DNI JAmes Clapper at NSS 2014

GEOINT: Director of National Intelligence James Clapper identified China today as “the leading suspect” in the two sweeping hacks of the Office of Personnel Management, one day after NSA Director Adm. Mike Rogers dodged the issue. In Clapper’s first answer to a question about who is responsible for the OPM hacks, he laid the blame squarely on China. “On the… Keep reading →


Technology is moving too fast to keep track of everything, but there’s one overarching trend that policymakers must not miss in 2015. Call it “convergence.” Cybersecurity is no longer its own specialized function for tech geeks to take care of off to one side while the rest of the organization gets on with the real… Keep reading →

King's College London scholar Thomas Rid argues in his new book that cyberwar has not  happened and never will.

  WASHINGTON: Many a mother has warned roughhousing children that “it’s all fun and games until somebody loses an eye.” On Monday, four cybersecurity experts (two Americans and two Brits) agreed that the online attacks we’ve seen so far are all either espionage or sabotage: It doesn’t count as war until somebody dies. We have… Keep reading →

CAPITOL HILL: Maybe cyberspace isn’t as fragile as it’s made out to be. “Relax, Chicken Little, the sky isn’t falling,” said Columbia professor Abraham Wagner. “Protection ultimately is easier than penetration.”

Wagner’s argument reverses the conventional wisdom that the attacker always has the advantage online. A forthcoming study by the Cyber Conflict Studies Association, for example, says that even a good offense is no defense, because it’s so easy to hide who really launched a particular attack — the notorious “attribution problem” — that it’s nigh-impossible to know whom to retaliate against. But Wagner and several other cyber experts assembled Thursday by the hawkish American Foreign Policy Council collectively suggested that both defense and deterrence are doable, even against hackers backed by nation-states like Russia, China, and Iran. Keep reading →

WASHINGTON: Rep. Mike Rogers, chairman of the House intelligence committee, cast doubt today on reports that the Stuxnet and Flamer viruses were the work of the US and Israel. In fact, he argued, it’s against America’s interest to be staging any cyber attacks because the US is so vulnerable to retaliation.

“Don’t believe everything you read in the newspaper,” Rogers said of reports that both Stuxnet and Flamer were a joint US-Israeli endeavour. “I would be very, very cautious about assigning any nation-state originator to any of the [viruses]…. There was as much wrong in those [articles] as there ever was right.” Keep reading →

CAPITOL HILL: The number of malware attacks soared 81 percent last year, from three billion in 2010 to five-and-a-half billion in 2012, Symantec senior engineer Patrick Gardner told congressional staff in a briefing here today.

But those raw numbers aren’t the really bad news. Keep reading →

The Stuxnet computer worm that damaged Iranian nuclear facilities – widely suspected to be an Israeli or even U.S. covert action – was a model of a responsibly conducted cyber-attack, said the top lawyer for the U.S. military’s Cyber Command, Air Force Col. Gary Brown. By contrast, the Chinese stance, which holds that the international law of armed conflict does not apply in cyberspace, opens the door for indiscriminate online actions launched with less concern for collateral damage than was evident in Stuxnet, he warned, while a joint Russo-Chinese proposal for international collaboration on cyber-security could potentially threaten free speech. Brown emphasized that his remarks represented his own opinion and that he was not speaking for the U.S. government, but they still open a window into the thinking of an influential official on the cutting edge of policymaking on cyber war.

At a small gathering of students and faculty at Georgetown University, hosted by former CIA lawyer Catherine Lotrionte, Col. Brown hastened to Stuxnet’s defense when this reporter raised the possibility of the worm having damaged systems outside Iran. The way Stuxnet was designed, “it looked like lawyers had been involved, because it was set to do no damage until it saw a very precise set of circumstances that doesn’t exist anywhere except in Iran,” said Brown, who has written on the legal ramifications of Stuxnet. “Also,” he added, “it was set to expire,” erasing itself from every infected machine this coming June 24th. Both those attributes suggest a conscientious effort to limit the online equivalent of “collateral damage,” a particularly crucial concern when releasing a worm or virus to replicate itself across the internet, whose omnipresent connectivity means an attack aimed at a legitimate military target in one country can easily spread out of control to innocent civilian systems around the world. “Your normal terrorist or criminal doesn’t care about what collateral damage happens,” Brown said. Keep reading →