CSIS Report: Securing Cyberspace


  • AlxRogan
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by Digit
    i know wat u meen for crying out loud all anyone has to do to ovoid getting cought is hack the national grid then you have acsess to every computer on the planet firewalls are useless against this methode and once your in all you have to do is change the electronics pulse display to binory code and its all good secure the web they lie

    from Digit
    Whiskey Tango Foxtrot? There's no way you would get past the ROT-26 encryption that protects the Gibson which keeps the national grid going...



  • artoir
    replied
    Re: CSIS Report: Securing Cyberspace

    It really doesn't come as any surprise that we're vulnerable, but then can any country in the world say that they're not?
    I doubt it. In any "cyberwar" I've read about recently, both sides have managed to either hack websites and servers or bring them down with DDOS. Even Georgian hackers managed to deface and crash Russian websites in South Ossetia towards the end of last August. Both Palestinian and Israeli websites are being hacked almost on a daily basis now. The only group that I personally feel are capable of mounting a large scale Cyberwar and defending their own systems is China. And they're not only testing out their tactics on the US; France, UK, Germany, Australia and New Zealand all reported attacks on government systems originating from China last year.

    Perhaps I haven't come across the article yet, but does anyone have any info on Chinese government websites being successfully penetrated? I'm sure there were some instances, but I doubt anything on the scale of attacks they have mounted (one Wired article quoted a Pentagon official as saying they face "thousands of attacks every day").

    And in case anyone takes this the wrong way, I'm not being political by discussing different countries' abilities or tactics, just making some observations.



  • Digit
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by afterburn188
    While Cyber Security is an increasing threat to the US National Security, I feel as though it's being approached completely wrong. The term is often thrown around as a buzz word to attract attention and scare people. Someone needs to clarify some of the goals rather than throwing big sweeping statements like "we will secure the internet." Some ideas are: securing emergency telecom, isolating military networks to prevent access, enforcing and updating in place security standards, etc. I mean for instance let's take a look back at DC16 and we see discussions on securing SCADA systems. This isn't a new topic either. It's been raised several times before. Aren't basic utilities sort of vital to the national infrastructure?

    I think we'd be a lot better off if they just started small. Review current security standards to make sure they are not only adequate but also practical. I'd say a lot of times people circumvent these standards simply because they are lazy and don't feel like dealing with them. Also: why should the FAA's new air traffic control system be told that DOD standards forbid them from having USB ports on their systems yet we just saw an issue where the US Army had an incident with USB thumb drives? People will always go after your weakest link in any security situation. I have a companion who said that following their post 9/11 analysis, the FAA reported their biggest security hole was ironically the link back to Pentagon. Let's set these standards and enforce them across agencies.

    If you want to help boost the economy and also help secure the national infrastructure then let's start some public works projects. Take a bunch of the best penetration testers you can and split them up. Have them just attack without warning and see how far they can get. Take their report, fix it, shift the groups and start over. Let's get some people who actually know what they're doing in there working on these projects. I can just see the recruitment posters now...

    Bottom line, if they want this to work, they need to actually set some realistic goals. Too often the phrases are used in a general sense and bad connotations get attached. For instance DRM and trusted computing would be great if it were being used to protect the users instead of protecting the producers from the users. Let's set these goals to actually secure the national infrastructure and stop trying to worry about the comcast user who is torrenting in his mother's back yard. It's also ironic that they're trying to control and centralize something that was originally designed to be decentralized and resilient to physical attack...

    i know wat u meen for crying out loud all anyone has to do to ovoid getting cought is hack the national grid then you have acsess to every computer on the planet firewalls are useless against this methode and once your in all you have to do is change the electronics pulse display to binory code and its all good secure the web they lie

    from Digit



  • streaker69
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by artoir
    Well, mid-December, around the time this report was published, Booz Allen Hamilton ran a "cyber-war" simulation with 230 representatives of government defense and security agencies, private companies and civil groups. Sounds like what you're talking about on a smaller scale. Basically they had two teams; one defending, one attacking.

