Kindle Notes & Highlights
Read between July 23 - August 14, 2019
We created a new military command to conduct a new kind of high-tech war, without public debate, media discussion, serious congressional oversight, academic analysis, or international dialogue.
(Tests run by the National Security Agency determined that even the best-trained experts could not, by visually looking through the millions of lines of symbols, find the “errors” that had been introduced into a piece of software.)
One use of cyber war is to make a conventional (the U.S. military prefers the term “kinetic”) attack easier by disabling the enemy’s defenses. Another use of cyber war is to send propaganda out to demoralize the enemy, distributing e-mails and other Internet media in place of the former practice of dropping pamphlets.
the Air Force seems to think it may have to bend the rules. “If they can’t run three miles with a pack on their back, but they can shut down a SCADA system,” mused Air Force Major General William Lord, “we need to have a culture where they can fit in.”
a new era in international relations, what General Brent Scowcroft, President Bush’s National Security Advisor, went so far as to call a “new world order.” In it, the sovereignty of all nations would be respected and the mission of the United Nations would finally be fulfilled, now that the Soviet Union was no longer in a position to check such actions.
Beijing persuaded Bill Gates to provide China with a copy of its secret operating system code. Microsoft had refused to show that same code to its largest U.S. commercial customers.
The extent of Chinese government hacking against U.S., European, and Japanese industries and research facilities is without precedent in the history of espionage.
Other nations known to have skilled cyber war units are Israel and France.
In all the wars America has fought, no nation has ever done this kind of damage to our cities. A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes, without a single terrorist or soldier ever appearing
When they do something like going where they are not authorized, hackers become cyber criminals. When they work for the U.S. military, we call them cyber warriors.
the three things involved in cyberspace that make cyber war possible: (1) flaws in the design of the Internet; (2) flaws in hardware and software; and (3) the move to put more and more critical systems online.
For cyber warriors, the Domain Name System is a target. It was designed with little thought to security,
One cyber security company found twenty-five different ways it could hack the Domain Name System to cause disruption or data theft.
the Internet itself could easily be a target for cyber warriors, but most cyber security experts think that unlikely because the Internet is so useful for attacking other things.
The third vulnerability of the Internet is the fact that almost everything that makes it work is open, unencrypted.
The fifth Internet vulnerability is the fact that it is one big network with a decentralized design.
While many regard the Internet as an invention of the military, it is really the product of now aging hippies on the campuses of MIT, Stanford, and Berkeley.
It was designed for thousands of researchers, not billions of users who did not know and trust each other.
most people who write code make mistakes.
In one segment of the pipeline, the software caused the pump on one end to pump at its maximum rate and the valve at the other end to close. The pressure buildup resulted in the most massive non-nuclear explosion ever recorded, over three kilotons.
Strap yourself in, we are first going to move quickly through twenty years of efforts in the U.S. to do something about cyber security. Then we will talk about why it hasn’t worked.
Their inhumane attack in Oklahoma City, killing children at a day care center and civil servants at their desks, really got to Bill Clinton.
He identified the chief challenge as being the role of the private sector, which owned most of what counted as “critical infrastructure.”
Privacy, civil liberties, and technology interest groups united in vehement opposition. For some reason, they did not trust that NSA would only listen in when they had a warrant
Substantively, there was little difference between the Clinton and Bush approaches, except that the Republican administration not only continued to eschew regulation, they downright hated the idea of the federal government issuing any new regulations on anything at all.
Oddly, the plan did not address the problem that had started the discussion in the Oval Office, the vulnerability of the financial sector to cyber war. Nonetheless, Bush requested $50 billion over five years for the Comprehensive National Cybersecurity Initiative, which is neither comprehensive nor national.
It was not surprising to me that Obama “got” the issue, since he was running the most technologically advanced, cyber-dependent presidential campaign in history.
I tried to point out that if you are a senior member of the informal national security transition team, you probably should not be planning the takeover of the White House from a Starbucks, but not everyone seemed to care.
was actually supposed to do. Senator Carl Levin of Michigan asked the Pentagon to send over an explanation
The invitation-only session was populated by a group of “old hands,” people who knew where the virtual bodies were buried in cyberspace: former government officials, current bureaucrats, chief security officers in major corporations, academics, and senior IT company officials. Moss’s question to them: What do we want the new Obama Administration to do to secure cyberspace?
When both the left and the right disagree with your solution to a problem, you know two things: (1) you are probably on the correct path, and (2) you stand almost no chance of getting your solution adopted.
Regulations where compliance is not audited or enforced are worthless, almost as troubling as regulations requiring the hovering presence of federal officials. Third-party audits and remote compliance verification generally seem like sensible approaches.
If what we need to do to defend ourselves from cyber war opens the possibility of further government abuse, we will need to do more than simply pass laws making such government action illegal. That has not stopped some in the past. (Cheney, I’m thinking of you here.)
You might think that the new Democratic administration would be in favor of finally solving the market failure on cyber security by introducing some new regulation, but you would be wrong.
Microsoft makes OpenSecrets.org’s top 30 list of “Heavy Hitters,” donating to political causes.
Microsoft was making up for lost time. Before the company’s battle with the Justice Department over antitrust issues in the late 1990s, the West Coast–based company wanted nothing more than to be left alone and stayed out of politics.
In 2008, Microsoft beat those numbers, giving $2.3 million to Democrats and only $900,000 to Republicans.
COTS brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer.
In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security.
We cannot, they say, be expected to know how to, or spend the money to, defend against a nation-state attack in a cyber war. Then they usually add words to the effect of, “Defending against other nations’ militaries is the government’s job, it’s what we pay taxes for.”
While the United States very likely possesses the most sophisticated offensive cyber war capabilities, that offensive prowess cannot make up for the weaknesses in our defensive position.
China, meanwhile, remains behind the United States in the automation of its critical systems. Its electric power system, for example, relies on control systems that require a large degree of manual control. This is an advantage in cyber war.
In part because Congress has required it, successive U.S. administrations have periodically published a National Security Strategy and a National Military Strategy for all the world to read.
As we saw with the illegal wiretapping in the Bush Administration, if the checks and balances in the system fail, the government can already improperly monitor citizens.
out of fear that customers would switch providers
this sort of data screening, the government would remain sufficiently removed from the process to protect privacy and to encourage competition.
Admiral Mike Mullen, the Chairman of the Joint Chiefs of Staff, was realizing how vulnerable his military really was. According to a high-ranking Pentagon source, Mullen screamed, “You mean to tell me that I can’t rely on our operational network?”
As one pilot told me, “Aircraft these days, whether it’s the F-22 Raptor or the Boeing 787…all they are is a bunch of software that happens to be flying through the air. Mess with the software and it stops flying through the air.”
Sometimes just saying things, things that do not always cost money, can buy you added security, if you have credibility.
Of all the nuclear-strategy concepts, however, deterrence theory is probably the least transferable to cyber war.