Sunday, August 10, 2008

Georgian Web Sites Under Attack

http://voices.washingtonpost.com/securityfix/2008/08/georgian_web_sites_under_attac.html?nav=rss_blog
by: Brian Krebs

As Russian bombs rained down on towns in separatist towns of the former Soviet republic of Georgia, hackers mounted a digital assault on the nation's top Web properties this week, knocking government Web sites offline and defacing others.

According to reports from security experts who have been monitoring the ongoing cyber attacks, the Web site for the office of Georgia Foreign Affairs (mfa.gov.ge) was hacked, and its homepage was replaced with images depicting Georgia's president as a Nazi. That site is currently offline.

Other Georgian Web properties, such as the Caucasus Network Tbilisi -- key Georgian commercial Internet servers -- remain under sustained attack from thousands of compromised PCs aimed at flooding the sites with so much junk Web traffic that they can no longer accommodate legitimate visitors.

Security Blogger Jart Armin has been tracking the attacks by conducting Internet traces and lookups at key Georgian Web properties.

The apparently coordinated cyber attacks are reminiscent of recent cyber wars waged against other former Soviet republics that have attracted the ire of the Russian government for various political reasons. Last month, a similar assault targeted important Lithuanian government Web sites. In April 2007, the ultra-wired country suffered major disruptions in much of its information infrastructure, thanks largely to Russian hackers who were upset over the removal of a Soviet World War II memorial from the center of Tallinn, the capital of Estonia.

Chertoff: I'm Listening to the Internet (Not in a Bad Way)

By Ryan Singel August 06, 2008 8:28:51 PM
http://blog.wired.com/27bstroke6/2008/08/chertoff.html

Homeland Security chief Michael Chertoff sat down with Threat Level on Monday in Silicon Valley to talk about laptop searches at the border, the government's new-found interest in computer security, and the continuing saga of overeager terrorist watch lists.

Among the revelations: It seems blog comments inspired him to propose a laptop-tracking application for those who had their computers seized at the border. He also explained why watch-list mismatches are the airlines' fault, and why the government is too secret.

Wired.com: There have been quite a few security czars over the years, but sometime last year, cybersecurity became important. What changed?

Homeland Security Secretary Michael Chertoff: I'm going to give credit to Mike McConnell, the director of national intelligence. When I came on board and we looked at the entire department three-and-a-half years ago, one of the issues we saw was that we didn't have a very mature cybersecurity program. We have US-CERT, which does good work, but we didn't have a program much beyond that.

Frankly, it was hard to get people to explain what they thought our value-add to the program would be. It's not like we are inventing software or firewalls or are competing with McAfee or companies like that.

We could talk about creating a forum where the cyber community could come together and share information, but that seemed like pretty weak tea.

But last year, Mike McConnell and I sat down … and really began talking through what do we do to deal with this issue -- the problem is getting greater.

We have had intrusions. We have had the theft of information over the internet. We are concerned about denial-of-service attacks. We saw the attacks in Estonia.
The sense was we couldn't not deal with the problem because it was hard.

And as I became better acquainted with some of the tools other parts of the government use in terms of capabilities for cybersecurity, that we have used for [the Department of Defense and] for the intelligence community, for example, I was persuaded -- it didn't take a lot of persuasion -- that there ought to be a way to translate this into civilian domains.

And there are two parts to this. One, we have to protect our own civilian assets -- meaning the dot-gov assets.

And there what is involved is getting a hold on the number of access points between .gov domains and the internet, and finding a way to progress from our current Einstein model [DHS's Intrusion Detection Software], which is the passive detection-after-the-fact model, into a real-time detection tool and possibly even a defensive capability with respect to our networks connecting to the internet.

And just getting a handle on that would be a huge benefit in terms of protecting our assets against espionage and also against the possibility of an attack.

The larger challenge -- and frankly one that is further out -- is to find a way to partner with the private sector to enable and encourage them with some of the capabilities that we have to increase their defensive capacities, but on a voluntary basis, meaning not making them do it or regulating them into doing it. But instead offering them the opportunity -- much the same in the non-cyber-world, we go to people who run power plants and dams and we share information and best practices that they can use to defend their own assets.

Wired.com: When you hear talk of cyberwar, people start talking about power plants going down and you get cascading problems. Do we need legislation to give DHS the power to regulate those who run critical infrastructure?

Chertoff: I'd be hesitant to go there with private sector. With the Federal Aviation Administration or other government agencies, I think it is different. I think with the private sector the model is the cooperative model. They have a very strong interest in protecting their assets. But they also have to make a choice about how much they want to partner with the government.

The one thing we don't want to do, because the culture of the internet is opposed to anything that smacks of government clumsy heavy-handedness, is that we don't want to be sitting on the internet, like certain other countries do, where people suspect we are limiting what people can see. We don't want to force people to do what they don't want to do. We don't want them to think we are intruding into their private space.

There is an interdependence on the internet that puts a premium on being a responsible citizen. If you fail to protect your own assets, it doesn't just affect your assets, it affects the assets of everyone linked up to you. So pretty soon, someone who doesn't do a responsible job is going to find themselves ostracized.

The business community is pretty good at understanding that, when they have a threat, and there is capability to defend against the threats, if you don't exhaust every reasonable means, pretty soon you will end up being sued and you will be in bankruptcy court. They have a natural incentive to protect their assets.

Wired.com: What is your threat model? Is the threat level that high?

Chertoff: There are nation states and non-nation states that have the ability to penetrate and filch information and there are certainly other countries in that area as sophisticated as we are -- or close to it -- so naturally you worry about that.

I think you worry about intrusions that steal valuable intellectual property, and you worry to an even greater degree about corruption or disruption of processes.

By corruption, I mean someone enters the financial sector and you begin to corrupt how the system works and it becomes unreliable, people begin to find out they have lost money from their bank account.

The reliability of the system becomes compromised.

There is no question in terms of espionage: It has already materialized. There is a huge amount of penetration of certain government systems that we have had to contend with. Now we are able to defend against a lot of this, but some of it has not been defended against and some of this is out in public.

We had the Estonian experience in terms of an attack actually on a system.

If we wait till someone tries this the first time, it's going to be a really unhappy circumstance.

Just ask [Treasury Secretary] Hank Paulson. If someone takes out a bank, and all of a sudden you don't know any more if your money is safe, that imperils the entire banking system.

