back to article US and UK declare red-team cyber war – on each other

The US and the UK are planning a series of joint war games involving cyber-warriors from either side attacking each other in a bid to expose security weaknesses before they are abused by criminal hackers or hostile governments. The exercises, which will initially test the security defences and procedures at banks on Wall …

  1. Busby

    The danger with these unlike a standard military exercise taking place in the middle of no where is it could actually impact on civilians quite easily.

    Wouldn't surprise me if orgs on both sides of the pond end up having outages as a result. I would imagine that isn't the intention of the exercise but could easily see it happening. Not sure how happy people will be if friendly activity by an ally results in a major outage at their bank or something similar.

    1. Gordon 10
      Unhappy

      Outages

      I doubt there will be any - there is a real risk of the rules of engagement being defined such that actual damage doesn't occur - and therefore potentially nullifying some of the whole point.....

      1. djack

        Re: Outages

        It is basically impossible to guarantee no disruption or outages in even the most tightly controlled and planned test, never mind exercises like this. You can not do things that are likely to result in an outage, but that's as far as you can go. You simply don't know how everything is going to react to anything.

        I have shut down a manufacturing production line with no more than a TCP portscan so I know of what I speak.

  2. Anonymous Coward
    Anonymous Coward

    What a great way for the spies to get deeper into financial institutions networks and plant backdoors!

    1. dogged

      What a great way for criminals to use the publicized spook activity as a cover for doing, er, exactly what the spooks are doing.

      1. Ole Juul

        opportunity knocks

        Not only cover, but a rare opportunity to get a glimpse of what the two governments can actually do, what they can't, and what they think is important. This could be an intelligence bonanza for the crims.

        1. Jaybus

          Re: opportunity knocks

          And if the goal is espionage, then why would they reveal the results, or at least the real results, of this little experiment/cover story?

    2. nuked

      Front doors appear to be enough these days...

  3. M7S

    150 years ago private citizens in the UK formed local rifle clubs

    to help defend the UK, which eventually became the Territorial Army*

    Alas these days, I fear that any attempts, or even declared interest, in doing something similar or assisting these excercises would not go down well with the powers that be. Certainly I don't seem them appreciating efforts along the lines of Gary McKinnon exposing security weaknesses.

    I only hope we don't have cause to regret such an attitude. Whilst I appreciate there are routes for some talented people to join "the club" that does deal with this, its not a route for everybody.

    *Apologies if I have skipped some important steps in this history.

    1. Peter2 Silver badge

      Re: 150 years ago private citizens in the UK formed local rifle clubs

      There has always been a Territorial Army, all be it not by the same name. It may have been called Militia or Yeomanry depending on the times.

      It would be fairer to point out that the militia was a backup supply of basically trained personnel to the military. Milita could more easily reach the (higher) professional standards of the military virtue of having been partially trained in the first place.

      Likewise, Rifle Clubs never became the TA per se, but merely acted as pools of available personnel who could be absorbed into the TA and trained to standard more easily than starting from scratch as they at least knew how to shoot strait.

    2. Anonymous Coward
      Anonymous Coward

      Re: 150 years ago private citizens in the UK formed local rifle clubs

      FYI - McKinnon didn't disclose any security weakness, he hacked and got caught. Because Blighty allows cyber crims to get away with their crimes with no real punishment, we will continue to have major cyber crime issues here.

      As far as citizens joining the fight, that's all well and fine. Get a proper security job if you have the skills to help prevent hacking. Independent security players can create a world of problems and actually end up unknowingly aiding the enemy.

  4. Afernie
    WTF?

    So are we saying...

    That after all the bailing out and huge wedges of taxpayer cash, banks can't afford their own Tiger teams and need state-run security exercises at further taxpayer expense?

    1. Gordon 10
      FAIL

      Re: So are we saying...

      Not at all - we're saying we should test whether those tiger teams have done a good job - not assume they have, and since the threat surface is continually evolving and that State hackers would potentially have new & different insights to other professional testers it does no harm and possibly a lot of good.

      Did you know that but just wanted to take a cheap shot at banks, or did you not think before commenting?

