Note that this news comes from The Epoch Times, which belongs Falun Gong, an anti-PRC organization.
The Chinese government (CCP) declared Falun Gong illegal on 1997. The two parties have been "attacking" each others ever since. Falun Gong once interfered TV satellites in China. And Chinese government has banned all websites related to Falun Gong (using Great Firewall, of course).
All the sites in the screenshot are related to Falun Gong. That's why they are on the "target list". This is not evidence that China is hacking U.S. agencies. I am not saying that China has never done that - I mean even if China is doing that, they will do it secretly and will never disclose it on a propaganda TV program.
I personally think this news is misleading by not disclosing all the information.
The targets are related to Falun Gong (which is explicitly mentioned in the article). More importantly, the source of the attacks is a hacked machine at the University of Alabama.
Sure, all of the politics about China and Falun Gong are not mentioned, but they really aren't completely relevant to the fact that China is using American computers for their hacking.
Given that Falun Gong is led by a fellow who has claimed he can levitate and control people's actions with his mind, I would want some third-party collaboration of their "evidence". Pretty easy to cook up screenshots and such.
Computer hacking as a new battlefield is inevitable if not already a reality.
Much like how at one time in the US there was no Air Force and airplanes were part of the Army, right now there is no Cyber Force and hackers are part of the Air Force. If computers really are a new theater of war, there probably needs to be a new branch of the military to recruit, train, and deploy new kinds of hacker-soldiers.
The hacking operations of the Chinese right now are like American high-altitude spy planes and satellites flying with impunity over the China and the Soviet Union during the Cold War. The longer the US delays to enter the cyber arms race the more it risks conceding dominance for the foreseeable future.
I could actually see a lot of positive economic synergy if the United States were to establish a Cyber Force to recruit and train computer security specialists.
EDIT: I recognize the US does have a Cyber Command. It's in the Air Force. The point is it's under-funded, understaffed, and under-publicized. Recruitment is pretty much limited to a handful of people already in the Air Force with computer backgrounds. There are no commercials on TV or recruitment offices to tell people to join the hacker corps like there are for the other military branches.
Mixing geeks with paratroopers isn't effective. The US needs a new branch that can make its own rules, recruitment standards, and awards to be truly effective in a different kind of war.
The rhetoric of "battlefield" is over-done and unhelpful.
The US National Security Agency is a world leader if not the world leader in signals intelligence. Signals intelligence has been part of military intelligence for a long time (and military intelligence has alway been, uh, part of the military too for what its worth). It's well known how cracking encryption helped the US win WWII. It never stopped after that.
You and I don't know all details of how this works because naturally (for good or ill) that's how they operate (they being the NSA, NRO and the vast multitude of secret agencies out there).
You think someone histrionically describing signals intelligence as "a battlefield", saying "we need a Cyber Force, this is 'War!" makes much of a difference in the massive, massive investment and resources the US is now very actively using??
Signals intelligence and counter-intelligence is a narrow view of how computers can impact the battlefield. While the NSA and CIA may have some capability beyond listening in on enemy communications, I question whether the responsibility to make attacks on foreign targets which could be considered acts of war should be left separate from the military.
Weaponizing computers can have a much broader use that would be appropriate for a Cyber Force in addition to military intelligence operations. For example, today we might want to knock out a communications array, a factory, or a power plant in enemy territory. Our options at the moment are to send in missiles, bomber jets, or an elite ground unit. But those aren't always good options. The missiles and bombs could cause unwanted collateral damage to civilians. Missiles and bombers are crazy expensive and so is the cost to get them to the target. The risks to using an elite ground unit are enormous not only to the unit itself but to foreign policy if they are killed or captured.
But a Cyber Force could electronically disrupt or disable a facility through any number of means. This would be far cheaper in terms of financial and human costs. Even if there are counter measures in place for the facility to run offline on a private grid, such an attack could sufficiently hinder it until it can be disabled more permanently.
This is no different than sending a bomber jet instead of an infantry platoon. The goal is to make a surgical strike, the generals need to choose the right tool for the job. For an increasingly large class of technologically advanced targets in increasingly urban areas the military will more often want to employ hackers instead of bombers.
The point, then, was that this will be equally true for enemies wishing to attack the United States. A dedicated team of hackers can easily cause as much or more damage than a fleet of bombers. And the United States can either be ready for it or watch as enemies walk over them with impunity like the United States air force flies over enemies today.
I imagine this is a very large portion of NSA operations.
