President Obama Wants To Prevent a Cyber Weapon 'Arms Race' (theverge.com) 138
An anonymous reader writes: During an address to reporters at the G-20 international summit in China, President Obama stated that he'd like to prevent an "arms race" among countries that have various cyber weapons at their disposal. The remarks come after Russian president Vladimir Putin denied having any involvement with the hack of the Democratic National Committee's emails earlier this summer. Obama said that the world is "moving into a new era where a number of countries have significant capacities", before noting that the United States has "more capacity than anybody, both offensively and defensively" when it comes to cyber weapons.
Cyberweapon arms race negated by older tech? (Score:5, Interesting)
Out of his depth (Score:4, Insightful)
Re:Out of his depth (Score:5, Interesting)
Obama was a law professor? I thought he was a community organizer?
At any rate, there's nothing he or anybody else can do to "stop" a cyberweapons arms race. It's pretty damn easy to deploy a cyberweapon without in any way leaving a trace as to where it came from. Besides, it's probably best to let it proceed anyways; that way we can learn from security issues (like the upcoming IoT security nightmare) before we get too entrenched in it and suddenly somebody decides to create something worse than Stuxnet... Speaking of which, I wonder what Obama's comments on that would be, given that he likely authorized its deployment.
Re: Out of his depth (Score:1)
Obama was a law professor? I thought he was a community organizer?
Maybe you should read his biography sometime then?
At any rate, there's nothing he or anybody else can do to "stop" a cyberweapons arms race. It's pretty damn easy to deploy a cyberweapon without in any way leaving a trace as to where it came from.
Hence the value to not doing it. The same as not practicing chemical or biological warfare or other such acts. One can, as the sentiments expressed in the speech, refrain.
Besides, it's probably best to let it proceed anyways; that way we can learn from security issues (like the upcoming IoT security nightmare) before we get too entrenched in it and suddenly somebody decides to create something worse than Stuxnet... Speaking of which, I wonder what Obama's comments on that would be, given that he likely authorized its deployment.
Actually, it was more likely he got briefed with "This is what we're already doing" and ended up being thankful that it didn't blow up that bad on anybody. Of course, given how much effort was put into keeping Stuxnet from being indiscriminate, it isn't hard to see how badly things coul
Re: (Score:2)
Hence the value to not doing it. The same as not practicing chemical or biological warfare or other such acts. One can, as the sentiments expressed in the speech, refrain.
The problem here is that it's a prisoners' dilemma situation where there's a lot of problems with cooperation and little downside to defection.
Actually, it was more likely he got briefed with "This is what we're already doing" and ended up being thankful that it didn't blow up that bad on anybody. Of course, given how much effort was put into keeping Stuxnet from being indiscriminate, it isn't hard to see how badly things could have gone. Which in turn leads to a call to not doing it, since seeing the bigger picture is easy.
If he got briefed and he didn't stop it, then he authorized it. And there's indications that the US was deliberately using Stuxnet well into Obama's first term.
Re: (Score:2)
Re:Out of his depth (Score:4, Interesting)
Besides, it's probably best to let it proceed anyways; that way we can learn from security issues (like the upcoming IoT security nightmare)
Indeed. We should look at cyberwar offensives as free penetration testing. Most arms-races are lose-lose. But the defensive side of cyberwar leads to secure systems, and greater privacy. Instead of pleading with the Russians and Chinese to refrain out of the goodness of their hearts, we should look at this as an opportunity to adopt pervasive end-to-end encryption, and stop social engineering exploits by getting humans out of the loop.
Re:Out of his depth (Score:5, Insightful)
The US is at a major disadvantage and their cyber security forces know it and hate it and that disadvantage will cripple them. It's not a technical one either, it's a political one and that disadvantage is lobbyists. Corrupt lobbyists paid by corrupt corporations to pay off corrupt politicians to force the purchase and installation of poor security closed source proprietary software relying on nothing more than security by obscurity. Other countries will jump ahead with more secure FOSS, basically because their cyber security forces can then directly monitor and audit that software and not just alone but in indirect association with all other governments' cyber security forces. The US government will be blocked by 'no no zones' which they are not allowed to touch because profits first, those 'no no zones' will of course be touched by other countries' cyber security forces, whilst those countries will be blocking the entry of closed source proprietary software, especially back doored US proprietary software and hardware. The NSA played and now the US economy pays.
Re: (Score:2)
Re: (Score:3)
Even if the US has completely lost the cyberwar or whatever, it remains that Russia and China can hack each other and of course, anyone else with the right tools and knowledge can give it a try too.
The US has been openly accused of releasing Stuxnet but I am pretty sure the Stuxnet authors wanted the target and the world to know who did it and let it serve as an example to others. The most amazing thing about Stuxnet was getting it carried into one of Iran's most heavily guarded labs and inserting it into the USB drive. Compared to this the rest was easy. Can you just imagine how incensed, scared, and worried that little cyber weapon was to Iran's leaders. They realized if someone was able to do this with impunity what else were they capable of.
Capable of? Like the usual state-level shenanigans? Iran already knew that the US could do that sort of stuff with impunity. What they didn't know was how successful those shenanigans could be. I guess they know now.
Re: (Score:2)
something worse than Stuxnet... Speaking of which, I wonder what Obama's comments on that would be, given that he likely authorized its deployment.
Think of this as something like Eisenhower's military industrial complex speech, that was made after he helped create it.
What the government probably fears the most is that, unlike with nuclear and other heavy equipment, it doesn't take a government sized budget to create the weapons. A kid can put one into a clock and deploy it almost anywhere. Either way, the race
Re: (Score:3)
At any rate, there's nothing he or anybody else can do to "stop" a cyberweapons arms race.
If software makers could be sued for vulnerabilities, then it would clean up a lot of problems quickly. Most vulnerabilities are a result of people not caring (managers, programmers, etc). The human loophole is another problem, but again, with legal liability, companies would pay for training to teach people not to open suspicious attachments.
Re: (Score:2)
You can't, or most people usually won't? It is pretty easy to run code (source and binary) through filters that would entirely alter its style. Most "outing" happened on comments, strings, variable names or metadata.
Re: (Score:1)
His official title at the University of Chicago was "senior lecturer" not professor. Not the same thing at all.
Re: (Score:2)
Yes, if you want to be exterminated. (Score:1)
Two problems with this:
1. EMPs are indiscriminate. They take out _everything_ not just specific services/functions. If you deny a country's population basic needs and services ... aka fresh water, that's Total War [wikipedia.org] and the other country is going to strike back if they can (and the US, USSR, China and a few other countries have subs with SLBMs that any EMP is not going to touch).
2. An EMP (currently) requires a nuke and lobbing a nuke over another country escalates things to a whole other level. To being
Re: (Score:2)
Re: (Score:2)
For how long? I hear doomsday sayers cite this EMP bomb causing the end of civilization.
However, electric and magnetic fields can be protected from. And such a fabled weapon outside the lab environment will not destroy all tech, just some of it. And other systems may need a reboot.
Tactically the EMP would just create a short term disruption in technology allowing the military to invade past radar and preventing communication for at most a few hours.
Re: (Score:2)
Most business and organizations of consequence have backup energy capabilities.
As Einstein said: (Score:5, Funny)
Re: (Score:1)
What about "with compasses"?
(Weird word for me.)
Re: (Score:1)
I meant the math / architect / drawings "compasses."
I have no idea why they are called "compass" in English and the EMP vs magnetics was nothing I even considered with them but I was thinking about how you could hurt others with the nail(s) on the ends of the compass :)
(Well, the measure distance thing may be the "compass" thing I guess (at least it's somewhat (but very weakly) related), or maybe it had a degrees part or something used against a fixed compass on a map or something.)
So, stop (Score:4, Interesting)
It will only get worse with robotic self-driving cars and robotic everything else.
Re: (Score:3, Interesting)
But then how will Silicon Valley spy on every man, woman, and child and funnel the data to the NSA? Won't somebody think of the Tech Sector Espionage Complex?!?!?
Re: (Score:2)
I know no one will like this, but maybe don't have the internet cross international borders. Make it country by country. Packages can be inspected and stopped at borders, why not packets?
Re: (Score:2)
China and North Korea are intrigued by your idea, and wish for you to subscribe to their newsletter, comrade.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
NAT everything!
Re: (Score:2)
Re: (Score:3)
Maybe the US shouldn't rush to deploy cyber weapons, spurring other countries to do the same.
Stuxnet was the watershed moment when the new cyber cold war started. It showed that as long as you had deniability you could pretty much do what you liked to another country's infrastructure.
Eisenhower tried too (Score:2)
He's too late (Score:2)
It's already too late and unfortunately the US and other countries are already under attack. Don't believe me? Stuxnet.
Re: He's too late (Score:4, Informative)
Re: (Score:2)
Re: (Score:1)
Are you being intentionally obtuse? Any attacker, anywhere in the world with an internet connection, can conduct attacks against political targets in the US and do it from Chinese or Russian IP space. The participation of a Chinese or Russian person is not required, and in fact *inaction* (not patching computers) is even better. Parent poster's entire point is that just because attacks are coming from Russian IPs doesn't mean any Russians are actually involved.