      1. Afernie

        Re: So are we saying...

        "Not at all - we're saying we should test whether those tiger teams have done a good job not assume they have, and since the threat surface is continually evolving and that State hackers would potentially have new & different insights to other professional testers"

        Which is fine, but a bank, a commercial concern that is in business to make a profit should be paying for that oversight itself, just like they pay accountants to conduct audits on their financial operations. Why should we pay for government to carry out a security audit on banks to allow twats like David Cameron to be seen to be 'doing something?'

        "it does no harm and possibly a lot of good."

        It does me plenty of harm if I end up paying for it. Which at some level, as a taxpayer, I will.

        "Did you know that but just wanted to take a cheap shot at banks,"

        I made a valid comment, whereas you sound like you're possibly defending a vested interest.

        "or did you not think before commenting?"

        Yes, I did. Try it some time yourself.

        1. ThomH

          Re: So are we saying... @Afernie

          Which is fine, but a bank, a commercial concern that is in business to make a profit should be paying for that oversight itself, just like they pay accountants to conduct audits on their financial operations. Why should we pay for government to carry out a security audit on banks to allow twats like David Cameron to be seen to be 'doing something?'

          The counterargument is that should these institutions fail then the cost for you and I would be huge, just as it was in the 2007–2008 financial crisis. So we're paying for preventative care in order to reduce total expected lifetime costs.

          I guess the fact that we keep paying at all comes down to a resigned acceptance that the industry is a net benefit rather than a net cost in a country with limited natural resources and no significant manufacturing base. Not the healthiest position to be in but there it is.

          1. Afernie

            Re: So are we saying... @Afernie

            "The counterargument is that should these institutions fail then the cost for you and I would be huge, just as it was in the 2007–2008 financial crisis. So we're paying for preventative care in order to reduce total expected lifetime costs."

            Indeed - but that still isn't a counterargument regarding the taxpayer picking up the bill, rather than the bank.

  5. plrndl
    Go

    The Yanks will never break out (t)rusty valve mainframes.

    1. cowbutt

      My expectation is that the UK side gets some very-clever-but-not-terribly-strategic 0wnage of the US, but the US side comprehensively 0wns the UK.

      1. graeme leggett Silver badge

        Or there might be a surprise. Like when the UK helped test the US air defences in the early 60s (Skyshield) and perhaps (or not) surprisingly some of our bombers got through. By dint of some impressive flying and electronic countermeasures, I believe.

      2. Anonymous Coward
        Anonymous Coward

        Will it be like the pwn2own contest?

        Like, if you successfully break in to a bank you get to keep it?

      3. werdsmith Silver badge

        But is Gary McKinnon playing for the UK?

        It only takes one aspergers guy in his bedroom to completely embarrass the Pentagon so much that they start frenzied extradition proceedings (instead of handsomely rewarding him for carryout a better pen test than their own guys could).

        But anyway, doubtless we are neck-deep in Cisco kit, and the US spooks will just use their built in back doors.

  6. Dan 55 Silver badge
    Happy

    That's after the next election, isn't it?

    The yanks are going to have an easy time of it if there's no encryption or big honking government backdoors in every server in the UK.

  7. Teiwaz

    cyber war, yeah

    I had a 90's anime flashback when I read this headline, and thought...

    Giant mecha and modified humans, cool.

    Then I read the article, and thought, Britain are going to get squashed.

    This moment inside UK C&C...

    "We have a chance sir, we've cloned Carol Vorderman a thousand times, the yanks don't stand a chance."

    Poor deluded bastards...they needed to hire the Knight Sabers.

  8. Simon Biles
    WTF?

    Glad we are focusing on the right things ...

    ... Cyber War ...

    Yeah, my first thought will be to attack the banks - a highly secure environment with shedloads of money to spend on security.

    I won't even consider the far more effective targets that would take out power, utilities & health care with underfunded IT departments, 'cos that's not going to have any impact on the population at all ...

