Just when it seemed that cyberspace was safe again, there is reason to believe that a new cyber army is waging war. In 2005 the Pentagon logged over 79,000 intrusion attempts into their network. From this about 1,300 were successful, including the penetration of computers linked to the Army's 101st and 82nd air force and 4th infantry divisions.
The attacks aren't directed at just one government agency either. In August and September of the same year, Chinese hackers penetrated US State Department computers in several countries. As a result, hundreds of computers had to be replaced or taken offline for months, to make the necessary provisions.
Jim Melnick, a retired Pentagon computer network analyst, told Time magazine that the Chinese military holds hacking competitions to identify and recruit talented members for a “cyber army.”
Chinese military documents and generals' speeches contain elements that support this claim. Namely, China has expressed its ambition to extend its efforts to cripple an enemy's “financial, military and communications capabilities early in a conflict.” A study conducted by the Pentagon has found that China's military regards offensive computer operations as critical in the first stages of war.
In fact, cyber attacks by China are said to be so frequent and aggressive that President George W. Bush has raised the subject with Chinese Communist leader Hu Jintao when they met at the Apec summit in Sydney, Australia.
Hu denies that China is responsible for the attack. But is there truly a cyber war and if so, who is winning?
SOH radio network's Dong Xiang investigates, interviewing Larry Greenblat, lead instructor at the Internetwork Defense and Information Security Training and Consulting company.
SOH: We are joined today by Larry Greenblat, Lead Instructor for Internetwork Defense and Information Security Training and Consulting company. Welcome to the show.
Larry Greenblat: Thank you.
SOH: Is a cyber war a too far fetched and exaggerated statement to make?
LG: I don't think so. I work with many government employees and contractors and they say much of what you just said that there's a big concern, especially over the past 18 months, the Chinese have really stepped up their attacks, probing everywhere on our internet.
SOH: So if there is a cyber war, how serious is it?
LG: If it is not a cyber war yet, it is definitely the beginning of a cyber war, so I don't know where to draw the line that we're waiting for some digital “Pearl Harbour” to signal the beginning of it.
SOH: What damage can a hacker do to the US government, apart from taking away personal identity or disabling electricity?
LG: They can do a number of those things, including what you just mentioned. They use… systems to access the operating interface, which is connected to the Internet. Take power plants that are run via Internet based applications, for example. So technically they could take over power plants but it doesn't stop there. Since 1987 more money has been represented in electronics than in any other form. When you think about what money is, people tend to think of it as paper or gold. But it's not true anymore. Since 1987, it's all gone electronic. So the wealth of the world is at stake.
SOH: When we talk about hacking a common understanding is that people from China or other countries, can log into a network and pretend they are us. How do they do that? Don't we have firewalls and controls prevent them from getting in?
LG: We do our best, but there is a principal called “six sigma,” I don't know if you are familiar with this, but it's a quality control system that seems to be a matrix that if you hit theoretically perfect quality, that for every million something, you'd have 3.4 defects. Now that's pretty good when you're talking about manufacturing clothing — it's a great target. But when your operating systems or your application has millions and millions of lines of code, even if we're to have perfect theoretically “six sigma” level of quality, we would still have thousands of potential software defects. It's just very difficult to make something perfect when you have millions of parts.
SOH: Because we have so complicated computer programs that control our daily lives, there's always some flaws and people can take advantage of that?
SOH: What can we do about it?
LG: We can look for the well-known flaws. Once something is exposed, then we can try to patch that but it's theoretically impossible to close all these doors and perhaps the worst thing is invalid input attacks. What happens is that in a computer database, they ask you to enter a name. They don't always check to see that you just enter in your name, you might enter a million characters so that'll be a buffer overflow and they can overwrite computer information. Or they could just answer “My name is …,” [then] a SQL command to change the database. So if you go to the the national vulnerability database website (nvd.nest.gov), they report a new discovered vulnerability everyday and it's almost always the result of an invalid input.
SOH: Looks like there's a war, or fierce competition, going on. Who's behind it?
LG: It's hard to say. I think it's just young hackers who are above the law and interested in knowing what's going on in any country's national interest. But international interest is what I'm hoping will stay protected. Right now these hacker kids are a little confused, they feel the road's up and they are seeing the folly in their old ways. Maybe they are a little misguided on how to use their skills, but I believe that they will rise above it before they grow up. There are rumours that China is at the top of the peak in this.
SOH: What do you mean that China is at the top of the peak, because it is so technologically advanced or more manpower or money?
