On the Sony hack, a CTO speaks

Reader Jonathan F. writes in response to John’s post on our pathetic response to the Sony hack. Having worked in IT since 1996, Jonathan is the Chief Technology Officer at his company. He has been involved in the security side of IT at least part time since 2000. He is a Certified Information Systems Security Professional, the certification bestowed by (ISC)². He also has a CompTIA Security+ certification. His corporate responsibility includes cybersecurity for his company, and also as a contractor for some government projects. He is therefore focused on the defense side of cybersecurity. I think his comments add context to events in the headlines that is worthy of consideration. He writes:

You raised a lot of questions in your post. Most of your questions can be summed up as “How bad is the cybersecurity situation?” and “What are we doing to prevent these attacks?” I am not going to delve into the political aspects of the “proportionate” response. I will leave that up to you.

The answer to the first question is as depressing as it is easy. We are under pervasive and constant attack. According to GAO testimony to Congress in April this year (GAO-14-487T), there were 61,214 cyber incidents, of which 46,160 were deemed cyberattacks (GAO-14-354). The remaining were not considered cyber-attacks. For instance, losing a PC would be an “incident,” but not an “attack.” Note that these are only the incidents that were noticed and reported to the government for tracking. Some incidents are unreported and others are unknown. So, these numbers are considerably lower than reality. Additionally, per the same reports, the attacks are rapidly increasing in number, rising over 100 percent between 2009 and 2013.

As for what we are doing, the answer to that question is more complicated. It also is somewhat depressing. The simple fact is, we can harden networks against most attacks, especially the amateur script-kiddies, but a really determined professional attacker likely will find a way in. To really secure your network, you need to disconnect from the Internet. Unfortunately, this isn’t an option for most entities.

Due to the above reality, really critical infrastructure (like nuclear power plants) is supposed to be completely disconnected from the Internet. I worked for a power company for several years and from personal experience I can tell you that they took this very seriously. I can also tell you that it is very easy to run a cable from one network switch to another and that this can be very hard to spot. In other words, while they are not supposed to have any critical infrastructure on the Internet, and there is a real effort to ensure this is the case, accidents can (and do) happen.

This Sony hack has been widely reported as the “first cyberwar,” which we have supposedly lost. This is utter nonsense. Has everyone already forgotten Stuxnet and Iran? You mentioned the Executive Office hack and Target. This is merely one more skirmish, one which was dealt with very poorly (or pathetically, as you suggest). Everything I have read about the Sony hack leads me to believe that they did not take security very seriously to start with, and they responded poorly. It’s always easy to be an armchair quarterback, especially with little information, so I will refrain from saying more about that.

The truth is that the black hats are winning right now. The white hats are playing a defensive game. We do what we can, but mostly it is monitoring the networks to hope we spot something in time. If we don’t, things like Target and Sony happen. Things like the White House attack (and thousands of others you are not even aware of) happen. For instance, did you know that 48,000 Federal employees recently had their information stolen?

Anti-virus software is no longer nearly as effective as it used to be. Why? Malware writers now have their programs modify themselves when they install. This means that the old method of running a static check (usually using something called an MD5 checksum) no longer works. It’s like a bank robber wearing a disguise – if it’s good, no one can tell the real identity of the perpetrator. While heuristic algorithms that can see through this disguise have been developed, they are still a few steps behind and tend to turn up false positives.

The Federal Government is better at cyber-security than most private enterprises, but even they admit that they are not well prepared for a full-scale cyber-attack. I recommend reading the entire article, as it is not technical, and provides some additional insights into the preparedness of our government for similar attacks. It also contains this gem, which I find very interesting, in light of the whole Lois Lerner lost emails farce: “Federal auditors have uncovered one bright spot in resiliency — at the Internal Revenue Service. The tax agency has processes in place to recover data, including up-to-date contingency plans it has rehearsed, according to an April Government Accountability Office report.”

As for your questions about how the White House and State department tried to suppress information on the breach in November, it probably wasn’t just politics. Indeed, it is easy to argue that it wasn’t even primarily politics. It is a good method for handling breaches like that, especially when you are able to glean useful information from them – or feed false information to the attackers. When a security breach happens, and is caught, a good practice is to isolate the breach, and then carefully monitor the hackers, their tools, and their methodologies. Then, when you have the information you want, you close it down.

If you suspect that the attackers are politically motivated (e.g., foreign government, espionage, etc.), you can also feed them false data, effectively turning your breach into a sort of double agent. It is also possible to present vast quantities of worthless information, thus slowing the hackers down. Their search goes from “needle in a haystack” to “sand grain in the Sahara.”

This article presents more information on the rationale behind delayed (or very subdued) reporting of incidents, and how they can be used against the attackers. It is presented in non-technical language, and provides a good overview of the issues involved in the decision of whether and when to go public with breach information.

I trust that other knowledgeable readers will weigh in in the comments.
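The trade-off the letter describes between static MD5 checks and heuristics, as an added example that is not part of the original post or the reader's letter: a scanner that looks files up by MD5 misses a copy that differs by three bytes, while a byte n-gram similarity check catches it but also flags a harmless file that shares the same code. All byte strings are constructed stand-ins, and the names (`Scanner`, `similarity`, `verdicts`), the n-gram length and the 0.5 threshold are assumptions made for illustration.

```python
import hashlib

N = 4  # n-gram length in bytes (assumed value for this illustration)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ngrams(data: bytes) -> set:
    """All overlapping N-byte windows of the input."""
    return {data[i:i + N] for i in range(len(data) - N + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two inputs' n-gram sets (0.0 to 1.0)."""
    ga, gb = ngrams(a), ngrams(b)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


class Scanner:
    """Hypothetical scanner holding known-bad samples and their MD5s."""

    def __init__(self, known_bad, threshold=0.5):
        self.samples = list(known_bad)
        self.hashes = {md5_hex(s) for s in self.samples}
        self.threshold = threshold

    def static_match(self, data: bytes) -> bool:
        # Exact-hash lookup: any changed byte gives a different MD5.
        return md5_hex(data) in self.hashes

    def heuristic_match(self, data: bytes) -> bool:
        # Content similarity: tolerant of small changes, prone to
        # flagging unrelated files that reuse the same code.
        return any(similarity(data, s) >= self.threshold
                   for s in self.samples)


# Constructed stand-ins; none of these is real malware.
KNOWN_SAMPLE = bytes(range(256))

_copy = bytearray(KNOWN_SAMPLE)
for _pos in (10, 100, 200):      # three bytes differ per "install"
    _copy[_pos] ^= 0xFF
VARIANT = bytes(_copy)

# A harmless file that happens to embed most of the same code.
SHARED_CODE_BENIGN = KNOWN_SAMPLE[:200] + b"\x00" * 56
UNRELATED_BENIGN = b"quarterly report: revenue up, costs flat\n" * 3


def verdicts() -> dict:
    """Return {file label: (static_match, heuristic_match)}."""
    scanner = Scanner([KNOWN_SAMPLE])
    files = {
        "known sample": KNOWN_SAMPLE,
        "three-byte variant": VARIANT,
        "benign, shares code": SHARED_CODE_BENIGN,
        "benign, unrelated": UNRELATED_BENIGN,
    }
    return {label: (scanner.static_match(d), scanner.heuristic_match(d))
            for label, d in files.items()}


if __name__ == "__main__":
    for label, (static, heuristic) in verdicts().items():
        print(f"{label:22} static={static!s:5} heuristic={heuristic}")
```

The third row is the false positive the letter mentions: the hash check correctly ignores the harmless file, but the similarity check flags it.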

In Today’s Mailbag. . .

Oh goody—a new journal dedicated to the holy trinity of race, class, and gender, because I’m sure there’s a shortage of outlets for scholarship in this field.  Here, in full, is an email communication I received today:

Dear Steven Hayward:

We are thrilled to announce that the Journal of Race, Ethnicity, and Politics (JREP) is now open for submissions and review! This moment has been years in the making, and is particularly meaningful as the REP section of APSA approaches its 20th anniversary.

Please find more information about the journal below. We encourage you to send your best work to JREP, and we very much appreciate your timely responses to review requests.

For future use, your user name is S——— and your password is ———–.

Thanks, and happy holidays!

The editorial team of JREP

Karthick Ramakrishnan, UC Riverside

Michael Javen Fortner, CUNY Graduate Center

Michael Jones-Correa, Cornell University

Sheryl Lightfoot, University of British Columbia

Dara Z. Strolovitch, Princeton University

Email contact: repjournal@gmail.com

ABOUT THE JOURNAL OF RACE, ETHNICITY, AND POLITICS

Journal of Race, Ethnicity, and Politics (JREP) is the official journal of the Race, Ethnicity, and Politics section of the American Political Science Association. JREP highlights critical and timely research into the multiple junctures between politics and issues of race, ethnicity, immigration, and indigeneity, as well as their intersections with other axes of identity and marginalization. The journal publishes work that broadly focuses on racial and ethnic politics, from scholars across all subfields of political science and allied disciplines. The key distinguishing feature of the journal is its focus on politics, whether in a single country, across countries, or transnationally.

JREP is open with respect to areas of substantive focus, with methods and approaches ranging The journal will also provide opportunities for enhanced academic engagement, including a guest column section featuring perspectives from practitioners in political and policy worlds, specialized symposia on timely topics, and blog postings and media engagement by authors, reviewers, and editors.

INSTRUCTIONS FOR CONTRIBUTORS

Instructions for contributors can be found on the JREP website.

JOURNAL BLOG

A reminder that we have also launched an official blog for the journal, Politics of Color (http://politicsofcolor.com/), featuring commentary and reflections by scholars of race, ethnicity, and politics.

If you are interested in submitting a piece, please read our submission guidelines (http://politicsofcolor.com/submission/).

As Squidward likes to say on Spongebob Squarepants, “Would that just be the best day ever?!”  I know I can’t wait to dig in.

JOHN adds: Sick. Utterly sick. Where does the money for this sort of BS come from?

Wodehousing?

This has to be a gag, right?  (If not, I’m going to start a gang immediately, which I’ll call the “Fink-Nottle Newt-sters.”)

You’ve probably already heard about “Wodehousing,” a disturbing trend in which teenagers videotape themselves covering strangers’ homes with the full text of P.G. Wodehouse novels. . .

In case you need a bracer, though, here are some basic facts about the illegal new craze:

1. P.G. Wodehouse did not invent “Wodehousing”
Though the British author was an eminent jokester and wit, his pranks never included writing the entirety of his novels sentence-by-sentence on unsuspecting neighbors’ homes. The first documented instance of “Wodehousing” occurred in New Jersey in 2011.

2. Cleaning up after getting “Wodehoused” takes hours
Scrawling the entirety of Wodehouse’s 1938 book The Code Of The Woosters on someone’s house might seem like fun to the teens doing it, but to homeowners it’s anything but. It can take hours and cost hundreds of dollars to scrub away passages describing (often in spray paint!) the buffoonery of Bertie Wooster and his quick-thinking butler, Jeeves.

3. Three teens have died while “Wodehousing”
Two of them slipped while trying to “Wodehouse” a residence that overlooked a sheer cliff face. A third teen was struck by a drunk driver who’d accidentally veered onto the lawn of the home she and her friends were “Wodehousing.”

4. “Wodehousing” always involves a P.G. Wodehouse novel
Defacing someone’s walls with one of Wodehouse’s short stories (or short story collections) is considered a lesser form of “Wodehousing.” Works by Wodehouse contemporaries such as James Thurber and Raymond Chandler are similarly looked down on.

5. “Wodehousing” can happen to anyone
Even if you live in a typically “safe” neighborhood, you may be at risk of being “Wodehoused.” Be alert and on the lookout for groups of teenagers, usually Caucasian and dressed in tweed jackets and bowler hats, walking at night carrying stationery along with one or more copies of a P.G. Wodehouse novel. Report such activity to your local police immediately.

Pinker Steps Up Against Harvard Anti-Israel BDS

Paul wrote yesterday about the mendacity of the Israel BDS (“Boycott, Divest, Sanctions”) movement at Harvard, where the presence of a water dispenser made by an Israeli-based company in Harvard dining halls was called a “microaggression” by the permanently aggrieved.

Late yesterday the widely noted psychologist Steven Pinker stepped up, writing to Harvard’s president Drew Faust and provost Alan Garber to protest in the strongest possible terms against capitulating to the mob on this issue. I’ve never known exactly what to make of Pinker, who is a liberal of some stripe. I’ve liked some of his work when I read it (especially parts of his book The Better Angels of Our Nature); other times, not so much. But here he deserves our three cheers.

Here are the best two paragraphs:

Equally foreign to the mission of a university is the idea that students are to be protected from “discomfort” or so-called “microaggression” when they are exposed to beliefs that differ from theirs, or when the university does not accede to demands that it prosecute their moral and political crusades. Discomfort is another word for tolerance. It is the price we pay for living in a democracy and participating in the open exchange of ideas.

Middle East politics above all is a subject on which thoughtful people disagree; it is certainly not one on which a university should decree the correct position. While I am sympathetic with many of the students’ objections to the current policies of the Israeli government, I object even more strongly to the policies of the governments of countries such as Russia, India, Pakistan, China, Turkey, and Saudi Arabia. In a world filled with governments with deplorable policies, it is pernicious for a university to single out one of them for opprobrium.

You can download a PDF of the whole letter here. And here’s a facsimile for readers with really good eyesight:

[Images: Pinker 1, Pinker 2]

Where Did the Jobs Go?

Somewhat remarkably, given that it has presided over the worst recovery–by far–of the post-war era, the Obama administration tries to slice and dice employment numbers to portray itself as a champion of job creation. There are, indeed, a few more jobs today than there were six years ago. Yet for most Americans, the employment scene has gotten worse, not better. Why is that?

Senate Budget Committee staff offer data in explanation:

According to BLS data, in November of 2007 there were 23.1 million foreign workers in the United States with jobs. Today, the BLS reports, there are 25.1 million foreign workers in the United States with jobs – meaning 2 million jobs, on net, have gone to foreign workers since the recession. By contrast, BLS reports there were 124 million American-born workers with jobs in November of 2007 but only 122.5 million American-born workers with jobs today – a decline of 1.5 million for American workers.

Think about this: despite American workers accounting for 70 percent of all population growth among adults, they received, on net, none of the post-recession jobs gains. As a result, there are 11 million more American workers outside the labor force today than 7 years ago. So, despite the trillions spent, the enormous interventions, the years spent trying to climb out of the economic doldrums, the total number of American workers who are employed today is 1.5 million less than at this time in 2007. All employment growth during this time went to foreign labor imported from abroad at less cost.

This is not an inexplicable phenomenon but the plain result of Washington policy: each year the U.S. admits 1 million permanent immigrants (overwhelmingly low-wage) in addition to 700,000 foreign guest workers, 500,000 foreign students, and 70,000 refugees and asylees. The number of foreign-born has quadrupled since 1970. During that same time, the NYT reports: “More than 16 percent of men between the ages of 25 and 54 are not working, up from 5 percent in the late 1960s; 30 percent of women in this age group are not working, up from 25 percent in the late 1990s. For those who are working, wage growth has been weak, while corporate profits have surged.”

Here are the BLS data. You can check the numbers for yourself:

[Image: BLS data]

So Far, Response to Sony Hack Is Pathetic

North Korea, we are told, hacked into Sony Pictures’ computer system. The hackers made off with a vast number of emails, brought film production to a halt by disrupting Sony’s ability to pay bills, and stole passcodes governing entry into the studio’s headquarters so that employees had to line up to gain admission, one by one. The hackers then caused two movies to be withdrawn from circulation by threatening terrorist attacks on theaters, almost certainly an empty threat. In response to these acts of war–if it really was North Korea–our newspapers carried on gleefully about whether Angelina Jolie really is a moron, and whether it is “racist” to speculate in childish fashion about whether Barack Obama likes movies featuring black characters.

I would say that the administration’s response was equally lame, except that so far there hasn’t been one. White House spokesman Josh Earnest, who is ineffective on his best days, was asked about the Sony matter. Here is the exchange:

Earnest says that “this is something that’s been treated as a serious national security matter.” Not so far, it hasn’t been. This concerns me, too: “[T]hey would be mindful of the fact that we need a proportional response and also mindful of the fact that sophisticated actors when they carry out actions like this are often times, not always, but often, seeking to provoke a response from the United States of America.” I never understand the concept of a proportional response. What are we going to do, knock out part of North Korea’s film industry? The response to any terrorist act should not be proportionate, but rather, should be massive enough to deter any future actor from even considering doing anything similar.

The striking thing about the Sony attack is how much worse it could have been. The film industry is relatively unimportant. What if North Korea, or some other adversary, carried out a similar attack against J.P. Morgan Chase, Bank of America, Citigroup and so on? They could bring America’s banking system to its knees. Or how about hacking into the computer systems of America’s utilities? Could a hostile regime turn off power to homes in the northern U.S. in mid-winter? Or maybe a hacker could disrupt the traffic lights in a major American city, and bring traffic to a standstill. The possibilities are endless. And North Korea is by no means the last word in computer expertise. The Chinese have state of the art technological capacity. Russia is a basket case in many ways, but software is like chess and Russians are great at it.

Was Sony Pictures’ computer system uniquely inadequate and therefore vulnerable to intrusion? I haven’t heard anyone say that. It appears that many companies could be vulnerable to similar attacks; indeed, as we have recently seen, major retailers have been vulnerable to hackers who sought profit rather than disruption. But the potential for disruption is the national security threat.

And if companies are vulnerable, then how about government agencies? What if North Korea hacked into the White House’s or State Department’s computers?

Maybe they already have. In October, we wrote here, here, here and here about a mysterious intrusion that brought down computers in the Executive Office of the President (which includes the White House and much more) and the State Department. The Obama administration was close-mouthed about the incident and refused our several requests for comment. Despite our efforts, the story was barely covered in the press, and disappeared without a trace. To my knowledge, no one has ever reported on the source of the intrusion or the cause of the outage.

It seems likely that the Obama administration wanted to suppress the story, which threatened to break days before the midterm elections. News of a hostile power invading the White House’s own computer system, if that is what happened, or may have happened, would have reinforced the perception that the Obama administration is weak. It is easy to imagine the press staying away from the story on political grounds. So, for all we know, the North Koreans–or the Russians, the Chinese, or some independent group–may already have carried out a highly destructive attack on the federal government’s computer system.

Be that as it may, the central questions arising out of the Sony Pictures story are 1) how widespread is the vulnerability to sophisticated hackers among corporations and government agencies, and 2) what can be done to secure our systems so that catastrophic attacks do not take place in the future? President Obama is scheduled to give a speech on several topics, including the Sony hack, later today. It will be interesting to see whether he addresses these questions, and if so, how.

Mark Falcoff: The Cuban paradox

Mark Falcoff is resident scholar emeritus at AEI. He is the author of several books including Cuba the Morning After: Confronting Castro’s Legacy. He writes further to this post on Wednesday:

This subject has already been written to death, but may I add a couple more comments?

There are two kinds of people who favor normalization of relations with Cuba. One is the person who believes that by freeing up the possibilities of Americans to travel to Cuba, the Cuban people will get to know us better and share our vision of a freer society. They also imagine that normalization will offer new economic opportunities to the impoverished Cuban people.

The other is the person who secretly harbors the hope that this will provide the Castro brothers with the resources to continue in power indefinitely (and after their passing, to allow their progeny and relatives to continue to rule the island, all under the fiction of “sustainable socialism”.) Both points of view have their merit; that is to say, each point of view has its own internal logic. Rand Paul has just expressed the first. The Nation magazine, the New York Times, Jimmy Carter, and needless to say, President Obama, his National Security Advisor Ben Rhodes, and all American leftists and most American liberals harbor the second.

The problem is, both cannot be right. We will soon find out which is.

The other aspect untouched by the media is the upcoming Summit of the Americas in Panama next year. For some time now the Latin American chanceries have been making it clear they will not attend this event at all if Cuba is not invited. By doing an end-run with the Vatican, the administration has avoided a major diplomatic embarrassment (although one can’t be certain that the cancellation of the conference would be a great loss to anyone).

I cannot help reflecting, however, that the Latin Americans move back and forth on what used to be called the Estrada Doctrine. This was the diplomatic formula fashioned by a Mexican foreign minister in the 1920s, to the effect that it is countries rather than governments that are recognized. Hence, sanctions and non-recognition amounted to a violation (in Estrada’s opinion) of international law. After much pressure, lobbying and criticism in the late 1920s, the U.S. adopted this doctrine. The chief beneficiaries were patrimonial dictatorships like the Somozas in Nicaragua and the Trujillos in the Dominican Republic, who ruled the roost in their countries undisturbed for decades.

Then, however, after the coup in Chile and the disappearances in Argentina, the Latins suddenly decided that human rights should be at the top of our agenda (not theirs, however—all of them except Mexico maintained perfectly normal relations with General Pinochet or the Argentine junta).

Suddenly it wasn’t countries but governments that were recognized after all! The job of sanctions was assigned by them to the United States and the United States alone. Did someone get tortured in a back alley of Santiago? That must have been the result of U. S. “support” for Pinochet!

Now, however, it turns out that human rights and democracy aren’t really all that important after all, and our spinsterish insistence on both in Cuba is an offense to decency. The Pope thinks so too.

If this proves anything, it is the profound lack of seriousness on the part of Latin American political elites, or what a friend of mine calls a lack of their democratic militance. What it reveals about the too clever Jesuit in the Vatican I will leave others to explain.