Apr 08 2009

Chinese hackers: You guys got candles? You’re going to need them.

Published by at 3:33 am under US attacks

In the past, I’ve avoided posting articles on potential damage to US infrastructure from Chinese hackers and others because they seemed too hyped in my opinion.  However, this report on critical infrastructure from the WSJ is a tad bit better, even though they don’t name all of their sources…I understand why, but I still don’t like it:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

UPDATE: Ned Moran, from the Cuckoo’s Egg, agrees that these types of articles get too much hype.  He makes a better case than I did.

13 Responses to “Chinese hackers: You guys got candles? You’re going to need them.”

  1. every1s0bvious on 10 Apr 2009 at 7:07 pm

    Problem with someone saying a story is “hype” is that the source might not be revealing their full information as to why they are saying what they are saying. I guess you can assume there are a bunch of people shooting their mouths off without evidence. But for what reason?

    And guess what? If you show evidence, well, that kind of kills it, doesn’t it.

    As for “federalizing” these resources… hrrm. What is being federalized? Should not our core infrastructure abide by the most stringent of regulations? And if these are “for profit” organizations that are non-governmental, where is the profit edge in this for them to do so?

    This is why there are plenty of laws and regulations which are deeply needed. Just imagine if we had had proper ones for the banking system.

    You have to be proactive in these sorts of activity.

    The Soviets absolutely spent a great deal of time planning to take down our infrastructure not only in case of some war, but also for diversions, to rile populations, and other reasons. If you note their intelligence methodology and ruthlessness really survived from the Czarist period through the Communist period… and you surely have seen enough clues to still see just how ruthless and capable they are.

    As for China, well, gee whiz. What are they doing there? “Just having fun”?

    Proactive security. Not reactive security. Pearl Harbor? 9/11?

  2. Heike on 11 Apr 2009 at 5:22 am

    every1s0bvious,

    The problem I have with the story is that it infers motives and actors without providing evidence. Not saying it isn’t true but how can anyone draw a conclusion without full disclosure?

    If it is a source who shouldn’t be talking, then why is that person leaking it to the press? If you use anonymous sources, couldn’t that person have a bias or motive other than security? Lot of money floating around for Infosec.

    As for government regulations on private industry, that is a slippery slope. There are people who argue government intervention played a large part in the collapse of the banking sector; Mark-to-Market comes to mind.

    I don’t feel articles like this one are all that helpful, leaves too many unanswered questions.

  3. every1s0bvious on 11 Apr 2009 at 4:43 pm

    I don’t mean a source as a human in this case. It could be, I don’t know. I just mean when things are leaked to the press, especially from the governmental level, perhaps, the press is not going to get the full story. Why “leak” it.

    And I definitely do not mean the source for the article. The WSJ printed the original story (I tracked down)… and they talked to a former government official. He, obviously, would not be the “source” for how they figured out it was Russia, China, and “other countries”.

    A. You want people to be aware of the problem. We live in a Democracy. If it was just hype, who needs it? Anybody watch this season of 24?

    B. In this case, the primary source for the article was this ex-official. There may have been others, I am not doing a study here. Did he do this officially, even though he is a “former”? Or is he doing this because of some other reason? I find the WSJ credible. They vet their sources. But, every media is imperfect and how can you genuinely vet that which you do not know?

    Let’s imagine a hypothetical scenario. These guys had strong evidence to see that these tools were serious and almost surely likely foreign intel inspired… and there were indicators putting them as Russia and China and “other countries”.

    Two different factors. One factor is perhaps not too difficult to tell: whether or not the job done was “professional” or not. Further, maybe there are attack routes.

    You and I know such evidence is sketchy. If you have studied the history of intelligence you know the last thing a nation wants to do is leave evidence of such work by their own hands. Why should they do this?

    They can make it look like another country. This is why the Soviets, for instance, carefully used material in their direct action work from other countries. When giving the IRA weapons, or the PFLP, or even when counseling the Bulgarians in how to make that umbrella BB gun… (the umbrella was obtained from an American residency).

    So the second factor one would think is sketchy, wouldn’t you? What country was really behind this?

    But I don’t know, I just read a lot. I work in computer security but not in government.

    My general sense about the matter is, however, considering this story and the other “noise” going about on the matter is that pretty solid and alarming evidence of foreign intelligence penetration into our critical infrastructure has been found.

