Information Security News mailing list archives

Snowden: US has put too much emphasis on cyber-offense, needs defense


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 9 Jan 2015 10:25:11 +0000 (UTC)

http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/

By Sean Gallagher
Ars Technica
Jan 8, 2015

In an on-camera interview with James Bamford for an upcoming episode of PBS' NOVA, Edward Snowden warned that the US Department of Defense and National Security Agency have over-emphasized the development of offensive network capabilities, placing the US' own systems at greater risk. With other countries now developing offensive capabilities that approach those of the NSA and the US Cyber Command, Snowden believes the US has much more at stake.

The raw transcript of the NOVA interview showed Snowden in full control, to the point of giving direction on questions and even suggesting how to organize the report and its visual elements. Snowden frequently steered questions away from areas that might have revealed more about NSA operations, or he went into areas such as White House policy that he considered "land mines." But the whistleblower eloquently discussed the hazards of cyber warfare and the precariousness of the approach that the NSA and Cyber Command had taken in terms of seeking to find and exploit holes in the software of adversaries. In fact, he says the same vulnerabilities are in systems in the US. "The same router that’s deployed in the United States is deployed in China," Snowden explained. "The same software package that controls the dam floodgates in the United States is the same as in Russia. The same hospital software is there in Syria and the United States."

Some of the interview, which took place last June in Russia, possibly foreshadowed the cyber attack on Sony Pictures. Snowden said that the capabilities for cyber attacks such as the "Shamoon" malware attack in 2012 and other "wiper" attacks similar to what happened to Sony Pictures were "sort of a Fisher Price, baby’s first hack kind of a cyber campaign," capable of disruption but not really of creating long-term damage. But he said more sophisticated organizations, including nation-state actors, are "increasingly pursuing the capability to launch destructive cyber attacks as opposed to the disruptive kinds that you normally see online...and this is a pivot that is going to be very difficult for us to navigate."

[...]
