Lack of Attribution Undermines Clarke's China Warning

Sunday, June 19, 2011

J. Oquendo


Ballistically Unified Low Level Strategicly Holistic Information Technology

Richard Clarke and others in his area of expertise should learn from the experience and lessons learned via Iraq. Not everything is what it seems and any kind of planning or plotting via way of "cyber" is outright moronic.

Personally, I like Richard Clarke and I recall him during the 9/11 debacle. I would have thought he would have more common sense when it comes to "cyber" security but his recent statements prove otherwise.

"What would we do if we discovered that Chinese explosives had been laid throughout our national electrical system? The public would demand a government response. If, however, the explosive is a digital bomb that could do even more damage, our response is apparently muted—especially from our government," [1]

To support his points of view Mr. Clarke references instances of intrusions that occurred from computers in China and never iterates real facts about attribution to anyone in Chinese government.

While I don't believe that anyone doubts whether or not China has been or is spying on us, the fact remains that when it comes to an intrusion all anyone can ever claim is that a computer from "some country" was the source of the attack. This is the only fact that can be stated, however, the reality is, the attacker could be anyone in the world.

They could be German, Israeli, Iranian, even American. So why do we keep insisting on pointing a finger without definitive proof. This is similar to the invasion of Iraq where Saddam was associated to bin Laden. Ultimately, in following utter nonsense, we may be hurting ourselves more than helping anyone out.

In order to understand why some individuals tout such nonsense, it helps to understand that there always seems to be an agenda in or around the beltway when it comes to federal spending and contracts.

Where Mr. Clarke was once responsible for defending the nation, he is now (or at least wants to be) the nation's "cyber defender" while not understanding an iota about the protocols involved in technology. It is akin to me reading medical literature and labeling myself a doctor. Cyberanything is big business and Mr. Clarke is well aware of this which leads me to question his motives behind his statements...

"Cyber Defender Richard Clarke Advises Weapons Protection Tech Firm" [2] Cyber Defender? Where do people come up with these terms and titles? Is, or has Mr. Clarke at any point in his career sat behind an IDS, firewall, SIEM? Has he ever done post or live forensics or analytics on any compromise or is he tooting his own horn for the fast buck? What qualifications does he have that make him a cyber defender.

Individuals like Mr. Clarke and others should be ashamed of themselves knowing full well that people have died due to people jumping the gun [3]. At odds here are whether or not a country would be willing to wage a physical war over words. It is a very harsh and juvenile thing to do to outright blame Chinese government for all these hacks without having solid proof.

Connections from a machine in another country are not that proof. People need to stop following other lesser clued individuals. Again, this is not to state China ISN'T trying to weasel their way into our systems, this is merely a call to use caution when making statements. Statements that can lead to greater consequences.

I will share a "story" fact or fiction take your pick. While in the beltway, I had a conversation with someone in an agency responsible for information security. The invididual was a well placed professional with some heavy duty responsibilities. As I talked technology, he talked bureaucracy. While I spoke python, he spoke pie charts. During our conversation, I brought up ACLs, extrusion detection and defending his sector of government.

Now, although he worked in "an agency" he was a contractor for one of the big boys, take your pick doesn't matter. His response to ACLs, filtering, detection was something to the tune of: "Why bother? Would be too much work. Too much red tape. Things are open because higher ups want them open. You don't go above your ranks..." Lesson learned to me: "Government contractors simply don't care."

They are paid to do what they stated they would do and if they need to go above and beyond doing anything reasonable a) they will likely get fired [6], b) be court martialed for overstepping their access rights c) be out of tune with the herd [4] d) cost their company money via a lost contract they could have put together that says: "we will do the work you already paid us to do however we need another contract extension" e) all of the above.

In the meantime, as a taxpayer, I have to wonder how much of my taxed dollars are getting shoveled down a bottomless pit. I wonder at what point will we get it so wrong that there really WILL BE a disastrous cyber attack because security charlatans keep speaking outside of their league. I wonder when companies will actually start caring about security [7] especially when it comes to the country's infrastructure.

This in contrast to wondering which company or village idiot [8] will create "the next big thing" which still won't work because (again) we keep following decades old standards and guidelines [9] which don't apply everywhere [10]. Security isn't one size fits all. This is the problem with it as it stands: "lack of originality" if you ask me. Security isn't out of the box, cross your t's dot your i's paint a pretty pie chart.

If you believe this to be the case, you are in for a rude awakening one day. Sure baselines and guidelines help but if that is your interpretation of security, I honestly hope we never become co-workers. I at least like to joke with my colleagues not program them like robots.

Alas, back to cybernonsense. When can we look forward to government funding say IEEE engineers on implementing something like mandatory RPF [11] or BCP [12], or even solid extrusion detection systems versus dumping money at some of these silly companies with uber "Ballistically Unified Low Level Strategic Holistic Information Technology." Hasn't history already taught us to a) watch out for nonsense, because it can lead to war [13] and b) we already pay these contractors billions [14,15] yet they're constantly "getting owned."

Maybe its time government got smart and sought competent companies with competent individuals who use their brains. Not competent pie chart makers who cobble together decades old documents that are so outdated [9], bloated and non-applicable to today's day and age, that they really need be sent to a computer museum.

Anyhow, hopefully by this time next month I will have registered Brooklyn Bridge Security Services offering shares on the stock market. My goal? I will be making the world's first "Actionable Persistent Hacker Filtering" appliance.

These will be similar to high security walls around a perimeter. They will block attackers from making connections to a protected resource. Maybe I can patent them after I find a work around to the wording behind firewall and APHF. I don't know about you, but APHF sounds like a money maker if I ever saw.

Someone in the beltway it seems is likely to be stupid enough to buy it. If they're stupid enough to buy all of the FUD concerning China.

For Sale


Possibly Related Articles:
Information Security
China Attacks Cyber Warfare FUD Attribution Richard Clarke
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked