Ask the writers | DOD Special Report: Red Storm Rising

September 06, 2006 11:00 AM

Guest: Dawn Onley, GCN Senior Writer

Guest: Patience Wait, GCN Senior Writer

Guest: Moderator, GCN.com

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Q & A: 1
Moderator:

Greetings to everyone, and welcome to today's online forum featuring GCN writers Dawn Onley and Patience Wait, who will answer your questions about their special report, "Red Storm Rising," featured in GCN's Aug. 21 print edition.

A growing band of civilian units inside China is writing malicous code and training to launch cyberstrikes into enemy systems. And for many of these units, the first enemy is the U.S. Defense Department. These cyberassaults reveal China's growing interest in information warfare, and have put the Pentagon on guard against nation-state attacks.

Dawn and Patience are standing by for your questions, which will be answered in the order they are received.

Let's get started.

Q & A: 2
Morgan, Rhode Island: It seems that United States government officials have pursued a technical line of defense against these countries, but have failed to seek assistance higher up; why are no economic sanctions being used as bargaining tools against a government that is clearly employing hackers such as Titan Rain? Have we failed to "think outside the box" and look beyond the scope of our technical expertise?

Patience Wait: Interesting question. I suppose one might argue that this is simply a new form of espionage, which has a long history among nation-states, and which normally is responded to in diplomatic, military or justice circles, rather than economic ones.

Q & A: 3
Andretta Summerville, D.C.: Can you name a few of the other 20 nations that have their own cyberattack programs?

Patience Wait: The countries I found mention of include France, Iran, N. Korea. I would expect the U.K., Israel and India to be on the list, too, based on the advanced state of their networks, software and hardware programs. I could speculate further, but it truly would be speculation.

Q & A: 4
Joe in Groton, CT: I am an administrator of a DoD network. Why haven't I heard anything from up above about what types of attacks they are using, and whether or not Sysadmins need to take any extra steps to secure our networks? As a matter of fact, I haven't even heard anything from the DoD that there was a compromise at all. There was not even a post at the infosec web site about any compromise. If it wasn't for the SANS newsletter, I wouldn't have even found the GCN website. I feel that we need to share information within our community so we can all be more proactive in protecting our networks and our data. I get the impression that without this cohesion, we are sitting ducks.

Patience Wait: One of the reasons that Dawn and I wanted to tackle this subject is because of our perception that many IT personnel, both in DoD and in other federal agencies, haven't been that aware of the origin of many incursions, even though Gen. Croom at DISA and other officials have been talking about it for at least a year. I can't speak to their rationale for not conveying more information about the nature of the threat - perhaps they believe that infosec should be pursued because it's a "best practice," and that should be sufficient. For myself, I am always more concious of security when I have a specific reason to be careful.

Q & A: 5
Andretta, D.C.: Have you heard of any specific Chinese actors or groups supported by the Chinese government in hacking American classified or unclassified defense/military networks?

Dawn Onley:

There was a published report, which originally appeared in a Taiwanese newspaper we believe, that said an organization called the "Red Hacker's Alliance" had regrouped after a short break and is now boasting upwards of 20,000 members. The members are believed to have come from a hodgepodge of informal hacker organizations prior to joining the RHA.

The article said the group has a paid staff, including university network security experts, and that RHA is developing cyberwar weapons and defenses.

In addition to this, the U.S. Defense Department, in several documents, including the most recent: “Annual Report to Congress: Military Power of the People’s Republic of China 2006” says the Chinese People's Liberation Army (PLA) is developing information warfare militia units and is training them to conduct network intrusions on enemy systems.

These units are comprised of IT engineers drawn from Chinese universities, institutes and corporations.

Q & A: 6
Boston, MA: How are the Chinese getting access to NIPRnet?

Dawn Onley: Well, one reason I hear often is that the DOD relies on a lot of commercial software products and since components in these products are built all over the world, that poses a particular concern to Defense officials and can open up Defense networks to attack.

