Preparing for Warfare in Cyberspace (nytimes.com)
59 points by miraj on April 29, 2015 | hide | past | favorite | 55 comments



Johnson also pushed back on the tech industry’s demand for greater encryption, saying that it hinders the government’s ability to detect criminal activity. The trend toward deeper encryption is an issue that “presents real challenges to those in law enforcement and national security,” Johnson said. “We need your help to find the solution.”

Interesting stance to state publicly.


That's the very public stance they're taking in the UK. Cameron went on TV to decry encryption after Hebdo, describing it as a tool used only by terrorists, pederasts, and hackers, and he called for an outright ban - until some advisor probably, not for the first time, told him he's a fucking idiot.


I wish I could upvote that more.

It's interesting that a few of the political parties are adding digital rights to their manifestos. http://www.libdems.org.uk/protecting-your-data-online-with-a...

Key measures in the Liberal Democrat Digital Rights Bill include:

- Prison sentences for companies conducting large-scale data theft and illegally selling on personal data

- Beefed up powers for the Information Commissioner to fine and enforce disciplinary action on government bodies if they breach data protection laws

- Legal rights to compensation for consumers when companies make people sign up online to deliberately misleading and illegible terms & conditions

- Code of Practice for online services who would by law have to correct information about members of the public where it is inaccurate or defamatory

- Enshrining in law the responsibility of government to defend the free press, including the rights of journalists and citizen journalists to express their views freely online

- Prevent government from watering down cyber-security and encryption measures used by British business


That will last as long as the no increase in student tuition fees did.

For non-UK types: the Lib Dems (junior partner in the coalition) tend to try and play both sides of the fence, i.e. pitch progressive ideas to Labour supporters and conservative (traditional 18th-century Liberal) ideas to Tories.


The UK has long been especially stupid regarding limiting freedom. The RIP acts are, if memory serves, older than the Patriot Act.


This has been stated a number of times by officials - it's not considered classified or anything. This is 100% absolutely the policy of Washington and has been since before Clinton.


It's worth considering that if everyone is using super-hard encryption, IDing actual secret agents from hostile countries becomes orders of magnitude more difficult.


What does that even mean? Every encryption system that works is "super-hard". Maybe everyone using SSH is a suspected agent now.


As unreasonable as that sounds, do you think it is that unlikely? Consider that developers and systems administrators make up only a tiny fraction of all computer users. At the same time, we are the ones most likely to use tools like ssh. Very few run-of-the-mill computer users would have a call to do so.

Also consider that developers and systems administrators (and in general the sorts of people who use ssh) are far more likely to have the technical know-how to launch a sophisticated attack.

Putting all that together, it would not surprise me if the use of ssh were used as an identifying marker by the United States government to single individuals out for increased surveillance. Grant you, if this happens I think it is absolute bullshit, but I think there is some paranoid bureaucratic logic that leads to this conclusion.


"Warfare" in cyberspace doesn't worry me as much as "Mutually Assured Destruction" in cyberspace does. With conventional warfare, MAD is relatively straightforward: pick a large open area on friendly soil, detonate an impressively large weapon, and make sure your enemies know that you have plenty more where that came from. A similar approach works for missile tests and aircraft, armor, and ships in war games.

It is relatively easy to convincingly demonstrate the capabilities of traditional weapons without causing any collateral damage (well, except for Castle Bravo). The problem, I think, is how does one convincingly demonstrate cyberwarfare capabilities without causing some amount of real harm. For example: we now know that China has the "great cannon" it can use relatively effectively for DDoS attacks, but only because GitHub suffered... and this is just the beginning of the inevitable arms race.


From a linked article in the OP.

> He urged the next generation of software pioneers and entrepreneurs to take a break from developing killer apps and consider a tour of service fending off Chinese, Russian and North Korean hackers, even as he acknowledged that the documents leaked by Edward J. Snowden, the former intelligence contractor, “showed there was a difference in view between what we were doing and what people perceived us as doing.”

So our 'defense secretary' thinks that being capable of writing Ruby on Rails apps means that someone knows what a NOP sled is. Fantastic!

Screw all of these idiots in suits. I'm not afraid of North Korean hackers. I've not been afraid of Russian hackers throughout the past decade and I'm not afraid of Chinese hackers now. And even if I was, I can assure you, there's nothing at all that the US government could do to alleviate that.


I think you're slightly off the mark. The defense secretary probably has no idea what Ruby-on-Rails or NOP sleds are. He wants to encourage folks who are clearly intelligent and strongly motivated, with a background in software, to come to the DoD and apply their energies and efforts to learn about electronic offense and defense. Surely they don't expect _everyone_ who enrolls in the Army Corps of Engineering to understand the engineering fundamentals of war machines. They teach it to them on top of their diverse backgrounds in other branches of engineering (water/waste, civilian infrastructure, automotive, etc...). Their background is important to learning the new knowledge quickly -- and they have a gap to fill.

Few folks are born with expertise in design patterns, user analytics, and UI design. They develop those skills with education and practice. The DoD wants those same folks to apply their energy and brainpower to learn and develop a new sector of knowledge.

If they could just hire computer security experts right away they wouldn't be targeting app developers.


Yeah this was an interesting take. One could also argue that if you take a "tour of service" it should be to protect US citizens from their own agencies (personally I'd be more afraid of them than random Chinese cyberterrorists).

I think what he wanted to communicate is "lots of smart people in SV but we can't compete with SV so GOGO patriotism card".


I too am puzzled by what the defense industry thinks Silicon Valley is going to be able to produce, but that's the point of Silicon Valley - huge amount of creative potential and ambition. It's not likely that all of the solutions will be cyberweapons.

One of the largest and most impressive responses to cyberwarfare to date are the US's information sharing programs. These programs and formats (STIX, TAXII, etc.) enable patterns from detected cyberattacks to be rapidly shared across industries so that exploits and tactics, command and control centers and so forth can't be repeated. This raises the cost to the attackers, aggravates them, and slows them down. Some of these programs have automated components with minimal human interaction in the loop.

So I think it is these sorts of solutions the DoD is likely looking for.
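The sharing-and-matching loop described in the comment above, as an added example that is not part of the original thread and not code from any STIX/TAXII implementation: a constructed STIX 2.1 indicator (the 2.1 JSON shape postdates this 2015 discussion) is matched against constructed connection-log lines by a matcher that understands only the small pattern subset shown; the indicator id, names and addresses are placeholders.

```python
"""Matching a shared STIX 2.1 indicator against local connection logs.

Constructed example: the indicator, its id and the log lines are made up
(TEST-NET addresses and .example names). The matcher handles only the
subset of STIX patterning used here (equality comparisons on observation
objects joined by OR), not the full language.
"""
import re
from datetime import datetime

# A shared indicator as it might arrive over TAXII (constructed, not real).
INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",  # placeholder id
    "created": "2015-04-29T00:00:00.000Z",
    "modified": "2015-04-29T00:00:00.000Z",
    "indicator_types": ["malicious-activity"],
    "pattern_type": "stix",
    "pattern": ("[domain-name:value = 'update.c2.example'] OR "
                "[ipv4-addr:value = '203.0.113.7']"),
    "valid_from": "2015-04-29T00:00:00Z",
}

# Constructed outbound-connection log lines: timestamp src dst destination-name
LOG_LINES = [
    "2015-04-28T23:59:00Z 10.0.0.7 203.0.113.7 -",        # before valid_from
    "2015-04-29T10:01:02Z 10.0.0.5 198.51.100.20 cdn.example",
    "2015-04-29T10:01:09Z 10.0.0.7 203.0.113.7 -",
    "2015-04-29T10:02:33Z 10.0.0.5 192.0.2.44 update.c2.example",
    "2015-04-29T10:03:00Z 10.0.0.9 198.51.100.21 mail.example",
]

_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")


def parse_pattern(pattern):
    """Turn the supported STIX subset into (object_type, property, value) tuples.

    Only top-level observation expressions joined by OR are supported; any
    other construct raises so that an unsupported indicator is never
    silently treated as "no match".
    """
    comparisons = _COMPARISON.findall(pattern)
    leftover = _COMPARISON.sub("", pattern)
    if not comparisons or re.sub(r"\s*OR\s*", "", leftover).strip():
        raise ValueError("unsupported STIX pattern: %r" % pattern)
    return comparisons


def _parse_time(stamp):
    # fromisoformat() on older Pythons does not accept a trailing 'Z'.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_log_line(line):
    ts, src, dst, name = line.split()
    return {"ts": ts, "src": src, "dst": dst, "name": None if name == "-" else name}


def event_observables(event):
    """Map one log event onto STIX cyber-observable (type, property) -> values."""
    obs = {("ipv4-addr", "value"): {event["src"], event["dst"]}}
    if event["name"]:
        obs[("domain-name", "value")] = {event["name"]}
    return obs


def match_indicator(indicator, lines):
    """Return the log lines, at or after valid_from, that satisfy the pattern."""
    valid_from = _parse_time(indicator["valid_from"])
    comparisons = parse_pattern(indicator["pattern"])
    hits = []
    for line in lines:
        event = parse_log_line(line)
        if _parse_time(event["ts"]) < valid_from:
            continue
        obs = event_observables(event)
        if any(value in obs.get((otype, prop), ()) for otype, prop, value in comparisons):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in match_indicator(INDICATOR, LOG_LINES):
        print("matches", INDICATOR["id"], "->", hit)
```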


They're confused old men, for the most part. They probably have bizarre notions of people duking it out with e-guns and cyberknives in The CyberVirtualSpace that guy from DARPA demo'd in '76.

The ones who are more up to speed are after malware, the more cunning the better.


SV was built on providing things that go fast and go bang


I didn't know what a NOP sled was so I looked it up: turns out that I did know what it was (a sequence of instructions that do nothing so that you can be more flexible in where your pointer overflow hits) I just hadn't heard that name before.

That said I doubt it would be that difficult to teach a bright rails guy how to attack applications, especially not web apps.

But knowing that you will be forced to spy on your own people and serve as a tool for evil, why would you sign up? To defend against the Chinese, fine. To keep Putin at bay, fine. That isn't what the NSA does most these days.


> So our 'defense secretary' thinks that being capable of writing Ruby on Rails apps means that someone knows what a NOP sled is. Fantastic!

Very recently the gap between those shrunk by quite a large margin. Anyone with some programming ability can play through a few of the Starfighter challenges; if they succeed, they will indeed know what a NOP sled is (and, more importantly, have coded one!)


Forget the need for technical capabilities, it's the cyber policy that sucks. They want to "secure the infrastructure against hackers" and then try to promote weaker systems, remove recommendations for encryption from their own guidelines for people, and promote crypto backdoors.

That policy is completely backwards if what they really want is security. But they don't want that. What they want is hackers that can hack foreign states as well as develop malware to infect or spy on everyone. Nothing to do with security.

Also, screw NYT for promoting this crap. They've been promoting the cyber-threat sharing legislation as well.


Are you speaking here about international or domestic cyber policy?

There's certainly room for improvement in both, but it's starting to look like the international case is doomed not to be led by US initiatives.

I think one thing that could be done is a sort of cyber disarmament - countries could declare cyber free hours, then days, then weeks - and they could trade owned networks with one another like they do today with spies as shows of good faith. This would be a starting point for collaboration.


A link to the DoD strategy document: http://cryptome.org/2015/04/dod-cyber-strategy-2015.pdf

Amid sequestration in discretionary defense spending, cyber capabilities have been spared the harsh bulk of cuts and the published strategy amounts to what looks very close to all-in by the USG.

The DoD has begun to build career paths for professional cyber soldiers, is extending and reinvesting in training programs, is and will invest further in internet and cyberwarfare simulation, will redouble efforts to acquire technical capabilities including offense from the private sector, has started partnering with venture capitalists in Silicon Valley to encourage startups with defensive and offensive technologies and to discourage startups with consumer encryption solutions, is creating collective cyber defense partnerships with allied nations, is expanding information sharing programs both overseas and with US corporations, and will be further refining the technological capabilities to respond to nations suspected of cyber attacks.

So many things to say about this. Here's two:

One. The US thought that Bush was a fool when he claimed that the US needed to prepare for cyberwarfare. Because people scoffed at cyberwarfare (it's not war, they said, making vague references to the absence of explosions), the Bush Administration switched to trying to pry support from the public by waving around the go-to boogeyman - now it was cyberterrorists - Americans are afraid of terrorists, right? This didn't pass muster either. The image of a hacker at that time was still of neckbearded manchildren renting their parents' basements, and people didn't feel like computers could hurt them.

The Bush Administration pursued cyber capabilities anyway, now switching to the tactic of keeping the discussion out of the spotlight. This proved to be largely successful, as it tends to be. Without widespread coverage only a few fringe outlets and advocacy groups followed the legislation.

This, from my short time on Earth, describes my experience of US politics. The US is an international superpower and just as often as not its legislation is about what it needs to do internationally to remain top dog (case in point - TPP). But Americans, part by their own volition, part by the determination of a Washington that thinks it knows better about this complicated subject (and may very well), and in part because of sheer magnitude and complexity, are not invited to vote on foreign policy except in the coarsest of ways. You want out of the Middle East? No president will do that unless the complicated set of international strategic circumstances happen to align with American ideals.

This brings me to the second point. That time is now. The US is trying to 'rebalance' away from the Middle East. Not for high minded reasons mind you - and it will invariably maintain a presence. But now is an era where the US is undergoing fundamental transformation. It is shifting from its peacekeeping role in Europe and as a guarantor of energy security by interventionism and neocolonialism in the Middle East. It is moving to invest in the Asia-Pacific and to contain China from becoming a hegemonic power there (this is US grand strategy, both two decades ago by the Wolfowitz Doctrine and this decade by its reassertion in the Bush Doctrine). New challenges face her: space and hypersonic delivery vehicles for nuclear warheads, air denial around the world by the proliferation of anti-air capabilities (sold by Russia, China), very effective propaganda campaigns on US citizens by foreign states' fake blogs and newspapers, decrepit alliances and infrastructure, and having the softest underbelly in new sophisticated levels of cyberwarfare.

America's cyberstrategy can only be understood in context of its broad strategy to both contain its competition beneath a level where physical warfare can break out and to prevent balances of powers and alliance systems that could similarly challenge her.

The problem for us is that an all-in in cyber is a canary. It means that diplomacy and other forms of coercion, influence and sabotage haven't been enough to address the issue - and it foretells of conflict, at least for the meantime in the information domain.


> to discourage startups with consumer encryption solutions

How does this defend the country against cyber attacks? Surely it just makes it easier. Have I misunderstood you?

Also, on a side note, I really dislike how the word cyber is now ingrained in our vocabulary.


The US exports technology around the world and the US is also wary about domestic threats (they will not admit this). Widespread access to E2E encryption thwarts global surveillance and legitimate law enforcement (imagine insider trading), both inside and outside the country, and weakens America's national power. She feels she needs every advantage right now.

Here's one article that mentions E2E encryption: https://foreignpolicy.com/2015/04/23/defense-department-sili...


>She feels she needs every advantage right now.

There are a lot more advantages that could be taken if necessary, the actual problem is that the US is too powerful and the world needs more balance.


> the actual problem is that the US is too powerful and the world needs more balance

Whether or not this is the actual problem, this isn't what the US government thinks, and we are analyzing the US government's behavior by examining what she thinks.


ICBM delivered nuclear bombs are no longer the primary threat for cities in the west. Kinetic bombs are harder to intercept with lasers or projectiles and suitcase nukes are essentially impossible to stop from entering a port.

Yield doesn't truly matter. Even a couple thousand people dying on 9/11 was enough to cause mass despair.


It's true that there are many challenges and threats the nation faces and that it would be a trivial exercise to attempt to enumerate them all.

On the nuclear front today it would be impossible to intercept a barrage of ICBMs - it is a fact of life that some strikes in a barrage would go through - this is exacerbated by new delivery vehicles that can strike in under 40 minutes from across the globe.

You are right to mention that this is just one of the many emerging challenges the nation is compelled to defend.


An excellent summary.


The number of flaws in software running critical infrastructure is terrifying- very very little of it was ever designed or implemented with serious threats in mind.

If you look at what was done at Natanz then think of what that group could have done against your local power grid, or water supply, or grocery store supply chain, it is scary.

As an American, our current wars are all fought in distant lands- out of sight and mostly out of mind. The next generation of warfare will strike home.


It is a lucky fact that for the past 10 years huge investments have been made in securing infrastructure inside the United States. That's not to say we aren't assailable (look at Natanz - it was an air gapped network; or better yet look at the attacks on US infrastructure we do know about).

Washington has compared cyberwarfare to basketball rather than soccer. In soccer the offense and defense are mostly matched and the team to score those few big shots takes the victory. Cyberwar isn't like that. Cyberwar is like basketball. The defense can only slow the offense - and the victor is the team that scores more points, more often.

I do not know about the implication about wars being fought on the homefront. As far as kinetic warfare it seems less likely - but yeah when it comes to cyber essentially every country has a home there.

One more note. The military, from this year onward, is investing in something known as red teaming as a standard process for military R&D. Red teaming is the active no holds barred exercise where hackers are set loose on a target while a blue team tries to detect, mitigate and expunge them. Red teaming will now until forever be featuring in the development of new US weapon systems. Everything from RPGs to tanks and helicopters to drones to radar to radios.


A relevant quote from Chris Inglis, former NSA Deputy Director:

"If we were to score cybersecurity the way we score soccer, the tally would be 462-456 twenty minutes into the game."


On the other hand, it's his job to promote FUD in order to get more funding for his agency..


Interesting notion... has anyone at the DOD even considered stricter software-QA standards for critical infrastructure-projects? Or anything regarding ... you know defense -- defense as in defending, not as an euphemism for warfare...


So, as per usual, an anecdote. In high school, as a budding Middle East geek, I was told to apply to Saint Andrews of Scotland. Ironically, beyond golf, they had a top notch group of counter-terrorism experts in their security studies (the fact that this was what dawned on people when I studied Arabic in HS without question should have been a red flag for Arabic language academia in the West, but I digress). I never went, but they said another guy in my high school years before did.

What did he end up doing after studying with these guys? The state of Illinois in the US apparently had a rare Office of Counter-Terrorism (as did NJ, but it was reorganized into their state level DHS) and all he did was analyze the physical security and threat risks around reservoirs and other infrastructure. Primarily reservoirs.

If you are worried about the software stack, you are wasting your time. The end game is far easier and just requires jumping a fence.


I thought it was CIT that was the top dog for this sort of thing after Shrivenham merged with them.

And with the really sensitive CS jobs I suspect the USA will be similar to how the UK used to be, i.e. all 4 grandparents as native citizens.


I cannot really tell from the details re Shrivenham but you know better than me.

As for the grandparents thing: it depends. I have European friends told it was not a problem, and Arab friends that have been warned before applying there will be no rainbows or unicorns in their road to security clearances, and likely be full-on rejected.


Didn't realize that non-US citizens could even get TS clearance except in special circumstances, i.e. you're on secondment from MI5 or MI6 or a similar organization.


>As an American, our current wars are all fought in distant lands- out of sight and mostly out of mind. The next generation of warfare will strike home.

To invade the US you have to be Mexico, Canada or send an entire invasion fleet across the Pacific or the Atlantic oceans. That means you are looking at supply lines 3000 miles long, after you have contended with the most powerful navy in the world.

To launch a cyber attack you have to be on the internet. By shrinking space so much, every single country is placed next to all the other countries. This effectively means that you have no supply lines and can hack the US no problem. The mainland US is relatively poorly defended in cyber space, but that has normally never been an issue.


Which private companies will benefit from new government policies on cyber warfare? What about new companies that need to be created?


Fireeye, Cloud (Microsoft, Amazon and Google), Facebook, RSA, CloudFlare, IBM, Intel, chip manufacturers, pentesting companies... lots of new companies... actually the list is quite long...


> as well as North Korea’s 2014 attack on Sony Pictures

Oh, no...


The attack on SONY pictures will deter other companies from working with the US government to craft propaganda or other ventures - from the US perspective the SONY attack was pretty horrible.


Has this been definitively attributed to NK by independent sources, or is this the cyber-Gulf of Tonkin incident?


This is definitively NK. They did it because the US State and Defense Department were involved with the creation of The Interview (this can be seen easily in the email leaks).


No, it is definitively in Sony's email but not definitively North Korea that did the hacking. The US government has zero credibility here, and most of the independent security researchers that are trustworthy think that it was not at all North Korea. That was the purpose of my original comment, because it's "so clearly" not North Korea that perpetrated the attacks on Sony. I have yet to see convincing evidence from a trustworthy source saying otherwise.


Did you read the analysis from Fireeye or Symantec? Their analysis seemed pretty solid to me. The people questioning it asked good questions, but these questions were answered quite well by the forensic reports.

Either way, we do know that the State Department and CIA cooked The Interview from the leaked emails. We know from the Guardians of Peace that they are NK sympathizers (be they from NK or elsewhere).


But "NK sympathizers" !== "North Korea"


>The attack on SONY pictures will deter other companies from working with the US government to craft propaganda

Seth Rogen's silly comedy was state propaganda? North Korea is a caricature of itself and needs no debasing.


Yes, if you haven't seen them you should search through the leaked SONY emails - in particular the Lynton emails pointed out by the Guardians of Peace.

The target of the propaganda was not the US - it was NK citizens. There was a pipeline ready to send the film to NK residents.


Awesome writeup, I crave this type of content.

My question to sec enthusiasts and pros: isn't the whole point of security to disclose as little as possible? Security through obscurity?

I realize that most of this information is public knowledge and there are all kinds of double agents, but this really seems like a lot of information!

It just seems to me as though we have everything wrong. China raises children to be hackers and hires criminals to do their bidding, or subs it out to whoever while you can't even get a government job if you have a DUI?


> My question to sec enthusiasts and pros: isn't the whole point of security to disclose as little as possible? Security through obscurity?

Security through obscurity is considered a bad idea, not a good one.


Security through obscurity is good. Security through obscurity only, is bad.


Crazy that I get 2 answers that differ 100% completely, with zero data to back it up, yet my question is the one that gets downvoted, twice.


You shouldn't use HN as a place to gain knowledge itself; Google is much more useful for that. HN is best seen as a place to expand one's awareness of knowledge.

For example, people here have provided their thoughts on "security through obscurity" -- a clear controversy exists! Your next task would be to Google the phrase, and read the Wikipedia article[1] that comes up. Then, if you still have questions, check out the references the Wikipedia article cites[2][3][4][5], or perhaps visit other results from your Google search[6][7][8].

In other words, Internet social media sites are terrible places to learn -- use the greater web to do actual learning. Use social media sites like HN and Reddit to expand your awareness of ideas.

    [1] http://en.wikipedia.org/wiki/Security_through_obscurity
    [2] http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
    [3] https://www.schneier.com/crypto-gram/archives/2003/0815.html
    [4] http://tech.slashdot.org/story/01/07/23/2043209/when-security-through-obscurity-isnt-so-bad
    [5] http://catb.org/jargon/html/S/security-through-obscurity.html
    [6] http://users.softlab.ntua.gr/~taver/security/secur3.html
    [7] http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=7
    [8] https://danielmiessler.com/study/security_and_obscurity/


Only for cryptography. People often mistake the 'security through obscurity' slogan as good for every system.