There are some people who believe the current generation of terrorists wants a big visible bang. But you know, the next generation may not want a big visible bang. They might take a quiet satisfaction in watching the entire financial system shutter.

Wired.com: Could we talk about laptops and the borders? (ed. note: The government reserves the right to look through any laptop or electronic device crossing the border, saying it is no different from any other luggage. DHS published the official policy on its website just weeks ago.)

Chertoff: This is something that has been done since there were laptops ... It is not a new program. It is a program that affects only a small number of people. And contrary to what the ACLU says, it is constitutional, because the courts say it is constitutional, including the 9th Circuit most recently.


The only thing that happened recently is that I ordered the policy to be put online in the interests of openness and transparency. We get about 80 million people a year coming to our airports, and a very small number are put into secondary inspection and that's based on some suspicion that the inspector has about the person.

It is that pool of people in secondary that have their things gone through, they can have their luggage and documents gone through. And nowadays because you can bring contraband through on a laptop, they can have their laptop looked at.

You are looking for material that is contraband itself, such as child pornography or information about how to set up remote control IEDs. Or if they are non-Americans, you are looking for information on the laptop about why they should not be admitted.

In many cases, we open the laptop and look at it right there. There are some cases where it is encrypted or it is difficult to assess, we may hold on to laptop for purpose of having someone more expert look at it.

If it turns out there's nothing there of criminal nature or significant in terms of national security or admission to the country, we return the laptop and expunge the information and it evaporates.

If it turns out there is significant information, we may return the laptop and keep the info, or if the laptop is itself evidence of a crime, then once we have PC [probable cause] determination we keep it.

One thing I am thinking of doing is creating a better tracking system so if we do take a laptop off the premises, we find a way to let them track it and after a certain number of days they can inquire about when it is going to be returned or what the situation is.

Wired.com: Wouldn't it allay the suspicions of the business community if you had a policy that says we only search through laptops if we have a good reason to do so?

Chertoff: That's exactly why I put it up on the internet. It is on the web to say, 'We only do it when we put you into secondary and we only put you into secondary when there is a suspicion, when there is a reason to suspect something.'

We were trying to say we don't take everyone's laptop and suck it up into a giant vacuum cleaner.

There is some basis for suspicion the inspectors use, and they are the same they have used for decades.


We posted [about the policy] on the Leadership blog and we got a lot of comments. So I said, 'Let's look at all the comments and if there is something we can clarify in the policy because there is a persistent issue, we will do it.'

I am willing to treat this as a bit of an experiment in interactive policy-making. For example, it seemed to bother people, from what I was told, when a laptop is taken elsewhere. So that's where I came up with idea of finding a way to assure people they won't lose their laptop. We are going to track it and make sure we can account for when it is and when they will get it back. So I am willing to do this back and forth in interactive way.

Wired.com: Since people could simply store things on servers or use Gmail, doesn't the program just get at low-hanging fruit?

Chertoff: I'm going to tell you a story from real life. When I was a prosecutor we had had wiretaps for criminal cases for years -- it was a well-known thing. But time and again I would hear the following on a wiretap: "I hope no one is listening in because if they are we are going to jail."

The truth is it is very hard to perfectly avoid being captured if you are doing something wrong simply by saying, 'I'm not going to put it on my laptop. I will put it somewhere else.' They are going to have to be worrying that the other place they are keeping it, the cloud, is being penetrated.

Now is it impossible? No, a perfect terrorist could find a way to circumvent this. But if I can reduce the risk by getting rid of 99 percent, I am way ahead of the game.

Wired.com: If you have an encrypted laptop and you are an American citizen and you come back to the border and you get pulled aside for secondary, they want to look through the laptop and you don't want to give the password, what happens?

Chertoff: That's being litigated. I think our view is that you can be required to open it up, in much the same way, that if you have a briefcase and it is locked and you don't want to open the lock. And the hunch is that's a circumstance where the laptop might be seized and taken elsewhere to be decrypted. [In response to a follow-up e-mail, spokesman Russ Knocke clarified.

"Constitutionally, U.S. citizens are permitted entry into the country. However, if they are carrying contraband such as illegal narcotics, they may be taken into custody. In the hypothetical circumstance that a U.S. citizen is entering the country with an encrypted laptop, and that individual is even referred to secondary in the first place, and then that individual refuses to cooperate by providing a password (again, even if we were to get this point), then the laptop could be seized and de-encrypted."]

Wired.com: Almost seven years after 9/11, there are still reports of problems with the government's watch lists. Most recently, Jim Robinson, a former assistant attorney general, says he is stuck on the list.

Chertoff: In the airport environments, supposing there is a terrorist Jim Smith and that person should be on the watch list, the question is how do you distinguish them from the other Jim Smiths and the answer is you need an additional bit of data, such as a birthday.

That would override or eliminate most false positives. In order to allow people to do this, [beginning] about two or three months ago, people who are selectees can give their frequent flier number or birthday, the airline can enter it in system and they can enter that at the kiosk or at home and they can get their boarding pass and it won't be an issue.

One airline has done that very well. There are some airlines that have not done that. They don't want to reconfigure their software, it's not an issue of customer service they care about, and if there are false positives they can blame the government.

We would like to reconfigure in the next year ... so we do the checking. Some of the airlines don't want to do that because they would have to reconfigure their software.

So that's why there was a discussion recently about whether we should fine airlines that don't correct this problem. There is a system for correcting this and which is adding another data point, but the people running the system have to be willing to reconfigure the system. If they don't care, then the problem is going to continue.

Wired.com: But there is no mechanism for me to say I'm not doing what you think I am doing?

Chertoff: There is a redress program. The easiest thing to resolve is that you are not the person we are worried about. The hardest thing to resolve is that you are worried about me, but you shouldn't be -- because, to be honest, there are people who are dangerous who lie about being dangerous.


And if you tell why you have them on list, they will reconfigure or readjust their behavior to not leave the traces that are a problem.

There may be people for whom it is inconvenient to be patted down or asked a few questions. The downside is that if we don't do that except if we have proof someone is an actual terrorist, you are going to have a Mohammed Atta getting on an airplane or crossing the border and that's going to raise the risk.

Wired.com: At what point do stops by law enforcement and four-hour holdups at the airport become a punishment that you can actually protest?

Chertoff: Particularly with respect to Americans, the number of people that are on the list that are not false positives are not that large a number. And if they do raise an issue, we will take a look at what the basis is. And sometimes we will make adjustments.