    Lastly, on regulations, yes, of course… too much regulation can be bad. It is very hard to come up with solid regulations that give people enough rope, but not too much. I am not a fan any more than you nor the guy cited of too much regulation. There have to be some solid regulations however, I would point out, and they should be reasonable, but enough.

    EO

    (Like the farmer’s song, sing it out loud now…)

  4. every1s0bvious on 11 Apr 2009 at 5:40 pm

    Hrrm, actually wasn’t paying much attention to your comments here, and see you already found the original article and “understand why” (which I would guess so, as you actually have worked in that area).

    <>

    The area I do work in is computer security and I have had to do some work in infrastructure security. What we do is not compelled by business interests but by regulations. Without regulations, the job simply would not get done. Does the above sound like a competent job is being done?

    So, I am making two judgements here (albeit they are just possibilities)… one, the government is incompetent in terms of doing enough to protect these assets as are the companies in charge of them (when that is the case)… and two, despite that incompetence both corporate and government does have a lot of smart people and are capable of correctly assessing a threat and generally will not be eager to go out and make undue concerns – improbable concerns – loudly.

    It is a simple bureaucratic problem. Of course there is not much work done there, where is funding for that or proper regulations? Two, but there is funding, regulations, and history in determining threats. Maybe it remains a bit young in terms of determining computer security threats, but there is definitely a lot of maturity there… and a direct relation to physical threats which agencies are mature on.

    And, I also agree China [with WSJ article] has little to gain from hurting us economically. They are known for leaving their tracks. But, it is impossible to say, “China will always react X way”, because who knows? The point here, however, is not China nor Russia nor anyone else… but simply that these critical points need to be secured though there is not adequate business reason – profit motive – to do so.

    I am absolutely conservative, nearly libertarian on such matters, but that is just what I see from ‘on the ground’.

    EO

  5. every1s0bvious on 11 Apr 2009 at 5:41 pm

    “The NERC set standards last year requiring companies to designate “critical cyber assets.” Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.”

    The above quote was filtered out. It goes in between the two special characters above. That is what I was quoting from the WSJ article.

    EO

  6. Heike on 11 Apr 2009 at 7:14 pm

    EO,

    You and I seem to agree on much of this. The reason I decided to link this article was that it came from the WSJ. One of the few media outlets I trust.

    Would love to get more of your insight into infrastructure security. I obviously don’t work in that field and it would be fantastic to get the ideas of someone who knows what they are talking about.

    Thanks for taking the time to articulate the situation!

  7. Heike on 11 Apr 2009 at 7:31 pm

    I should probably add, don’t like discussing my politics on this blog, but I’m of the Libertarian mindset as well. Although you might classify me in the small “L” category. Just not a good joiner.

    I trust guys like you much more than I do the government to solve certain security situations. Not that they aren’t well intentioned but have a limited understanding of third-order consequences.

    Security is one of the areas I totally agree should be proactive and falls squarely under the purview of the government. Just not sure what the best method is for dividing the baby when it comes to private industry.

  8. BigBubbaX on 12 Apr 2009 at 6:47 pm

    So, if normal Chinese civilians are patriotic hackers, where are the American civilian counter-hackers?

  9. Heike on 13 Apr 2009 at 11:18 am

    BBX,

    There was actually a mini-conflict between US hackers/others and the Chinese over the EP-3 incident.

    My opinion…a pox on both their servers.

  10. Oh2BaCowboy on 13 Apr 2009 at 2:18 pm

    I just finished reading an article written by Mara Hvistendahl entitled “The China Syndrome” in the May issue of Popular Science. Your site is mentioned in the article and that is how I found you.

    I love your site (and the info it contains)…picture Arte Johnson in your mind’s eye when I say…”very interesting”.

    Keep up the good work…how can I join your posse?

  11. Heike on 13 Apr 2009 at 3:31 pm

    Oh2BaCowboy,

    Very glad you came to the website! Of course, you mentioning Arte Johnson dates both of us. :)

  12. every1s0bvious on 18 Apr 2009 at 1:43 am

    <>

    There is no such thing as US government hax0rs. We are too wussy for that. Sorry.

    Heike, you know this. We are the good guys which means we don’t take chances.

  13. Heike on 18 Apr 2009 at 5:40 am

    You’re right, the US does not have anything similar to the Chinese groups.

    Wan Tao, the leader of China Eagle, even talks about the difference in the two cultures. In the early years, the Chinese hackers tried to copy the Western model but found it didn’t fit.

    Chinese hacker populations tend to mirror their society.