Q & A: 7
Lanham, MD: Would the government consider developing a well-thought-out, well-planned, ongoing false set of circumstances to continuously mislead the Chinese?

Dawn Onley:

A year ago, two Army technologists were doing just that, looking for ways to apply niche types of technologies to accomplish a system of decoy DOD networks and "honey pots" that could keep hackers away from mission critical systems.

Those two technologists worked for the Joint Task Force for Global Network Operations (JTF-GNO) and one of the technologies they were looking at was called Net Force Maneuver.

I'm not sure where the effort stands today or if it's still being looked at as a viable option. But it gives me something to follow up on.

Q & A: 8
Marc Los Angeles CA: It is my understanding that there are many civilian hackers here in the U.S. doing the exact same thing to China. I had read an article a while back talking about the cat-and-mouse game played by hackers in both countries. Are these civilian hackers in China operating autonomously or with military and governemnet approval? Marc

Patience Wait: Our research indicates there are, broadly, two types of hackers targeting U.S. government systems - the People's Liberation Army has established cyber units, according to the Pentagon's 2006 annual report on China's military forces, and there have been newspaper reports overseas that individual hackers in the country have organized into what almost sound like computer militias, taking actions they consider patriotic (such as defacing U.S. Web sites after the accidental downing of the Chinese fighter plane in 2001). We did not find any hard evidence that the Chinese government was supporting them financially, for instance.

Dawn Onley: From what Patience and I have gleaned from our research, the civilian hackers appear to be operating with both military and government approval.

Q & A: 9
Jim - Pasadena California: How is Computer Forensics being used, and by whom in this emerging threat?

Patience Wait:

That's a difficult question, because so many federal agencies have some level of forensic capability. Within the Defense Department, for instance, the Defense Cyber Crime Center may play a very large role, but each service has its own investigative/forensic capabilities, as well.

As you may already know, much of computer forensics is concerned with after-the-fact diagnostics (e.g., what vulnerability was exploited, what files did they visit and/or download, etc.). New tools that allow "online forensics," watching an incursion as it happens, are now available; I'd be willing to bet money there are places in the government those tools are being used, but whether to thwart an attack or track back where it's coming from - that I can't say.

Q & A: 10
Larry Dietz, CA: Has your research indicated any other major nation state targets besides the US?

Patience Wait: The U.K and Australian governments have had similar attacks. Both countries have their own equivalent to US-CERT (the United States Computer Emergency Readiness Team), which coordinates defense against and response to cyber attacks against government and private sector systems. Both countries' CERTs have been more forthcoming about hack attacks, viruses, worms, etc., than our own - as a reporter, I've found information on their sites, but then had a harder time getting it confirmed here.

Q & A: 11
Bernie MN: Norm Coleman (R-Minn.) is my senator, and he recently draped accolades on China for the advances in diplomacy over the past 20 years. His office has not responded to my questions on this cyberattack. Any updates from the senators?

Dawn Onley: We put out several phone calls to senators who are familiar with this topic, but haven't heard back from them.

Q & A: 12
Moderator:

We've received some e-mails reporting a broken link to GCN's Aug. 21 print issue featuring the "Red Storm Rising" special report. Click here to see the table of contents for that issue.

The hyperlink is http://www.gcn.com/print/25_25/.

Q & A: 13
Steve CT: Has anyone investigated the use of offshoring/outsourcing with companies in China or other countries for the possibility of Trojan horses or other malicious soft and firmware. Who's watching the store in U.S. government and industry when we buy this code made overseas?

Patience Wait: This is one of the concerns we addressed in the story on procurement (Procurement conundrum: What's inside the box? (http://www.gcn.com/print/25_25/41717-1.html )). included in the special report. While there are various groups that raise a flag (so to speak) - the U.S.-China Commission, for one - there really isn't any single body that appears to be responsible for this.