But if you are asking if we would do a court process where we litigate it, I mean, that effectively would shut it down.

And then I guarantee what would happen is this: If you stopped using the watch list and basically anybody could get on a plane without knowing their identity, sooner or later something would happen -- and people would lose their lives, and then there would be another 9/11 Commission and we'd hear about how you had this system and you would have kept them off and these people lost their loved ones on a plane.

I don't know if they do it anymore, but when I was a kid we all had polio shots, and after a while, you just don't know anyone with polio. And the question was raised was, why are we taking these shots? There's not that much polio around. And one of the reasons there's not that much polio around is that everyone is getting inoculated.

Wired.com: You are talking about sharing information and this being an open process, but so much of the Comprehensive National Cybersecurity Initiative is secret. Homeland Security Presidential Directive 23 -- which authorized the program -- there's still not an unclassified version of it. You can talk about Einstein, but there are other things you can't talk about. There's reportedly $20 billion in the classified intelligence budget for cyber-security. From the outside, it's hard to know what's going on. With that much secrecy, it sounds like security through obscurity.

Chertoff: I think secrecy is one of the hard issues. That's because the culture of the internet is an open culture and I would like to see us be as open as possible. It's obvious that some things can't be open because they compromise things that, if known to others, would diminish our ability to do certain things, whether that be acquire information or take certain steps. We will have to figure out how to be open to the extent we can while recognizing you live in a world where openness can be a problem too.

It is my fervent hope that more and more of the strategy will be public and only things that really have to be kept secret will be kept secret. But once something is out it is out -- so there is hesitancy and deliberativeness about making things public. But in this case we tried to make public early we were thinking about this.

Wired.com: How do people know this isn't a program about sitting on the internet and monitoring everything?

Chertoff: That's why I think the easy part is the government piece, because clearly with government domains, you have a right to protect your own domain. And that's why I emphasize the voluntariness. I think the key to the approach is one where the government offers to work with the private sector. But it has to be consent-based. If you don't want any part of it, then you can walk away.

Beckstrom on cybersecurity

By William Jackson
http://www.gcn.com/online/vol1_no1/46849-1.html

LAS VEGAS — Cybersecurity is hampered by a lack of understanding about the physics and economics of the networks we are trying to defend, Rod Beckstrom, director of the Homeland Security Department's National Cyber Security Center, said Thursday at the Black Hat Briefings.

Risk management is a process of balancing security efforts against an acceptable level of risk because absolute security is not possible. But Beckstrom, speaking at the Black Hat Briefings yesterday, said we have no method for valuing our networks or measuring the effectiveness of our security.

"Without the economics, we don't have a risk-management function in terms of our investment," Beckstrom added.

Beckstrom, who has been on the job about four months, did not go into detail about his office's plans, although he said the goal is to build bridges between the military, intelligence and civilian communities in government.

"We're a brand-new government initiative, and we are working on our initial plan," he said. "My job is to help foster cooperation and information-sharing between those three communities."

Information sharing is a common refrain in his comments. His mantra is "all of us are smarter than any of us."

To balance cost and returns in risk management, the amount of money spent on security should not exceed the cost of the losses being prevented. Initial investments in IT security typically bring a high rate of return by sharply reducing losses. But finding the point of diminishing returns is difficult without a good economic model.

"We need to do a lot more work in that area," he said. "We may want to invest in protocols because it might be the best investment we can make."

Fixing flaws in the protocols that underlie our networks would give us the biggest bang for the buck in the federal government's security spending, Beckstrom said. Such fixes are relatively cheap and have a wide impact, although they are not necessarily simple to implement, as the current effort to patch the Domain Name System shows. But in times of emergency, keeping network operations functioning is critical to any response.

Collaborative Process Guides Military’s Cyber-electronic Future

http://www.defenselink.mil/news/newsarticle.aspx?id=50714
By Tim Kilbride
Special to American Forces Press Service

WASHINGTON, Aug. 6, 2008 – Faced with a rapidly evolving and borderless technological landscape, the U.S. military is reaching out to government, academia and industry for help in developing capabilities for protecting the nation’s cyber infrastructure, an Army electronic warfare expert said yesterday.

Col. Wayne A. Parks outlined for military bloggers the broad effort under way to keep up with technological change and the resultant emerging threats to the United States’ defense.

Parks is Electronic Warfare Proponent director of computer network operations and Training and Doctrine Command capabilities manager for at the Combined Arms Center, Fort Leavenworth, Kan.

The challenge is immense, Parks said, and research partnerships have been critical in framing the mission.

“Our understanding of the science of cyber-electronics is relatively immature at this point,” Parks said. “It includes the study of both the physical and the virtual.”

Part of the task is to ensure that the Army works through these concepts carefully and defines them in a way that doesn't limit intellectual exploration of potential and emerging concepts or capabilities, he said.

In that exploration, the Army must balance evolving how the military thinks about cyber-electronics with continuing to develop capabilities for the operational front, he added.

“There's been some tremendous things going on, especially in [Iraq and Afghanistan], where electronic warfare has helped in the operations and in limiting and reducing … the deaths in theater,” he said.

Operational requirements in Iraq and Afghanistan, especially the need to defeat roadside bombs, spurred the Army to speed development of near-term solutions, Parks explained.

Simultaneous research and development has continued on mid- to long-term electronic warfare capabilities, he said, with the goal of keeping pace on both the tactical and strategic levels.

“Cyber-electronics could include or have distinct relationships between things that we call network operations, network warfare, computer network operations, space superiority, electronic warfare and the electromagnetic spectrum operations,” Parks said. “Each represents a different slice of the cyber-electronic continuum within which different capabilities must exist.”

At the strategic level, the Army’s two main responsibilities are maintaining its internal capabilities and networks to be able to deploy around the world and defending the United States’ borders and inside its borders, Parks explained.

But cyberspace has no distinct, physical borders, Parks said. “There is no nation-state border where we're talking now,” he explained.

“There are nation-state sponsors, and we have to look at it in terms of nation-state sponsors, as well as those who are not nation-state sponsors -- I might call them cyber-state sponsors -- who are really developing on their own out there.”

The military is working with interagency partners to officially define its way ahead with regard to defending areas of the financial, travel and related industries that operate across nation-state and cyber-state boundaries, Parks said. The same collaborative approach applies to fielding technologies, he said, and the Army has developed the mind set of “go work with your sister services as they get things approved.”

