Cops Say Crooks Are Winning The 'Cyber Arms Race'

[HardOCP News]

We all know this is true, I just don't understand why. Governments around the world should be able to recruit the best talent on the planet but they just aren't doing it. It's humiliating to think that most of the "cyber crooks" out there are script kiddies that couldn't hack their way out of a paper bag but they still wreak havoc online.

Police and businesses are losing the 'cyber arms race' with criminals who are getting increasingly sophisticated, the UK's National Crime Agency (NCA) has warned. In its first Cyber Crime Assessment report the agency warned: "The accelerating pace of technology and criminal cyber capability development currently outpaces the UK's collective response to cyber crime. This 'cyber arms race' is likely to be an enduring challenge."

 

[Monkey God]

Low pay, stiffling environments, working for the man. I can't imagine why they are having issues with recruitment.

 

[slowstuff]

This ... so much ... Government pay scales are terrible compared to what and half decent IT professional can make in the real world. The environment in most branches of government is toxic, backstabbing, out dated, and extremely bureaucratic / political.

 

[HardOCP News]

Low pay, stiffling environments, working for the man. I can't imagine why they are having issues with recruitment.

This ... so much ... Government pay scales are terrible compared to what and half decent IT professional can make in the real world. The environment in most branches of government is toxic, backstabbing, out dated, and extremely bureaucratic / political.

That's just it, they don't have to be like that. Pay a competitive wage for white hat hackers and offer deals to convicted hackers, etc. etc. etc. Essentially, do what they do in Hollywood movies, make a division that is more like a Google / Facebook work environment where people WANT to work there. They can do it. They won't...but they can.

 

[Monkey God]

Evolve and move with the times or go extinct.

 

[Twisted Kidney]

That's just it, they don't have to be like that. Pay a competitive wage for white hat hackers and offer deals to convicted hackers, etc. etc. etc. Essentially, do what they do in Hollywood movies, make a division that is more like a Google / Facebook work environment where people WANT to work there. They can do it. They won't...but they can.

Except that you and I both know that a fancy lobby with a fountain and a juice bar, a building with gym facilities and nap-naps in the nap-nap room would play beautifully in an election. "Civil servants paid to nap! 'I gots to werk 25 howrs ever day wit no sleepin space at all' says one day labourer". Could you imagine how hard this would get played in an election?

They simply can't do what it takes to get the best people, the voters demand that the civil service be a shitty job where you can be fired for having a single nose hair too long. It's not that bad, but that's what the voters want to see. Optics, it's all about optics.

 

[Tak Ne]

This is just a prelude to "We need EVEN MORE spying powers".

 

[ml_paladin888]

governments do not want free thinkers...they want people to fall in line with what's already in place

problem is you need people capable of thinking outside of the box to combat this crap

 

[Pieter3dnow]

The reason is because it is to easy . Stuff can't cost to much so "cyber security" is not really high on the list of what those visionary captains of industry (read: captains of the Titanic) cut down on. Take that Sony hack. Supposedly Sony thought it was wise to cut down on security , while this sounds really good from someone at the top it does not work out in the real world. And with cut down on security they supposedly sacked that whole division.

Making it easy by not maintaining and cutting costs on security that should not happen it is as the song goes "there is a hole in my bucket" .
And it has been going on for ages ....

 

[Makaveli@BETA]

greats responses and so accurate.

This will forever be a losing battle for them until they get the heads of their asses.

 

[nutzo]

Too likely to get away with the crime, and even if they are caught, the punishment will be nothing more than a slap on the wrist.

Only way to stop it, would be to increase the likely hood of getting caught, it increase the penalty.

About the only penalty that might get this cyber crime under control would be public executions.

 

[twonunpackmule]

That's just it, they don't have to be like that. Pay a competitive wage for white hat hackers and offer deals to convicted hackers, etc. etc. etc. Essentially, do what they do in Hollywood movies, make a division that is more like a Google / Facebook work environment where people WANT to work there. They can do it. They won't...but they can.

Asking the government to adopt to quick thinking style digital logic is like asking McDonalds to make a quality burger. It ain't going to happen until we age out the political parties.

 

[Devilpup]

You're talking about two really different things but trying to understand them in the same vein. When it comes to combat against a single target (cyber, country, whatever) the government is very, very good. When it comes to combat against a distributed and disorganized adversary (Anons, insurgents, terrorists) we suck ass.

It's like an argument about public transportation, there are some ways in which it can be really successful but it can't account for your random country stoner needing tacos at 2 am. It's just not feasible to think you can cover everything with any one system.

 

[Retronym]

The guys investigating Silk Road did a pretty bang-up job beating the criminals at their own game.

