Biden warns 'real shooting war' will be sparked by severe cyber attack United States President Joe Biden has shared his view that a "real shooting war" could be sparked by a severe cyber attack. In remarks made on Tuesday at the Office of the Director of National Intelligence, Biden spoke of the need to "make sure that we're positioning ourselves to stay ahead of security challenges that will …
"We've seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world"
We have indeed - for decades, and it gets worse rather than better as time passes. But there wouldn't be anything like such a scale of threat if we could persuade developers to write software that wasn't littered with rather obvious silly errors. There are no more than around half a dozen critical metal-level cock-ups that have kept getting perpetrated for some four decades, and with all their rigor, even OWASP only cite 10 common critical web development errors. That's (being generous) less than 20 things any developer should know about and avoid - but they don't and they don't. So we have fragile bug-riddled software that requires constant "updates", and for some bizarre reason we find that perfectly acceptable. Until we get breached.
Until software development becomes a real engineering discipline (with global verified standards and rigorous oversight of compliance with them) we'll continue spiralling downward into the pit, as, on the one hand, we rely on software more and more in every aspect of our lives, and on the other it becomes less and less trustworthy.
There are around 30,000 parts in a car. There are hundreds of thousands of lines of code in a software if you include the libraries, and millions if you include the OS. Software has a complexity that as few equivalence IRL. Add to this the speed of development and changes in IT, pushed by the Moore Law. Car parts are rarely new, screws are a tested, proven technology for long, we know a lot about the materials and how to make them safe and secure. It's totally different in IT. Everything is moving, and fast, and faster. The technology we use now will probably be obsolete in 10 years.
Even if we improve methods to make software more reliant, it won't eliminate bugs and security breaches. It's way too complex: too many layers, too many interfaces. Look at the space industry, which tests, retests and tests again. It didn't stop Mars Climate Orbiter to crash because of a conversion error, or the first Ariane 5 to explode because of a float overflow.
Of course, we have to code better. But we should always keep in mind the code will be defective and will enable cyberattacks. Improved software development is one layer of protection, but it cannot be the only one.
Those writing/maintaining the software have to get it right 100% of the time. The attacker only has to find one place they got it wrong.
And the attacker doesn't need to be part of an army or even a group, he can be all alone and responsible to no one. He doesn't need to put himself at risk like a sniper or a terrorist planting IEDs. He can attack from the safety of his bedroom halfway around the world in a country that doesn't care what he does so long as he's not attacking their allies, and won't extradite.
I politely disagree.
Such powers NEED to be part of the regular armed forces, the sole coordinators on the use of force.
Otherwise it is just blood and chaos, and nobody wants that.
People want safety and prosperity, force being used only when others are hurting you.
I wasn't implying that a military doesn't need its own cyberwar capability, just that as far as DEFENSE goes it doesn't matter how big your forces are, a 400 lb guy on a bed in his basement could hit you and depending on where he was you'd have no recourse aside from traditional military attack (if you could find him and if you were willing to risk the greater conflict that might result)
It still remains as a matter of fact that software development is the only branch of engineering (granting it that courtesy) in which practitioners are allowed to be entirely self-taught and don't have to be certified against any global objective standards.
That alone needs to be fixed if things are to improve, as can be verified by no more than a cursory overview of the general quality of questions and answers at Stack Overflow.
I'm not sure your analogy with engineering actually stands up.
Real engineers don't do most of the work when building a bridge, but they supervise and they are on the line (in court) if it goes wrong. Insurers cover that risk as long as the "real engineer" has professional qualifications. In the end, it is all about money. The builder uses an engineer to off-load the risk, the enginer off-loads that risk to an insurer, and everyone keeps their fingers crossed that the bridge doesn't fall down.
If it falls down the first time someone drives a heavy truck over it, everyone loses. However, if it falls down when someone wraps shaped charges around a pylon, everyone shrugs shoulders and the police chase after the terrorist.