One potential technology is what Parks described as “self-healing networks,” virtual worlds wherein the system can isolate a weak point and regenerate or repair itself without human intervention. These types of networks could stand up to cyber attacks, he said.

(Tim Kilbride works in the New Media directorate of the Defense Media Activity.)

DHS stays mum on new 'Cyber Security' center

CNet News had a good article a couple of days back on DHS' new National Cyber Security Center that I've pasted below.

Though the article focuses on just a few aspects of the NCSC (its security classification, privacy and budget), the links to the memo from Senators Lieberman and Collins and the response from Michael Chertoff are worth reading. Both provide a considerable amount of recent history and behind the scenes work on the DHS' cyber security initiatives.

I'd be interested to know what others thought about the story and the memos. What has struck me when reading these documents is the continuing struggle to balance individual privacy, societal security, private/public partnership and security classification. The National Strategy to Secure Cyberspace, released in 2003, outlines the issues fairly well, but never settles any of the debates other than noting that yes, it is a balancing act which must be conducted by public and private entities in partnership.

I noticed in Mr Chertoff's response that he slips in a gentle reminder to the Senators that the government does not have much power currently to force the private sector to follow government security guidelines. Here is the quote from page 6 of the memo:

"The Federal Government can provide incentives and in some cases exert regulatory authority to compel the private sector to act."


===============
Posted by
Stephanie Condon
http://news.cnet.com/8301-13578_3-10004266-38.htm

The Bush administration's newly created National Cyber Security Center remains shrouded in secrecy, with officials refusing to release information about its budget, what contractors will run it, and how its mission relates to Internet surveillance.

In correspondence with the U.S. Senate posted on Thursday, the Bush administration said it would not provide that information publicly. An 18-page, partially redacted letter from DHS said that disclosure could affect "the conduct of federal programs, or other programs or operations essential to the interests of our nation."

The censored letter--a nonredacted, "For Official Use Only" version was provided to senators--came in response to queries from the top Democratic and Republican members of the Senate's Homeland Security committee.

Sen. Susan Collins, a Maine Republican, indicated that the nonredacted version satisfied her, at least for now. "Increased information sharing will benefit the department, Congress and the public, as well as the private-sector, which controls the vast majority of the nation's cyber infrastructure," Collins said in e-mail to CNET News. "It is my hope that the release of this information will assist in improving security in both the public and private sectors."

Sen. Joe Lieberman, an independent from Connecticut who caucuses with Democrats, did not respond to our queries on Thursday.

In March, DHS announced that Rod Beckström, 47, would be appointed as director of the National Cyber Security Center. Secretary Michael Chertoff said at the time that Beckström would "implement cyber security strategies in a cohesive way" and contribute to the "protection of federal networks and the security of our homeland."

Oddly, DHS seemed to change its mind about whether even the mere existence of the National Cyber Security Center was classified or not.

"On March 20th, you announced that Rod Beckstrom would be the director of the new National Cyber Security Center within DHS," Lieberman and Collins said in a letter (PDF) to DHS in May. "Prior to this announcement, committee staff had been instructed that the existence of the NCSC was itself classified."

Their letter to DHS in May asked for a detailed account of the department's role in the Comprehensive National Cyber Security Initiative, noting a lack of information from the department, in spite of the fact that the administration had claimed that cybersecurity was one of Chertoff's "top four priorities for '08."

The DHS has requested an additional $83 million for National Cyber Security Center for fiscal year 2009 (which begins in October 2009); including the $115 million awarded for the initiative in 2008, that would increase its budget by $200 million, tripling the amount the DHS has spent on cyber security since 2007.


The department's new National Cyber Security Center is taking the lead on the CNCI, a "multi-agency, multi-year plan to secure the federal government's cyber networks" that was established in January by a directive signed by President Bush. In the letter made public on Thursday, DHS described the center as a way to "coordinate and integrate information necessary to help secure U.S. cyber networks and systems and help foster collaboration among federal cyber groups," and serve as a "single location for all-source situational awareness about cyber activity and security status of the U.S. networks and systems."

Though just made public Thursday, the letter was initially sent to the senators on June 2. The subsequent redacted version eliminated the department's response to questions such as: "Why was the determination made that the contract will be for a 10-month period?" and "How will the DHS provide appropriate oversight to ensure that the contractors support efforts do not intrude on inherently governmental functions?"

One question left unanswered is how the National Cyber Security Center will interact with DHS's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. (Not much about Einstein is public, but a privacy impact assessment offers some details.)

A Homeland Security spokeswoman told us in April that the primary focus of Einstein at the time was protecting federal-government networks--not monitoring the privately operated Internet, a move that would raise unique legal, technical, and privacy challenges.

The DHS letter refused to divulge any information about Einstein. It said: "Technological upgrades and planning activities are classified. DHS will be happy to provide the committee with a briefing in the appropriate (classified) setting."

CNET News' Declan McCullagh contributed to this report.

'Casual Games' to School Airmen on Cyber Threats

I think the cyber community's use of simulations for training is in its infancy. Pilots, tank drivers/operators, air traffic controllers, etc., are using simulations extensively to train. I don't think we can say the same for our cyber operators. Yes, there are some simulations available, but I can't even begin to count how many network/computer outages I've seen that are caused by folks who are doing on-the-job training since no widely available simulation environment exists.

The issue I have with the AF solicitation reported by Wired.com is that good money is being wasted on developing this "training game" to teach troops not to click on things they should not be clicking on.

If you read the original news story that prompted this solicitation, only 0.16% (409 people) in the ad-hoc experiment clicked on the offending banner. To me that seems like an incredibly small percentage. The experiment was not demographically contained, meaning these were not necessarily military personnel.

I'd be more interested to know how many military personnel clicked on the ad before spending military dollars to address this issue. Are we spending good money to develop training solutions to fix stupidity?

I'm not saying that there isn't value in trying to find innovative ways to teach our young (and old) troops, but the justification for this project is on shaky grounds. Funding innovative network/cyber simulators may be a better use of our limited resources.



==================
By Noah Shachtman July 31, 2008 10:33:00 AM
http://blog.wired.com/defense/2008/07/airmen-will-cli.html

The Air Force is sick of getting pwn3d. So the service wants to develop a little game or two, to teach its airmen not to click on every on-line come-on -- and infect their networks, in the process.