    Oh, and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.

    http://www.canada.com/topics/technol...tml?id=1096131
    It really doesn't come as any surprise that we're vulnerable, but then can any country in the world say that they're not?



  • DaKahuna
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by artoir

    Oh, and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.
    As Gomer Pyle would say "surprise, surprise, surprise!" - NOT



  • artoir
    replied
    Re: CSIS Report: Securing Cyberspace

    Well, mid-December, around the time this report was published, Booz Allen Hamilton ran a "cyber-war" simulation with 230 representatives of government defense and security agencies, private companies and civil groups. Sounds like what you're talking about on a smaller scale. Basically they had two teams; one defending, one attacking.

    Oh, and in case you couldn't gather for yourself, they concluded the US cyber defenses are appalling.

    http://www.canada.com/topics/technol...tml?id=1096131



  • afterburn188
    replied
    Re: CSIS Report: Securing Cyberspace

    Sorry to (possibly) thread jack but...

    Originally posted by afterburn188
    If you want to help boost the economy and also help secure the national infrastructure then let's start some public works projects. Take a bunch of the best penetration testers you can and split them up. Have them just attack without warning and see how far they can get. Take their report, fix it, shift the groups and start over. Let's get some people who actually know what they're doing in there working on these projects. I can just see the recruitment posters now...
    Seems ITIF agrees on the subject and has a few numbers to support this:
    http://www.itif.org/index.php?id=212

    The CSIS have been making a point to avoid the topic altogether, however. Although not specifically in their domain, the question has been put forward before and they didn't even address it in the report. Just another issue I have with it....
    Last edited by afterburn188; January 7, 2009, 21:38. Reason: shouldn't post while only half awake...



  • valkyrie
    replied
    Re: CSIS Report: Securing Cyberspace

    I apologize, but I do find this the worst piece of dreck I have ever read in my life. It rivals all the crap written by L. Ron Hubbard. Why?

    Define Cyberspace. Nowhere, no how, no time is the concept of "Cyberspace" ever defined in this document.
    I'm done.

    regards,

    valkyrie
    ______________________________________________________________
    sapere aude


    When you were a kid back during World War One, what was the equivalent?



  • TheCotMan
    replied
    Re: CSIS Report: Securing Cyberspace

    Installment 1 of ?:


    (PDF p.7, printed p.1)
    This strategy should be based on a public statement by the president that the cyber infrastructure of the United States is a vital asset for national security and the economy and that the United States will protect it, using all investments of national power, in order to protect national security and public safety, ensure economic prosperity, and assure delivery of critical services to the American public.
    The list of items to protect and guard includes items with known points of contention and sometimes mutually exclusive priorities.

    If the FAA's only focus was to ensure passenger and pilot safety, then we wouldn't see many of the problems that the FAA has been plagued with over the past 15 years. Burdening the FAA with a secondary purpose of on-time flights, and a tertiary purpose of keeping air-based commerce moving, means there will be contention between these items. Passengers and pilots will just have to hope that their own safety is not overlooked so much (to keep flights on time and keep air-based commerce moving) that they don't die or get injured while flying.

    (PDF p.8, printed p.2)
    [a new office for cyberspace in the Executive Office of the President] would combine existing entities and also work with the National Security Council in managing aspects of securing our national networks while protecting privacy and civil liberties.
    Again, contradictions exist in the list of items for this one group. A judicial system exists with search warrants as an established system to primarily focus on laws with respect to civil rights, privacy and more. Law enforcement's focus is primarily enforcement of the law, not civil rights and privacy. By ensuring each group maintains a simple focus of a single objective without conflict in their assigned goal, they can specialize and push full-force, without internal conflict or disagreement.

    Assigning a collection of goals to any group which are or can be in conflict is trouble. It can be as harmful as decoupling control from responsibility. Privilege separation, Mandatory Access Controls, User vs. Kernel Space, programming APIs with clearly defined interfaces, and even domestic partners with clearly defined areas of responsibility and control in a domestic space and surrounding property are all examples of how it is possible to avoid ALL issues of contention caused by contradictory selections, by making any such specific decisions a violation of agreement.

