“… a cyber attack has the potential of existential consequence.”

Screen Shot 2015-07-21 at 7.35.57 PM

After conducting an 18-month study, this Task Force concluded that the cyber threat is serious and that the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities (a “full spectrum” adversary). While this is also true for others (e.g. Allies, rivals, and public/private networks), this Task Force strongly believes the DoD needs to take the lead and build an effective response to measurably increase confidence in the IT systems we depend on (public and private) and at the same time decrease a would-be attacker’s confidence in the effectiveness of their capabilities to compromise DoD systems. This conclusion was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.

Final Report of the Defense Science Board (DSB) Task Force on Resilient Military Systems.

Was anything done in response to this report?

Is there anything that could have been done in time to prevent the massive Office of Personnel Management hack?

And this:

Based upon the societal dependence on these systems, and the interdependence of the various services and capabilities, the Task Force believes that the integrated impact of a cyber attack has the potential of existential consequence. While the manifestation of a nuclear and cyber attack are very different, in the end, the existential impact to the United States is the same.

Wow: “…existential consequence…”

Is anyone paying attention to this?

Are any of the presidential candidates?

20 thoughts on ““… a cyber attack has the potential of existential consequence.””

  1. Is anyone paying attention to this? Certainly whoever is pressing for increased departmental budgets or infosec procurement from well-connected companies.

    I have no doubt that there is a threat. I am somewhat skeptical that the threat is truly existential.

    We’ve had three existential crises in American history: the Revolution, the Civil War, and World War II. The Fourth Turning folks would argue that we’re due for another. I don’t disagree, but an attack on IT infrastructure would be only part of that (if at all).

    Just my centigram of silver…


  2. Classic political bureaucracy in action. Issue like illegal immigration helps your party maintain power but breaks the law? No problem, executive order, directives to border patrol managers, done!

    Issue doesn’t do anything for you politically and may divert money that could be used to buy votes, but endangers the nation? 1. Pass it off to a committee. 2. Claim your studying the problem. 3. Ignore the report. 4. Business as usual.

  3. The The people who authored this report are, based on reliable hearsay, senior people who are likely to tell the truth and you don’t get much personal benefit out of doing so.

    The report is like the and I’ve only skimmed it. Explain in some detail why they are willing to make the extraordinary statement that this sort of attack presents and existential threat.

    I am not inclined to dismiss this level of risk out of hand, based on what I’ve read so far.

  4. China has no motive to end our existence, nor that of our consumers buying their manufactures.

    This sounds strangely like the claim that international trade had made war between nations unprofitable and therefore, smart countries would avoid destructive wars. How’d that work out?

  5. This is nothing new. Our power grid is at huge risk. If there is a cyber attack on the grid, there is no easy path to get power moving again. How long do you think the country will last if there is no power? No refrigeration, no factories running, no gasoline pumps working, no water.

  6. Not a new message, but a serious and sober one. A few years ago Chinese academics connected to their armed forces published a network analysis of the power grid nodes whose destruction would most seriously and economically bring down all power to the western half of the US. A similar analysis for the eastern half is actually easier from a technical perspective.

    With regard to what could have been done to prevent the OPM hack, that agency failed to implement even the level of basic security most Americans implement on home wifi networks. But most critically, they gave full administrative control of the data servers to a contractor with mainland Chinese employees. “Here are the keys to the house, the combo to the safe and when we’ll be away from home.’

  7. Peter Saint-Andre said:”I have no doubt that there is a threat. I am somewhat skeptical that the threat is truly existential.”

    Hey, Pete, there’s this little thing called the “power grid” upon which civilization, depends. Its run almost exclusively by computers these days and virtually every system of supply for food, water, sewage treatment, emergency response (Police, fire and emergency medical) are all highly dependent on that grid and the computers that run off it.

    Shut that baby down thrpough cyber attack and you’d better be prepared for a total breakdown of civil society as we know it. And by “prepared” I mean water, food and firearms, in your possession. Big Brother is incapable of providing for the entirety of thse who will be affected.

  8. “A few years ago Chinese academics connected to their armed forces”

    I wonder if that was the same Chinese person administering the OPM database ?

  9. Mike K…”Wake me up when we go back to paper records. The present interconnected world is far too vulnerable.”

    Thomas Watson Sr of IBM is often cited as being negative about the potential for the computer market, but according to his son and successor Tom Jr, this was not true…the elder Watson was enthusiastic about computers for scientific and engineering calculations. What he was negative about was the idea about replacing physical and visible holes in punched cards with invisible coding on magnetic media (tapes, at the time), which he felt was too abstract for most businesspeople to relate to and also too risky…”it could all disappear and you wouldn’t even know it.”

