Obama: US government has largest capacity to hack

President Obama said at a press conference following the G-20 summit in China that the United States’s offensive cyber “capacities” are greater than those of any other nation.

“[W]e are moving into a new area where a number of countries have significant capacities. And frankly we have more capacity than any other country, both offensively and defensively,” he said Monday.

Obama called for nations to prevent a “cycle of escalation” seen in other forms of conflict by agreeing upfront to norms of acceptable use of digital weaponry. 

The State Department has advocated for governments to agree on a few simple rules, including no attacks on critical infrastructure and no state-sponsored theft of intellectual property. 

A bilateral agreement with China to curb IP theft appears to have drastically reduced the number of state-planned attacks out of Beijing.

Obama’s claim is a tough one to verify, and not only because of the secrecy behind the U.S. cyber armament. There is no single accepted measure of which nation has the most “capacity” to hack other states, because there is no agreement on which techniques would count toward that measure.

A recent Columbia University project to estimate the U.S. stockpiles of “zero days” — unpatched security flaws in hardware and software that would allow a hacker to breach a network — determined that the country kept far fewer on hand than many thought, despite being known for its research and acquisition budget. 

By executive order, U.S. agencies are required to justify keeping any zero day to a White House review board. Agencies must inform companies of other security vulnerabilities to allow them to be patched.

With little openness around the world, it is unclear how any estimate compares to other nations. 

Making matters even muddier, zero days are not the only form of attack. Most hacking does not rely on them.  

Other attacks include tricking users into giving up login credentials, using extreme amounts of online traffic to crash networks, monitoring unsecured communications like email, and simply exploiting well-worn vulnerabilities a target never got around to patching.