    Decisions which require subjective evaluation for “right” and “wrong” answers will eventually lead to failure, as what you think is, “right,” may not be what your boss thinks is, “right.” Decisions which require only objective evaluation for “correct” and “incorrect” are simpler to follow, and can be replayed and re-tested with only one correct answer given the same set of circumstances and input.

    Additionally, what advantage would exist by splitting cyberspace-specific issues from existing agencies? I see greater value in having each agency build their own cyberspace-specific teams based on their existing goals, mandates, or directives. Agencies focused on world trade, and international commerce have a specialized interest in cyberspace crime, while the FBI, CIA, or NSA would have totally different interests in cyberspace crime from detecting and recording violations of law for possible prosecution in court, to breaking laws in cyberspace through commission of actions instead of enforcement, or maybe eavesdropping and information gathering and analysis-- all different from each other.

    A separate office for Cyberspace either means duplication of effort which presently exists in other agencies or government organizations or it means removing duplicate groups or sections in other agencies.

    (PDF p.8, printed p.2)
    Reinvent the public-private partnership.
    This means using tax money in private business, or it doesn't.
    This means bypassing the search warrant process, or it doesn't.
    This means using private information gathering companies as a transparent government documentation repository which bypasses freedom of information acts, or it doesn't.

    Separation of government from private business also provides more protection from abuse by raising the bar for abuse to requiring conspiracy and the risk of a paper trail. The arguments listed above about clearly defined boundaries (not responsibilities) also apply here.

    (PDF p.8, printed p.2)
    Regulate cyberspace
    Regulation? This sounds very expensive.
    I'll agree that a government is one of 3 ideal spaces for *standards* to exist, but regulation requires enforcement, and enforcement can be very expensive. At some point, a dollar amount will be set as a cut-off point for enforcement, and crimes with values less than that amount will be ignored, overlooked, or only documented, but not investigated. This will lead to an immediate refinement of attacks to choose attacks that fall under the arbitrary threshold and thus avoid investigation and penalty. Criminal elements are quick to react to changes in their environment, as those that don't learn quickly get caught sooner rather than later.
    Additionally, why can't standards be created and passed through NIST for official review and use anyway?

    (PDF p.12, printed p.6)
    (See Item #8)
    If CERT* remains with DHS, then why is there even a need for a NOC? Seriously.

    (More comments later.)
    Last edited by TheCotMan; January 2, 2009, 11:37.



  • afterburn188
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by HighWiz
    If anything is unclear in the report, perhaps you can go over to Slashdot now and ask the question for clarification.

    http://interviews.slashdot.org/artic...8/12/12/135207
    Slashdot has now posted the results of that interview here: http://interviews.slashdot.org/artic.../12/19/1448238



  • HighWiz
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by Xodia
    I concur. It's good to see some regulatin' again. :)
    Yea, you can't be just any geek off the street, gotta be handy with the steel if you know what I mean...

    Anyway, the part of the CSIS report that interested me was the section "Identity Management for Cybersecurity" (p.61). This is something that has been a long time coming, but I don't really see how it could be implemented responsibly if businesses are given the option to create their own in-person proofing authentication methods (top of page 63). That would also create all sorts of interoperability problems, I would think. It just seems like that could quickly escalate into a situation where all of my personal information is easily gained if one account (used on many different sites) is compromised.
    It really depends on what they mean by businesses in relation to creating their own authentication. Will it be every mom and pop shop on the net, or primarily organizations who process CC and banks? I think this is definitely an area where they need to focus some more attention and thought.

    Given, this is already the case with SSNs, but I don't plan on using that to login to Facebook/Myspace any time in the future. Provided that they will not allow any social networking sites to use these new methods I may be more comfortable, but the whole internet is moving towards being social. It's a tricky situation, for sure.
    There are a few technical hurdles they have to overcome, as well as a decision on usage. From reading the report, I don't think there was a single consensus as to what should be done for identity management while protecting civil liberties. I'm also concerned with a single point of failure if that's the avenue they are looking to go down.


