Schneier on Security
A blog covering security and security technology.
« Boring Jobs Dull the Mind |
| More Insane Police Photo Hysteria »
April 28, 2008
Interesting investigative article from Business Week on Chinese cyber espionage against the U.S. government, and the government's reaction.
When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."
It can only help for the U.S. government to get its own cybersecurity house in order.
Posted on April 28, 2008 at 6:45 AM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Isn't it the US government that is compromising the security of the Internet by enabling itself, through its contractors -- foreign and domestic -- to spy on all Internet traffic?
> It can only help for the U.S. government to get its own cybersecurity house in order.
If that is, indeed, what they do.
But hey - they established the "Department of Homeland Security" and now we're all safer.
Can the "Ministry of Love" be far behind?
You gotta hand to them though. Reducing the number of connections to public networks is a good idea. I'm often surprised by how often important networks seem to be needlessly connected to the internet or other "public" networks.
Weather it was worth 10B I leave as a exercise to the US taxpayer.
I see Microsoft as a big (presumably unwitting) conspirator in this problem. Why does email, a communications tool intended to pass text traffic, even have the ability to execute code?
The USG should write its own office suite (and put it on a "standardized", minimalist OS; Vista need not apply), and include only functionality that it needs. Then it would not be chasing daily updates to patch the "latest" MS version which adds some random obscure functionality no one actually wants but has 15 different holes in it.
Furthermore, the DoD has spent >$2Bn (so far) on developing "secure" email communications, yet 20 years after the program started, yet they still do not have a functional, universally accessible GAL/CRL combination to enable unencumbered routine email encrypting/signing (authentication, nonrepudiation etc).
Once again, if half that money wasn't being used to chase the "latest" MS release, which comes out weekly but takes 6 months to propagate to all the users, they might have accomplished something.
It's always funny to see the 1984-Pavlovian reactions on this blog, as soon as a post related to homeland security is posted... "big brother", "ministry of love", "ministry of truth", etc., etc.
You're doing exactly what you would like to criticize: clichés and commonplaces, good versus evil...
It would be reassuring to see some serious security on governement computers, but that last bit about 4000 -> 100 open ports is kind of dispiriting. It looks as some project-managing bureaucrat wanted a progress metric to stick in a Gantt chart as a milestone, and the security-sysadmins pulled that one out of an un-nameable orifice just to make him go away.
While it is alarming that it is common for so many ports to be "open" (presumably they mean with listening services on them?), it is imbecilic to believe that cutting the number from 4000 to 100 on average does anything to secure networks. What services are running on those remaining ports? Are they necessary or superfluous? Are the listening services secure, or even securable? (with MS services, the answer to both is often "no"). Even one superfluous port is too many, particularly since if it isn't needed it probably isn't monitored either.
And, what about the fact that most malware sets the hook be e-mail and attacks through browsers, not through listening services? Businessweek's reporters don't seem to be aware of the distinction.
Oh, and while we're at it, why is it that it takes a "Yellow Peril"-scare about intrusions from China to set in motion some elementary security measures that should have been in place years ago? Did we not care when the intruders were script kiddies, or Argentinians, or Rumanians, or Russians? It couldn't be that the Chinese menace is more effective at scaring Congress into dumping cyber-security money into the Pentagon, could it? No, I'm sure that isn't it.
Not ports on the system.. ports into the network (eg access points, etc). Currently there are over 4000 (I would actually say more than that) Point of Presense connections from government systems to various ISP's etc. Each with its own interpretation of rules and regulations, most with soft and chewey insides, etc. So instead of possibly 4000 different firewall (or just plugin points) they are going to cut it down to 100 monitored ones with equivalent rules and the same set of auditing rules and tools
These are the same people who "lost" critical e-mails by ignoring the PRA and using a 'secondary e-mail system,' then claiming the archived backups had been 'recycled.'
And I'd like to know why, when national cybersecurity plans were presented years ago, that we're suddenly getting around to doing something.
Heckuva job, Mike.
Personally, I believe that those emails were intentionally "lost". But that's just my opinion.
Therefore, whether they can actually improve the security of their networkS is not tied to their ability to retain email.
As to why they are just now getting to doing this ... my opinion is that it is more "Security Theatre". Non-technical people are hearing about the "Chinese Threat" and our government has to do something to appear to be dealing with the problem.
The reality will be that (just as with the email "error") there will be enough holes that are intentionally left open that any security improvements will be rendered moot.
The high risk is not government networks, it's defense contractors' technical data over insecure networks - also see recent export violations such as: http://exportlogisticsguide.com/...
Chertof doesn't even know how to use
email-that is a fact. Bush? Nothing more
needs be said. He once consigned Richard
Clarke to computer security thinking
that since the guy was so crazy(couldn't
stop talking about da Quidas)that the
job would sure drive him over the edge.
To get some idea about what a joke
Govn't computer security is read
"Zeneth Angle" by Bruce Sterling.
One of his better recent books.
The problem with email is the same as with any other code execution: it's not that it's executed, it's that our security model makes the assumption that any code we execute is trusted, and thus is executed with all our permissions.
When you run Solitaire or Mahjongg, the process you start has authority to read, write or delete all your files and to make arbitrary connections to the network.
There are known solutions to this issue, each with its own tradeoffs. I personnaly have much hope in object-capability security and the application of the Principle of Least Authority in general, but proof-carrrying code is another very interesting path.
But without a paradigm shift from our current broken security model, I don't think there's much to do to significantly increase security.
Chertoff spoke on this at RSA. Rather than focus on getting their house in order using tried and true technologies and practices, he instead spent his speech talking about inventing make-believe new technologies necessary to combat cyber-terrorism.
According to a talk by Ira Winkler at the same conference, the U.S. power grid can be compromised with an e-mail and a trojan horse hosted on a website.
Perhaps using the EXISTING technology would be a better start. I know it isn't as glamorous as inventing.
For many years the feds worked to prevent any sort of real security in the private sector, especially in the realm of cryptography and authentication. Now they are getting bit by that decision and hacked because the off the shelf software is not up to spec.
There is a lot of schedenfreude here.
A daily dose of irony in every bowl.
Then again, every time I see Chertoff, I expect him to blame all his problems on Castle Greyskull.
Bruce, as the Business Week article points out, its difficult to know who the attackers were because of the attribution problem. What makes you, or the DOD so sure it was Chinese cyber espionage and not simply Chinese server-based cyber espionage?
@ Pierre THIERRY: lookup bitfrost.
Securing confidential information on Government computers is a trivial matter. Use the diagonal cutter "firewall" and then restrict physical access.
Changing the business models and processes within the Government is a far sight more difficult.
Take away my Internet connection? What?? (Forget that it should have never been connected in the first place...)
It's not a matter of "inventing new technology to secure systems". It's a matter of restricting access, both physically and through the "ether-nic".
But, to think that you can connect a system to the Internet, load it with confidential information, and have it be secure (even with "new" technology) is nothing short of sheer hubris.
This article is perhaps the most boring and outdated article I have read in a while. With all due respect to BusinessWeek's usually insightful stories,this one is written by people who have no idea what they're talking about,and is meant to be read by people who know nothing either.
Just listen to the podcast and you'll get my point.
A simple prediction,
As long as any Government insists that it's workers have to "prove a saving" before they "spend money" at the deployment end of a system then their computer security will be at best weak.
It does not matter one jot how much money you spend at the top end doing research etc, if the effects cannot filter down, due to "cost savings" preventing purchase of the resulting technology.
Likewise if the results of the research it (supposedly) pays for remains hidden and not in the public domain due to corperate self interest it will likewise fail to be deployed.
As pointed out above the money might as well be a back hander to "friends in industry".
I'd realy love to know who was behind this as it smells like a "poisoned chalice" for the next President (and I'm not sure GWB can understand the concept).
If the next President blocks the spending then they will be attacked for being soft on National Security, if they don't then they will be attacked for not being able to run a "mission critical" policy to protect the "critical inferstructure" of the "Nation State" and thereby "endanger National Security" (and any other drum banging statments you care to think of).
So damed if they do and damed if they don't. Perhaps they should seek a "third path" that is spend the money not with private corperate researchers such as "defence contractors" but with public researchers such as Universities.
Thereby ensuring two things, first the money goes where it has some chance of doing some good irespective of the results. Secondly where the results of the paid for work effectivly end up in the public domain and available to float everybodies boat.
Secrecy only ever produces the illusion of security.
Like any mainly deffensive technology security becomes strengthend by testing.
As history shows, most secret weapons, fail after the initial surprise attack, as they usually have significant weaknesses that where not thought of by those that designed them.
Physical security is and always will be a "defence in depth" technology based on "delay, detect and react" with time tested and proven technology. There is no reason to suppose otherwise for computer and communications security.
If you hear hoof beats think horses not zebras. If the US Government wants to improve its overall cyber security posture it needs to do better at basic fundamentals.
It needs to provide basic infosec awareness training for its masses. It needs to perfom basic risk assessments and perform mitigation on gaps found. It then needs to provide reasonable controls and establish policies and practices and not be afraid to fire anyone found not complying with those policies and practices. Most security breaches have been found to be caused by not following already in place security rules.
Thinking that every cyber security problem is highly unique or requires complex thought processes or that throwing technology at every security problem will solve it is not the answer. Get back to basics.
Chertoff called it a cyber security
...further proving he's an idiot. This isn't inventing anything new, as the Manhattan Project obviously did. This is just the government finally following best practices that have simply been ignored up until now.
Heck of a job, Cherty!
French embassy hacked in Poland...
French embassy hacked in Poland...
there will be no accountability as to wireless acts terrorism/ espionage due to cia herndon va overseeing malcolm tombs uk enagged in buisiness/ internet/ telecomm fruad; illicit use radioactive materials in viol atomic enrgy act 1954.
same operational methods used for cyber terrorism/ cyber espionage that of extraordinary rendition and data mining.
technology developed at public expense.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.