There's no need for "cyber command" to really be part of the military. There's no need to put hackers through boot camp, or make 'em wear uniforms, or salute... it would bring down the average quality of the hackers and the average quality of the military. Far better to fold it under the roof of the intelligence agencies.
On the the contrary. Military discipline developed from the necessity of training reliable soldiers who don't question critical orders. Independent thinking is an admirable trait, but knowing your soldiers wont leak information is crucial.
In Israel there is a mandatory draft. Every soldier goes to boot camp and units like 8200 have strict military structures. (Success is hard to measure, but Israel's high tech industry is some indication of the benefits of military discipline.)
On the the contrary. Military discipline developed from the necessity of training reliable soldiers who don't question critical orders. Independent thinking is an admirable trait, but knowing your soldiers wont leak information is crucial.
The CIA and NSA have... (goes to look it up)... uhh, some large but undisclosed number of employees. They seem to do a perfectly good job of keeping secrets without needing full-on military discipline.
I'm not actually saying that military training would make anyone a worse hacker, though, I'm just saying that the need for military discipline would limit the number of people (especially in that particular demographic) who wanted to sign up. I have no doubt some of the NSA's best hackers are completely unable to do a single chin-up.
Military discipline developed from the necessity of training reliable soldiers who don't question critical orders.
Military discipline was a necessity to get a company, a battalion, and larger units to work together at all. Strict organization is necessity as chaos is unmanageable with traditional communication means.
Modern organizations have moved on from rigid, hierarchal organizational models to network-centric models. Even military organizations have moved to this direction (discipline and military courtesy is still maintained).
Success is hard to measure, but Israel's high tech industry is some indication of the benefits of military discipline.
High tech industry has been proved to benefit from military funding. Israel spends larger portion of its GDP to (military) R&D than any other nation.
Please take this as a quote and as tongue-in-cheek, but during my (very limited, I know that I'm not representative) military services the 'US grunt' was one of the things our superiors made most fun of.
'Follow orders blindly' (which is more or less the thing we're arguing about) was actively discouraged from the leadership.
Is this good? How can I tell.. But since I started out biased (i.e. with a working brain) I did enjoy that part of my service.
I didn't explain myself well. My goal wasn't to suggest that the Israeli army teaches soldiers to blindly follow orders - by all accounts the opposite is true. Rather, I was addressing the grandparent post's derisive comment about teaching soldiers to salute, respect authority, and generally behave in a disciplined manner.
So by this idea, then PFC Bradley Manning is a soldier trained to not leak information? He is the guy who sent wikileaks a large pile of confidential information.
silverstorm, the mandatory draft includes women. (Although exemptions are common in orthodox communities where woman trade army service for two years of mandatory social work.)
Because people who wish you harm for various reasons really exist, and nobody's figured out how to tell the entire world every detail about our defensive capabilities without substantially weakening them in the process.
I'm a little-l libertarian and I'll happily join the calls for "more transparency" where appropriate, but "government should have no secrets", especially in the area of self defense, is not a realistic position. It's an abusable-but-necessary evil.
I don't want to be dragged into politics right now, but
> Because people who wish you harm for various reasons really exist, and nobody's figured out how to tell the entire world every detail about our defensive capabilities without substantially weakening them in the process.
That sounds like you are echoing something you heard once without understanding the reasoning behind it.
security through obscurity usually doesn't make sense WRT computer security because the attacks the computer systems are often subject to are sustained for long periods and can't be stopped (think of someone downloading your software to attack it).
In a military situation you do have the capability to retaliate and/or reinforce. This changes the situation because it makes time a critical factor. In that case, obscurity makes a lot of sense because it slows down the attacker. When you have the ability to change things yourself anything that slows down the attack is useful.
This applies to computer security too - if you can detect an attack, then anything that stops that attack from being successful for long enough that you can neutralize the attack vector is useful. This doesn't imply "security though obscurity", but it does imply that you have defence-in-depth, and you don't give out information about what those lower level defences are. Then if your outer layer is breached there is at least some chance the attacker will trigger some kind of alert while working out what the next layer of defence is. That isn't "security though obscurity", it is "security and obscurity".
no. security and government decency is telling everyone "we spend x billions here and use z and y to encrypt access to it"
what happens is "we spent x billions on toilet seats (to quote an alien movie) and password go over the air unencrypted, but we are not telling you the frequency"
Interestingly I think that anti-government paranoia in the US is largely itself fed by all those movies in which some corrupt US government agency turns out to be the villain.