Re: (Score:2)
Little too late? (Score:1)
Re: (Score:1)
But it has to stop before they need to deploy potheads!
After Hillary called for a military response ? (Score:4, Informative)
http://thehill.com/policy/cybe... [thehill.com]
and the Democrats referred to their recent attacks as "Terrorism"
Self-inflicted vulnerabilities (Score:5, Insightful)
We must make sure other countries don't attack us, because we've created so many back doors for us to attack ourselves.
The NSA and their ilk have made us prime targets, and now we rely on begging other countries to not exploit all those vulnerabilities we've created.
Re: (Score:2)
Do you really think it's fair to blame US intelligence services for the backdoors? What you have to remember is they are authorized to basically do whatever they want. If they want a secure login to your phone, they can get it. If someone in the private sector developing software for phones makes that same secure login and then logs in to spy on customers, he can be found and convicted just on the basis that he had the password to get into his own backdoor. However, if he "screws up" and makes a vulnerability
Re: (Score:2)
It makes sense most of the backdoors are coming from this kind of corruption in the private sector, not the government.
Please explain how the corporate private sector isn't the government. Who did Snowden work for, the government or the private sector? I'm so confused.
Re: (Score:2)
Better offensive and defensive capabilities?? (Score:3)
If the NSA can't even keep their own weapons from being stolen it looks like we are all in for a world of hurt.
Putin: DNC hack wasn't state of Russia (Score:2)
Tinfoil Time (Score:1)
Hillary didn't deny hacking the DNC either. OMG she was the mole all along!!!
How much laughter greeted him? (Score:2, Insightful)
Does anyone take Obama seriously anymore? Certainly none of the leaders at G-20 do.
Let's not, and say we did (Score:1)
am I right? Well, given what the U.S has been doing onto their "allies" for many years, any country today would be nuts to not build up cyber warfare, and in particular be very very wary about the U.S, since again, they have been attacking their "allies" for many years.
Exact opposite effect (Score:3)
Prevent? (Score:5, Interesting)
That train left years ago. He's delusional if he thinks a race is even an option. The US is years behind and isn't even in the running. Hell we've just started to realize this is something we ought to /start/ training professionals for. We've still got people trying to outlaw security tools.
http://breakingdefense.com/201... [breakingdefense.com]
http://blog.hackerrank.com/whi... [hackerrank.com]
http://www.techinsider.io/nort... [techinsider.io]
http://abcnews.go.com/blogs/he... [go.com]
http://abcnews.go.com/Blotter/... [go.com]
We're years behind the competition, where professionals have been getting trained and put to work for many years. We're just getting to the point of having courses in hacking, never mind college degree based level training. How the hell are we going to enter a race when only a handful of three letter agencies even have professional hackers in their employ? This isn't the kind of thing you're going to call up your local friendly pen-test company for. You can't win a race you refuse to enter.
Re: (Score:1)
Just wait until next year: Comey has already promised us another "adult conversation" about encryption following the 2016 election.
Adult conversation about encryption? (Score:3)
Just wait until next year: Comey has already promised us another "adult conversation" about encryption following the 2016 election.
Adult conversation about encryption?
"You see Jimmy, when Alice and Bob love each other very, very much, Bob sends packets to Alice, and..."
Re: (Score:2)
The US is years behind and isn't even in the running.
Stuxnet was really impressive tbh
Re: (Score:1)
And the heads of those departments make vast sums of money and live in Fairfax, VA with all the other wealthy government leaders.
How could you suggest we are behind?
Re: (Score:2)
Re: (Score:2)
By contrast, where it genuinely pioneers, it promptly and inevitably gets left behind. Examples: automobiles, the internet.
Pretty awful examples. But then I don't think your assertion is true here.
Re: (Score:2)
Re: (Score:2)
Two centuries isn't that long in the grand scheme of things.
It's long for democracies. Older than the UK, for example.
If America will last longer than other democracies, I doubt it is because they had better democratic systems, but rather better UN-democratic practices that rig the game and exploit general voter ignorance and apathy. Printing the world's primary reserve currency and having the biggest guns also help.
It's not worth arguing that. In some sense, things like the Bill of Rights are undemocratic. But if the system is based on pulling the wool over voters' eyes, it's not going to stay a democracy. It's also worth noting that the US didn't have the primary reserve currency and biggest guns for most of its lifespan. That's a very recent thing.
