your television and then breaking into his house to steal it back, Bejtlich said – “not authorized by our legal code.”

The law can’t catch up with cyber, as we’ve seen so many times, and by the time the feds knock on your door to tell you about your compromise, it’s too late. Even though officials have been warning about cyber-dangers for more than a decade, the cyber-world has basically been treading water the whole time, another speaker argued.

“I’ve been at this conference for 15 years,” said Jason Healey, an analyst with the Atlantic Council. He showed government reports warning of “computers at risk” from 1991 and before, and said although the technology involved has gotten much more advanced since then, the cyber doctrine, for lack of a better term, has not.

Healey argued that the U.S. can’t afford to keep being coy with China. It must build a coalition of cyber-victims and formally call out Beijing on the world stage, citing specific examples of Chinese hacking. Healey said Washington has never laid out its cyber-grievances in this way, and suggested that threatening to embarrass China might be one first step.

He also said the cyber-world must dispense with its worries over “attribution” – tracing the origins of attacks. Healey repeated the factoid that 178 countries were “involved” in the 2007 cyber-attack on Estonia: “Who cares?” he said. “That is completely meaningless.” In those situations, if the U.S. is affected, “the president needs to pick up the phone and call the Kremlin.”

(For what it’s worth, Bejtlich said the lines between Russian government and organized-crime cyber-mischief were so blurred as to be nonexistent. As for China, he said that if you want to know whether you’ll be a cyber-target, see where your company falls on Beijing’s regular five-year plans of industrial priorities – the list tracks very closely with the roster of hacking victims.)

An audience member’s question Friday crystallized all the speakers’ points at the cyber-conference: The much-feared “Cyber Pearl Harbor” has already happened, he said. Global cyber crime is more profitable than the drug trade. America’s onetime technological advantage is gone; much of its intellectual property secrets have been stolen.

“People just haven’t realized it yet,” the questioner said.

It’s a depressing thesis, but from all the public statements about cyber-losses, it sounds plausible, unless a true “Cyber Pearl Harbor” — in which bad guys knock out the power grid or the financial system or our telecommunications — happens tomorrow. Even if it doesn’t, Healey proposed a new set of parallels: A “Cyber-Vietnam,” i.e. a prolonged campaign, rather than a single sneak attack; or a “Cyber Battle of Britain,” in which the government appeals to — or impresses — private citizens for help in responding to a major crisis.

Can anything be done? Healey called for “cyber-mindedness,” for users to be that much more careful when they use the network, and for military cyber-units to study their forebears as airmen study MiG Alley or Operation Linebacker.

Maj. Gen. Suzanne Vautrinot, commander of the 24th Air Force, said military networks must be “proactive in defense,” able to monitor intrusions and irregularities and turn them against attackers. She showed the infamous clip of New York Giants bruiser Lawrence Taylor tackling Washington Redskins great Joe Theismann – crushing his leg and ending his career. That’s what cyber-defense has to be, she said.

Bejtlich left attendees with perhaps the most hopeful metaphor: The best organizations turn cyber-security “into a manageable situation,” he said – “they go from being a volunteer fire department to a continuous business process.”

In other words, governments and businesses must treat cyber-security like a chronic disease, a condition that will always be there, but can be managed and even suppressed. Bejtlich said if he could, he’d mandate that everyone did an inspection every 30 days to see where their networks were compromised, then act appropriately once discovering the details.

Turning to the inevitable cyber-football analogy, Bejtlich said defenders have to stop permitting attackers to complete touchdown passes every time. Instead they’ve got to pressure the quarterback and defend downfield, forcing attackers to try for field goals instead.

“The bad guys are going to complete passes, they’re going to compromise your systems, get to your data, try to aggregate it, encrypt it, exfiltrate it, and you want to prevent them from getting to the point of the extrusion,” he said. “If you have fast identification, fast containment, if you can get to them before they complete their mission, it may not matter as much that they’re in your system.”
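Bejtlich’s “fast identification, fast containment” point can be made concrete. The block below is an added example, not code from the conference, from Mandiant or from the article, and runs over constructed CSV logs (the IP addresses are from the RFC 5737 documentation ranges). It implements two cheap detections for the pattern he describes: a successful login with valid credentials from a country the user never used during a baseline period, and a host whose daily outbound volume jumps far above its own baseline, which is what aggregate-encrypt-exfiltrate looks like on the wire. The baseline cutoff date and the 10x threshold are assumptions to tune per environment.

```python
"""Two detections for the 'valid credentials, then exfiltrate' pattern.
Added example over constructed logs; not real data and not any vendor's product."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample logs (RFC 5737 documentation addresses).
AUTH_LOG = """timestamp,user,src_ip,src_country,result
2012-03-01T08:02:00,alice,192.0.2.10,US,success
2012-03-02T08:05:00,alice,192.0.2.10,US,success
2012-03-03T07:58:00,alice,192.0.2.11,US,success
2012-03-01T09:10:00,bob,192.0.2.20,US,success
2012-03-02T09:12:00,bob,192.0.2.20,US,success
2012-03-09T11:30:00,bob,203.0.113.9,RU,failure
2012-03-10T02:14:00,alice,203.0.113.7,CN,success
2012-03-11T08:01:00,bob,192.0.2.20,US,success
"""

FLOW_LOG = """timestamp,host,dst_ip,bytes_out
2012-03-01T12:00:00,ws-alice,198.51.100.10,4800000
2012-03-02T12:00:00,ws-alice,198.51.100.10,5200000
2012-03-03T12:00:00,ws-alice,198.51.100.10,5000000
2012-03-04T12:00:00,ws-alice,198.51.100.10,4900000
2012-03-05T12:00:00,ws-alice,198.51.100.10,5100000
2012-03-01T12:00:00,ws-bob,198.51.100.10,6000000
2012-03-02T12:00:00,ws-bob,198.51.100.10,6200000
2012-03-03T12:00:00,ws-bob,198.51.100.10,5800000
2012-03-11T03:00:00,ws-alice,203.0.113.7,420000000
2012-03-11T12:00:00,ws-bob,198.51.100.10,6100000
"""

# Assumption: activity before this date is treated as clean and used as the baseline.
BASELINE_END = datetime(2012, 3, 6)


def parse(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def ts(row: dict) -> datetime:
    return datetime.fromisoformat(row["timestamp"])


def new_location_logins(rows: list, baseline_end: datetime = BASELINE_END) -> list:
    """Successful logins from a country the user never logged in from during the baseline.
    Failed attempts are ignored: the point is misuse of *valid* credentials."""
    known = defaultdict(set)
    alerts = []
    for r in sorted(rows, key=ts):
        if r["result"] != "success":
            continue
        if ts(r) < baseline_end:
            known[r["user"]].add(r["src_country"])
        elif r["src_country"] not in known[r["user"]]:
            alerts.append((r["user"], r["src_ip"], r["src_country"], r["timestamp"]))
    return alerts


def outbound_spikes(rows: list, baseline_end: datetime = BASELINE_END, factor: float = 10.0) -> list:
    """Hosts whose daily outbound bytes reach `factor` times their own baseline daily mean.
    Hosts with no baseline days are skipped rather than guessed at."""
    daily = defaultdict(int)
    for r in rows:
        daily[(r["host"], r["timestamp"][:10])] += int(r["bytes_out"])
    baseline = defaultdict(list)
    for (host, day), total in daily.items():
        if datetime.fromisoformat(day) < baseline_end:
            baseline[host].append(total)
    alerts = []
    for (host, day), total in sorted(daily.items()):
        if datetime.fromisoformat(day) < baseline_end or host not in baseline:
            continue
        ratio = total / mean(baseline[host])
        if ratio >= factor:
            alerts.append((host, day, total, round(ratio, 1)))
    return alerts


def run() -> tuple:
    """Run both detections over the constructed logs."""
    return new_location_logins(parse(AUTH_LOG)), outbound_spikes(parse(FLOW_LOG))


if __name__ == "__main__":
    logins, spikes = run()
    for a in logins:
        print("valid-credential login from new location:", a)
    for s in spikes:
        print("outbound volume spike:", s)
```

On the constructed data the first detector fires once (alice, from 203.0.113.7 in a country she never used in the baseline) and the second fires once (ws-alice pushing 420 MB to that same address, 84x its baseline day). Neither signal alone proves an intrusion; together they are the kind of early indicator that lets a defender contain before the exfiltration completes, instead of waiting 416 days for the FBI.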

That, it appears, is the best diagnosis we can hope for. Congress can’t act – which means it can’t pass its own laws or ratify a theoretical international cyber-treaty. If the military and government are getting better at cyber-defense, the private sector remains more or less on its own. Here’s how Twitter user @hal_999999999 put it in a response to @DoDBuzz on Friday:

“It’s the old west, the Roaring Twenties, and the Cold War all rolled into one, w/some wires and CPUs… We’re gonna have to earn it.”

Join the Conversation

Of all of the metaphors used at this conference/in this article, the only one that I think is actually helpful or applicable to understanding cyber threats is the “disease” model. The others strike me as hollow or harmful, as they either a. try to force the debate into a framework that doesn’t really apply (“Cyber Pearl Harbor”) or b. are just unhelpful (the football metaphors). The health idea, though, is very helpful, because it more accurately captures the range of actions and countermeasures necessary to deal with the threat, from preventative to pro-active to reactive to management of symptoms.

“And you can’t do anything about any of this.”

*unplugs server from internet*

My idea for cyber-security is sitting outside a server room with a case of beer and a shotgun.

Seriously. The only leak of consequence thus far was Manning, and there wasn’t any Tom Clancy cyber-hooey needed for that; just some early-twenties blue-suiter who thought that getting a seat at the grown-ups’ table meant he was invited to be part of the conversation.

“100% of intrusions involving a username and password were found to involve a username and password”, says security firm who promises that with a $100-million contract from the USAF they’ll be able to fix all the problems forever.

“Maj. Gen. Suzanne Vautrinot, commander of the 24th Air Force, said military networks must be “proactive in defense,” able to monitor intrusions and irregularities and turn them against attackers. ”

See, the problem is that this is not what’s actually happening. This isn’t someone trying to drop bombs on a target; this is more like someone who’s snuck into a doctor’s office and is going through the files. The way to solve the problem is to lock up the damn files.

Actually, the bulk of lost usernames and passwords come from the user clicking on a faulty link and getting phished or getting a virus. Malware has replaced Watergate. $1 billion worth of firewalls and antivirus software can be bypassed by one idiot with a mouse click. In the DoD each user is required to take classes annually on social media usage, password protection, wireless security, and phishing awareness. I don’t have statistics on DoD breaches, but a lot of the stuff listed in these articles seems to point at security problems with DoD contractors where the DoD’s network security isn’t present.

Here’s a tip. How about you don’t have all your goddamn computers hooked to the internet? “Hellooo McFly, anybody home?”

Instead of usernames and passwords, government should switch to biometric fingerprint identification to get onto networks. Instead of a CAC reader, they would have a fingerprint reader. Wouldn’t solve all issues, but I think would be a good step.

Why can’t we simply require more closed offline networks? That is, systems that are physically incapable of remote access because they physically do not have the hardware to go onto the internet or be remotely accessed.

I say the Government simply take offensive action. If other nations are disavowing these attacks and ignoring us, we should attack those rogue networks… and let who ever it is step forward to civilly sue for damages. If they do, it just gives the Government someone to go after. Even in the instance of attacking the wrong target, its a digital landscape where those potentially taking collateral damage can easily be remedied… “here’s a new computer, you should better protect your network from being taken over next time.” Where that occasional payout while we go through the process of figuring out what’s acceptable, is going to be less than the damages done to our economy and security. It is that low cost to high gain that makes it so advantageous for these criminals; so we can turn that around on them.

We already have that, called the Siprnet.

There are other vulnerabilities besides being plugged into the internet. For example, your computer needs to have its time synced; how is that done?

True, but I would think there are in-house solutions for most of those kind of things… I’d be the first to admit I truly am not an expert on server-security, though. I could very well be talking out my fart-hole, in which case let’s just hope there are some egg-heads out there who get paid good money to come up with great solutions.

The DoD’s networks are already pretty secure. The problems being described are with industry on their corporate networks.

The need is there and it’s overlooked by “BIG BRASS”. Time to invest in cyber defense more than JLTV, since a cyber attack can lobotomise the whole nation. Since it’s not a BIG project like a weapons system like GCV, most generals don’t think it’s relevant; time to convince them otherwise before it’s too late.

Yes but there are companies like Lockheed, Boeing, Northrop Grumman other defense companies who probably have some classified information on their networks which are probably not as secure as DoD networks

Not really needed if the system is administered properly. You can sync a closed network to the internal DHS which does not have to be connected to the outside world just manually verify drift once a month.

“Government officials won’t talk about offensive cyber-attacks, so we can’t go there.”

What the heck? Why not? It sounds like we need to treat this like nuclear deterrence. We have the best hackers in the world. If we hack them worse than they’re hacking us they won’t hack us anymore and this will force them to negotiate. If anyone hacks us, we’ll need to hack them right back.

Oh Well. When poop is stirred it makes a bigger smell but the smell don’t last as long. In times gone by, in history past, we faced the same problem. Not as complicated because there was no world wide web and most of the people then believed the country’s security was more important than their personal right to do un-godly things. Most of the attacks are motivated by greed, the lust for money and a bigger chance to commit the sins undetected. How it was handled in history back then was not effective in curing the problem but it did give the government time to fix some of the causes of the big problem. Very unpopular. Wage, price, and travel control. Yes. Mr. Tricky Dicky, The Honorable Mr. Richard M. Nixon. In his final attempt to fix the problem he broke the law. Still, I never did believe the crap that it was for political reasons; it was his final term in office. Anywho, the problem is worldwide greed for money and a lust for power. Jesus said that there would be one sign given, The sign of JONAH. JESUS SAID

right??? or have the data in a constantly drifting in a closed network system.

You shouldn’t need the web for any reason in a closed network system…

You cloud store all the data on solid state drives and keep that as your way to transfer data…

Or just link a bunch of monkeys together with typewriters and wait for them to come up with a better answer.

Yeah but that biometric would still have a numeric identifier or algorithm stored in the computer, which is the same basic concept. Be nice if it were that simple though wouldn’t it?

Everything we know now is not a cyber Pearl Harbor. For instance, a cyber Pearl Harbor would be the day when Echelon and all the satellites are brought down in an attack as a first-phase offensive attack.

But what is happening right now is not going this way, it’s much more futile, progressive and vicious than a classical military strike a la Pearl-Harbor.

I think that smartcards are already widely used, and there are viruses specifically targeting them.

Usually those systems store that information in a TPM chip. That’s a good step forward, but it has its limitations, and does not prevent hijacking the OS elsewhere.

>Be nice if it were that simple though wouldn’t it?

Yeah that would be nice, but it would not make me feel so good. ;-)

1. DO NOT buy anything manufactured or assembled in these countries!
2. Time to prosecute the “ANONYMOUS SOURCES” that leak information!

Can you give more details about this 2 part security?

I doubt it can stand against any capable attacker. For instance, Lockheed had countered an attack where some ISPs were hacked and what seemed to be SecurID tokens compromised; that was a few months after EMC (RSA Security) got hacked.

Intrusions & internal, undiscovered “viewing” have been occurring for decades. Nothing new there. Funny, though, that folks in our government are just now acknowledging these intrusions when the NSA has been tracking this stuff for a very long time; they can’t or won’t do anything about it for fear their own real capabilities (and intrusions?) will become known. Rest assured, The Enemy doesn’t want to shut down any of our intelligence or electronic systems cuz then they’d lose their advantage over us … knowing what we know and acting on it before we do. As for Facebook? Heck, that’s a wide-open screen door.

So if Blizzard can come up with a very affordable device for 2 part security (key fob + user ID & password), why can’t the federal government?

Maybe they should get a contract with Blizzard!
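The “key fob plus user ID and password” scheme asked about above, and the SecurID caveat raised a few comments earlier, can both be shown in a few dozen lines. The block below is an added example, not code from the article, from Blizzard or from RSA: it implements the standard HOTP/TOTP construction (RFC 4226 and RFC 6238), which is what most such fobs and authenticator apps use. The seed is the constructed SHA-1 test seed from RFC 6238 Appendix B, and the Account record, verify_login() and the PBKDF2 parameters are hypothetical choices for the example rather than any vendor’s API.

```python
"""Password plus a time-based one-time code from a shared-seed token (HOTP/TOTP, RFC 4226/6238).
Added example; Account and verify_login() are hypothetical, not any vendor's API."""
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed: the SHA-1 test seed from RFC 6238 Appendix B. A real fob and the
# server each hold a per-token random seed; whoever copies it computes the same codes.
DEMO_SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP window


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, unix_time // step, digits)


class Account:
    """Server-side record (hypothetical): salted password hash, the token seed, and the last
    accepted time step so a captured code cannot be replayed inside its window."""

    def __init__(self, password: str, seed: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.seed = seed
        self.last_step = -1


def verify_login(acct: Account, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass. Both checks always run, so a wrong password does not
    short-circuit and reveal through timing which factor failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    pw_ok = hmac.compare_digest(acct.pw_hash, candidate)

    if not (code.isascii() and code.isdigit()):
        code = ""  # malformed input can never match, and compare_digest needs ASCII
    current = now // STEP
    matched = None
    # Tolerate +/- `window` steps of clock drift, but never accept a step already used.
    for step in range(current - window, current + window + 1):
        if step > acct.last_step and hmac.compare_digest(hotp(acct.seed, step), code):
            matched = step
            break

    if pw_ok and matched is not None:
        acct.last_step = matched
        return True
    return False


if __name__ == "__main__":
    acct = Account("correct horse battery", DEMO_SEED)
    t = 59
    print("fob shows:", totp(DEMO_SEED, t))
    print("password + fresh code:", verify_login(acct, "correct horse battery", totp(DEMO_SEED, t), t))
    print("same code replayed:", verify_login(acct, "correct horse battery", totp(DEMO_SEED, t), t))
    print("right code, wrong password:", verify_login(acct, "guess", totp(DEMO_SEED, t + STEP), t + STEP))
    # The SecurID caveat from the thread: an attacker holding a copy of the seed is indistinguishable
    # from the fob, so seed theft at the vendor collapses the second factor back to the password.
    print("attacker with copied seed:", verify_login(acct, "correct horse battery", totp(DEMO_SEED, t + 2 * STEP), t + 2 * STEP))
```

A stolen password alone fails because the code changes every 30 seconds and is derived from a seed the phishing page never sees; a captured code fails on replay because the accepted step is recorded. What the scheme does not survive is theft of the seed itself, which is exactly the concern about the RSA breach voiced above: the server and the attacker then compute identical codes, so the seeds must be stored and provisioned as carefully as private keys, and replaced if the vendor or the server is compromised.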

The only cyberwar going on now is the attack on the American taxpayer by shonky cyberwar consultants selling snake oil for non-existent problems.

On what are you basing your claim? What are your arguments?

cruise missile to the source of attack. Boom. End of that particular problem. That’s going on the offense.

Non-existent problems? Guess you didn’t read a single word in the article. Industrial espionage has been around for as long as humans have invented things. This is just the latest avenue.

How about a “second” internet for military purposes? have lines leading from every major military base or contractor in the states, and have vital information transmitted outside the states by satellite to a receiver station on the second internet? We’ve done this before: it was called “MILNET” in the ‘80s.

We already do for Secret level information.

Isn’t it rather strange that all of a sudden ALL of our Computer Experts and Know-How have been compromised? Isn’t it more strange that we have admitted being helpless, unable to correct, or stop, this Computer invasion?
What has placed our nation’s Security Future in this hell hole of impossibilities? Someone has to be accountable, or does that not matter in today’s Administration??? Why is Our Country at everyone’s mercy since this current Administration came into Our White House?

While i see your point, the first paradigm we must change is cyber understanding of our users. If that means putting the situation into sports terms just so they can begin to wrap their minds around it, so be it. Not everyone knows the cycle of chronic disease management just as not everyone understands sports. We cannot limit ourselves from leveraging our users as a layer of defense in depth because they think cybersecurity is “beyond me. That’s for the computer guys to handle.” That’s the sort of thinking that got us into this mess.

Actually, that’s a gross oversimplification of the problem. You’re leaving out the biggest vulnerability of those files; the people that access them. How do you lock the young exec’s mouth when he’s being chatted up by the pretty redhead at the local watering hole down the street from the office (see Anna Chapman).

How do you monitor the social media accounts of every single employee to make sure they aren’t telling tales out of school? Do you throw someone in jail for 30 years because they were human and forgot to lock their computer before they went to the rest room?

What about your security guards that are making minimum wage and are barely trained to carry a gun, hate all the “suits” that can’t even be bothered to say “good morning” when they open the door and the company they work for wasn’t properly vetted because they were chosen by the purchasing department based solely on price?

Proper cybersecurity takes far more than locking the servers or unplugging from the internet.

So what happens when you nuke China only to find out the attack was merely routed through them to make them look responsible, but was actually perpetrated by a splinter faction of cyberterrorists from within our own country? And while Mr. Clancy makes good money writing about this subject, it’s not as difficult to do as you may think.

Hey Steve, it is not just the current admin: this all started as far back as when Dwight “Ike” became president and has rolled along as business as usual.

We cover this cyber war scenario in a novella called Cyber Styletto. Richard Stiennon was the technical adviser so you know the technology is accurate.

We swore to protect against all enemies foreign and domestic. We know that Islamic based theological cyber threats are an external enemy as well as Russian and Chinese, but moreso, Chinese. Why? Because their philosophy is long-term warfare in economics, strategic and tactical operations, personal, and other means. As the Russians play chess, the Chinese play a form of Japanese ‘GO’. We have sworn by decree to support S. Korea and Japan against attacks but will we modify that to mean economic and other forms and not purely military? Cyber-warfare is just that. Don’t think inside the computer, but outside the case (as in outside the box). EMP by data burst may be possible, so may viruses that are human borne literally. Take hardware itself that may originate from companies overseas that could place ‘fail’ chips or embeds that would cause an F-22 to quit working under combat conditions, or a simple child’s programming from one child friend (who turns out to be an adult in xxxxx). Regardless, we are great as a nation to react, but poor to anticipate or plan for contingencies that do hit us. We plan and practice but it is often what comes in the front door, not the window or back door as expected. We rely much too much on computers, tek, and creating too many agencies and departments to counter threats. A handful of select dedicated counter-hackers would accomplish more than an organization of bureaucrats. Another enemy we face is that of domestic terrorism in the way of budgets. Congress may oversee financial and political matters but have no grounding in cyber-isms. If they equate a military weapon with ‘real’ war, then something they can’t see in cyber weaponry may not have an impact in their minds. So foreign attacks will come outside our border, domestic will come from financial. Will we fight the next war with C-64s while the enemy has a Cray…

I would set up fake accounts and provide misinformation leading the Chinese to get incorrect information– These accounts and misinformation should have a clue that would help US personnel determine if the information is fake or real set up so many of these you stress the Chinese into committing many mistakes — Remember when the Allies during WW2 set up a plane crash in which an “intelligence agent” carrying “top secret documents” on where the allies would invade Europe. The intelligence agent was some poor dead guy they strapped to a plane that was forced to ditch in France. This piece of misinformation and many other ruses similar to this forced Hitler to delay from moving his panzers to shore up the defenders in Normandy — Just a Thought

The fact remains that the easiest way to violate a system is often a simple break-in, and stolen laptops seem to be treated like “we are not allowed to comment” problems. The Russians never trusted a foreign (non-Russian) agent unless they took money, yet most corporations underpay the people who have high-security access (the clerks who maintain the secured assets lists), and don’t enforce security rules on executives with MAJOR access and miserable records for controlling their own assets. By the time someone is knocking on your servers to get in, the damage has already been done. And who in the government discussed Lockheed’s pension/health care strike with them, as if it was a security issue? It’s more important for a corporation making major bucks to be able to nickel-and-dime their own employees than to maintain work on a critical national project?

Where did you ever get the idea that “they’re” the only ones doing this? The Navy’s favorite trick was dumping off SEAL teams to take underwater pictures of submarines. The oldest trick in the world is having a hooker taking inventory of a senior officer’s desk. Or have you forgotten why we had the high card at Midway: “reading someone else’s mail…” Grow up, sparky.

You mean “we can’t throw our country into a mineshaft gap”? Or “trapdoor rifles were good enough for our grandfathers”? Or “let’s nail that pissant general who’s criticizing our zeppelin policy”? Or Big Jim McClain hunting down Communists for HUAC? How about one side of the government hunting for spies among the people who another side of the government are using to feed the enemy misinformation?

One reason why security was not so much an issue with the C64 was that it could cold boot in seconds, so people would turn them off when they weren’t using them…

There’s a simple problem with your logic. Yes, companies are constantly looking for ways to make their files more secure, but there are two things that always pop up…

1. By the time a company has rolled out increased network security measures, the hackers already have more effective tools with which to enter said network.

2. The majority of intrusions into corporate networks were accomplished through the use of valid and legal username/password combinations which were acquired in previous intrusions.

So, mainly looking at #2 — which is the common occurrence right now — how do you propose to keep someone out of your house when they keep stealing your key no matter how many times you change your locks?

Hi Mike, where can I get the novella Cyber Styletto? http://www.slovak-translator.com/slovak-interpret

© 2014 Military Advantage
A Monster Company.