[TABLE]

POINT by Marcus Ranum

Something is definitely going wrong with the U.S. Department of Defense and government agency networks, but it's not what you probably think. When it was announced that more than 10 terabytes of data had been stolen from DOD unclassified networks as part of an orchestrated operation from China, I was as horrified as you. Ten terabytes is a lot, and I'd have expected someone to do something after, say, the first terabyte flew by--especially because I happen to know something about the money spent on monitoring systems for some of those networks, and the sensitivity of the data on them. DOD always counters: no classified information was accessed. But that's BS--the unclassified networks carry logistical, payroll, personnel, medical and operational data.

What's really going on? Could it be that many government networks have access rules that are vastly permissive, and have lost control over the software running behind their firewalls? When I try to get answers from people "in the know," I hear one of two things: Given I'm cynical, when someone from the FBI says, "Well, there's evidence but we can't talk about it," I assume he's lying--because if he did have solid evidence, he couldn't say as much. Or he'd be presenting it. The best evidence I've heard that there's a Chinese cyber-espionage operation in progress are "The IP addresses are in China," "We hear stuff in chat rooms" and "I can't tell you but my buddy's cousin's uncle says it's true." Excuse me for crying "BS!", but if we're going to make public accusations of espionage, they need to be accompanied by equally public and compelling evid

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

To read more you must become a member of SearchSecurity.com

As an existing member of the TechTarget network please provide your password to activate your account (Forgot your password?):

Password:

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

ence. The FBI and our intelligence community are not the pinnacles of credibility we wish they were. Here are three pieces of data: If you're the spymaster for a nation-state's intelligence arm, and you've got budget and personnel, an open society like ours must be easy game. This is especially true if the target has an uncoordinated mass of government agencies desperate to outsource all their information assets into the hands of beltway bandits. Stealing information openly and obviously through an Internet connection (with the termination in your country) would be shockingly crude and amateurish. I'm willing to bet there are Chinese spies looking at our networks--but doing it from the safety and the comfort of our own data centers.

A hacker living in China is probably not going to want to attack Chinese government systems. The Chinese would not slap him on the wrist and let him hit the celebrity hacker circuit alongside Kevin Mitnick.

If there's any strategic thinking going on behind this whole Chinese hacker fiasco, it's possible that some smart intelligence officer in the Chinese government realized it doesn't cost them anything to have U.S. security practitioners distracted. They know the best way to defeat the U.S. is to rattle us until we slap ourselves stupid.

Chinese cyberattacks? Why fabricate elaborate conspiracies when foreign demographics and domestic incompetence are adequate explanation? My concern is not that we're under attack by the Chinese, but rather that our sensitive networks are so lame that someone can steal 10 terabytes of data from them. We shouldn't be asking, "What are the Chinese doing?" We should be asking, "What's going wrong in Virginia, Los Alamos and Livermore?"