Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/19/2009
10:45 AM
Fritz Nelson
Fritz Nelson
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Full Nelson: The Growing Threat Of Cyberwarfare

Many more casualities will pile up, but policy and agreements will prove meaningless against today's anonymous cyberwarrior.

Each F-35 Joint Strike Fighter contains several hundred chips, many of which aren't fabricated in the United States and which, according to some theorists, could be the target of trapdoors. A Wall Street Journal article reported that the F-35 program was recently compromised by an attack using Chinese Internet host systems, and the data stolen was encrypted. An AviationWeek story later downplayed the incident. Cyberthreats.

In 2007, Israel, suspecting a nuclear installation in Syria, sent an air raid to destroy the facility, bypassing Syria's vaunted radar systems. Many speculate that the radar had been tampered with. Cyberwarfare.

Because civilians allegedly drove the Russia-Georgia battle in cyberspace, many refuse to call it war. Likewise, in Estonia, a country was disrupted, money was lost, but no sovereignty was taken, no guns, no victory or defeat. The wars of history don't allow for engines of abstraction, only those of explosives.

Mike McConnell, former director of national intelligence, recently said: "The ability to threaten the U.S. money supply is the equivalent of today's nuclear weapon."

Despite the threats, some experts, including RAND Corp., suggest a slowdown in spending on cyberwar defenses, and there already have been substantial cuts, including the Air Force cybersecurity programs. The government has been mum on developing cyberoffensive capabilities, although many arm-chair pundits have suggested we're building our own trapdoors in the hardware and software we export.

There are, however, several initiatives under way, including building a replica of the Internet to test for vulnerabilities and a DARPA-funded initiative through MIT to test our own ability to examine chips for things like trapdoors (the program is called Trust in IC). Col. Charles Williamson III, the staff judge advocate for Air Force Intelligence, argued in the Air Force Journal for creating a .mil botnet using an army of discarded or aging computers, though he stopped short of calling for civilian zombies.

And then there's policy. Certainly, the rules will need some rewriting. The Geneva and Hague Conventions make civilian involvement in war illegal, but those agreements don't account for cyberwarfare. Melissa Hathaway, former senior director for cyberspace for the National Security Council and Homeland Security Council, made the case to take the discussion international given the widespread nature of these threats. "If we can bring it into some of the policies we're looking at, the synchronization, formulation, rules of engagement, and what is ethical behavior . . . that's one way to address it."

While policy and agreements are nice in theory, they will prove meaningless against today's cyberwarrior. The anonymity of attackers and the thick dossier of attack targets mean more casualties and a call for an ever-more-vigilant defense posture. The painful part is figuring out who may attack, how it will occur, and where it will begin. Indeed, it may have already begun. After all, on the Internet, nobody knows they're in a dogfight.

Fritz Nelson is the Editorial Director for InformationWeek and the Executive Producer of TechWebTV. Fritz writes about startups and established companies alike, but likes to exploit multiple forms of media into his writing.

Follow Fritz Nelson and InformationWeek on Twitter, Facebook, YouTube and LinkedIn:

Twitter @fnelson @InformationWeek @IWpremium

Facebook Fritz Nelson Facebook Page InformationWeek Facebook Page

YouTube TechWebTV

LinkedIn Fritz Nelson on LinkedIn InformationWeek

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/22/2016 | 4:21:09 AM
Bring Back the Full Nelson
First, I think the Full Nelson needs to make a comeback.  Just saying.  Second, while nobody "in the know" can argue with the points here, it isn't surprising that all these years later nothing's changed, and in fact it has gotten worse.  As tech becomes more independent and "autonomous" so does the illegal access by the hacker and cracker underground to this tech become ubiquitous.  And all the while our policies and procedures in business and government remain somewhat stagnant, inadequate and unapologetic about their inability to fully meet the cyber threats that we see reported on by the dozen, on the hour, every hour.  I equate it to the rise of hip-hop culture and the ease with which the youth bond to it and speak its language, but just when our President seemed able to communicate in that language and relate to the "now", our government is taking a step backward and the communication is lost again.  So are our driving standards and security narratives.  They need to get back to understanding the "now" and speaking the language of modern hackers.  Social engineering works both ways, and the sooner we see more InfoSec professionals with government job titles who look and speak like Aaron Swartz (R.I.P.) the sooner we'll see some ground gained in the battle against black hat hackers...   
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33347
PUBLISHED: 2021-06-18
An issue was discovered in JPress v3.3.0 and below. There are XSS vulnerabilities in the template module and tag management module. If you log in to the background by means of weak password, the storage XSS vulnerability can occur.
CVE-2021-33576
PUBLISHED: 2021-06-18
An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.
CVE-2021-33577
PUBLISHED: 2021-06-18
An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain.
CVE-2021-32536
PUBLISHED: 2021-06-18
The login page in the MCUsystem does not filter with special characters, which allows remote attackers can inject JavaScript without privilege and thus perform reflected XSS attacks.
CVE-2021-21669
PUBLISHED: 2021-06-18
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.