LG: Both. I don't know if it is necessarily money, but they certainly have manpower. We have a difficult time recruiting children to be engineers and they have got a much bigger pool to choose from. That's a big challenge, probably our toughest challenge – I don't think it is money per se.
SOH: In the middle of 2007 we heard reports that Chinese hackers are attacking the Pentagon, they also allegedly attacked the government system in Britain and Germany. But the US government reaction is usually to play it down – why is that? Is it because it is not that serious or what's going on there?
LG: I'm not really certain but perhaps they don't just want to panic people. So I have, as I said, the pleasure to work with many government employees and they certainly are aware of these problems. Some of them are almost alarmed about this, but to release this type of information it would bring the cost of widespread panic – I don't know if there is any advantage to that.
SOH: In my hands, I have a Times magazine article that was published in September, 2007. There is something pretty scary when I read it. It said that one guy called Sammy who worked on cyber defense at the Pentagon since 1980s, told Congress in a testimony on April 25th in the same year that a massive cyber attack could leave 70 per cent of the U.S. without electrical power for six months. That is a very serious threat.
LG: This is a bit like the concern about the power plants. I believe there is a special taskforce that deals with system vulnerability. The Department of Energy and other power plants have hired government red teams or ethical penetration testers, to test whether someone could break in and they were 100% successful in every attempt. Someone said what you mean by successful is mirrors and what you see in those mirrors and they are able to tamper with them.
SOH: Compared to that, looks like the war in Iraq is a distraction?
LG: That's my feeling and partly many other people's feelings too. I think that the war in Iraq is obviously very important for oil and oilfields, but a similar danger is that most money is transferred electronically. If somebody could that take over and hijack the internet, we would have much more serious problems
SOH: As a lot of people know, I'm from China. I know that the Chinese army always consider the U.S. as its potential enemy in the future, probably over the Taiwan Straight conflict or some other issues, but they always treat U.S. as a potential enemy. Do you think so far that the U.S. Government is doing enough to defend our cyber world?
LG: You know what, I'm afraid to speak about this and they can only reveal so much to me. I do have faith in the skill of the people who I work with, but the question is more like: are they overwhelmed? That's my concern that there is just so much that they can do, because of that distraction in Iraq and other things that are eating up resources so I'm optimistic but cautious.
SOH: Optimistic but cautious…we don't have much time. I would like to touch base on your teaching method. I'm reading your biography and it seems are a creator of the cyber kung-fu information security training program series. I know you are a senior kung-fu instructor as well as a network security instructor. I keep wondering what kung-fu has to do with the network security?
LG: I got the idea when I was teaching martial arts and was a network operator teaching CISCO and networking. I had a student study Tai-chi with me and he was also an information security professional. He said: “You should get into this, your teaching methods are all very, very close to computer security. This way you mix your martial arts idea in.”
So it just started, I came up with the idea of cyber kung-fu and it just a kind of “pop” in me and as funny as I thought the word was, the 'cyber' comes from Greek. It does not mean computers, rather it means to steal. So the important thing in information security is directive control. For somebody to take the helm of the ship and steer it is governance. Governance also comes from Greek. Another misunderstood word is kung-fu. Many people think it's some type of martial arts, but it literally means something like, to spend time and energy on a field where you improve. I just mixed the concepts together to teach people how to defend themselves and take the wheel.
SOH: Give us an example of how you apply teaching of kung-fu to network security. I mean is there any connection other than the theory and principles?
LG: I was involved in a lot of street fights and one of my favourite examples was to start telling people the importance of showing that you are here, the things that you know, what you don't know, and it's the things that you don't know that bring trouble. “No, no, that's not true,” I say, as I left out the bully and fourth choice. There are the things that you think you know that turn out to be wrong. So when you watch alternate fights, everyone says “Oh, you have to fight on the ground”. I say “No, that's not how the fights end on the street. They don't tell you ready, set, go! The other time when you look down on your watch, they hit you.” – that's how computer security works. They don't tell you they will attack, you think it was a packet from your network, but it turns out you were wrong.
SOH: Surprise attack…that's why you mention “cyber virtual Pearl Harbour.” A surprise attack – it's the most vulnerable part, you say?
LG: And invalid input attacks too. It goes back to when I thought I was processing a guy's name, “What's your name?,” and they didn't enter their name. They enter in a SQL command to have me delete everything in my machine or something like that. So it's the things you think you know that turn out to be wrong that prove to be the most dangerous.
SOH: Applications of ancient martial theory into today's technology world. Thank you very much Larry.
LG: Thank you.
The SOH Network is an independent media company that specializes in providing original news directly from China.