I suppose next to Ebola and ISIL, knowing that China's thoroughly infiltrating US infrastructure and systems, and has been for years, doesn't get good ratings.
arstechnica.com wrote:
James Comey, the Federal Bureau of Investigation director, says Chinese hackers are daily targeting US companies' intellectual property.
"I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set," Comey said Sunday on CBS' 60 Minutes. "They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us.'"
Comey's remarks on the news magazine come two weeks after a Senate Armed Services Committee report concluded that China's military broke into Pentagon contractors' computer networks at least 50 times—hacks that threaten "to erode US military technical superiority."
And in May, the government announced the indictment of five Chinese military personnel accused of hacking into major US corporations and stealing trade secrets. While Attorney General Eric Holder promised to bring the five to the US for trial, the defendants "are believed to be living freely" in China. The targeted companies, ranging from Alcoa to Westinghouse, were allegedly attacked between 2006 and 2014, and China got away with trade secrets connected to everything from nuclear to renewable energy, according to the indictment.
All the while, the Chinese government has accused the US government of hacking into China's businesses.
Comey, when asked Sunday by newsman Scott Pelley about how many cyberattacks the US has succumbed to, said, "It would be too many to count. I mean, I think of it as kind of an evil layer cake. At the top you have nation state actors, who are trying to break into our systems. Terrorists, organized cyber syndicates, very sophisticated, harvesting people's personal computers, down to hacktivists, down to criminals and pedophiles."
And when it comes to "what countries are attacking the United States," Comey added:
"Well, I don't want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People's Liberation Army, they are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry."
Moments later, he said, "I mean, there are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
FBI director says Chinese hackers are like a “drunk burglar”
Moderator: frigidmagi
- rhoenix
- The Artist formerly known as Rhoenix
- Posts: 7998
- Joined: Fri Dec 22, 2006 4:01 pm
- 17
- Location: "Here," for varying values of "here."
- Contact:
#1 FBI director says Chinese hackers are like a “drunk burglar”
"Before you diagnose yourself with depression or low self-esteem, make sure that you are not, in fact, just surrounded by assholes."
- William Gibson
Josh wrote:What? There's nothing weird about having a pet housefly. He smuggles cigarettes for me.
- frigidmagi
- Dragon Death-Marine General
- Posts: 14757
- Joined: Wed Jun 08, 2005 11:03 am
- 19
- Location: Alone and unafraid
#2 Re: FBI director says Chinese hackers are like a “drunk burg
I should point out that we've been hacking the Chinese at the same time. Additionally there are the stunts we pulled in Iran. Basically this is the way the game is played. Whining about it does no good, you need to update your security.
"It takes two sides to end a war but only one to start one. And those who do not have swords may still die upon them." Tolkien
- rhoenix
#3 Re: FBI director says Chinese hackers are like a “drunk burg
frigidmagi wrote: I should point out that we've been hacking the Chinese at the same time. Additionally there are the stunts we pulled in Iran. Basically this is the way the game is played. Whining about it does no good, you need to update your security.
That's my ignorance then; I knew about Stuxnet, but I didn't know that the US routinely hacks China. In retrospect, it should have been obvious, but there it is.
At the least then, I think this should start a conversation regarding US infrastructure, and its vulnerabilities.
- frigidmagi
#4 Re: FBI director says Chinese hackers are like a “drunk burg
Except we've known about the Chinese kicking in the door for almost a decade now and most people just whine about the Chinese being mean. It's easier to point fingers than buy better locks for those metaphorical doors I suppose.
- rhoenix
#5 Re: FBI director says Chinese hackers are like a “drunk burg
frigidmagi wrote: Except we've known about the Chinese kicking in the door for almost a decade now and most people just whine about the Chinese being mean. It's easier to point fingers than buy better locks for those metaphorical doors I suppose.
It just irritates me that something has to be seen as a political football in order to be addressed, especially as it concerns the longer-term health of our nation. However, I do get it - talking about aging infrastructure isn't really sexy, news-wise.
- frigidmagi
#6 Re: FBI director says Chinese hackers are like a “drunk burg
Thing is the important stuff does get fixed on a need-to basis. A lot of it on the state dime as opposed to the federal (Barry did try in 2008 but... You saw how that went). So the wealthier states with important stuff do fix them up, although they don't replace anything (too expensive, especially for Cally) while poorer states are just kinda screwed.
The interstate is maintained more or less decently I'm told... But I haven't driven on any since 2005.
#7 Re: FBI director says Chinese hackers are like a “drunk burg
New defenses don't work forever. It's a constant tug of war; new hacking methods get detected and defeated, and then the hackers find another inlet. The only way to really prevent cyberspace theft is to keep critical data physically separate from the networks. As in on computers not attached to the internet or any other means of remote access. And there you run into the age-old issue of security versus access. The more secure you make something, A) the more effort you must expend to keep it secure and B) the more difficulty you get in accessing it yourself. Which can run up costs in terms of manpower and time.
So sometimes it's cheaper to just accept that the Chinese and others will steal your shit because you don't want to deal with the hassle of keeping the data under strict off-network lock and key.
Chatniks on the (nonexistent) risks of the Large Hadron Collector:
"The chance of Shep talking his way into the control room for an ICBM is probably higher than that." - Seth
"Come on, who wouldn't trade a few dozen square miles of French countryside for Warp 3.5?" - Marina
- rhoenix
#8 Re: FBI director says Chinese hackers are like a “drunk burg
Steve wrote: New defenses don't work forever. It's a constant tug of war; new hacking methods get detected and defeated, and then the hackers find another inlet. The only way to really prevent cyberspace theft is to keep critical data physically separate from the networks. As in on computers not attached to the internet or any other means of remote access. And there you run into the age-old issue of security versus access. The more secure you make something, A) the more effort you must expend to keep it secure and B) the more difficulty you get in accessing it yourself. Which can run up costs in terms of manpower and time.
I'm aware of this, and the aspects thereof. All the above is academic if the infrastructure lines in question have no security to them to speak of, which has been proven by both blackhats here in the US, as well as the Chinese now. One would think that the American public would become tired of people acting like children on a sugar rush by the prospect of the ease by which one can get access to our country's important infrastructure.
As hundreds of companies here in the US have discovered (including the one for which I work), computer systems don't magically upgrade themselves, harden themselves, or re-divide subnets themselves. Those in charge of the purse-strings say "oh but I JUST PAID for that two years ago! this is obviously frivolous and unnecessary," and then that company inevitably gets a massive outage that costs them lots of money, which could have been prevented if they paid a fraction of that on actually keeping up to date with computer equipment and software.
And then it's typically more convenient to blame IT for not preventing it as a scapegoat.
This in a broader perspective is precisely what's happening with our country's infrastructure. As an IT tech who works in the realm of fixing stuff, and working to fix stuff so it doesn't happen again, this is frustrating.
Steve wrote: So sometimes it's cheaper to just accept that the Chinese and others will steal your shit because you don't want to deal with the hassle of keeping the data under strict off-network lock and key.
To be honest Steve, I don't think you understand the scope of the issue. I'll try to explain why this bothers me as it does.
Chinese hackers have now penetrated every last financial institution of the United States as of this year. They (and many others) have routinely infiltrated the networks that control power plants, dams, and other infrastructure, quietly placing logging, backdoor, or tracing programs there. Systems that, I will point out, only received very rudimentary "with the times" updates for the past fifty years, and nothing more than that.
This is not just penetrating Target's credit card processing systems, for instance.
What irritates me the most is that the US, as the country who has the biggest head start on computer knowledge and equipment, has the means to fix all of these problems quite nicely. While it's true that no upgrade makes you immune to such shenanigans, it can at the very least make it much harder, and much more obvious for them to try.
Right now, we're not even bothering to close the door and lock it - we're relying on the screen door's tiny lock.
- General Havoc
- Mr. Party-Killbot
- Posts: 5245
- Joined: Wed Aug 10, 2005 2:12 pm
- 19
- Location: The City that is not Frisco
- Contact:
#9 Re: FBI director says Chinese hackers are like a “drunk burg
rhoenix wrote: Chinese hackers have now penetrated every last financial institution of the United States as of this year.
Horseshit. Every last financial institution? Including the ninety that opened yesterday? And how am I to reconcile this statement with:
rhoenix wrote: What irritates me the most is that the US, as the country who has the biggest head start on computer knowledge and equipment, has the means to fix all of these problems quite nicely.
We can easily and nicely fix the problems of China hacking every single financial company in the United States? With what? The hackers from Swordfish? You cannot have it that the problem is a pervasive, all-encompassing one, unstoppable and poised to annihilate the very nation, and yet simultaneously easily fixable, save for the incompetence or treason of a few fools.
Half the reason nobody pays attention to this issue is because it gets wrapped up in this exact sort of Yellow Peril hyperbole.
Gaze upon my works, ye mighty, and despair...
Havoc: "So basically if you side against him, he summons Cthulu."
Hotfoot: "Yes, which is reasonable."
