
23 June 2015

Comments


JJackson

Every time there is a data breach somewhere or a sophisticated virus fingers are pointed. US, China, Russia, Israel and North Korea seem popular as suspects. Given the abilities to spoof routing data how certain can we be about the perpetrators? I assume there is plenty of disinformation, false flag operations etc. Does anyone here have the depth of knowledge to be able to explain how much credence we should give to the finger pointers?

LeaNder

Great cooperation CP and TTG.

I seem to be a bit paranoid again too, mostly concerning online banking. Although, I am pretty safe in this context theoretically. Minor system irregularities again it feels.

TTG: Checking your bank account more regularly isn't a bad idea either. I had a rather peculiar experience in this context ... But strictly this would concern a legitimate German firm. By now it looks like deliberate fraud vaguely related to a registered mail/advice of delivery mail of mine, since regular monthly withdrawals of a smaller amount ended for three months and then suddenly started again. Never ever got a reply, but the short interruption suggests there was some reflection. I guess I have to see a lawyer. I suppose they treat his mails more seriously.

LeaNder

That was vaguely on my mind too, JJackson.

And since we dealt with root access and superuser my more recent struggles with Windows and this introduction into Black Hat root techniques:

http://tinyurl.com/Rootkit-Arsenal

confusedponderer

"US, China, Russia, Israel and North Korea seem popular as suspects"

Actually, that prejudiced list of usual suspects is being produced precisely because they all ARE heavily engaged in that sort of stuff. So in this case it apparently was the Chinese? Here, that is actually plausible.

I'd say it is actually much more plausible than accusing the NORK's of having concocted the Sony hack in order to lash out at Sony for disrespecting Dear Leader.

In case of the Sony hack, there is the view that "Sony was not just hacked; this is a company that was essentially nuked from the inside. We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history"

http://www.cbsnews.com/news/did-the-fbi-get-it-wrong-on-north-korea/

US politicos, and government officials, blaming the NORKs, or China or Russia - all designated villains - for any hack simply operate under US default settings, under which blaming, harassing and insulting designated enemies is always justified irrespective of reality based concerns like truthfulness and good sense generally. Expediency trumps factuality, and truthfulness is replaced by political fiction (in a legal sense) to shape the narrative.

The side effect is a distorted perception of reality and a misdirected response. But that is not even seen as a defect since in perception management misdirection is the very point of the exercise. Narratives are specifically shaped to induce misdirected responses, and great effort is being spent on ensuring that.

I'd wager that any intelligence service with access to that sort of info would have done the very same thing as the hackers did at the OPM, if not to use it themselves then to trade it. The US, if given the chance to fish info like that from Russia or China or any other country, allies included, would absolutely have gone for it.

The Beaver

CP and TTG

Another good article :

http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/

Reason that China is being finger-pointed:
[QUOTE]And that organization, by Ammon's estimate, is probably located in China. "I have yet to see any exploit that has this level of sophistication and data targeting," he said. "By sophistication, what I'm talking about is what you do to start getting the data out. Getting in is way too easy, but there's nobody who's had that level of sophistication for data exfiltration outside of Russia and China. Between the two, I'm placing my bets on the Chinese, because they have had a pretty consistent mission of gathering personal data. The raw data can be used in many ways, and none of them in our national interest."[EOQ]


wisedupearly

So far no one has directly commented on the key point of the article - the need to decide exactly what government functions can never be outsourced to private industry.
The current meme is to deride government as inefficient and continue with the cost cutting regardless of the end results. I see no calls for a return to sanity.

confusedponderer

"So far no one has directly commented on the key point of the article - the need to decide exactly what government functions can never be outsourced to private industry"

The question indeed suggests itself.

I hoped to bring that out.

Given the remarkable growth of private contracting in the US security field since 9/11 there apparently is little concern on that point in the US.

Allen Thomson


SF-86 (all 127 pages of it):

http://www.gsa.gov/portal/forms/download/116390

Joe100

Curious about how damaging this hack is likely to be to US intelligence activity, beyond the general point that great opportunities exist. For example, would the SF86 information be useful in selecting US humint targets?

And what if anything is the intelligence community likely doing to respond to this hack?

Peter C

As to outsourcing, is there money saved? The Corporations just being a labor and service middle man, the profits rising to the top, same cost as if GS did the job.

cville reader

The answer to your question is that the devil is in the details. I am not sure if you can make generalizations about whether outsourcing government functions saves money. It depends on the particular deal, and the level of attention and oversight given to it.

Certainly, in the case of security contractors, doing things that the military has traditionally done, it seems to be the case that the government could have done it cheaper. In fact, in that case, a pretty strong argument can be made that such outsourcing was done with the intention of avoiding accountability.

I am also not sure that the only issue here is what government functions should be outsourced. There are all kinds of sensitive data in private databases that could be used for nefarious purposes as well.