As a fun exercise, count the number of movies and TV shows in which the CIA is shown in a positive light. The FBI often is, the military usually is, the CIA almost never. Heck, the CIA has such a bad name in American movie land that on the odd occasion they want to show a good American spy (e.g. Die Another Day) they'll put 'em in the NSA instead despite the fact that the activities depicted are much more CIA-like than NSA-like.
Either that or the fact that one minute the President swears to defend the constitution and then the next minute orders unconstitutional wiretaps, torture, invasion, etc.
Or maybe that the country exists because of government tyranny.
Or because the government arrests people just for showing up to the wrong meeting.
Or because they have studied International Relations at Cambridge University and have an understanding of world history. (that one is probably quite rare, but its very effective).
What makes you think they are delaying anything? You think they haven't been doing the same to others? They've been building a cyber division for years.
Every branch of the military has been 'building a force' for years. They all want to be the branch that is more necessary than the others (and therefore gets more funding/prestige). The reality is that 'cyber warfare' is less warfare and more espionage. It's probably already being handled by the NSA/CIA/etc.
I wonder if some of the inventors of the airplane were disappointed to see it used for military purposes, or if it's just my 1990s upbringing that makes me think of the Internet as something beyond the trivial concerns of humanity, and use of it as a battlefield as tragic.
and use of it as a battlefield as tragic Isn't that why it was invented in the first place? Just because it has grown in to something more doesn't mean it has completely cast off its military upbringing.
In terms of publicizing it, I used to see adds for the Air Force Cyber Command on Hulu. It showed pictures of guys in fatigues doing simple things on Windows in cubicles. It didn't look terribly exciting, though they did have red rotating alarm lights in the ceiling at their office.
I think they are putting some effort into it, and they did know what audience to advertise to. You can find a few commercials on YouTube, but I couldn't find the one I saw.
I think sometime in the last year or two this issue has transformed into something that you could argue one way or another to something that's obvious: the Chinese are actively and purposefully trying to break into computers around the world. This is a policy of their government.
Motives are still unclear. Everyone seems to agree on punishing dissidents and suppressing political groups they don't like. Most folks (I think) think it's pretty obvious they're trying to steal U.S. (and foreign) military secrets. Industrial secrets also look high on the list. Perhaps it's all of the above. And more. My money says they're out to steal anything they can.
Now that the discussion is beginning to yield conclusions -- most people agree that this exists and is a problem -- the interesting thing is what to do about it. Maybe I'm wrong, but I don't see a lot happening in the next couple of years. But pressure will increase domestically in democracies to provide some kind of relief from this. Would a new administration in the U.S. be more confrontational? Would we start a more public counter hacking effort? Does this just heat up more and more as both sides escalate without dealing with the underlying problem? Or does one side or another try to get some resolution? If the politicians continue to dodge it, does it at some point just blow up?
This is going to be a fascinating story to watch play out over the next decade or so.
To summarize the whole video:
The Americans have started cyber-warfare long time ago, with militarized cyber-war division. Other countries are also catching up. Our infrastructure is highly dependant on Internet but our ability to defend ourselves is not up-to-par. The government is doing x,y,z to catch up and hopefully able to defend ourselves in the future.
It's funny how this message sounds so familiar, even though I have not followed cctv channels for many many years... right, all you need to do is replace "America" with "China", you will find the American counter-part of Chinese propaganda channels.
Damn, where can I sign up for propaganda-free media?
In my opinion, the motives are very clear: it's significantly cheaper to steal technologies and trade secrets than to develop or license them (for both the commercial and military spaces).
And the burden of security should fall on each individual company and government agency. We don't need a "public counter hacking effort" if these entities implement security correctly and effectively.
This will be a story that will continue to grow in the near future.
I expect that a lot of stuff involving private companies will play out in the civil court system. Asset seizures are more likely than trade sanctions.
Up until now many US companies have been afraid of China and the possibility of losing their ability to do business there. Once you are locked out of that market for other reasons, those fears vanish.
Until we can get our budget under control, nothing will happen. You can't tell the guy paying the electric bill to 'F off' if you still want to have heat in the winter.
The most important reasons for us to get our finances and oil use under control are all national security related. I don't understand how the neocon camp doesn't understand that.
Getting our budget under control is "simple". It just requires some combination of less savings by the US private sector, less savings or higher deficits for state and local governments, and a reduction in the trade deficit, due to the basic accounting identity:
private savings + public savings = trade surplus
Here deficits are negative public savings, so reducing deficits means increasing public savings; the rest follows.