Q & A: 14
Moderator: We're having technical difficultly with our hot links this morning, ladies and gentlemen. Instead of inserting hyperlinks, we'll include the URL(s) that you can cut and paste into your browswers' address bar. We apologize for the inconvenience.

Q & A: 15
Michael, North Carolina: I do not doubt that China is the source of many incidents. My question is: have you found situations where other countries (e.g., France, NK, Israel, etc.) are using China as a launch pad for their operations on our networks? (In order to disguise their origin)

Dawn Onley: This is certainly a real possibility and the reason why Navy Rear Adm. Elizabeth Hight, deputy director of the Joint Task Force for Global Network Operations, is careful to characterize network attacks as "traversing through China" as opposed to originating from China. The attacks are likely coming from numerous countries. We mention that there are at least 20 other nations that also have cyberattack programs.

Q & A: 16
Washington, DC: Earlier in the year the Congress became concerned when it found that the Department of State was planning on buying 16,000 desktops from China's Lenovo. Were the concerns about security genuine or was the purchase politicized because we were buying the machines from a foreign (and not an American) manufacturer?

Patience Wait:

How about both? There are a lot of people, inside and outside the government, who are concerned about possible security risks - whether from Trojan horses embedded in the software or hardware, or that we could be vulnerable to supply shortages if our economic relationship with China is ever in jeopardy. (And that applies to a whole lot more than computers.)

On the political side, many of those who were upset with the deal specifically had China in mind. Rep. Frank Wolf of Virginia, for instance, was pointed in his objection to this contract going to a company partially owned by the Chinese government.

Q & A: 17
Washington, DC: How closely tied is the Chinese hacker community to the PLA and the Chinese government. What leads you to believe that many of the cyber attacks the US and Taiwan have been facing are coordinated through the PLA?

Patience Wait:

We don't know how closely the Chinese hacker community is tied to China's People's Liberation Army or other government agencies. But as our story on the origins of malware ("Malware's tangled roots" (http://www.gcn.com/print/25_25/41693-1.html )) reported, many viruses and spyware programs are extremely sophisticated, both in their coding and in their execution, and experts inside and outside the government believe it takes a large amount of resources (computers, platforms, manpower) to develop malware that can work across many different environments.

And, of course, while China is becoming more "capitalist" in its economic programs, politically it remains a one-party state, which controls just about every facet of infrastructure. I find it implausible to believe the Chinese government is unaware of attacks originating there (though I could imagine their turning a blind eye to them).

Q & A: 18
Moderator: Based on the volume of questions we are receiving, we are going to extend today's forum until 12:30 pm ET to accommodate as many questions as possible.

Q & A: 19
Andretta Summerville, D.C.: If the United States waits until the "rules of engagement" change in order to conduct offensive cyberattacks in response to Chinese cyberattacks, doesn't that technically leave the United States in a reactionary and defensive posture, leaving defense systems vulnerable? Should the United States take the cyberwar to where they are, just as we are doing against al-Qaeda and other pro-terrorist groups?

Dawn Onley:

The National Security Agency is responsible for the offensive areas of operations in cyberspace. From our research, we know that NSA and the DOD are analyzing the vulnerabilities and determining the best way to prioritize defensive and offensive measures and the best way to allocate resources to accomplish this.

But what we don't know is just how proactive NSA and DOD's offensive and defensive postures are. So we don't know the extent in which, for example, the Defense Department and NSA could be launching counter attacks on Chinese networks.

Q & A: 20
john szwast PA: I would expect "Information Warfare" attacks like this will start to occur with more frequency in the months and years ahead. In the current DoD organziational structure, is it DISA that has the responsibility to "fend off these attacks" and also to attack the computing infrastructure of nations like China? Are we organized correctly in DoD today to engage in this type of Information Warfare?

Dawn Onley: The Joint Task Force for Global Network Operations, a component of the U.S. Strategic Command, is responsible for defending the DOD's Global Information Grid. The National Security Agency is responsible for the offensive parts of operations in cyberspace.