Some high-profile attacks on software feel like the latter case. The software was fit for its purpose, but an attacker just "changes the purpose" until the software is no longer fit. Expecting every software package to be resistant against crackers is like expecting bridges to be resistant to bombing. Maybe it can be done, I don't know, but it doesn't sound like it would be cheap and who is going to pay?
I'm aware that some other attacks are just plain stupid. (Anything where key infrastructure is connected to an international network sounds ... rash.) But let's not pretend that qualifications can save us from an foreign adversary who is clearly practising for the next war.
While coding better software is important the real issue is that the weakest link in your security defense is your employees! Most of these current ransomware attacks are perpetrated through social engineering. Target someone in a position where they may have access to a large portion of a companies data, get them to perform some action through social media, email, even a phone call, i.e. either inadvertently or some time deliberately install malware on their devices and your in!
They have not targeted a vulnerability in a program or operating system they have targeted a vulnerability in the Human Interface!
We on the IT side tend to focus exclusively on the technical aspects of security and completely ignore the human factor!
At one point in my life, I thought automotive companies would be worried about cyber attacks. The truth is that they are not.
They buy cyberinsurance between $1-$10 per car. Maybe even less. Then they make a lot of noise.
The only automaker serious about security is Tesla. And that is because they are a nice target. Teslas are a high end multiprocessor computers with a motor and a battery connected to their fleet management software.
@Potemkine
Computer systems are, as you observe, the most complicated machines made by man. But the biological world is much more complex. First the complexity of proteins; then the bacterial cell; then the eucaryotic cell; then plants and animals; then what we call our brains. (That with which we think we think - Ambrose Bierce.)
But nature proceeds by small changes, and takes a lot of time. Bugs crop up along the way, e.g. the human loss of the ability to synthesise vitamin C.
I know many won't like this but it is time to phase out writing software in C, C++. Rust may not be at the place where it can replace everything C based languages can do but that transition need to happen. There are too many inherent dangers coding in C, C++ that languages like Rust can mitigate. This won't stop dumbass programmer error but it will stop some of the common problems with C based programs because Rust will not let you compile with these vulnerabilities.
Bottom line, you can prevent all this with proper security measures and user training. The biggest problem is "That costs money" and Corporate leadership will not spend the money "until something bad happens"! It is much like "disaster recovery", they only want to spend on it AFTER an incident that loses data!
Then there are the Security Professionals who spend more time selling FUD and crap products than actually protecting their clients.
And there is the "internet generation" that will throw childish tantrums if you block social media on their corporate devices. They view this as an infringement on their "civil rights". Unfortunately most management doesn't have the courage to tell them no. Usually because they don't want their social media blocked. And then there IS management, who request exemption from every security measure you try to implement.
Finally, people should only have access to what they need! Not what they think they need. As a senior IT employee do I have full access to our financial system? NO! and I don't want it. When someone requests access to something that is outside their job requirements the answer should be NO! No matter their position.
Bottom line, you can prevent all this with proper security measures and user training
That's very dubious, assuming someone pins you down on the "proper security measures" hand-waving.
User training is important, but decades of experience with computing end users, and millennia with humans in general, show its limits. Even highly knowledgeable users regularly make errors. Cory Doctorow has a good blog post from years ago about how he got phished – working quickly, distracted by other things, entered credentials into a pop-up that looked legitimate without stopping to think about it.
In fact, some studies show experienced, trained users are more likely to make security errors or bypass security mechanisms because they assume their knowledge serves as a compensating defense.
"Proper security measures" is meaningless without definition, of course; but for any feasible set of specific, realistic measures, a security expert can likely construct an attack tree that bypasses all of them.
Certainly there is a great deal that can be done, across the entire software lifecycle, from architecture through monitoring and defending in production. And certainly most people and organizations aren't doing most of those things, or do them poorly. But "prevent all this" is a fairy story.
