Chinese Stole Anthem Data For HUMINT; Should Raise US ‘Hackles’ by John Quigg.
From the post:
(Gen. Fang Fenghui, chief of PLA General Staff, and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff. [Two peas in a pod?])
The Chinese just walked out of Anthem’s enormous data warehouse (though without encrypting their data it might as well have been a troop of Girl Scouts) with personal data on a quarter of America’s population. Assuming that the pro forma outrage and denial is a confirmation of culpability, the People’s Liberation Army and its various subsidiaries will comb over this and other data they hoover up in the maw of their cyber apparatus for defense and economic intelligence purposes for years, further enabling their surveillance and exploitation of Americans they find interesting.
Which leads the article to conclude, among other things:
Our toothless response as a nation is doing little to deter attacks.
To his credit, John does point out in bolded text:
This is one of the largest corporate breaches ever and has significant fiscal, legal, and intelligence implications. The latest reports indicate that the breach occurred because the data was not encrypted and the attacker used the credentials of an authorized user.
But there is a radical disconnect between national cyberdefense and unencrypted data being stolen using credentials of an authorized user.
Fear will drive the construction of a national cyberdefense equivalent to the TSA and phone record vacuuming, neither of which has succeeded at identifying a single terrorist in the fourteen (14) years since 9/11. (Not my opinion; these are the conclusions of U.S. government agencies. See the links.)
No cyberdefense system, private, governmental or otherwise, can protect data that is not encrypted and for which an attacker has authenticated access. What part of that is unclear?
Let’s identify and correct known computer security weaknesses and then, and only then, identify gaps that remain to be addressed by a national cybersecurity program. Otherwise, a cybersecurity program will address fictional security gaps, take ineffectual action against others, and be as useless and wasteful as similar unfocused efforts.