Our digital universe is wonderful in some ways, but it is also creating a universe that is becoming more and more fragile in other ways.

confusedponderer

My impression is that, as far as corporations go, it is about shifting money from one pocket to the other, and about keeping the headcount low, for greater nominal profit per employee.

http://www.mckinsey.com/insights/strategy/the_new_metrics_of_corporate_performance_profit_per_employee

It allows for greater profits, and greater bonuses.

On ground zero, the work still needs doing.

Either you (a) do it yourself, or (b) you have someone else do it (c) in a cheap labour country, or (d) you automate it.

I am in favour of (a) and (d), because the act of working facilitates innovation.

Outsourcing work to countries with cheaper labour IMO delays innovation, since that makes affordable otherwise inefficient approaches to work. Why innovate if it is so dirt cheap?

In copy editing, the low wages in China make 'economical' the following scheme for capturing text: You put to work three monkeys with typewriters and have them type a given text into digital form. Then you match the output, and auto correct whatever matches at least 2:1.

Of course, one could also use a decent OCR software.

confusedponderer

"In fact, in that case, a pretty strong argument can be made that such outsourcing was done with the intention of avoiding accountability."

Obviously a factor.

You cannot do things like that cool datamining idea you always had yourself because inexplicably it is prohibited by law?

Well, why not have a contractor do it for you as a private party. A contractor is under no legal obligations to respect, off the top of my head, say, the privacy of citizens or silly stuff like that. And all of that without the annoying second guessing of 'oversight bodies'.

It appears like a thing the Bush 43 administration would have done faced with such an annoying obstacle, and I wouldn't put the Obama troupe beyond it either.

cville reader

CP--

I don't like much about the EU, but they are way ahead of the US on issues of data privacy. Most Americans are too busy being plugged in, and following the latest trash story from the Kardashians to care.

And you are right-- Republicans and Democrats are equally to blame for not playing by the rules, even if not motivated by the same reasons.

C Webb

Based on publicly available information (https://en.wikipedia.org/wiki/Stuxnet), it's fair to say that the US has the most sophisticated offence capabilities in cyberwarfare.

Given that fact. How is it possible that they would be weak in defence?

(Yes, I read about the outsourcing etc., but IM(cynical)O it doesn't add up. What legislation do they need passed?)

Peter C

Out sourcing with limited time contracts eases the problem when managing Inherently Governmental programs. When money gets tight and programs are needing to be cut or reduced due to budget or end of program, the only person left to deal with the GS who was overseeing the contract.

Most of the stuff (Planes, Tanks, Ships, etc) needed by the Government has traditionally been purchased through the bid process, so why not purchase people the same way by contract.

OPM uses contractors to do the SF 86 field work, and more. What is interesting is the mention in your analysis is that Chinese crackers were given root access. That is definitely Inherently Governmental and should only be allowed by properly vetted U.S. Citizens in a GS function.

confusedponderer

"it's fair to say that the US has the most sophisticated offence capabilities in cyberwarfare. Given that fact. How is it possible that they would be weak in defence?"

Hunch: Cyber offence is probably centralised in NSA and the Defence Department, cyber defence is not?

OPM was responsible for their own network security.

There is so much classified info around that needs protection, the US is, given the sheer size of its bureaucracy, in a position to have to protect a lot of systems. At some point someone will make mistakes. Here size increases vulnerability.

Outsourcing magnifies that risk. Given that contractors need access to at least some secret information, they can be targeted too, and their private network security, while it probably has to meet standards, adds more targets that have to be protected/can be attacked.

I wonder whether one of the results of this will be a call for more centralisation of federal cyber security in homeland security.

DeWitt

Regarding offense vs. defense, here's what Bruce Schneier had to say recently:

"In general, it’s far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s how computer and network security work today. A former NSA deputy director recently said that if we were to score cyber the way we score soccer, the tally would be 462–456 twenty minutes into the game. In other words, it’s all offense and no defense."

The context of the article is that Schneier believes that these other actors have already penetrated our networks, and the UK's recent Snowden accusation is a political football. A good, if unsettling, read.

China and Russia Almost Certainly Have the Snowden docs:
http://www.wired.com/2015/06/course-china-russia-snowden-documents/

David Habakkuk

CP, 'wisedupearly', and all,

The momentum behind 'contracting out' in a wide range of fields, in Britain, derived from a curious combination – a (frequently well-merited) sense that large bureaucratic organisations are commonly very inefficient, and dogma drawn from the ideas of economists.

Among the (many) problems with economists is that, characteristically, they operate with notions of 'rationality' and 'information' which are highly simplistic.

It is, for instance, commonly a 'rational' strategy to provide those who may have influence over one's career with the kind of 'information' you know they want to hear.

Both I and my wife were working in British television at the time when there was a major shift from programmes being produced in-house to their being commissioned from 'independent' producers.

The two systems had their distinctive advantages and disadvantages; and so much depends on specific individuals, and the – highly varying – cultures of specific organisations, that I would hesitate to generalise.

It is however quite patently the case that people seeking commissions have commonly strong incentives to tell those who may provide them with work what these want to hear.