"The fact that 409 people clicked on an ad that offered infection for those with virus-free personal computers proves people will click on just about anything," the Air Force complains. "Yet computer users are still individually held responsible for the operational security of their systems." And cyber security training just doesn't grab the average airman.

So the service wants "to use casual gaming technology to promote warfighter knowledge and awareness of cyber threats and malicious exploits." A request for research proposals notes, "Retention of critical information concerning frequently used exploits (phishing, viruses, worms, spyware, key loggers, etc.), information assurance tools (patches, digital signatures, Common Access Cards, boundary management, firewalls, password protector), and how they affect computers and networks is more likely to occur if the user is engaged."

"Casual games can be very effective in engaging the learner, imparting important information in a timely manner, and aiding in retention of information," the request adds. "The simplicity of micro games gives the user the ability to focus on content, rather than learning the intricacies of the game."

Some sage observers see cyberwar as akin to the ancient game of Go. The Air Force wants something a little more like Jewel Quest. To grab its airmen, the service thinks these new games should last anywhere from five to 20 minutes, include "appealing music and stimulating graphics," and be able to run on everything from PCs to cell phones. "Innovative and creative approaches to addressing technical goals are invited."

OPEC 2.0

Intriguing Op-ed in today's New York Times by Tim Wu, co-author of Who Controls the Internet?

==========
July 30, 2008
Op-Ed Contributor

By TIM WU

http://www.nytimes.com/2008/07/30/opinion/30wu.html?_r=1&ref=opinion&oref=slogin

AMERICANS today spend almost as much on bandwidth — the capacity to move information — as we do on energy. A family of four likely spends several hundred dollars a month on cellphones, cable television and Internet connections, which is about what we spend on gas and heating oil.

Just as the industrial revolution depended on oil and other energy sources, the information revolution is fueled by bandwidth. If we aren't careful, we're going to repeat the history of the oil industry by creating a bandwidth cartel.

Like energy, bandwidth is an essential economic input. You can't run an engine without gas, or a cellphone without bandwidth. Both are also resources controlled by a tight group of producers, whether oil companies and Middle Eastern nations or communications companies like AT&T, Comcast and Vodafone. That's why, as with energy, we need to develop alternative sources of bandwidth.

Wired connections to the home — cable and telephone lines — are the major way that Americans move information. In the United States and in most of the world, a monopoly or duopoly controls the pipes that supply homes with information. These companies, primarily phone and cable companies, have a natural interest in controlling supply to maintain price levels and extract maximum profit from their investments — similar to how OPEC sets production quotas to guarantee high prices.

But just as with oil, there are alternatives. Amsterdam and some cities in Utah have deployed their own fiber to carry bandwidth as a public utility. A future possibility is to buy your own fiber, the way you might buy a solar panel for your home.

Encouraging competition is another path, though not an easy one: most of the much-hyped competitors from earlier this decade, like businesses that would provide broadband Internet over power lines, are dead or moribund. But alternatives are important. Relying on monopoly producers for the transmission of information is a dangerous path.

After physical wires, the other major way to move information is through the airwaves, a natural resource with enormous potential. But that potential is untapped because of a false scarcity created by bad government policy.

Our current approach is a command and control system dating from the 1920s. The federal government dictates exactly what licensees of the airwaves may do with their part of the spectrum. These Soviet-style rules create waste that is worthy of Brezhnev.

Many "owners" of spectrum either hardly use the stuff or use it in highly inefficient ways. At any given moment, more than 90 percent of the nation's airwaves are empty.

The solution is to relax the overregulation of the airwaves and allow use of the wasted spaces. Anyone, so long as he or she complies with a few basic rules to avoid interference, could try to build a better Wi-Fi and become a broadband billionaire. These wireless entrepreneurs could one day liberate us from wires, cables and rising prices.

Such technologies would not work perfectly right away, but over time clever entrepreneurs would find a way, if we gave them the chance. The Federal Communications Commission promised this kind of reform nearly a decade ago, but it continues to drag its heels.

In an information economy, the supply and price of bandwidth matters, in the way that oil prices matter: not just for gas stations, but for the whole economy.

And that's why there is a pressing need to explore all alternative supplies of bandwidth before it is too late. Americans are as addicted to bandwidth as they are to oil. The first step is facing the problem.

Tim Wu is a professor at Columbia Law School and the co-author of "Who Controls the Internet?"

Big bucks for cyber security


Foreign Policy magazine commented in their blog today on Walter Pincus' story in Washington Post regarding cyber security funding. CSIS's James Lewis notes the perennial issue surrounding cyber security...who exactly is in charge.



================
by: Alex Ely
Mon, 07/21/2008 - 4:31pm

Walter Pincus reports today on a surprisingly large allocation of U.S. federal funds for cyber security:


"A highly classified, multiyear, multibillion-dollar project, CNCI -- or "Cyber Initiative" -- is designed to develop a plan to secure government computer systems against foreign and domestic intruders and prepare for future threats. Any initial plan can later be expanded to cover sensitive civilian systems to protect financial, commercial and other vital infrastructure data."

The cyber security issue is a tricky one. For lack of a better option, the job of protecting government computer systems has fallen to the Department of Homeland Security (DHS), although the Air Force is an active player. The Navy and the Army also have their own programs.

I called James Lewis, an expert at the Center for Strategic and International Studies, to get some insight. He told me that the White House was becoming concerned because "DHS hasn't really done anything" on the issue of cyber security. "Some of it's internal squabbling," he says, "but they just can't seem to get their act together. You hear [Defense Secretary Robert] Gates and [Director of National Intelligence Mike] McConnell talking about it, but you never hear anything from [DHS Secretary Michael] Chertoff."

So far, CNCI has been criticized for being too secretive, though the initiative is a step forward overall. In fact, it's good news that someone is finally starting to take this seriously. Both presidential candidates have expressed a commitment to improving cyber security. Senator Obama has said he will appoint a "national cyber advisor" and will make the issue "the top priority that it should be in the 21st century." Senator McCain has pointed to a need to "invest far more in the federal task of cyber security" in order to protect strategic interests at home.

Knowing just who is supposed to be in charge of cyber security would be a good start. As Lewis points out, "It's not something you can do on an ad hoc basis like we've been doing for the past several years," adding, "We need to be better organized and better at assigning responsibilities."