Reducing private savings is mostly what we did to keep the deficit down in the 90s. I'm not sure how feasible it is as a strategy now, given that private savings in the US have been so low for so long; people can't really keep spending more than they make.
Which means that what really needs to happen is a reduction in the trade deficit. This is also known as having a lower dollar (and in particular, a higher-against-the-dollar renmibi).
The good news is that getting the renmibi to rise against the dollar is also "simple": just get the PBoC to stop buying US assets (that includes US government bonds) to artificially hold the renmibi down. That will both help the US employment situation (giving us more headroom in terms of private saving) and increase US exports while decreasing US imports.
Basically, at the moment China is using currency intervention to export unemployment and government budget deficits to the US via the trade deficit. To get the US economy to rebalance and be sane, that needs to stop.
Of course we could keep the trade balance as now while cutting government spending and increasing taxes, the way we seem to be headed. That exactly corresponds to reduced private savings. We could do that for a bit perhaps, but it's really not sustainable as things stand.
If you constitue a significant amount of the electric guy's revenue, and he already has a massive amount invested in you, then actually yes, you might very well be able to tell him to temporarily F off and still get heat in the winter so long as he thinks you'll become profitable again one day.
That being said, I do agree it's a good idea to get your finances under control.
Could the US create a "digital moat" isolating China's internet? Would that be considered an act of war if the network was disconnected on US soil (e.g. MAE-West)?
that is unfortunately double-edged proposition as severing the Internet connection would also mean that US couldn't spy on China as well. The goal of Internet war isn't to avoid it, the goal is to win.
Later in the video that this article talks about there is a picture of a "US hacker", running "hack.bat" in a Windows 2000 command prompt. hack.bat copies "ph0rce.jpg" out. There is an IP address visible which looks like 209.134.176.39, that resolves to a subdomain of iss.net, an IBM security site. Not really sure what to make of the combination of the bizarre "hacking" and the real IP addresses.
Some more translated bits and pieces from 03:46 in the video, when it starts talking about US capabilities:
* US first to introduce the concept of network warfare, also first to put into practical use
* In 2002 the US army established the world's first hacker unit, and in 2006 officially made this unit a core part of the airforce capabilities, with a general leading it and an operational remit consisting of 541 locations
* The unit has 3000 to 5000 experts in network warfare, and 80000 soldiers. The training of the unit started officially in 2007.
* Army, navy, and air force all have computer response squadrons to maintain network security.
* The US is the pacesetter in computer technology, so its economy relies on this technology more than other countries, meaning it pays particular attention to network security.
* Other countries such as South Korea, Japan, India, UK also have network warfare units
I think it's important, when viewing anything put out by the chinese government, to take the information with a huge dose of skepticism.
This shows a simple GUI with a list of Falun Gong targets and an "Attack" button. There's no reason to believe this is an actual tool, or to believe that the Chinese government _accidentally_ allowed this to be filmed and published. This is almost certainly a propaganda effort, intended to show the Chinese people that the government is ready and willing to attack the technological infrastructure of its enemies. There are very few Falun Gong sympathizers inside China, and the majority of the population would view this video snippet with pride.
The screenshot does not show any IP addresses at all. The drop down does say something about Falun Gong and the buttons do say what the article claims (about "Attack" and what not) but aside from that, the rest is just hearsay.
So we have a screenshot of a window that could be created by anyone, reported by the Epoch Times (a Falun Gong media outlet). That fails the smell test.
As much as I don't like the Chinese government's position with regards to what it views as dissident organizations, the evidence is not there and this sort of article runs the risk of being a "must be true because I don't like 'em" sort of thing.
For anyone interested, CNBC recently produced a "special" called "Code Wars: America's Cyber Threat"[1], which talks about cyber attacks against American interests.
In my opinion, the show was technically weak and seemed more concerned pushing fear-uncertainty-doubt than factual information (on actual cyber attacks against American interests). For example, the show referenced the "Northeast Blackout of 2003" as an example of the potential damage hacking an energy utility could do ... except, as the show quickly (and a little more quietly) pointed out, the event was caused by mechanical failure.
Overall, cyber attacks are a concern, but not necessarily more so than other threats and certainly not as great as some would like you to believe.
At the point where hacking isn't really considered an act of war. Obviously neither side actually does consider it an act of war, or else they wouldn't dare. If "hacking is considered an act of war" were ever a bluff, then it has been thoroughly called long ago.