Likewise, what one might call the 'turbulent priest', or 'malcontent', problem does not arise, in a way it does in more stable institutional structures: it is much easier simply to send a form letter turning down a proposal than to get rid of someone saying things one finds unwelcome.

Accordingly, I would be concerned that the 'contracting out' of intelligence functions might be liable to increase the propensity to 'group think' which is a common source of major interpretative failures.

The views of members of this committee who are familiar with how 'contracting out' operates in intelligence would be of interest.

Richard Armstrong

JJackson - I believe that I can answer your final question with a modicum of authority. And it is a good question.

Despite server hopping (as frequently seen on TV and movies) or routing traffic through The Onion Network (TOR or the Dark Web) the originating endpoint of the attack can be determined with accuracy. To that I say "So what?" Knowing the originating endpoint is interesting, but of very little value. Example: Say that it was absolutely determined where an attack originated there is no technical or reasonable response available. The attackers may have been a national intelligence agency, a corporate espionage organization or even very, very bright young persons. They may or may not have originated the attack from their own location or they may have from another distant location in order to "throw off their scent." The attackers could be the British GCHQ or the French BRGE acting from within China. What then? A Predator drone strike? B1s from Whiteman AFB? I think not. Building an electronic wall to prevent all digital communications around the originating endpoint is impossible.

A better question would be how to protect the data from being accessed and then retrieved in a usable form. This is possible today through the application of a very little common sense and available encryption. Minimize your risk by carefully selecting the people you hire and grant access to (although there will always be Edward Snowdens out there), disable or remove the hardware that will allow the data to be duplicated and carried off and most importantly keep all the data, every single bit (pun intended) of it fully encrypted using standards that are available today.

Without possessing the encryption keys a brute force attack on the higher order AES encryption standards would take millions (yes millions) of years. Even for the NSA, GCHQ and BRGE Algorithmic decrypting attacks would consume over 38 yottabytes (3.67513449162847E+26 bits) of storage space - more than exists in the entire world today.

Organizations with information they wish to keep secret are just lazy.

Peter C

confusedponderer. All good points on the many Vectors available to bad actors. With so many Corporations especially since 911 in the Cyber supply business, with the interconnectedness of everything, breaching privatized networks that just can't keep up with the threats. Weak spots in the networks are spotted every day, getting all the networks up to speed is almost impossible with the micro second speed of attacks. Moving the hacked data does take time, but to disable a network in cyber attack mode is a different Beast altogether.

The architecture of the Internet was built not in anticipation of Networks attacking Networks.

mbrenner

Many thanks to the authors for a cogent and frank explanation of what's going on.

On the question of saving money: there are only two ways that outsourcing is more efficient - people are paid less or you get an inferior product. There is a correlation between the two, although not a complete one. Anyone who has observed outsourcing and related artifices for "improving" productivity knows this. Read today's NYT's story about hiring contractors to grade the Common Core exams: temps paid $12 per hour with bonuses for exceeding the piecework standard.

On the question of management oversight: upper management must have sufficient technical knowledge at their disposal if they are to do the job. Very few do. Otherwise, they should rely on permanent staff with those developed skills plus institutional knowledge. The latter, though, are disappearing from large organizations. Result? Obama Care website fiasco. In addition, talented people are harder to recruit because of pay differentials. Why go into public service when some "consultant" will pay you 3 X as much - and not care how shoddy your work is since the clients are too dumb to recognize the fact.

Talk to students who work part-time (well above 50%) and you'll learn that they know full well that the kids whose parents earn a bundle have an enormous advantage. So they aim for careers in business or "consulting" (70% of Harvard undergrads) and don't even think of public service.

Much of this has been intended and policies designed accordingly. Much of it is driven by dogmatic anti-government doctrine. Much of it slips under the radar because accountability has ceased to exist in any meaningful sense.
All of this is facilitated by the epidemic of cultivated ignorance and obtuseness infecting the American body politic.

Haralambos

Thank you for posting this. I was getting ready to put a similar thought up, since I am fairly familiar with the coverage of Snowden's leaks but not the content of most of the files. They seem to be dribbling out via Greenwald and other sources. I believe Snowden and others made the point about offensive vs defensive capabilities in several pieces in 2013. You saved me a fair bit of time by putting this up.

William R. Cumming

Thanks Allen!

William R. Cumming

The Chinese or whomever hacked know that the accretion of bureaucratic power is slow but dangerous to one's career in many ways. Thus, I have no doubt that cultivation of those junior in rank but potentially leaders of their organization in some way [or others?] might well be of current and future interest.

Current leadership circles in the USA tend to select and promote those who most resemble themselves. There are about 8,000 political and non-political SES's and not too many to have detailed examination of their past, present, and possible futures.

But hey not all info on those forms accurate and as to what your friends and neighbors think of you you probably don't know them and they don't know you!

Any unclassified sources on how the Chinese select and develop party cadre?

The comments to this entry are closed.