- rhoenix
#10 Re: FBI director says Chinese hackers are like a “drunk burg
General Havoc wrote: You cannot have it that the problem is a pervasive, all-encompassing one, unstoppable and poised to annihilate the very nation, and yet simultaneously easily fixable, save for the incompetence or treason of a few fools.
That's... not at all what I said or implied. If you somehow got that impression from something I wrote, please point it out, and I'll be glad to reconsider it, or rewrite it if it gives an impression other than what I meant.
My statement was that this is a problem that's growing worse, and I was drawing on the (admittedly skewed) reasoning I've heard from people higher-up where I work, which appears to neatly describe the same issue. And that is that people responsible for managing this network infrastructure are told to perform miracles routinely without being given additional or better tools with which to accomplish this.
I could point out many systemic failures where I work due to this same mindset, but it would (rightly) be viewed as purely anecdotal evidence. Instead, there have been a number of news articles I've read in the past few months where the direct cause of the network intrusion was exploitation of the software or systems they were using, software that had a version available that didn't have the vulnerability, but the company in question never authorized the cost to upgrade said software or systems, for whatever reason.
Most of the time, the reasons given are something like "well, we just bought that product a few years ago, why should I pay them money for them to fix their own product?" The issue with this is that it views computers and computer networks as an appliance - something you buy, just does its job until it wears out, and then you get another one. This is a rather common misconception I hear from people, and it's somewhat difficult to explain to such a person that what you can do with a given piece of software or hardware can rapidly expand, far faster than new product release cycles can keep up with. This has been the case in the PC industry for quite a few years now, and shows no signs of slowing down that I can see.
Essentially, most people who are interviewed or that I've spoken with about this seem to view this as the IT industry making excuses.
Now, I'll grant at this point that I was incorrect when I said "every single major financial institution." You're right to correct me on that count, since the sentence was hyperbolic. I'll give you that one.
What I intended to have clear is that this is a fixable problem - not easily or instantly, I'll certainly grant, but certainly doable if there was will there to do it. It would likely take setting a minimum set of network security standards that companies must meet to do business on the internet, which I'll acknowledge is a flawed solution. I simply can't think of a better one, nor have I seen a better one suggested yet.
General Havoc wrote: Half the reason nobody pays attention to this issue is because it gets wrapped up in this exact sort of Yellow Peril hyperbole. I recommend considering this before you start denouncing the apathy of people you don't know.
Havoc, I get your point here, but in my eyes it appears to be a large problem that's well overdue for a solution - and considering that it makes other countries' espionage work on the US (and US businesses) much easier to leave this unfixed, because it costs money and time to fix, this to me is a sad state of affairs.
I am not trying to imply the world, or even America is coming to a dramatic (or even undramatic) end. I see this as the country I was born in, the one I call home, the one I'm quite happy in - and one thing my grandfather taught me was that if you like your house, you take care of it.
- General Havoc
#11 Re: FBI director says Chinese hackers are like a “drunk burg
You certainly implied it was both all-encompassing (every single institution) and presently unstoppable, and leaped from there into discussing backdoors in every major infrastructure system in the US, planted there for nefarious purposes, which certainly sounds to me like a warning of pending annihilation. The Chinese are coming to destroy our water supplies, power grid, blow our dams, and burn our cities down. I'm supposed to draw what from this? There is a difference between sober risk analysis and screaming alarmism, and hyperbole tends generally speaking to aim at the latter. Take it from someone who uses the stuff himself.
Large companies tend to have shit IT systems. This is a truism across the planet. My company (to pull more anecdotal evidence) actually had no anti-virus software on our computers, with the results you would expect automatically to see from such a thing. But what you are discussing combating is not laziness or the foolish choices of a handful of people, but the nature of how humanity interacts with technology, ignoring, as I note a lot of IT workers do, that while it's true that not enough time is spent on IT in business or in the government, the reason for that is that, generally, people have work to do that does not revolve around concepts they don't understand that nobody bothers to sell them on. You cannot expect people to fetishistically operate their networks in such a way as to immunize themselves from all attempts at hacking, not unless your business is building such networks. Minimizing the damage and increasing the budgets for IT is only prudent, but there is a reason why this is not being done, and that reason is not simply that nobody else "gets it".
The problem, generally speaking, isn't that the IT industry is perceived by those not in it as making excuses. The problem is that the IT industry is perceived by those not in it as being myopically focused to the point of monomania on the integrity of their networks. This is to be expected, given that the integrity of networks is and should be their primary concern. But networks are designed to do things, things that cannot be done when IT insists on overstating the problem to the point of psychotic paranoia because they feel they will get no hearing otherwise. When I am required to use six different randomly-generated alphanumeric passwords of fifteen characters each which I'm not allowed to write down, or disable my computer for a full day every couple of weeks to apply "updates" whose purpose is entirely opaque to me, then the network will fail for reasons entirely unrelated to hacking, and entirely related to the fact that I will not use it at all, or violate the security protocols in favor of actually getting work done. It's gotten to the point in a number of companies that IT citing "network security" as a reason for something is about as trustworthy as the NSA citing "national security". And it's gotten this way because people are being prevented from doing their jobs by IT people insisting on radical changes in everyone's working lives for reasons they assume from the get-go, rightly or wrongly, that nobody will understand, and that they therefore have to frame in as cataclysmic a manner as possible.
And while I agree that the issue is fixable, that solution, which you described as "flawed", is in reality not "flawed" but "emblematic". Your proposal, which I understand you're throwing out as a basis for discussion and not an actual proposal, illustrates exactly what I mean. You are proposing, in essence, that 90% of all internet businesses be banished from the internet forever, a number which will rise to 99% in countries other than the US, Japan, and Western Europe. In the name of securing the internet, you are proposing destroying the internet as we understand it. It is as though I were to suggest that the solution to the problem of counterfeiting is to ban paper money for all purposes. And then you wonder why your warnings are tinged with alarmism. If that is truly the working framework of the solution, then there is no solution. I would rather have the Chinese hack us every day than even implement a fraction of what you are suggesting.
You want people to take the threat seriously? The entire industry needs to stop sounding like the bearded preacher on the street corner with the 'REPENT' sign. I understand why the industry sounds this way, but IT is ultimately no different than any other aspect of business or governance, yet the denizens thereof prefer to treat it as the sole means by which the world is held together. Hacking is going to happen. You can mitigate it by improving your security, and the best way to do that is to convince people it's a rational choice, not the thing everyone must drop everything to go and do this instant or else. But you cannot stop it entirely, and if you try to stop it entirely you will both fail and fuck everything else up in the process of failing. And whether or not it was actually your intention all along to merely suggest mitigating the matter, when IT phrases the problem in terms of dire warnings of the imminent apocalypse, and IT departments are universally notorious for this, then they will not be listened to, and they will sit around wondering why.
This is true of more than just IT of course, but that's another story.
- rhoenix
#12 Re: FBI director says Chinese hackers are like a “drunk burg
Ok - I'm going to try to unpack and discuss just the parts related to IT departments here, from a company's perspective. I'm going to try to set this up properly, as I think this specifically is something worth discussing different perspectives of.
---
In your reply, you acknowledge that most businesses do not do most of the things a network manager would suggest - a person whose sole job, you also acknowledge, is maintaining the security and integrity of that company's network. You then acknowledge that IT folks have become increasingly shrill and hyperbolic as a result of this in an effort to get across the seriousness of the situation, which you then dismiss as not helping the situation.
You describe it as emblematic of the issues with IT. I'd have to ask you to elaborate on that to have more of your perspective, and I recall you mentioning elitism and shrill hyperbole as main examples - but I would counter that by saying that this is a human problem, and I go back to my "PC as an appliance" example. From the non-IT perspective, managers and such see IT as a black hole for money because they keep asking to pay for the same stuff you paid for last year, when you already have it - or want even more stuff. Worse yet, as you described, some IT managers will insist that people be forced to do draconian and awkward things in the name of security, things which inconvenience everyone and sometimes make you have to use your computer differently in order to do the same work you did last week.
However, the Internet is now a stable part of everyone's existence - it has rapidly become as ubiquitous as the idea of business itself. Even with the possibility of power-mad or outright incompetent IT managers, if a business doesn't want to do what's necessary to keep their connections to the rest of the Internet secure, in a world where sometimes entire lines of software have to undergo rapid changes within a month or less, then you might get up tomorrow to see your company in the news, and in a really not good way, as well as set everyone's hair on fire within the company you work for.
Nobody wants to see their company in the news in that way. IT folks would consider it a nightmare scenario to have something like this happen, and knowing that it could have been prevented if x was done, but they were unable to do so because of y. Nobody likes feeling like they were capable of doing something about it, but didn't have the authority to do so, especially when you're going to be the one working to clean up most of the mess.
Your examples of IT policies being utterly ridiculous are certainly ridiculous, I will agree - I unfortunately have similar stories of techs. My perspective is different, though based on my job history - all the jobs I've had (except my current one, I'll note) before now were in some way related to ISPs, and how they talked with systems. In all of those (again, except my current one), network managers strongly emphasized making an effort to have all their system updates and such be transparent to the userbase (as in, if a user cannot access something because you're updating it, then you created a situation in which you fucked up, because there should be a transparent failover to a backup in the meantime), and always balancing that against security.
This may sound somewhat ominous to someone not in IT, but as I learned it, the ideal was for IT to effectively become invisible. To get everything working to the point where the way everything worked and connected was both stable and secure, and that security was inherent within the software and connections both, so no onus was placed on a user to make it work - the systems would simply handle that in the background. In other words, things should be as secure as possible without impeding the user in any way - to make the systems as reliable as an appliance.
Now of course, this is an ideal, and unfortunately, the more secure you want to make something, the more the user is going to notice. There are reasonable limits to this of course, but you can still do much by focusing on the traffic layer of things more than the software layer of things, and then simply configuring the software to use it properly. In fact, while someone walking by a VP's computer who didn't lock their workstation and stealing company secrets is a thing to be wary of (not to mention good ol' fashioned social engineering; "Hi, this is Bob from over in Accounting, could you reset my password? I forgot it..."), a very good portion of a network's vulnerable spots are going to be how your network connects to the rest of the Internet, and what you do to make it that much harder for someone to get in. Cisco's entire line of well-respected certifications circle entirely on this realm for the reason that there's much you can do with this area.
This is, of course, because script kiddies are a thing, and an 11-year-old who's bored after school can easily download a program from 4chan or another site, and use it on a couple websites they know, just for the hell of it. This happens very often, and if you can at least make it very difficult for standard methods those programs use to work, as well as accounting for the other relatively simple, but still effective other ways to mess with a network or the stuff on it - and you can do most of that without a user being inconvenienced in the least, or even noticing at all.
However, someone who knows how to do this properly will rightly demand an impressive paycheck for their skills, and an equally impressively expensive shopping list for equipment. As a result, most people who know how to do this properly act as consultants, helping companies do first-time setup and such, because very few companies are willing to cough up the amount of money necessary to keep that person employed, and outbid other companies for their continued employment.
This has had the result of what we're both talking about from different angles, as companies will naturally want to keep costs down as much as they can. On one end of the spectrum, this can have the result of hiring someone who you know won't bother you much to run your IT department, and therefore develop glaring exploitable holes you didn't know about, along with a badly managed and ill-equipped IT department. On the other end of the spectrum, the company is not willing to allocate the money necessary, because that extra money would be for stuff that might happen, not what will be happening tomorrow, and the day after that.
From my perspective, being in IT, I see this as a "get what you pay for" sort of thing. If a company isn't willing to pay the extra money for insurance, then when what you aren't insuring against happens, you're without insurance when you're caught with your pants down. Then you're going to have to work overtime to clean up the mess of a disaster that you could have prevented from occurring, and by spending quite a bit less time and money than you did to clean up the disaster.
But, I have to grant that there are unscrupulous assholes in IT who will try to take advantage for their ego and pocketbook both, who don't care about the impact of what they're doing on the users they are ostensibly there to ensure can all work without shenanigans. That unfortunately is the worst of human nature at work, and should be accounted for.
Now, I'll grant that from your perspective, this creates the disquieting possibility of an IT manager essentially making NASA's second processing facility (and PC game room) out of your pocketbook, as well as IT managers attempting to vomit jargon or hyperbole at people to get more money. Nobody wants to be taken advantage of, and I imagine another nightmare scenario is for the IT department to get out of control, paying for hugely expensive equipment whose sole purpose is to prevent something that has a 0.00005% chance of occurring or less, thus shortchanging other departments who definitely could have used that money for something that would actually show a result to help the company continue to be a success.
But, I would say that in quite a few cases I've seen, the fear of the possibility of an out-of-control IT department happening ends up creating the probability that a disaster will occur through the reality of an ill-equipped and/or badly managed IT department. However, I would add that this is also the worst of human nature at work, and should be accounted for.
That went on for far longer than I'd like, and you have my apologies for that. But my hope is to better understand what you describe from your perspective, by sharing mine and inviting you to do the same. In this way, I can understand what you mean from your point of view, and from there, see if we can agree with a solution that we can agree on.
---
In your reply, you acknowledge that most businesses do not do most of the things a network manager would suggest - a person whose sole job, you also acknowledge, is maintaining the security and integrity of that company's network. You then acknowledge that IT folks have become increasingly shrill and hyperbolic as a result of this in an effort to get across the seriousness of the situation, which you then dismiss as not helping the situation.
"Before you diagnose yourself with depression or low self-esteem, make sure that you are not, in fact, just surrounded by assholes."
- William Gibson
Josh wrote:What? There's nothing weird about having a pet housefly. He smuggles cigarettes for me.