Anyone enthused about going to war against China about this? Anyone? Anyone? Nope. I guess it's not going to happen then.
And of course I think we can only assume that the US is hacking 'em back.
It's like spying. It's officially against "the rules", and everybody acts shocked, shocked when they catch foreign spies within their country, but everybody is constantly doing it to everybody and everybody knows it.
"Hacking" is like "terrorism"; it's not an end state. It's "spying" when it's done for "spying". It's an "act of war" when it's done to shut down the power grid.
Nowhere. It's already generally understand by the U.S. government/military that anything on any computer connected to the Internet is public. Unless they decide to crash our power grid or meltdown some of our nuclear reactors then no one is going to do anything, unless it becomes politically convenient for propaganda purposes at some point in the future.
So what in the video "proves" it's a live situation? Probably half the countries in the world have some giddy geeks in bunkers demoing their their own LOIC clones.
> "it seems like there's nothing America can do to defend itself."
We could consider a legal requirement to disclose security breaches. If every firm that failed its customers had to admit it to the market, I would think financial pressure would move us toward more effective security fairly quickly.
It has to be considered that effective security has significant costs financially and non-financially. (An example of a non-financial cost is a overly difficult registration process for a web application that requires long, complex passwords with multiple security questions and answers.)
I was thinking more about the systems for major banks, defense contractors, industry suppliers, etc.
And effective security wasn't meant to imply the best thing you can think of. It would be a huge step forward if more people simply did the things we all know we should be doing: e.g. policies of accounts not having more access than necessary, network security not 100% focused on the firewall, etc.
It would be a huge step forward if more people simply did the things we all know we should be doing...
That's what I mean by "effective security".
Although security breaches at banks should fall under such laws (especially since they have personal identifiable information), I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security.
That stuff doesn't cost all that much more. It's non-trivial, sure. But it's not going to make a huge impact on the bottom line. A demand for it would end up costing enterprise software suppliers quite a bit in one-time costs to clean up their code-bases and standard install practices.
> "I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security."
Perhaps not to the general public, but certainly they should be required to disclose to their clients.
You don't think we hack them? We're far more proficient than they are, the only difference is that Chinese systems are more difficult for your average script kiddie to hack due to the language barrier.
Seems to me like it correlates with economy more than anything else. The best American (and to a lesser extent western european) programmers are making six figure salaries working on world class products and/or getting funding for their own startups. The best Russian and Chinese programmers are doing ... Google Code Jam.
The logical counter-response would be to encourage the sort of unrest present in the "Jasmine Revolution". This would present China with the same sort of dilemma...they might suspect (or even know) that we were stirring up trouble, but would probably be reluctant to go to war over it.
Who said anything about helping them? I was responding to a comment that suggested we had no useful counter-strategy to hacking, since it's difficult to respond to a cyber attack via conventional means. They know this, which is why it's relatively safe for them to engage in targeted hacking of US targets.
China is vulnerable to social unrest, and stirring up that social unrest puts them in a similarly difficult position...it's not something that they'd likely be willing to go to war over, but causes them great inconvenience. Developing/distributing vpn or other software that would bypass the great firewall would be useful here.
The funny part is, that youtube video in TFA, in the first several minutes it's been keep blaming US being the first and lead in cyber offence/defence warfare.
seems like there's nothing America can do to defend itself
Well that's ridiculous. Just install McAfee. Disconnect yourself from the network. ;-)
Seriously, computer security is a big business. Money is being made. Something is being secured out there.
Edit: Please read the other comments and calm yourself down.
I don't see how this proves state collusion in hacking rather than just some individual working on their on behalf? While we all know this is likely, I don't get the "proving" claim. Did I miss something in the story?
Yes, because the title of the software says "Denial of Service Network Attacking Tool, By Chinese P.L.A. Electronic Engineering Institute, Version 1.0"
The Chinese government (CCP) declared Falun Gong illegal on 1997. The two parties have been "attacking" each others ever since. Falun Gong once interfered TV satellites in China. And Chinese government has banned all websites related to Falun Gong (using Great Firewall, of course).
All the sites in the screenshot are related to Falun Gong. That's why they are on the "target list". This is not evidence that China is hacking U.S. agencies. I am not saying that China has never done that - I mean even if China is doing that, they will do it secretly and will never disclose it on a propaganda TV program.
I personally think this news is misleading by not disclosing all the information.