Symposium gets to core of Air Force's role in cyberspace

http://www.af.mil/news/story.asp?id=123107290

by Scott Knuteson
Air University Public Affairs

7/18/2008 - MAXWELL AIR FORCE BASE, Ala. (AFPN) -- In an effort to bring together minds and ideas from across the cyberspace community, Air University officials hosted a week-long cyberspace symposium here recently. Some 250 professional civilian and military information experts gathered to discuss the implications of cyberspace, especially with regard to the Air Force and national defense.

Officials from the United States Strategic Command, 8th Air Force and the provisional Air Force Cyber Command helped host the symposium.

"Airmen must implement their warfighting traditions in the cyberspace domain," said Dr. Rebecca Grant, founder and president of IRIS Independent Research. "I think we need the Air Force to truly embrace and understand this and excel in cyberspace, as they have in the domain of air and space.

"If there was ever a domain that needed an 'air-minded' look, [cyberspace] is it," she said, after comparing the current development in the cyber realm to that of Brig. Gen. William "Billy" Mitchell's approach to airpower.

Trust is the foundation for a working cyberspace realm, said Lt. Gen. Robert Elder, commander of 8th Air Force and joint functional component commander for global strike and integration at U.S. Strategic Command.

"How do you put the trust relationship back in?" he asked. "It's not by establishing a hierarchical organization. It's by establishing a body of law [which mandates conformance as a prerequisite to connection]. Defense of a network requires everyone's involvement."

During his remarks, General Elder focused on defining cyberspace and discussed how cyberspace relates to national security operations and the Air Force.

And, he noted, adaptation cannot come too quickly in the protection of such an amorphous domain.

"We are not changing fast enough," he said. "This is a national problem, not just a military one. You have to approach [cyberspace] from a network standpoint."

Currently, 8th Air Force serves as the air component headquarters to U.S. Strategic Command for cyberspace operations, among other things, and personnel in the command are responsible for the security and defense of the Air Force's global computer enterprise network.

"Every military service provides cyber forces," General Elder said. "We're trying to provide forces that can provide support for joint cyber warfare operations."

He correlated cyberspace adaptation with airpower, and noted that this relatively new domain is unlike any other. But, the general said, it must be defended.

"We have a physical, logical, wireless and social network to defend," he said. "The bottom line is that there is an attack vector that goes against each facet. We have to protect each one."

Air Force officials have taken on a role in cyberspace protection and plans are underway to select the host base for the newly formed, provisional Air Force Cyber Command. In a memo to attendees, General Elder said the symposium, "will allow discussion on the vital topic of the Air Force's role in protecting the cyberspace domain."

Following midday working group sessions, conferees heard remarks from Dr. Grant. She focused on policy decisions and the philosophical nature of cyberspace as a "domain," in contrast to the traditional "domains" of air, land, and sea.

"I think it's really exciting that we're able to watch a new domain emerge," she said, comparing cyberspace to the emergence of air as a domain for technology propagated by the Wright Brothers and airpower icons such as General Mitchell.

Dr. Grant compared the relatively new domain to ancient Socratic thought and the dilemma of what is real and what is not.

"Cyberspace is not land, the sea, or the air. It is, in large part, a cognitive domain," Dr. Grant said. "That is partly why it gives us trouble as we think of policies for how we will act in this domain."

Dr. Grant also approached the issue of nation-state sovereignty in a domain which knows no bounds.

"Our objective is to safeguard the commons," she said. "But where are the new sovereign boundaries? If it's not a geographic line, is it somewhere in that technical transport structure that creates the Internet?"

Conferees were treated to briefings such as these, which addressed a broad range of cyberspace topics. They were also able to choose from three focused learning tracks which were "Cyberspace Doctrine and Concepts of Operations," "Cyberspace Policy and Law" and "USAF Cyber: Supporting National Security."

"It is fitting that we have this symposium at Maxwell," Lt. Gen. Allen Peck, Air University commander, said during his remarks. "This is the intellectual and leadership center of our Air Force. Seventy years ago, the Air Corps Tactical School moved to Maxwell Field, and was instrumental in developing our understanding of the potential for exploiting the air domain for warfighters. Today we are exploring another relatively new domain and the implications it has for the Air Force and our nation."

U.S. Fears Threat of Cyberspying at Olympics

It's timely that we are having a discussion about China and their threats of cyberwarfare. The piece below from the Wall Street Journal talks about the cyber espionage threats folks will be facing in China.



==================
By SIOBHAN GORMAN
July 17, 2008; Page A6

WASHINGTON -- A debate is brewing in the U.S. government over whether to publicly warn businesspeople and other travelers heading to the Beijing Olympics about the dangers posed by Chinese computer hackers.

According to government officials and security consultants, U.S. intelligence agencies are worried about the potential threat to U.S. laptops and cellphones. But others, including the State and Commerce departments and some companies, are trying to quiet the issue for fear of offending the Chinese, these people say.

Barack Obama became the first major presidential candidate to propose new cybersecurity policies Wednesday when he unveiled his cybersecurity strategy, which includes combating corporate espionage, shielding the country's Internet infrastructure and establishing a national cybersecurity adviser.

U.S. intelligence and security officials are concerned by the frequency with which spies in China and other countries are targeting traveling U.S. corporate and government officials. The Department of Homeland Security issued a warning last month to certain government and private-sector officials stating that business and government travelers' electronic devices are often targeted by foreign governments. The warning wasn't available to the public.

The spy tactics include copying information contained in laptop computers at airport checkpoints or hotel rooms, wirelessly inserting spyware on BlackBerry devices, and a new technique dubbed "slurping" that uses Bluetooth technology to steal data from electronic devices.

In addition to cybersecurity threats in other countries, "so many people are going to the Olympics and are going to get electronically undressed," said Joel Brenner, the government's top counterintelligence officer. He tells of one computer-security expert who powered up a new Treo hand-held computer when his plane landed in China. By the time he got to his hotel, a handful of software programs had been wirelessly inserted.

Mr. Brenner says he doesn't take a laptop to China and uses disposable cellphones while there.

Asked about potential electronic surveillance during the Olympics, a spokesman for China's Ministry of Foreign Affairs said: "Allegations that China supports hacker attacks against U.S. computer networks ... are entirely fabricated, and seriously misleading."

Some companies are taking steps to increase security. General Electric Co. encourages traveling employees to leave laptops behind or use a stripped-down travel laptop and encrypted hard drives, said spokesman Jeff DeMarrais. Pfizer Inc. is evaluating a policy that would require employees to take travel laptops to a number of countries, including China, said spokesman Chris Loder.

