BreachExchange mailing list archives

The hack on the U.S. government was not a ‘cyber Pearl Harbor’ (but it was a very big deal)


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Jun 2015 17:22:28 -0600

http://www.washingtonpost.com/blogs/monkey-cage/wp/2015/06/15/the-hack-on-the-u-s-government-was-not-a-cyber-pearl-harbor-but-it-was-a-very-big-deal/

The U.S. government has suffered a hacking attack that has potentially
revealed highly sensitive information about millions of government
employees. Some commentators are claiming that this is the “cyber Pearl
Harbor” that they have been warning of for years.

Noah Rothman, writing for Commentary, says that this attack aims at the
“preventative neutering of America’s defensive capabilities” and compares
it to the moment when “the zeros [sic] screamed out of the sky over Hawaii
in 1941.” Rothman also says that the “professorial voices of mock prudence”
have been proved to be utterly wrong, referring to a Monkey Cage post. We
don’t particularly object to being described as professorial voices of mock
prudence, but the underlying errors in Rothman’s post provide a useful
opportunity to clear up some of the widespread confusion about
cybersecurity and cyber war.

The hack on the U.S. government was not the “cyber Pearl Harbor”

Very serious people, including then-Defense Secretary Leon Panetta, have
warned that the United States is vulnerable to a “cyber Pearl Harbor.” They
have cautioned that adversaries could launch attacks on “critical
infrastructure” and seek to disable or degrade “critical military systems
and communication networks.” They argue that this could have crippling
consequences for the nation.

By referring to “cyber Pearl Harbor,” observers are talking about attacks
that — like physical attacks — could disable communications systems, power
plants, electricity transmission systems and the like. Such attacks would
indeed resemble the one on the real Pearl Harbor, a devastating surprise
attack that could determine the outcome of a war. Our original post talked
about the risk of a “major online attack aimed at taking down key
communications systems,” as did the research by Erik Gartzke that was
summarized in the article.

But hacking into information on U.S. government employees, however
sensitive, is not a Pearl Harbor attack. It doesn’t disable large-scale
communications systems, power systems or the like. It doesn’t have any
direct consequences for the nation’s ability to defend itself. Instead, it
is an (extremely worrying) exercise in espionage, of the kind that the
original post distinguishes from Pearl Harbor-type attacks, noting that
even if Pearl Harbor-type attacks are unlikely, “many actors have an
interest in penetrating U.S. networks to spy or to carry out covert
actions.”

The distinction between warfare and spying is important

Since people have begun to worry about cyber warfare, military and civilian
experts have stressed that there is a crucial difference between cyber
warfare and cyber spying. As the National Academies of Science pointed out
in one of the most influential early documents on cybersecurity, we
shouldn’t treat spying as an exercise in the use of military force:

. . . if a cyberattack would have the same effects as certain
governmentally initiated coercive/harmful actions that are traditionally
and generally not treated as the “use of force” (e.g., economic sanctions,
espionage, or certain covert actions), such a cyberattack should also not
be regarded as a use of force.

This expert report further warns that treating cyber-espionage as the
equivalent of a military attack “overstates the actual threat, thus
inflaming public passion and beating the drums of war unnecessarily,” as
well as incorrectly implying that the United States should respond
militarily. In actuality, nations have been spying on one another for
centuries without going to war over it.

A strong distinction between warfare and spying is in the nation’s interest

The National Academies report says that treating cyber-espionage as an act
of war could mean that the United States found itself “outside
international norms even when it might not object to limiting certain
attack capabilities.” More plainly put, the nation doesn’t want to treat
cyber-espionage as Pearl Harbor-type attacks, because it engages in an
awful lot of cyber-espionage itself. If successful cyber-espionage is an
act of war, then the United States is engaging in overt warfare all the
time, against its allies as well as its adversaries.

Many reports suggest that China is responsible for this latest hacking
incident. The United States has indeed been trying to force China to stop
engaging in certain kinds of hacking. However, the United States has been
arguing that political espionage (where governments try to discover
information that is in their national interest) is okay, but that
commercial espionage (where governments try to hack into companies to pass
on trade secrets to their competitors) is not. As Jack Goldsmith notes, the
recent hacking is just the kind of cyber-espionage that the U.S. government
has been defending as acceptable. Moreover:

This is almost certainly the type of collection we are trying to do, and
probably succeeding in doing, against China’s government officials. . . .
We can hardly go ballistic if we are doing the same thing.

If the United States wanted to treat this as the equivalent of a Pearl
Harbor attack by China, it would have to deal with the fact that it has
been engaged in the same kind of hostilities against China. In fact, the
U.S. government doesn’t want to treat this attack as the equivalent of an
act of armed hostility, and it is perfectly right not to, regardless of how
much excitable Internet commentators may want to condemn it.

The key implications are domestic

Even if the United States should not treat this as a “cyber Pearl Harbor,”
it should treat it as an important wake-up call. Espionage is a very real
problem, and it appears that the nation has seriously let down its
defenses. At the very best, this is enormously embarrassing for the U.S.
government. Very likely, it is seriously damaging, just as other major
incidents of espionage have been in the past.

It’s clear that there are grave cybersecurity problems within the federal
government. As Marcy Wheeler notes, elementary security steps were not
taken. It is very likely that there are much worse problems in the private
sector. The appropriate responses to these problems are painstaking and
technical improvements in security and procedures, not amateur dramatics on
the Internet.

As noted on the Monkey Cage, the new U.S. cyber strategy moves away from
Pearl Harbor alarmism to a focus on “advanced persistent threats” — sneaky
and continuous forms of hacking that can gather large amounts of data and
subvert systems over time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
