Federal Gov. left ‘completely blind’ on cyberattacks looks to force reporting(politico.com)
politico.com
Federal Gov. left ‘completely blind’ on cyberattacks looks to force reporting
https://www.politico.com/news/2021/05/15/congress-colonial-pipeline-disclosure-488406
38 comments
> Remember 6 months ago when Christopher Krebs insisted that DHS had successfully protected US infrastructure?
I remember his statements about election integrity specifically, but not a general one about infrastructure... what was his statement exactly? Protected what against what?
I remember his statements about election integrity specifically, but not a general one about infrastructure... what was his statement exactly? Protected what against what?
Krebs didn't say anything about infrastructure. He said:
> Chris Krebs: I have confidence in the security of this election because I know the work that we've done for four years in support of our state and local partners. I know the work that the intelligence community has done, the Department of Defense has done, that the FBI has done, that my team has done. I know that these systems are more secure. I know based on what we have seen that any attacks on the election were not successful.
https://www.cbsnews.com/news/election-results-security-chris...
Based on op's post history this is some odd attempt at turning a thread about infrastructure security into "the election was stolen" nonsense. I doubt you'll get a response because there appears to be 0 evidence to back up that claim.
> Chris Krebs: I have confidence in the security of this election because I know the work that we've done for four years in support of our state and local partners. I know the work that the intelligence community has done, the Department of Defense has done, that the FBI has done, that my team has done. I know that these systems are more secure. I know based on what we have seen that any attacks on the election were not successful.
https://www.cbsnews.com/news/election-results-security-chris...
Based on op's post history this is some odd attempt at turning a thread about infrastructure security into "the election was stolen" nonsense. I doubt you'll get a response because there appears to be 0 evidence to back up that claim.
No, I don't believe and have never promoted that the election was stolen. Paper ballots - as noted by Krebs - are a great audit trail.
I believe DHS Cybersecurity didn't know - and still doesn't know - the depth and severity of what's going on or even how to get a handle on it as evidenced by the last year+. Therefore, when that agency makes a claim, we should be skeptical until there's evidence otherwise.
I believe DHS Cybersecurity didn't know - and still doesn't know - the depth and severity of what's going on or even how to get a handle on it as evidenced by the last year+. Therefore, when that agency makes a claim, we should be skeptical until there's evidence otherwise.
>Therefore, when that agency makes a claim, we should be skeptical until there's evidence otherwise.
"I'm not saying the election was stolen, I'm saying we should investigate whether it was stolen" is a tired and repeated talking point. This has been investigated exhaustively and in every instance the system worked exactly as it was supposed to. Continuing to cast doubt without a shred of evidence quickly ventures into the grounds of morally questionable behavior.
You also have failed to provide any quote from Krebs to backup the original claim. If you want people to assume you're acting in good faith, this isn't the way to go about it.
"I'm not saying the election was stolen, I'm saying we should investigate whether it was stolen" is a tired and repeated talking point. This has been investigated exhaustively and in every instance the system worked exactly as it was supposed to. Continuing to cast doubt without a shred of evidence quickly ventures into the grounds of morally questionable behavior.
You also have failed to provide any quote from Krebs to backup the original claim. If you want people to assume you're acting in good faith, this isn't the way to go about it.
> This has been investigated exhaustively and in every instance the system worked exactly as it was supposed to.
It has? The vast majority of court cases were thrown out on procedural issues, not basis of fact.
If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p
It has? The vast majority of court cases were thrown out on procedural issues, not basis of fact.
If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p
>It has? The vast majority of court cases were thrown out on procedural issues, not basis of fact.
If by "procedural issue" you mean a complete lack of evidence, I suppose?
https://lawandcrime.com/2020-election/rudy-giulianis-disgrac...
>If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p
There are fireworks in Arizona because of the way the recount is occurring with massive gaps in normal procedure. All of the things we have learned over the years and put in place to ensure there is no fraud, are being completely ignored for the recount. In other words: the recount is introducing gaps that would allow fraud to occur that never existed during the actual election. If you wanted to be assured that the original tally was correct, this is literally the exact opposite of what you're asking for.
>One of the biggest red flags for her, she told me, came not during the counting, but afterwards, when workers entered the aggregated total tallies from counts into computers. Morrell was deeply worried that there was only a single person responsible for entering the data and no one to check that they weren’t inadvertently entering a wrong number or accidentally switching the candidates.
>“There’s nobody verifying that what they entered was correct. There’s no reading out. These are things that you would typically see in an election office whether they were doing an audit, recount, where you want some sort of quality control mechanism in place,” she said.
https://www.theguardian.com/us-news/2021/may/13/arizona-audi...
If by "procedural issue" you mean a complete lack of evidence, I suppose?
https://lawandcrime.com/2020-election/rudy-giulianis-disgrac...
>If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p
There are fireworks in Arizona because of the way the recount is occurring with massive gaps in normal procedure. All of the things we have learned over the years and put in place to ensure there is no fraud, are being completely ignored for the recount. In other words: the recount is introducing gaps that would allow fraud to occur that never existed during the actual election. If you wanted to be assured that the original tally was correct, this is literally the exact opposite of what you're asking for.
>One of the biggest red flags for her, she told me, came not during the counting, but afterwards, when workers entered the aggregated total tallies from counts into computers. Morrell was deeply worried that there was only a single person responsible for entering the data and no one to check that they weren’t inadvertently entering a wrong number or accidentally switching the candidates.
>“There’s nobody verifying that what they entered was correct. There’s no reading out. These are things that you would typically see in an election office whether they were doing an audit, recount, where you want some sort of quality control mechanism in place,” she said.
https://www.theguardian.com/us-news/2021/may/13/arizona-audi...
Gotcha, thanks!
Not to mention all the recent attacks on hospitals.[1] My local hospital's electronic patient records systems were down for literally a month[2] after a cyberattack.
You can probably imagine how disruptive that is when it's the largest hospital in the state. Sorry, but we lost everyone's prescription information! We can't look up anybody's drug allergies, either! I guess we'll just have to guess the details of what treatments our current dialysis and cancer patients need? It was quite the mess.
[1] https://newsroom.ibm.com/2021-02-24-IBM-Security-Report-Atta...
[2] https://vtdigger.org/2020/11/23/a-month-after-cyberattack-uv...
You can probably imagine how disruptive that is when it's the largest hospital in the state. Sorry, but we lost everyone's prescription information! We can't look up anybody's drug allergies, either! I guess we'll just have to guess the details of what treatments our current dialysis and cancer patients need? It was quite the mess.
[1] https://newsroom.ibm.com/2021-02-24-IBM-Security-Report-Atta...
[2] https://vtdigger.org/2020/11/23/a-month-after-cyberattack-uv...
That amount of downtime isn't acceptable. Modern incremental backups should protect against ransomware at least.
Out the box solutions are expensive, but it would have been the good investment for this downtime alone.
Out the box solutions are expensive, but it would have been the good investment for this downtime alone.
It’s pretty trivial to setup Postgres with very high frequency wal shipping to append-only S3 which gives you point in time recovery and prevents your data from being ransomed.
As with all forms of backup, it's difficult to do retroactively.
It doesn’t seem like it’s worse for anyone in the industry. It’s readily apparent to see how underfunded cyber security departments are. Doesn’t take a genius to figure out that a single man hired for the entire department isn’t going to do an adequate job.
>Remember 6 months ago when Christopher Krebs insisted that DHS had successfully protected US infrastructure?
No, maybe you should edit your post by linking to what you’re referring to. Seems like a broad claim to make.
No, maybe you should edit your post by linking to what you’re referring to. Seems like a broad claim to make.
It's a war and most haven't even noticed. So far Western governments aren't actively forcing anything but are merely reacting. And so they're always at least a step behind.
>So far Western governments aren't actively forcing anything
What would you call the regular use of sanctions or the recent "trade war" with China?
I don't agree with the statement that criminal hackers mean we are at war, but if you consider that kind of damage war the US has been an aggressor for years.
What would you call the regular use of sanctions or the recent "trade war" with China?
I don't agree with the statement that criminal hackers mean we are at war, but if you consider that kind of damage war the US has been an aggressor for years.
> aren't actively forcing anything
You mean like a worm destroying Iranian PLCs?
You mean like a worm destroying Iranian PLCs?
The Iranian government is not a significant source of ransomware, to my knowledge, so I don't see how that's relevant at all.
Stuxnet was/is a worm that attacked air gapped PLC systems at Iran’s Natanz nuclear enrichment facility. It was the most sophisticated piece of malware ever discovered, allegedly by US/Israeli operatives.
That wasn't just the USA, and it turned into a boondoggle which embarrassed the perpetrators and gave the appearance that targeted cyberattacks were high-cost/low-impact.
I suppose that it is a diplomat's job to appear stupid until they have stolen your shoes, but I'm not sure anybody can act that well. My confidence in the West's ability to perpetuate an offensive cyber war is pretty low. Our main advantage is the quantity of servers/data that reside in/flow through our borders, but that's not too hard to dodge. Cryptocurrencies also erase the hammer of losing access to US financing.
I suppose that it is a diplomat's job to appear stupid until they have stolen your shoes, but I'm not sure anybody can act that well. My confidence in the West's ability to perpetuate an offensive cyber war is pretty low. Our main advantage is the quantity of servers/data that reside in/flow through our borders, but that's not too hard to dodge. Cryptocurrencies also erase the hammer of losing access to US financing.
How would we even know if they were acting, though? It's not like they're going to broadcast all the security steps they're taking. Just because we don't hear a strategy doesn't mean there isn't one.
The targets of those attacks are large numbers of private companies whose IT employs many of HN subscribers. If something was being done by the government to fix (or, more likely, mandate fixing) those networks, this community would see it.
The war is just beginning... they need to unplug critical systems even if a dropped USB stick could circumvent that.
Someone I know was happy because he could do his job remotely... controlling an hydroelectric plant... (that should not be possible).
Someone I know was happy because he could do his job remotely... controlling an hydroelectric plant... (that should not be possible).
How on Earth do you react with reasonable latency if you're N milliseconds away from all sources of truth, and or on a residential-class Internet connection without all kinds of SLAs?
That's a security problem in and of itself.
That's a security problem in and of itself.
Humans don’t react on those timescales. These systems where operators are doing things remotely have low latency things for any automation. It’s the “management” interface we’re talking about here.
Slightly off-topics but I'd like to know if there is some kind of turn-key solution for small business or home use which uses a Raspberry Pi with attached USB HD, that connects to other PCs via the network and pulls the files to be backed up. The idea being that the Pi and the HD themselves are never writeable from the outside and thus can't be encrypted themselves, 1) if using some suitably long retention time for older backups and 2) some kind of semi-smart monitoring system that can give warnings like "Hey, your data changed a lot suddenly. Might wanna have a look at that".
Companies doing business, at least with the DoD, are already required to report: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204....
What the hell is the government going to do? The government can't even protect it's own systems, they sure as hell aren't going to be helicoptering in to save some power company from malware...
What the hell is the government going to do? The government can't even protect it's own systems, they sure as hell aren't going to be helicoptering in to save some power company from malware...
> What the hell is the government going to do?
I can't help but think - if a person has a car accident with more than $500 (?) damage, they're required to report it. The government doesn't have to take action on anything, but it can. Also insurance companies.
I can't help but think - if a person has a car accident with more than $500 (?) damage, they're required to report it. The government doesn't have to take action on anything, but it can. Also insurance companies.
Insurance companies require reporting already, also. And many of the companies getting nailed have insurance, which is, in some respects, driving the increase: companies get a 'free' payout for the ransomware.
If you get physical shit stolen, and buy it back, do you have to report it?
If you get physical shit stolen, and buy it back, do you have to report it?
Of course DHS isn't getting good reporting. If you report a break-in or a vulnerability to DHS, they don't do much.
egberts1(3)
However behind/compromised we think the US Feds+private infrastructure is, seems like it's even worse.