Patience Wait: It also remains the responsibility of the "owner" of the networks under attack - whether in DoD or other federal agncies. That's why DISA issues policies and procedures for infosec; that's why Congress tracks agencies' FISMA grades. The Internet is such a diffuse organism, there probably could never be a single gatekeeper.

Q & A: 21
Washington, DC: How do both China / US view IPv6 in the context of cybersecurity -- offering more or less security to networks...?

Dawn Onley: I know the U.S. services and agencies are currently looking into the best ways to "bake in" security in IPv6, because of the inherent vulnerabilities associated with moving to the new protocol. I'm not sure how China views IPv6 in terms of cybersecurity.

Q & A: 22
Moderator: To those of you who would prefer to refresh your transcript page manually, in the shoulder box titled "Forum Links" near the top of the page, in the link "Turn off automatic refreshing" click the word "off."

Q & A: 23
Charles Roberts, Falls Church, VA: In gathering information for your article did you uncover a picture of the extent of Chinese probes of U.S. government and non-government systems -- when they began, volume over time, trends, etc?

Patience Wait: In a word, no. That's another reason we wanted to explore this subject—there were lots of individual incidents reported, but no coherent look at all of them together. (Or at least not at the unclassified level! Who knows what NSA or DIA has pulled together?) We know we've barely scratched the surface of this subject.

Q & A: 24
Jerry Wilson: I would suggest the current situation says a whole lot about our progress in information assurance. We appear to have many vulnerabilities remaining. Are we fixing them, or are we closing our eyes to potential serious disruption of our infrastructure?

Dawn Onley:

Information assurance was the number one issue that senior Defense officials kept raising at the recent Army LandWarNet Conference. So the issue appears to be high on the minds and agendas of DOD officials.

But one of the reasons why this is such a nagging issue in the DOD is that the cybersecurity threat gets more pervasive each year, according to Thomas Reardon, chief of the intelligence division with Army Network Enterprise Technology Command/9th Army Signal Command.

Reardon said there is a working group inside the DOD that is currently looking at ways to mitigate the threat. Also NETCOM recently established a battle command lexicon that breaks cyber intrusions into categories depending on the severity of the hit.

Q & A: 25
Jerry, San Diego, CA: Are Chinese hackers sitting in on this forum?

Moderator: We can't say for sure that they are or aren't; GCN online editorial forums are open to the public. Anyone with a computer and access to the Internet can participate.

Dawn Onley: It's certainly possible.

Q & A: 26
Frederick, MD: Are we working on a massive virus so that if the Chinese shut down one of the governments major computer systems, it will launch a virus that will shut down every computer linked to the internet in the "invading "country?

Dawn Onley: Defense officials won't divulge their offensive plans to combat cyber attacks.

Q & A: 27
Kraus, DC: Do you anticipate that IT products produce by China will carry the capability to invade networks or relay information back to China?

Dawn Onley: It is certainly a possibility and something that Defense officials are aware of.

Q & A: 28
Russ Bourke , VA: What has the United Nations done to assess this problem that threatens to destabilize world peace?

Patience Wait:

First, I haven't done any research on what the U.N. might be doing in the whole Internet arena. Second, I'm not sure I consider this something that could "destabilize world peace," at least not today.

We have heard from some readers who point out that no one can prove these cyber attacks actually originate from China - they could be simply routed through servers there. That's true. That may be why government officials hedged their bets in talking with us about the origins of the attacks.

However, those same government officials (and others) do believe that China is playing some role in these attacks, and is not just a pass-through nation.

Q & A: 29
Boston, MA: Going back to the question from Joe in Groton, CT, are there any vetted information-sharing forums, similar to the Justice Dept.-based data fusion centers, available or in the works focused on network/cyber-security?