  10. Nothing can grow forever, but something always shows up to replace/supplant/transpose –
    usually where we weren’t expecting.

  11. Secure your network. Secure your network. Secure your network.

    I give up. I may come and play in it if I can, but I have, been there, done that.

    Secure your network. It’s quite possible. It’s a bit hard though, you know knowledge, and all that boring stuff.

    It’s very easy to set up an insecure one.

  12. “”it could all disappear and you wouldn’t even know it.”

    Did you by any chance read that essay I linked to ?

    “So what happened to the future?”

    “The next generation of technology was not just a dream; it was already in the prototype stage.

    But it all just kind of stopped.

    We have a space station in 2014, but it’s too embarrassing to talk about. Sometimes we send Canadians up there.

    Never mind the Moon—we can’t even launch astronauts into orbit anymore. If we want to go to our sad-sack space station, we have to ask the Russians, and they’re mean to us.

    Can you imagine the look in that engineer’s eyes?”

    “Here we are, fifty years into the computer revolution, at what feels like our moment of greatest progress. The outlines of the future are clear, and oh boy is it futuristic.

    But we’re running into physical and economic barriers that aren’t worth crossing.

    We’re starting to see that putting everything online has real and troubling social costs.

    And the devices we use are becoming ‘good enough’, to the point where we can focus on making them cheaper, more efficient, and accessible to everyone.

    So despite appearances, despite the feeling that things are accelerating and changing faster than ever, I want to make the shocking prediction that the Internet of 2060 is going to look recognizably the same as the Internet today.

    Unless we screw it up.”

    Interesting POV.

  13. Here’s a 2015 Vint Cerf interview with US CTO Megan Smith. She lists her priorities, NONE of which is cybercrime/cyberterrorism. The country is in the best of hands.

  14. “Is anyone paying attention to this?”

    Absolutely we’re paying attention. DoD fear-mongering fund-raising always provide humor in our dark times (at DoD, our times are always dark).

    How have we survived so long, under the looming superiority of the Soviet Union’s aircraft and missiles, plus their soon-to-be supercarriers. Plus Global Cooling! Global Warming! Peak oil! EMP’s (threatening our infrastructure for decades, on paper at least). Iran’s nukes. And China, China, China! Now the newest existential threat: cyber-stuff.

    Does the report mention what DoD has done with the billions given them since 2000, since Congress has pretty much given them an open check? If those vast sums have left us spread wide open, defenseless — will the next ten billion made a difference?

  15. — will the next ten billion made a difference?

    Probably not. But the beyond incompetent leadership at OPM made all the difference, didn’t they? These things are often more about leadership and commitment than money. Obama has been too busy weaponizing the bureaucracy against its own citizens to be bothered with protecting the nations critical information. Surprised? Me neither.

  16. Michael,

    “incompetent leadership at OPM made all the difference … Obama has been”

    Most analysts say that OPM’s computer infrastructure is no worse than that of many other gov’t agencies with critical data or providing computer services. Congress often refuses to grant the funds necessary for upgrades — as OPM’s were denied due to the sequester. Also, Federal procurement rules make information systems project even more difficult than for the private sector (which has high failure rates for large computer systems projects, often described at 1:3 to 1:2).

    And the frequent hacks of critical data at mega-corps (e.g., banks, retailers, Sony) suggest that blaming “incompetent leaders” is not exactly the analytical magic bullet for understanding these problems.

  17. >>Congress often refuses to grant the funds necessary for upgrades

    Utter horseshit. I remember well the FAA was going to the air traffic control system. Many years and many billions later they had made minor progress. A few years later they gave up and started again.

    Case in point, NASA spent, what?, five billion over ten years developing the Orion spacecraft. They developed one rocket and held one test. Over less time SpaceX developed developed the Falcon 1 and Falcon 9. They did that with 500 million dollars and have them both tested and in production and are launching them at a fraction of the cost to boot. Now they’re working on reusable spacecraft. Did NASA, with all its personnel and vast resources do that? No. Why?

    Government is incentivized to fail. When they fail, they get more, because you want them succeed, don’t you? When they fail again, it’s because they aren’t given enough money. When they get more again and still fail it’s because they don’t have enough people, which will require more money. They have a monopoly on many of these services so there’s no one to point to and say, ‘Gee, they did the job in less time with less money!’ or ‘Those folks over there do the same job faster with fewer people and have happier customers.’ The more they fail and the worse they do, the more money and people and equipment they get. You don’t even have to worry about customer satisfaction because, guess what?, we have nowhere else to go. Nice gig.

Comments are closed.