    1. amanfromMars 1 Silver badge

      Re: Glad we are focusing on the right things ...

      the banks - a highly secure environment with shedloads of money to spend on security. ….. Simon Biles

      Simon, you are making the simple common universal fundamental error which their systems administrations and Main Stream Media does not wish you to fathom and realise chains you to perform as an organ grinders' monkeys for peanuts ……. banks spend and gamble recklessly with everybody else’s assets and have no money of their own, and never have had. And that makes their environment very insecure and liable to violent revolutionary action and virtually catastrophic attack from any number of practically anonymous and smarter specialist intelligence services, which may well believe in the merits of alignment and supply of EMPowering Overpowering Systems knowledge to Grand Masters of the Military Mind with Dangerous Elite Phormed Forces who/which be considerably better than just excellent at being suddenly bad and unbeatable whenever they decide it be necessary to achieve heavenly goals and relative riches and quite an absolute power with a commanding control beyond any possible compare.

      Have that sort of sensitive disruptive knowledge to give away for free and just a fraction of any intelligently gotten gains and you will have nation's smart agents and non-state actors worldwide beating a path to your door* with searching leading questions?

      * Or website and space of work, for is that not the new reality in these days of exploring and exploding zeroday trades.

      PS ..... Do you think El Reg is AIMaster Hub and Virtually Secret Sorting Clearing House? And if not, would y'all like it to be so, so that y'all can be made more perfectly aware of that which is transpiring all around you and deciding your future fate?

      1. FormerKowloonTonger
        Devil

        Re: Glad we are focusing on the right things ...

        More longer sentences, puhLEEEZE.

  9. Anonymous Coward
    Happy

    British tea distributors...

    Will receive strange, but confirmed, electronic orders to take their product down to the local harbor and chuck it in.

    1. Anonymous Coward
      Anonymous Coward

      Re: British tea distributors...

      ...and the US will have several million pizzas delivered to customs: "Some bloke called Obama ordered them...said there's a party or something"

      1. Anonymous Coward
        Anonymous Coward

        Re: British tea distributors...

        Either that or have shipments of erectile dysfunction tablets billed to our credit cards!

        1. Anonymous Coward
          Anonymous Coward

          Re: British tea distributors...

          I believe it is correct etiquette to subscribe the opposing team to as many gay porn mailing lists as you can find.

  10. batfastad

    Isn't this sort of thing going to be made illegal? http://www.theguardian.com/technology/2014/jun/04/life-sentence-cybercrime-queens-speech

    Oh yeah, law enforcement and surveillance agencies are above the law.

  11. Anonymous Coward
    Anonymous Coward

    attacking each other

    but it's a simulation, right?

    ...

    right? hello?! anybody out th

  12. Alister

    So, in the time honoured tradition of previous UK/USA agreements, the US intelligence community will be allowed to carry out attacks on any UK financial institution, and the UK intelligence community will be allowed to try and break into the email account of a minor US banking official...

  13. amanfromMars 1 Silver badge

    Fun to be had and Fortunes to be made in Greater IntelAIgent Games Plays

    The scheme will see GCHQ squaring up against the National Security Agency and the FBI in a rolling program of cyber war exercises due to begin later this year.

    And a perfect enough zeroday vulnerability exploitation exercise and opportunity for Private Intelligent Rogue Agencies and Sublime Anonymous Pirates to strut and share their stuff in the making of greater sense of the nonsense that drivers such desperate novelties and delivers ab fab fabless fortunes.

    Have GCHQ/MI5/MI6/CESG a portal that registers Greater Intelligent Game Players or is that the whole point of the development …….. to discover all that is required and be missing from their blunt and blind intelligence trawling?

    And yes, that is a real question which should be answered. Replies to El Regers and Global Operating Devices via this thread in the first instant, please.

    And the summary here ….. http://cryptome.org/2015/01/nap-bulk-sigint.pdf ….. would not disagree with the above with the following snippet advising on powers/capabilities/facilities sought ……

    … responds to a request to the National Academies from the Office of the Director of National Intelligence [ODNI]. Presidential Policy Directive 28 [PPD-28] Section 5(d), asks the Director of National Intelligence for “a report assessing the feasibility of creating software that would allow the Intelligence Community [IC] more easily to conduct targeted information acquisition rather than bulk collection [of signals intelligence]

  14. sysconfig
    Pint

    Encryption ban

    "Later this year" so that Dave has time to ban encryption in the UK first? That should be interesting.

    (Getting me coat and heading for a <see icon>)

  15. Message From A Self-Destructing Turnip

    Just picture the scene

    Colin: "We've cracked it sir, I think we're in!"

    Vladimir: "Greetings comrade, what took you so long?"

    Li: "Vladimir? Is that you? Have you heard from Ahmad lately?"

    Ahmad: "Li, good to see you, how are you?"

  16. hatti

    Where's Matthew Broderick when you need him?

    1. Anonymous Coward
      Mushroom

      Yeah, one rule--no hacking into WOPR. It took us forever to get that guy hooked on World of Warcraft instead of "Global Thermonuclear War".

  17. Anonymous Coward
    Anonymous Coward

    Cameron talks cyber with the BBC political editor

    That must have been an utter waste of time.

    Teenagers know more about cyber than Call me Dave.

    Most of the technical community have been ridiculing Cameron this week for his facile comments, but funnily enough, mainstream media hasn't joined in - they've just asked if his suggestions were "practical".

  18. Anonymous Coward
    Anonymous Coward

    Very appropriate testing

    The general public is so naïve that they have no clue as to the current cyber security issues which actually affect them - like their bank account or credit cards or employment or personal identity, etc. The security challenge is monumental and it's going to get worse. IMO it's best to not tell the public and just go ahead with the testing and to implement whatever processes are necessary to achieve the best security possible because it certainly will not be enough to prevent major attacks.

    Many people are just as naïve about security as they are about terrorism until it touches them directly as has been the case most recently. It's time to wake up and understand that we live in a new world with many different security issues that never existed previously or on such a large scale.

  19. Daz555

    "Testing" security hard enough invariably results in a genuine unplanned service outage in my experience.

  20. Anonymous Coward
    Anonymous Coward

    Business as usual

    Banks do pay huge sums for the services of GCHQ types to make sure they are as secure as possible. And I doubt they will even notice the attempts by the secret squirrel types trying to break in during the war games, mainly because they tend to be constantly under attack for hackers of every level all over the globe. Being high profile and dealing in money makes them obvious targets for hackers, and they are well aware of that. Oddly enough, Microsofts Patch Tuesday and poorly trained operators tend to have a bigger impact on uptime than hackers.

  21. Anonymous Coward
    Anonymous Coward

    Now the question I'm asking is how does that stand with the public stance of "hacking is terrorism" and "encryption will be illegal in the unlikely event that I have my way"?

    Seems a little hypocritical.

    And if we're talking in sheer military terms then banning your population from accessing a technology just means that your population is going to get completely fucking owned by everyone else in that field in short order.

    1. DavCrav

      "Now the question I'm asking is how does that stand with the public stance of "hacking is terrorism" and "encryption will be illegal in the unlikely event that I have my way"?

      Seems a little hypocritical."

      I guess it's about as hypocritical as making owning a tank illegal and then giving the Army them?

      1. Anonymous Coward
        Anonymous Coward

        Bit of an unkind simile there. And you are allowed to own a tank. There is also not much similarity between being able to chat in private and a 30 ton machine designed to kill people.

        1. DavCrav

          "Bit of an unkind simile there. And you are allowed to own a tank. There is also not much similarity between being able to chat in private and a 30 ton machine designed to kill people."

          No, the point is that the government does, and has, all sorts of things it's illegal for the general population to do and have. Detain people for questioning, etc.

          It's not hypocritical. It might be stupid to ban encryption, but that's a different adjective.

          1. werdsmith Silver badge

            If you have enough money you can go on Ebay and purchase your tank.

            However I doubt that there are many Ebay traders with Sabot rounds for a Buy-It-Now price.

            On the other hand, I am pretty sure that there was plenty of chatter going on during the planning for 9/11.

  22. DLKirkwood
    IT Angle

    Sounds like a good plan but … what if the terrorists are just smarter than US or UK intelligence? There is something to consider.

  23. Anonymous Coward
    Anonymous Coward

    waste of time

    like we will really show them what we can do. come on. waste of time.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon