FT investigation: Is the US losing the "hacker war"? (bilingual)

Posted by cocotang on 2015-07-31

In July 2013, a hacker calling himself “Peace” uploaded a malicious string of code into computers at the US Department of Energy, the agency that oversees the American nuclear weapons programme, its power production and other vital national interests.  

Peace hit the jackpot, gaining access to a trove of confidential personal data — including the names of employees, their social security numbers and their bank account details. 

“YASSSS,” he typed in an online chatroom. “I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h.” 

Prosecutors allege “Peace” is Lauri Love, a 30-year-old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained “unlimited access” to the system and ran more than 600 queries on the DoE’s computers. The alleged hackers accessed personal information of over 104,000 current and former DoE employees by breaking in through a known — but unpatched — vulnerability in an Adobe software programme called ColdFusion. 

Mr Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the US Army and the US Missile Defense Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time — and the department’s watchdog says it could have been prevented. 

“The vulnerability exploited by the attacker was specifically identified by [US software company Adobe] in January 2013,” Gregory Friedman, the DoE’s inspector-general, concluded after investigating the hack. 

While serious, the breach at the DoE can hardly be called rare. Even as the US technology sector leads the world, the US government’s computer systems — including those of agencies that handle information crucial to national security — are woefully unprepared for the frequency and sophistication of today’s cyber attackers. 

US agencies’ vulnerabilities have been hiding in plain sight. Last week the Obama administration admitted that hackers stole the private information of about 25m individuals through two hacks at the Office of Personnel Management, the government’s human resources arm. The second breach was the largest ever cyber attack on a US government agency. The OPM’s chief resigned last Friday. 

Lawmakers see the skyrocketing number of hacks as evidence of a new cold war — one which the US is losing. Whether the attacker is a nation — China is thought to have been behind the OPM hack — or a small group like Mr Love and his associates, the enemy is often more sophisticated and more nimble than the US government. Mr Love, who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition, could not be reached for comment. 

China and Russia have become more aggressive in their cyber attacks, prompting US defence and intelligence officials to admit grudging admiration. 

“You have to kind of salute the Chinese for what they did,” said James Clapper, director of national intelligence, referring to the OPM breaches. 

An analysis by the Financial Times of dozens of reports by agency inspectors general, the Government Accountability Office and the Office of Management and Budget reveals that for years more than half of the 24 agencies required to report their cyber defences failed to take the most basic security steps. Such measures include patching software holes, using strong authentication technology and continuously monitoring systems, to help secure the data collected on employees, retired military officials and government programmes. 
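Continuous monitoring, one of the basic measures listed above, as an added example in Python that is not from the article or from any agency's tooling: a small detector that reads web-server access-log lines and flags any source that issues an unusually large number of requests within an hour, the kind of burst that a run of 600-plus queries from one client would produce. The log lines, host addresses, paths and the 500-request threshold are all constructed for the example and are not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-format line: source IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bursts(lines, threshold=500, window=timedelta(hours=1)):
    """Flag sources whose request count within any sliding `window` exceeds `threshold`.

    Returns {source_ip: peak_requests_in_window} for the flagged sources only.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within `window` of this request
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _fmt(t):
    return t.strftime("%d/%b/%Y:%H:%M:%S +0000")


def constructed_log():
    """Constructed sample traffic (not real data): light office browsing plus one external burst."""
    base = datetime(2013, 7, 9, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # three internal hosts, 20 requests each spread an hour apart: never near the threshold
    for i, ip in enumerate(["10.0.0.5", "10.0.0.8", "10.0.0.9"]):
        for k in range(20):
            t = base + timedelta(minutes=60 * k + i)
            lines.append(f'{ip} - - [{_fmt(t)}] "GET /page{k}.cfm HTTP/1.1" 200 512')
    # one external source issuing 650 requests two seconds apart (about 22 minutes)
    for k in range(650):
        t = base + timedelta(seconds=2 * k)
        lines.append(f'203.0.113.7 - - [{_fmt(t)}] "GET /admin/query.cfm?id={k} HTTP/1.1" 200 2048')
    lines.append("this line is corrupt and should be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in find_bursts(constructed_log()).items():
        print(f"ALERT {ip}: {peak} requests within one hour")
```

The sliding window is per source address, so a slow, distributed crawl would not trip it; in practice this check sits beside per-endpoint and per-account counters rather than replacing them.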

A review of thousands of documents and interviews with current and former government officials reveal the deep challenges facing government agencies. Most agency officials did not return repeated calls to discuss the reports’ findings or declined to comment. 

“One of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats,” Tony Scott, the government’s new chief information officer, told Congress this year. 

The number of successful hacks that reach highly sensitive information at government agencies has been skyrocketing. This year, hackers accessed 100,000 tax accounts after breaking into systems at the Internal Revenue Service. A hack of the US Postal Service last year exposed the sensitive information belonging to 800,000 employees. The State Department and White House said last year that their unclassified systems were breached, officials believe, by the Russian government. 

“We have to raise our level of cyber security in both the private sector and the public sector,” Michael Daniel, the White House cyber security co-ordinator, said last week. 

Under siege 

Since 2006 the number of “incidents” at federal agencies, including phishing attempts, malware attachments and unauthorised access by employees, rose 1,100 per cent to 67,168 in 2014, according to OMB. Some of that increase, officials say, reflects the better job agencies have done in detecting attacks. 

“The entire nation is now making up for 20 years of under-investment in our nation’s cyber security, in both the public and private sectors,” Andy Ozment, assistant secretary of the Department of Homeland Security, told Congress.

The Obama administration has incrementally increased IT spending for the federal government from $78.6bn in 2013 to a suggested budget of $86.3bn for 2016. For 2015, the administration initially suggested cutting the budget by about 3 per cent before it was increased. Budget wrangling with Congress and a focus on cost-cutting add to the woes.

Although more money would help, officials also note problems such as bureaucratic hurdles in hiring, a challenging procurement process and bad budgeting — tens of millions of dollars have been wasted on software upgrades that went awry. 

Tom Carper, a Democratic senator from Delaware, told the FT that two laws passed last year to give agency chief information officers more authority over their IT budgets will help make “significant strides” toward modernising cyber security. 

“But Congress cannot rest on our laurels when it comes to cyber security — we have more work to do. Congress should promptly authorise and fund the latest generation in cyber defence technology to make future intrusions across our government less likely,” he said. 

The outdated equipment often used by US agencies means that modern cyber defence techniques such as having a “zero trust” approach in which all users, applications and devices must be verified — now a common feature in software offered by companies such as VMware, Palo Alto Networks and Cisco — do not work. Encryption is also not possible on older IT infrastructure, such as the legacy networks at OPM. Its cyber security was viewed as so poor that in the week before the latest breach, its inspector-general recommended shutting down its networks and essentially rebooting. OPM declined. 

‘An intelligence bonanza’

Strong authentication is defined as requiring more than a username and password, such as a two-factor test using a login and security code or a personal identity verification card. This is now a basic procedure at many companies and is frequently used in free online services such as Gmail. Some agencies, including the State Department, Labor Department and OPM, did not implement a two-factor test, while 15 out of 24 agencies failed to have at least half of their users in compliance, the OMB said in February.
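The two-factor check the paragraph describes, as an added example in Python that is not part of the FT article or of any agency's system: a login that requires both a password and a current time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226), so that a stolen username and password alone are not enough. The user record and password are constructed; the TOTP seed is the RFC 6238 reference seed, chosen so the generated codes can be checked against the RFC's published table.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credential store (not real accounts): username -> password and TOTP seed.
# The seed is the RFC 6238 reference seed, so totp(seed, 59) must equal the RFC value 287082.
USERS = {
    "alice": {"password": "correct horse battery staple", "secret": b"12345678901234567890"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps to tolerate clock drift."""
    counter = now // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


def login(username: str, password: str, code, now=None) -> str:
    """Two-factor login: the password and a valid current TOTP code are both required."""
    if now is None:
        now = int(time.time())
    user = USERS.get(username)
    if user is None:
        return "denied"
    # constant-time comparison so password checking does not leak timing information
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return "denied"
    if code is None or not verify_totp(user["secret"], code, now):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this time is 287082
    print(login("alice", "correct horse battery staple", totp(USERS["alice"]["secret"], t), now=t))
```

The drift window of one 30-second step each way is the usual compromise between usability and replay exposure; a production verifier would also record the last accepted counter per user so a code cannot be accepted twice.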

“This statistic is significant due to the fact that major cyber incidents can often be tied to a lack of strong authentication implementation,” OMB wrote in its annual report to Congress. 

The layers of old technologies, far-flung operations and need for 24/7 connectivity present a host of security challenges, current and former officials say. “We’re trying to put a Band-aid on a carotid artery that’s been severed,” said an inspector-general auditor who identified flaws at the agency he audits. 

Many federal agencies do not even have a handle on the basics of their IT — as was illustrated by the DoE breach, where an employee deleted a data file rather than investigate the traffic produced by Mr Love’s hack. Government reviews found that many departments did not have a grasp of how many IT systems they operated. 

Even the Department of Homeland Security was found to have spotty cyber defences in some areas, especially at the Federal Emergency Management Agency, according to a December 2014 report by its inspector-general. Among other responsibilities, DHS has oversight of immigration and background checks on foreign visitors; it is also the federal agency that is supposed to help other agencies better manage their cyber risks.

US officials say China gained access to the background records of 21.5m people, their contacts overseas, their friends, their financial information and their work history in the second hack into the OPM. 

“It’s an intelligence bonanza for the Chinese. Why there isn’t more outrage tells me how far we are from fixing this problem,” says Mike Rogers, a former senator who, as chairman of the intelligence committee, was an advocate for improving cyber defences. “It would take a serious effort in each [agency] to get this right, to revamp the technology, and it takes money.” 

The US government, he says, has to be held accountable. “If you expose all of these people who have voluntarily filled out these forms and put their lives out there you have some responsibility [to protect the data],” says Mr Rogers, who was among those whose information was exposed. 

A decade behind 

Six months before Peace’s alleged hack, a unit within the DoE identified weaknesses in the compromised software. But the agency put off spending $4,200 to buy the new version, the inspector-general found. The IG calculated the breach cost at least $3.7m in credit monitoring and lost productivity. 

Some agencies do not have clear lines on who is responsible for their IT, often meaning no one takes charge. And if improving cyber security interferes with the main job of an agency, those fixes often get put on the backburner.

The risks and frustration with the lack of response to repeated warnings about security flaws led Steven Linick, inspector-general for the State Department, which in addition to diplomatic relations has reams of data on visas and passports, to ask Congress for a proprietary network. “I would like to be completely separate from the department to ensure the integrity of our system,” Mr Linick said this year. 

Robert Brese, who was in charge of DoE’s IT system at the time of the “Peace” hacks, bemoans the fact that the US government’s technology lags behind that of the private sector. 

“The government in many places is still several years to a decade behind the best and brightest in the private sector on legacy modernisation and the building of secure, resilient systems,” says Mr Brese, who left the agency in 2014. “I don’t mean the Googles and Amazons, but longstanding companies like Ford.” 