Not that longevity is a good metric for determining whether you still had and practiced the democracy and freedom that you pioneered.
It is for determining how stable the system is.
Cyber-Weapons are the ultimate equalizer (Score:1)
A talented group of individuals with modest funding (compared to maintaining a standing military force) can wreak absolute havoc and they can also do it in a way where there's enough plausible deniability to forestall immediate retaliation. If you launch an ICBM at someone, everyone knows it was you and the counter-strike will probably be in the air before your strike lands. If you screw with a country's elections or finances, no one may realize for days, months, years or ever. And even what's they do, what
How's that going, Pandora? (Score:2)
...and I'm not talking about the streaming service. The cat is already out of the bag; the only question is whether we'll be smiling in front of, or behind, our victims' collective backs.
*for* the people instead of against? (Score:5, Insightful)
Real security is plugging the holes, not attacking (Score:3, Informative)
The way 'cyber' wars are won is to have proper mechanisms in place such that there aren't security gaps in the first place. The way things are designed today we have significant bloat and in part as a result are incapable of securing our devices. Adding 'security' on top was never the answer and we've done a really terrible job of designing systems from the ground up to be secure. We need to design processors, chipsets, and the like with long-term shelf lives and the software that runs on these chips with the utmost minimalism and simplicity. By doing so we can spend more time identifying and more easily identify and plug the holes. The systems we utilize should feel more like something from the 1980s and 1990s with a handful of modern enhancements.
Nothing to see here (Score:1)
Just rich military people being retarded. Internet warfare already exists and is going on right now. All these military bozos have to do is not link up everything to the internet. It might be less convenient but it's at least 100% safe from online hacks.
Outsourcing (Score:1)
How to prevent a Cyber Weapon Arms Race? (Score:1)
Deja Vu (Score:2)
So the US is calling for restraint in the creation and use of cyber weapons now that other states and actors have caught up to them. Sounds exactly what had happened with nuclear weapons.
Cyber Weapons Are Effective and Relatively Cheap (Score:1)
It will be very difficult to convince other countries not to invest in cyber weapons for the following reasons:
1. Cyber weapons, unlike other strategic arms, are a relative bargain. For example, in comparison to nuclear weapons which are both difficult to keep secret and ruinously expensive, cyber weapons are much easier to keep under wraps, much cheaper and potentially more effective under realistic use circumstances.
2. In a limited asymmetric war, which has become the norm rather than the exception now in
Don't want to be vulnerable? (Score:1)
Don't put key assets on a common network.
If you are an individual or business, it's your choice:
* Accept the costs of not being vulnerable (stay disconnected)
* Accept the costs of having a recovery plan and implementing it when needed (offline backups, etc.)
* Accept the costs of NOT having a recovery plan or not being able to implement it (permanent data loss, insolvency, etc.)
In modern society, the first option isn't an option for most people and most companies.
Fortunately, the costs don't always have to b
Why we don't want everything network-connected (Score:3)
> Don't put key assets on a common network.
>
> If you are an individual or business, it's your choice:
> * Accept the costs of not being vulnerable (stay disconnected)
[...deletia...]
> In modern society, the first option isn't an option for most people and most companies.
Ex-bleeping-scuse me, we've got too much stuff connected to the internet, and exposed to take-over, already. Here's "The Killshot Event" scenario...
It's the middle of January, and the weather forecast is calling
Re: (Score:2)
The cyberwar has been going for 10 years now (Score:2)
This new breed of attack are much more selective and directed. I
My capacity is bigger than your capacity (Score:2)
Generally, the ones that ask for a pause in an arms race are the ones that are behind.
The war is all already on, and has been... (Score:2)
Cyberwarfare uses weapons launched from anywhere. Untraceable. Unattributable. The cost is much lower than the value of the target(s), and the weapon can be reused.
In fact, multiple weapons capable of different attacks are being used. And some are unknown to us yet.
Defenses against these are at best reactionary. That's ineffective. But some effort needs to be made, if only to mitigate damage.
But we are already at war, military and cyber, asymmetrical, with a variety of opponents. Some are opportun
Well... (Score:2)
Time to build Arsenal gear.
translation (Score:1)
We want to spend that money on creating wealthy, party-beholden government leaders, and who do you think you are to interfere with that?
Talk about late to the party (Score:1)
Obama's concerns are about as out of date as his 1960s policies that were rehashed 1930s failed policies.
Arms race has been underway since the late 1980s.
Re: (Score:1)
Speaking of which ... remember when the photographs of the TSA keys got leaked?
https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/