    Interesting for me was one of the last quotes in the report itself when they were discussing research and "rearchitecting the internet" (p.75).

    "Perhaps the most important game-changing research involves what we call 'rearchitecting the Internet'. The Internet is a human creation and as a veteran of the 1970s DARPA effort said to us, 'We built it; we can change it.'"



  • Xodia
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by Chris
    GET SOME!!!

    Welcome back. THIS is HighWiz. Bout time.
    I concur. It's good to see some regulatin' again. :)

    Anyway, the part of the CSIS report that interested me was the section "Identity Management for Cybersecurity" (p.61). This is something that has been a long time coming, but I don't really see how it could be implemented responsibly if businesses are given the option to create their own in-person proofing authentication methods (top of page 63). That would also create all sorts of interoperability problems, I would think. It just seems like that could quickly escalate into a situation where all of my personal information is easily gained if one account (used on many different sites) is compromised.

    Given, this is already the case with SSNs, but I don't plan on using that to login to Facebook/Myspace any time in the future. Provided that they will not allow any social networking sites to use these new methods I may be more comfortable, but the whole internet is moving towards being social. It's a tricky situation, for sure.



  • Chris
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by HighWiz
    Listen Wanker (that's what you people call each other over there, right?), you're definitely trying my fucking patience. My general instinct isn't to be polite and nice, trust me when I tell you I'm being really gentle with you. I don't know if you're into rough trade, but it most assuredly looks like that's what you want.

    You are comparing apples and sofas. You're talking about a Law Enforcement agency with your posts... I don't believe the Koreans are trying to recruit hackers for law enforcement... You have an agenda and you're trying to push it with the wrong motherfucker.

    I as well as others have already covered the fact that Korea is playing catchup to the US in terms of "events" like the ones you described earlier.

    Now cut your losses while you're ahead before I put you in your fucking place.
    GET SOME!!!

    Welcome back. THIS is HighWiz. Bout time.



  • HighWiz
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by artoir
    Which is EXACTLY what I was getting at when I mentioned the Korean Government running their own "hacker convention" with the sole purpose of recruiting!

    I never said the US government doesn't recruit hackers, what I said was they would never OPENLY do it, as you rightly said from a political standpoint, nevermind set up an event similar to Korea's.

    The only point I was trying to make, was that from a "political standpoint", the US government would never OPENLY recruit hackers on a scale that Korea is doing.

    That was all. You were the one that tried turning it into something more.
    Listen Wanker (that's what you people call each other over there, right?), you're definitely trying my fucking patience. My general instinct isn't to be polite and nice, trust me when I tell you I'm being really gentle with you. I don't know if you're into rough trade, but it most assuredly looks like that's what you want.

    You are comparing apples and sofas. You're talking about a Law Enforcement agency with your posts... I don't believe the Koreans are trying to recruit hackers for law enforcement... You have an agenda and you're trying to push it with the wrong motherfucker.

    I as well as others have already covered the fact that Korea is playing catchup to the US in terms of "events" like the ones you described earlier.

    Now cut your losses while you're ahead before I put you in your fucking place.



  • artoir
    replied
    Re: CSIS Report: Securing Cyberspace

    Originally posted by HighWiz
    In his position, would it behoove him to admit to actively recruiting at a "hacker convention" from a political stand point?
    Which is EXACTLY what I was getting at when I mentioned the Korean Government running their own "hacker convention" with the sole purpose of recruiting!

    I never said the US government doesn't recruit hackers, what I said was they would never OPENLY do it, as you rightly said from a political standpoint, nevermind set up an event similar to Korea's.

    The only point I was trying to make, was that from a "political standpoint", the US government would never OPENLY recruit hackers on a scale that Korea is doing.

    That was all. You were the one that tried turning it into something more.