Patience Wait: There's US-CERT, which gathers information and sends out alerts, for instance through the government's CIO Council, to agencies. And the Office of Director for National Intelligence (ODNI), the new operation that heads up the intelligence community, has actually started a blog (another reporter here wrote about it: http://www.gcn.com/print/25_17/41156-1.html ) regarding improving accreditation and certification.

Q & A: 30
WKelly, Virginia: The article identified how much information had been downloaded from the NIPRNET... any specifics available about nature of the information downloaded? Specific areas of interest or type files being sought?

Dawn Onley: We have gotten no specifics regarding the nature of the downloaded information off of the NIPRnet. This is considered secret (classified) information.

Q & A: 31
Scott Belden:

With our increasing dependence on BlackBerry devices and their role in COOP, why are we not concerned with inevitable attack on this infrastructure. It is a well known fact that ALL BlackBerry email sent in North America routes through a single point in Waterloo Canada, this is a single point of failure, couple that with a cyber attack or Denial of Service and we could be looking at not only a crippling attack on communications but an even more destructive disruption in responding to this attack. Are we concerned? And how have we addressed this potential attack?

Dawn Onley: Our report didn't look at PDAs in particular, but you raise an important point. In the event of a cyberwar, our research has shown us that all communications infrastructures are vulnerable.

Q & A: 32
Carl WI: It seems to me that we have quite a dichotomy with the PRC. On one hand, we can't wait to outsource jobs and technology to them, provide MFN trading status and otherwise sing their praises. On the other hand, anyone with a modicum of common sense can that some day we will be at war with them. My question is; Are we going to transfer so much wealth that they will be too rich to want to go to war? We're already transfering technology and money at an astounding rate. Thank you.

Patience Wait:

There is a widely held school of thought that building up trade between nations is a way to prevent war between those same nations - that countries will not act against their economic self-interest. That model certainly seems to be one aim in the relationship developing between the U.S. and China.

On the other hand, one of the major ideas that we learned about in doing our research is whether the concept of war itself has to be redefined in the cyber era. The Chinese colonels who wrote "Unrestricted Warfare" pointed out that war has become less and less bloody (the U.S. goal always is to minimize casualties). A war in cyber space might involve no blood at all. Which could mean the "barriers to entry" become so small as to not matter. Food for thought.

Q & A: 33
WKelly, Virginia: How does the government square its sustained focus on teleworking as a cost/time saving initiative in light of the security concerns highlighted in your article. How can they expect to control the source of IT equipment for personnel that work from home or from satellite workcenters?

Dawn Onley:

Great question. Several Defense organizations are promoting telework to keep personnel from leaving in droves as a result of pending base realignments and closures.

There's been talk in the Army, for example, of establishing and enforcing encryption and portfolio management policies, in light of data breaches that occurred recently in the Energy and Veterans Affairs departments.

Q & A: 34
Rich, San Diego, CA: With the Chinese Government able to censor the World Wide Web fairly effectively from users within the country, wouldn't it be rather difficult to circumvent the so-called "Great Firewall of China" twice to launch an attack through Chinese servers without Chinese Government support?

Patience Wait: Exactly.

Q & A: 35
Moderator:

All right everyone, that wraps up today's session. We squeezed in every question we could, but there was not enough time to answer them all. We apologize to those whose questions weren't answered.

The transcript of today's session, as well as previous GCN forums, will be available shortly at http://www.gcn.com/forum .

Thanks again for your participation.

Government Computer News

Ask the writers | DOD Special Report: Red Storm Rising

Forum Links

Ask the writers | DOD Special Report: Red Storm Rising

Question and Answer

How GCN Forums work

Forum Archives

More on this topic from GCN

Red storm rising | DOD�s efforts to stave off nation-state cyberattacks begin with China

Procurement conundrum | What�s inside the box?

IT as a prime target

Malware�s tangled roots

Vigilance means guarding many levels

Sharing data is crucial to cyberdefense