"We have indeed - for decades, and it gets worse rather than better as time passes. "
MBA seagulls blow off any and all warnings about this stuff until it explodes in their faces
The problem is that such individuals are so numerous and noisy that they effectively mask the problem UNTIL it's too big for them to cover up anymore
Wholeheartedly agree with Potemkine.
And never forget that the bad guys are not the coders but those that are doing the attacking. And the attackers are no longer script kiddies, it is at the governmental level and they have the budgets and capabilites to do far more than one might imagine..
And don't forget the real issue here, Joe Biden is preparing for whatever war the USA had decided to start within the next 2 years.... Which undoubtedly they will....
And don't forget the real issue here, Joe Biden is preparing for whatever war the USA had decided to start within the next 2 years.... Which undoubtedly they will.... .... Khaptain
One would have thought that being such a constant serial loser in such an enterprise that entertains and provides victims of war, would have them realising the error of their ways. The fact that it mightn't and/or doesn't must be a reflection on their lack of available in-house, actionable non self-destructive nationalised intelligence.
I wouldn't be that generous to the coders. The pushback I get when I point out obvious vulnerabilities would make you think I was stealing their first born. In fact developers HIDE their systems from security teams to prevent them from getting audited.
I remember I found a vulnerable web server in a system once and requested it be replaced with a less vulnerable version. The team just moved it to a different port, well-known in fact, hoping that I would get fooled that they were running something else.
For many developers and development managers, security vulnerabilities are externalities. Fixing them is expensive, particularly in opportunity costs and cognitive load, and they have little or no direct return in market appeal (features, usability, etc). So they resist.
The only fix is to turn those externalities into direct costs (e.g. with customer pressure to fix vulnerabilities or an SDLC with metrics that feed into KPIs), or make improving security a reward in itself by convincing developers of its importance (so fixes are psychologically rewarding). In-organization direct rewards (e.g. bounties) are too easy to game to be workable in many organizations.
"...whatever war the USA had decided to start within the next"
Regan did the exact same thing with his first year of speeches, which all foreshadowed the Star Wars project, increasing retirement age and the War On Drugs... all of which came to reality before he was out (many of his early foreshadowing quotes have been used on a TV showed called Jeopardy).
Here is the line that lets you know, that you know, something greedy is being drawn up....
"...you're as informed as I am..."
Yep, so when I'm informed something is starting, I'll be "right with my beloved president". So heart felt, so much spreading of fear for profit.
People just refuse to see it, they just keep believing in it all way too much, but all 1st world politicians now have to be assumed to be corrupt.
"Wag the Dog" as they say. No, this won't be an action against Russia and most certainly will not be against China as Slow Joe is far too "in bed" with the Chinese for that to happen.
It will most likely be against Iran. Once he loses badly in the next election, which is at this point a veritable certainty. This will be the play used to regain his popularity.
But I believe it will fail. The American public bit Left & Right has had enough of the endless wars in places where these wars make not a shred of change in the lives, politics and ideology of those living in these nations.
Is Bidenesque FUD the new MAD and does Uncle Sam intend to be world leader in that too? Go for it Joe. You're a star in the making with the following high bar and low tide mark to overcome and improve upon ....
"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." — President George W. Bush, Washington, D.C., August 5, 2004
Is there something strange and deranging in the 1600 Pennsylvania Avenue NW, Washington, D.C. water supply/intelligence source provision ‽ .
So the WH should stand down? What exactly are you proposing? .... A random security guy
If they could cease and desist from scoring so many damaging own goals would be immediately quite helpful, A random security guy.
Is there something strange and deranging in the 1600 Pennsylvania Avenue NW, Washington, D.C. water supply/intelligence source provision ‽ .
No, there's something in the electoral process that ensures normalish people can't get elected.
People thought Trump was an anomaly, when in fact he was just less subtle.
"People thought Trump was an anomaly, when in fact he was just less subtle."
The new guy is just less of everything, especially the neurons... The media are propping him up for the moment but I get the feeling that that's not going to last for long now....