 

[lostinseganet]

American cyber hackers don't want to work for the man! Or depending how the next election goes woMAN

 

[westrock2000]

Will they pay $100K a year?

 

[Ehren8879]

There isn't a great threat or great evil like there was during the atomic race. Nuclear research would be further behind if it wasn't for that era.

Not that I want a cyber Hitler to fuel our defenses, but I predict that what's it's gonna take.

 

[malachy]

I think there are also conflicting governmental elements/organizations at play here.

The dedicated cybersecurity/attack groups do pretty well-- Stuxnet, anyone?-- but those groups either don't want, or are not allowed, to disseminate what they know to the rest of the government and/or private sector; those exploits are too useful as attack targets for their own malware.

The other government IT departments (e.g. State Department) are another matter, and yeah, they're often pants, either because they're poorly led/organized, or because they don't receive the budget to keep their systems up to date-- probably a combination of both in all cases. To say nothing of the inefficiencies of so many federal agencies maintaining their own IT / server departments...

 

[westrock2000]

The dedicated cybersecurity/attack groups do pretty well-- Stuxnet, anyone?-- but those groups either don't want, or are not allowed, to disseminate what they know to the rest of the government and/or private sector; those exploits are too useful as attack targets for their own malware.

Ya, the UN saying that a Cyber Attack (from Russia/China/Iran/NK) is enough to trigger an Article 5 WW3 really puts a hamper in us taking credit for such things. Gotta keep it on the downlow.

Like the CIA having a stealth plane (SR-71) before the military knew stealth existed (Have Blue). Although Stuxnet and Flame are not nearly as well guarded secrets.

 

[westrock2000]

To me it's a cash grab. It would be like the government saying they don't have enough money or resources to stop lone wolfs.......it's an impossible task from the get go, but it sounds great in press releases.

 

[lcpiper]

This ... so much ... Government pay scales are terrible compared to what and half decent IT professional can make in the real world. The environment in most branches of government is toxic, backstabbing, out dated, and extremely bureaucratic / political.

The first problem is that they take the entirely wrong approach.

The government should not be trying to fix the problem themselves and that is the biggest problem.

Instead, the government should be making sure that businesses are properly motivated and empowered to fix these problems.

Look, every hack, every vulnerability, every weakness is the result of one or more of these basic problems.

Either the software has a vulnerability, (usually that isn't being found and patched fast enough, or at all)

Or the IT workers lack the knowledge and skill to secure their systems.

Data handling processes are insecure, (workers getting backup tapes stolen from their cars cause they stopped at the mall before they dropped off the tapes).

Or the organization just will not spend the money to protect their systems and data, (which includes not paying their staff enough to make them give a damn or treating them right).

The only thing any government should be doing is making sure that businesses are properly motivated to ensure good security of their systems and data. Oh, and making sure that when businesses are negligent, that they pay for it and I mean they pay alot for it.

Some people say this will drive businesses to hide breaches, I say the government should hire companies to purposefully breach businesses and fine the hell out of them if they fail to keep out the attackers.

Don't try and tell companies how to keep things secure, that only invites laziness, they'll do what is required and no more.

Don't try and develop secure practices with your own experts, let the experts do that for the government. Create an environment where business is motivated by carrot and stick to do what is right and let them figure out how.

 

[lcpiper]

That's just it, they don't have to be like that. Pay a competitive wage for white hat hackers and offer deals to convicted hackers, etc. etc. etc. Essentially, do what they do in Hollywood movies, make a division that is more like a Google / Facebook work environment where people WANT to work there. They can do it. They won't...but they can.

No they can't.

Work with that mentality long enough.

The organization I work for has been essentially preparing for a major security review for the last year. It's almost right on top of us and we are still not ready. The reason we are not ready isn't because we couldn't get ready. It''s because the people at the top don't care if they are ready. They don't care if they pass, they only care enough that they can show they have been working on passing. Kick the can, make excuses, anything at all as long as they don't have to put their future on the line and be held responsible for anything.

People who think like this cheat at Solitaire on their PC, playing standalone.

And they download a bot to do it for them.......................

How are these kind of people capable of doing what you suggest?

It is simply not in their nature.

 

[lcpiper]

Evolve and move with the times or go extinct.

True, but you have to be in the "extinction" game.

Look, you can fantasize like Hollywood likes to do with movies about governments being crippled by hackers and such. But only a weak government is vulnerable to this, because a strong government will take what it needs from the weak ones.

There are many jungles in the world, but the only ones that actually involve extinction are the ones where Armies are the hunters.

 

[Deleted member 245375]

There's a really simple reason why bad guys win more often than not:

They choose not to play by the rules that other people or agencies do.

It sucks, sure enough, but there's nothing that's going to be done about it and better pay with more comfortable work environments ain't gonna make a dent.

 

[Scizyr]

The Cybercrims™ will always be 2 steps ahead because they understand and accept the fact that there is no such thing as security, something governments refuse to believe.

 

[NukeDukem]

Blue Lives Matter

 

[Ducman69]

Low pay, stiffling environments, working for the man.

Not to mention being demonized by the press for doing your job, and being shot and killed by BLM terrorists protesters.

 

[lcpiper]

The Cybercrims™ will always be 2 steps ahead because they understand and accept the fact that there is no such thing as security, something governments refuse to believe.

Really? Cause Classified US systems get hacked every day?

You do understand that there has never been a known breach of the DoD Secret and Top Secret networks? And that they are under attack all the time.

And I am not talking about insider attacks Like Snowden and Manning where they downloaded data to external media and physically walked it out. I am talking about a breach of the networks.

Go get a clue, then talk.

 

[slowstuff]

That's just it, they don't have to be like that. Pay a competitive wage for white hat hackers and offer deals to convicted hackers, etc. etc. etc. Essentially, do what they do in Hollywood movies, make a division that is more like a Google / Facebook work environment where people WANT to work there. They can do it. They won't...but they can.

The reality is they can't pay a competitive wage, without restructuring the way the entire government is paid, from congressmen down to clerical staff. That isn't a reasonable expectation. They also can't create that type of work environment due to many, many government wide restrictions on how and what money can be spent on. Just look at the whole thing with GSA in Vegas a couple of years ago, people like that are the reason government money is bundled into stupid little batches that can only be spent on certain things. At the federal level they are not even supposed to pay for a water cooler for staff. In many areas of the government the "IT" people are people that know how to use a mouse, BAM you're the new IT guy. They also do not promote growth, learning, thinking outside the box. The entire structure of government is based on out dated monolithic ideas of management that won't ever change because that is how the people in charge think. The reality is you are dealing with people that have 30+ years of doing things a certain way, and training the people who have 20+ years to do things that way, and it just trickles down. It can't change because the structure of government is so static and entrenched in bureaucratic BS and so many things are so closely tied together that it will take decades of small changes to get caught up with the current standard. It also doesn't help that when given leeway to do things different and try to pull in philosophies from the corporate world the people they put in charge F things up royally, healthcare.gov anyone, which sets things back tremendously. I can't tell you how many systems I deal with based on great technology with the absolute worst implementation, and it all amounts to a pile of crap and blamed on the underlying technology or trying something new rather than poor implementation and mis-management. It's easy to wave your hand and say they can or should change or do things differently, but the truth is it's like telling a freight train it should learn to stop driving on the tracks, it just isn't possible without replacing so much of the train that it becomes a truck. You can't fix the problem with IT in government without replacing so many of the outdated BS rules, regulations, people, ideas, etc that you now have a completely different government.

 

[Scizyr]

Really? Cause Classified US systems get hacked every day?

You do understand that there has never been a known breach of the DoD Secret and Top Secret networks? And that they are under attack all the time.

And I am not talking about insider attacks Like Snowden and Manning where they downloaded data to external media and physically walked it out. I am talking about a breach of the networks.

Go get a clue, then talk.

Don't try to redefine what I said. There is no such thing as security, regardless if the vulnerability is physical or digital or human, there will always be a breach.

 

[DocSavage]

Really? Cause Classified US systems get hacked every day?

You do understand that there has never been a known breach of the DoD Secret and Top Secret networks? And that they are under attack all the time.

And I am not talking about insider attacks Like Snowden and Manning where they downloaded data to external media and physically walked it out. I am talking about a breach of the networks.

Go get a clue, then talk.

Have you forgotten about this huge breach that we found out about just one year ago? Office of Personnel Management data breach - Wikipedia, the free encyclopedia

Or is the hr, background check, and psych info of all government employees not considered something to be kept secret?

 

[lcpiper]

Don't try to redefine what I said. There is no such thing as security, regardless if the vulnerability is physical or digital or human, there will always be a breach.

And I am challenging you directly on this then. You made an absolute statement and I am telling you that there are networks that have never been breached.

Have you forgotten about this huge breach that we found out about just one year ago? Office of Personnel Management data breach - Wikipedia, the free encyclopedia

Or is the hr, background check, and psych info of all government employees not considered something to be kept secret?

OPM was not a classified network.

And NO, that data is not classified as secret. It is classified as "Unclassified" and is stored and processed on the government's unclassified networks. Unclassified can still be considered as sensative just like the government requires that Personally Identifiable Information, (PII), be protected. But the Unclassified networks have connections to the internet, the classified networks do not. This is what few people realize, the classified networks do not share any physical connections with the Internet. They don't even talk through the same communications satellites. You can't hack what you can't touch.

So what I am saying is that with the exception of cases like Snowden, Manning, and previous spies who took physical documents or removable media with copied files, there has never been an actual hack or breach of a classified DoD network except for one case. It was very unique, and it happened because someone purchased equipment from an unauthorized vendor source and the hardware was compromised before it was purchased and used. That is the closest thing to a hack of classified DoD networks that I know of.

 

[Darunion]

Don't try to redefine what I said. There is no such thing as security, regardless if the vulnerability is physical or digital or human, there will always be a breach.

This is partially true. Like a door lock on the front door, it merely provides a filter. Leaving the front door open would let a 5 year old rob you, where as a lock maybe a 12 year old and a broken window, barred windows and now you require someone with experience to get into such a house. Computer networks are similar, do you really want every script kiddie to have access or only a select few that could have the capability to get in? The definition of security could be changed to mean 'less likely to be in danger'.

 

[westrock2000]

There have been breaches on networks that house military classified documents such as Lockheed and Boeing. It's not DoD network directly, but it does contain sensitive information related to our military superiority.

Typical cat and mouse games that governments play though.

 

[Scizyr]

And I am challenging you directly on this then. You made an absolute statement and I am telling you that there are networks that have never been breached.

Lack of a breach does not mean something is secure. My car has never been broken into, does that mean my windows are shatterproof and my door locks can't be picked? Or are you saying you believe in security through obscurity? That's been proven in every case to be bad practice.

 

[Scizyr]

This is partially true. Like a door lock on the front door, it merely provides a filter. Leaving the front door open would let a 5 year old rob you, where as a lock maybe a 12 year old and a broken window, barred windows and now you require someone with experience to get into such a house. Computer networks are similar, do you really want every script kiddie to have access or only a select few that could have the capability to get in? The definition of security could be changed to mean 'less likely to be in danger'.

That basically describes the entire infosec industry.

 

[lcpiper]

Don't try to redefine what I said. There is no such thing as security, regardless if the vulnerability is physical or digital or human, there will always be a breach.

I am not redefining anything. I am pointing out that you are wrong.

You made an absolute statement and I am telling you that there are networks that have never been breached.

There have been breaches on networks that house military classified documents such as Lockheed and Boeing. It's not DoD network directly, but it does contain sensitive information related to our military superiority.

Typical cat and mouse games that governments play though.

You are correct, do you know how those breaches happened?

I am betting you do.

 

[lcpiper]

Lack of a breach does not mean something is secure. My car has never been broken into, does that mean my windows are shatterproof and my door locks can't be picked? Or are you saying you believe in security through obscurity? That's been proven in every case to be bad practice.

You infer an absolute meaning to a word that is not an absolute. It's like saying someone is an honest person which is only good up and to the point that this person does something dishonest.

Security is a state that is derived through constant effort, it's not an absolute thing that is perpetually inviolate. If you had any idea just how many attacks are happening, just trying to get into the unclassified networks, you would be rethinking your assessment. The wisest thing the military did was physically separate the classified networks from the unclassified ones. That one move alone, though very expensive, greatly enhances the security posture of those networks. The DoD contractor networks are classified networks, but they are not talking to or connected to the primary Military classified networks.

 

[Scizyr]

You infer an absolute meaning to a word that is not an absolute. It's like saying someone is an honest person which is only good up and to the point that this person does something dishonest.

Security is a state that is derived through constant effort, it's not an absolute thing that is perpetually inviolate. If you had any idea just how many attacks are happening, just trying to get into the unclassified networks, you would be rethinking your assessment. The wisest thing the military did was physically separate the classified networks from the unclassified ones. That one move alone, though very expensive, greatly enhances the security posture of those networks. The DoD contractor networks are classified networks, but they are not talking to or connected to the primary Military classified networks.

Secure is a state of perfection which is unobtainable. To say something is secure is to say it is invulnerable. I know how many attacks are happening and how many are successfully stopped. With time and effort the most expensive and guarded network on the planet can be breached. There will always be an open vector.

There is no such thing as an honest person either. Someone can be relatively honest and a network can be relatively secure, but neither are truly honest or secure, respectively.

 

[lcpiper]

By Scizyr
Secure is a state of perfection which is unobtainable.

This may be your definition but it is not the definition of secure for IT departments.

Secure is in practice, a word that means we have done all we can reasonably do.

You see Secure as an unobtainable goal, but networks all over the world are declared "secure" because everything has been done that reasonably can be expected in order to secure them. Therefor they are secure and your definition of a state of being which provides perfect protection does not exist, and can't exist.

For the most part we are arguing semantics, but my definition which is the real and accepted definition, is the one that lives in the real world, not a fantasy one that reporters and the such like to think they live in.