We can see it in the press conferences that the media are starting to attack, just as they did with Trump, the difference being that Trump's was at least funny and laughable whereas with Biden it's just plain embarrasing..
Trump could at least wrangle with reporters and hold his ground.
This guy...I cannot believe the media thought it was a good idea to have him elected.
Though, I suspect they thought that Kamala being sworn in mid-term wasn't too bad either.
I still have a bet with a co-worker that he won't make it to mid-term. Those drugs he gets to prop him up will stop working sooner or later or the side-effects will show.
I have been posting a wager on social media, which none of you trumpers have taken: I bet $1000 US dollars that Trump will NOT be "reinstated" or "returned to power" at the White House by Aug 13, as the pillow guy has been hollering. Hell, I'll give it to Aug. 31st. On August 31, we meet (loser pays their own way) and one of us walks away with ten $100 bills. Otherwise, all you trumpers concede, aver, and maintain you are gutless, inverted-weenie scum suckers who are desperately hoping there is someone dumber than you who might actually swallow that codswallop.
So, Rainer, I'll take that bet about Biden making it to midterm. I'll even make it for that same $1000, same terms. I live in the US Midwest. Deal? Or do you concede,, aver,,,etc.?
If you'll step outside your social media bubble for five minutes you'll find the vast majority of Trump supporters never made that claim in the first place, so I'm not surprised you don't have any takers.
Online betting is illegal in my current location or I'd propose a counter-offer about the midterms. Or do you think that Trump is currently touring every electoral region in the USA as an inefficient means of making a few dollars?
@Ordinary Donkey
Twitler's anointed, endorsed candidate just lost a runoff election for a Texas house seat (she is the wife of the late office-holder, usually a shoo-in for GOP voters) to another Republican, in a deep GOP area. I hope and pray this is another example of, as the book title has it, "Everything Trump Touches, Dies". He nearly killed the USA, by unchecked epidemic and then by attempted coup.
Yes, I think {Twitler} is touring as an inefficient means of making a few dollars - he is using the slush fund of campaign dollars sent by his suckers, so it isn't costing him anything, AND he's getting the strokes his pathetic, yawning maw of an ego desperately needs. Besides, he is completely bollocks at being a businessman, so why should this be any different?
Oof! You went full Hitler.
Might want to tone that down, these days it makes you sound dangerously unhinged.
I mean, it always did but without President Trump as a distraction more people are reacting negatively to it.
The purpose of war isn't very obvious. In many respects the US lost the wars in Iraq, Afghanistan, Libya, etc. where they had various degrees of involvement. The US doesn't believe in colonialism. It believes in projection of power.
Think about the destruction the US can cause and the number of leaders it can humiliate. There was Saddam Hussein, strutting around like a rooster. The US got to him.
Would you like to pick a fight with the US? You know you are going to get hammered.
The cost to the US? The lives of a large number of underpaid, underprivileged US soldiers and some cash that goes to the Military Industrial Complex.
China has been a troublemaker in that region since Mao's time. None of its neighbors except for Pakistan like it.
The stage is set. We don't know how the cards will play out.
Downvoted for arrogance and stupidity. Bad case of SLS (Slow Learner's Syndrome) there I think.
BTW -- What makes the post author (and the American establishment) think that the US will be able to identify cyber-attackers well enough to target retaliation? Most likely any attack on the US will appear to come from someplace(s) other than their actual source. It'll very likely be like the still poorly understood 2016 attacks on US and Canadian diplomats in Habana and elsewhere(?) in 2016. Real most likely. But a mystery.
If you ask me, the US and others would do well to start identifying their critical infrastructure and moving/keeping it off public networks. Even if that interferes with some folk's (planned) profits.
One immediate response might be to drop the international Internet communication rate to 300 baud which would make infections much harder if they are coming in from outside - yes, it would have a severe effect on the economy (Amazon, Google, Facebook, Twitter, Instagram etc) but it would not be as bad as killing people in both countries ...
Fight a war when you intend to win -- Never threaten to start a war when all chips are down.
Joint Chiefs Seek A New Warfighting Paradigm After Devastating Losses In Classified Wargames
@Def
"You'll basically be bringing guns to a drone-fight with the same effectiveness as trying to stop an erupting volcano by pissing in it."
Which puts the dems in a sticky situation. They cant claim the capitol riots as a threat to democracy (they didnt even have guns) while claiming people have no chance if the gov turns on them. Second to that Vietnam beat the technically superior US. Afghanistan, Iraq being recent wins against the US.
@Def
"You're confusing the legislative branch of the government with the armed forces it controls."
Does that mean a bunch of unarmed protesters could have overthrown the US democracy but armed citizens would have no chance against the government? And on which side or that question do the capitol fences stand?
No, the angry mob that stormed the capitol building had no chance of doing anything other than disrupting legal proceedings for a few hours - or at worst a few days. If they had decided to attempt to occupy the building for any prolonged period of time they would have been forcibly removed. Even if they had succeeded in killing a sufficiently large number of senators, the US constitution has provisions for what would have happened if the Electoral College vote count couldn't be completed.
Similarly, any attempt of an uprising by armed US citizens at any other time of the year wouldn't have any chance of succeeding without serious backing from the armed forces. There's a reason coups around the world have been historically carried out by military personnel.
And in the instance that the US government itself went full-dictator on the US people and tried to exert excessive force upon its populace, it would only realistically be able to do so with full support from the military.
Either way, any resistance or uprising would, at the end of the day, be bringing guns to a drone-fight. :)
@Def
"No, the angry mob that stormed the capitol building had no chance of doing anything other than disrupting legal proceedings for a few hours"
I agree. It just screws with the dem narrative. As with the fence while cities are terrorised by actually dangerous protests. The disconnect between them and the world seem at odds (republicans not excluded completely either). There is still plenty mocking of AOC over the capitol 'riots'
The problem with the capitol riots wasn't the riots per se. It was the background under which they happened. An outgoing president who lost the popular vote and the electoral college spent the preceding month crying to anyone and everyone about how rigged and unfair it all was and who then organised a rally a short distance from the capitol on the day his loss was to be confirmed, worked the crowd into a frenzy, and then suggested they walk to the capitol to protest.
Given the fact there there were also improvised bombs planted in the vicinity the whole thing could have been a lot worse. But people still lost their lives, simply because Trump is a poor loser.
"They cant claim the capitol riots as a threat to democracy (they didnt even have guns)"
You're spreading misinformation:
This post has been deleted by its author
"...look what Russia is doing already about the 2022 elections and misinformation. It's a pure violation of our sovereignty."
So, eh, the Democrats are already expecting to lose seats next year? Won't hurt my feelings, but judging from 2017-2018, the Republican leadership is too neutered/scared/paid-for to do anything useful if they get back into a majority. Well, do anything except call people names and twiddle their thumbs.
I don't think Trump can win if he runs again. The media and entertainment complex have tarnished his image among the middle-grounders (even worse than he did, himself) to the point that he can't get enough of those votes to win. That's why Biden is in the Oval Office now - he's milquetoast and uninspired enough that he doesn't offend the "undecideds", unlike the more vocal and aggressive members of the Democrat party.
@AC
"I don't think Trump can win if he runs again."
I have no idea if he could. Its the concerted effort to have him impeached to stop him rerunning and the continued attacks that make it seem the dems are afraid. Considering things seem to have got worse under Biden there is plenty for Trump to talk up, but he is also good at shooting himself in the foot too and has a lack of polish which either works for or against him depending on the observer
Rather than discuss going to war over software security, why don't we just make it illegal to connect any public utility/critical facility etc to the Internet?
Until recently, New Zealand ran its electricity infrastructure on RS232, which is beginning to sound like a good idea, again.
Also, instead of blindly going to war, why not re-employ the guys who found Osama Bin Laden, to find the hackers? Give them the same instructions, and sit back and wait.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