Despite the risks, many government and corporate officials are leery of discussing the security risks and singling out countries, such as China, for fear of damaging diplomatic and business relationships. One member of a task force at the Office of the Director of National Intelligence, the U.S.'s top spy agency, said the prospect of an Olympics warning comes up repeatedly, but is never resolved, with technology experts advocating a warning and government officials arguing against it.

One credit-card company executive said many in his industry "are becoming almost afraid of the security issue." Lawyers at credit-card companies have advised against taking some security measures, fearing the company could be liable if they fail, this person said.

Western companies' responses to the problem have ranged from "very concerned to positively ostrich-like," said Mr. Brenner.

The government has no established system for telling travelers about cybersecurity risks. The State Department issues alerts for terrorism and health risks, but not for cybersecurity. That's inconsistent with the government's position on terrorism alerts, says Paul Kurtz, a former National Security Council official who is now a cybersecurity consultant. The government is prohibited from withholding terrorist threats from the public, but that's effectively what it's doing with cyberthreats, he says.

The State Department mentions Chinese cyberthreats briefly on its Web site, noting that computers in hotel rooms may be searched. That information "is basically the extent of any concerns," a department official said.

Mr. Kurtz suggests that the government develop a warning system assigning countries a threat level. Intelligence agencies already produce an annual classified country-by-country report on cyberspying abilities.

Homeland Security's nonpublic assessment, issued last month, doesn't single out any countries. It was issued less than two months before the Olympics and shortly after reports that a U.S. government laptop may have been hacked during a December trip to China by the U.S. Commerce secretary.

This unclassified document wasn't made public. Department spokesman Russ Knocke said the assessment was shared with the department's "state, local, and private-sector partners" but not with the public because such notices are usually the State Department's responsibility and the assessment didn't point to a specific threat. The department tries to avoid inundating the public with nonspecific information, he said.

China Threatens Olympics Cyber Attacks

I don't think I am as alarmed as the writer of the defensetech.com story regarding China's intentions.

First, I believe this story is aimed at the internal Chinese audience. The link in the story takes you to a Chinese language web page with no English translation button. If the Chinese government was serious about putting the world on alert, I would guess that they would publish the ultimatum in English and other languages. Piracy is a big issue for Chinese who have not done a very good job about curtailing piracy or enforcing intellectual property rights.

Fareed Zakaria, in his new book, The Post American World, devotes considerable space to how China views its place in the world and what actions would be required to make China abide by international norms. Zakaria makes a compelling case that we cannot view China's actions based on a Western mind-set. He argues that China's actions are based on individual and formal relationships, not on the pure balance of power equation. I believe China's sudden concern about piracy of Olympics broadcasts probably has more to do with their relationship with the Intl Olympic Committee, those who have been awarded the broadcast rights and China's perceived place in the world than it has to do with them laying down the gauntlet against international pirates.

Second, I'm not sure China is challenging the sovereignty of other nations with their press release. China's long-standing policy has been to respect the sovereignty of other nations. They are not concerned about what nations do within their borders as long as they remain on friendly terms with China. We've seen this stand recently regarding The Sudan and Zimbabwe. If they are so adamant about respecting the territorial sovereignty of other nations, why would they abandon this policy in the cyber domain to engage in cyber warfare/police action on web sites controlled by other nations?

Yes, according to press reports, China has been engaging in mapping/attempted penetration of a variety of networks around the world. But is this any different than what many nations, including allies, around the world do to each other...espionage? China is probably just very sloppy about it.

Third, I wonder how well tied the Chinese Copyright Management Division is to the PLA. Would an ultimatum from the Copyright Management Division bureaucrats cause the PLA generals to engage in military action on the cyber front? Does this bureaucrat really have the power to put the cyberwar legions in the PLA on the war-path to shut down foreign web sites? I don't know enough about the inner workings of the Chinese government and PLA to be able to answer that. But knowing bureaucracies in general, I'm not convinced that the Copyright Management Division is speaking for the senior leadership of China. If the Chinese leadership was really serious about challenging the world on copyright infringement through cyberwarfare, the press release would have come from a much more senior person and most likely worked through diplomatic channels as well.



=======================
by Kevin Coleman
http://www.defensetech.org/archives/004300.html

Multiple sources have confirmed that China has openly threatened anyone who reuses or rebroadcasts the Beijing Olympics. Chinese officials publicly stated they will “punish” Internet Web sites, Re-broadcasters and other “new media” that replay the 2008 Olympic Games and related events without the authorization of state-run China Central Television.

Xu Chao, deputy director of the Copyright Management Division in the State Copyright Bureau said “during the Olympic Games, many unauthorized broadcasts will flood into the market. We should initiate an “attack” against broadcast piracy.” Xu went on to discuss some of their anti-piracy measures including a public hotline for reporting illegal broadcasting through the State Copyright Bureau website or by dialing the "12390" anti-piracy hotline to collaborate with the government. People involved will be rewarded for the reports once the report is found to be true.

The International Olympic Committee granted CCTV the new media broadcast rights for the summer games exclusively. We were unable to obtain their exact definition of “new media broadcast.” However, in a statement by the State Administration of Radio, Film and Television, the National Copyright Administration and the Ministry of Industry and Information Technology, they said Web sites and mobile platforms using Olympic broadcast signals without getting permission from the CCTV will be punished.

They went on to say that “Web sites may be shut down if they carry the events illegally.” Olympics coverage is big business. The 2008 Summer Games in Beijing will mark the arrival of streaming content as a viable alternative to the Olympics’ television broadcast. Online video streaming is attracting an increasing share of ad spending and many believe is the future of advertising. NBCOlympics.com will offer 4,400 hours of on-demand streaming content plus 2,200 hours of live programming, making the Beijing Olympics the largest streaming media project to date. There is little doubt that carbon copies of the streamed media will be available from numerous sources on the web and in the physical world. So it appears China has a big challenge ahead.

Are they really threatening cyber attacks on public companies, private industry and individuals? That is the way one Cyber Security Expert we spoke to interpreted it. Only time will tell. What if a company in the United States, or any other country, is attacked? How will the government respond? One thing for sure, this is a sign of things to come.

Facts:
The Olympics have become a very, very big business. Worldwide media rights to the 2008 Summer Olympics in Beijing sold for $1.7 billion, with NBC Universal paying $894 million for the U.S. media rights alone.

China Central Television (CCTV) said that “Web sites may be “shut down” if they carry the events illegally.” In addition, a Chinese Government spokesperson said “Any individual without authorization who uploads recorded Olympic events or pirated Olympics video broadcasting websites will face up to 100,000 RMB in penalties.” The statement in its entirety can be found here.

Q&A with Lt. Gen. Michael Peterson

This interview from The Hill was carried by the AF's Aim Points daily news service. Lt Gen Peterson is the Senior Communications Officer in the US Air Force.


========
BY: Roxana Tiron, The Hill
07/9/2008

http://thehill.com/the-executive/qa-with-lt.-gen.-michael-peterson-2008-07-09.html

Air Force Lt. Gen. Michael Peterson has a fancy title: Chief of Warfighting Integration and Chief Information Officer. But he calls himself the "tech guy on the operations team." Peterson is the guy who talks about bits and bytes, cyber security, radars and satellites. He also is the one who keeps tabs on all the Air Force's assets and how they can best be used to be effective in the fight. Peterson manages a more than $17 billion portfolio for communication, intelligence, surveillance and reconnaissance assets.

Q: What are some of the biggest concerns of your job?

The biggest concern is that we can't go to war without the Internet. That is how we travel, that is how we move, that is how we are re-supplied, that is how we reach out and get help from vendors and the industry. The Internet is unclassified, literally unprotected. We can add our classified networks directly to the Internet and there is some degree of protection, but that is not good enough. So what keeps me up at night is having a potential adversary deny us the use of that network to make it much more difficult for us to go to war.

Q: Are cyber attacks getting more sophisticated? How is the Air Force staying ahead of those threats?

We get probed hundreds of thousands of times. "Probed" means that someone is coming in and finding out what protocols are available to come into the system. Tens of thousands [of probes] are looking for chinks in the firewall so that they can exploit a vulnerability. When we have not configured systems properly, probes sometimes work because we have not closed all of the ports. Or they come inside the network through a port we want them to use, but then they have attacked a piece of equipment inside the network and that opens up other vulnerabilities.

The problem remains that this moves along so quickly, and as vulnerabilities are found immediately we want to go and patch them. Eighteen months ago it took 57 days to patch computers because it was all manual. You had to go out and touch every single machine. Today, because we have put standard configurations in place and you can do it remotely, we can do it in a day and a half. The goal is going to be minutes.

Q: How do you stay a step ahead with the technology and hacking methods always evolving?

As soon as a new version of software, as soon as a new version of a chip is delivered to us, we have teams that are working with the national computer emergency teams to do analysis and find vulnerabilities. We immediately go to work if we find vulnerabilities.

Q: Has the headquarters for the new Cyber Command been chosen yet? The new command received a lot of congressional attention as several districts and states expressed interest in housing the new endeavor.

No, and we will not be able to do that soon. Very aggressively, we thought we could. I did not know how complex it was to find the right location to stand up a new mission. [About 18 states showed interest in housing the command.] We asked governors for their input and they are coming back now. We will narrow down the decision to a few places before Christmas. Then some really hard work goes in. We will send our engineers out to do the environmental impact work. Probably in summer of 2009 we would be able to tell people where it is going to be.

Q: Defense Secretary Robert Gates has talked so much about strengthening the intelligence, surveillance and reconnaissance (ISR) capability and created a task force. What are the Air Force's priorities as part of that task force? Any new ideas or capabilities?

Our priorities are Secretary Gates's priorities. What we did is we took an end-to-end look at what we could provide and what we can deliver in terms of ISR. The highlight of that is the importance of full-motion video to the ground force. Today most of that is done with the Predator [unmanned aerial vehicle (UAV)]. Global Hawk [UAV] has still images, but we also moved on with a few aircraft called Reaper [UAV], which is the follow-on generation to the Predator.

We did the experimentation for reach-back through satellite and fiber optic networks, so today the bulk of our Predators are flown from Creech Air Force Base in Nevada. The crews are there. They do not deploy forward and that way they can be in the fight 365 days a year. That allowed us to put 88 percent of our Predators forward [into theaters of war]. The other 12 percent are training new crews and doing test and evaluation for new capabilities. By December, we will have 31 [Predator] orbits. That means 24/7, 365 days there is a Predator on board supporting you in 31 separate locations in the theater. Our stated objective is to have 50 orbits available. We will need them to be Reaper, principally because they can carry more payload for ISR.

Q: Do you still think there should be an executive agency for unmanned vehicles?

That question got answered, and the deputy secretary of Defense does not think we need an executive agent. He is insistent that we work closely together to develop those common technical standards. That is our intent and that is what we are going to push towards.

Q: The whole issue with the nuclear parts mishaps — what do you think happened there, and what do you think could strengthen the information sharing about assets and how they are being employed?

[The secretary and chief of staff of the Air Force were forced to resign over two flaps involving nuclear parts. Last August, a B-52 bomber flew from North Dakota to Louisiana with nuclear weapons and earlier this year, the Pentagon discovered that four nuclear warhead fuses were accidentally shipped to Taiwan in 2006.]

We have some important work to do on our legacy logistics system. Any time a person is in the loop, there is the potential of typing something incorrectly. So in my lane we have been working with the logistics personnel so that we have the best tools available and that we modernize those systems. That would be an absolute priority on my part.

Monday, July 7, 2008

Interview with LTC John Bircher from SlashDot

Below is an interesting on-line interview conducted by SlashDot of LTC John Bircher, US Army, a few days back. Bircher stresses the need for a whole-of-government approach and a civil-military partnership in defending our nation’s portion of cyberspace.

Also, he tries to clarify the military’s role in cyberspace. The AF’s push for the cyber command and the associated ads has created a perception among the public that the military is going to start policing the whole of cyberspace. That is, of course, not the case. As Bircher points out, the military needs to consolidate its own cyber-defense while it partners with the rest of government and private industry to secure cyberspace.


=================
http://interviews.slashdot.org/article.pl?sid=08/07/03/1913245&from=rss

A few weeks ago, you asked questions of Lt. Col. John Bircher, head of an organization with a difficult-to-navigate name: the U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent's Futures Branch. Lt. Col. Bircher has answered from his perspective, at length, not just the usual 10 questions, but several more besides. Read on for his take on cyberwar, jurisdiction, ethics, and more.

First, Lt. Col. Bircher adds this note:
I'd like to preface my responses to your questions by first remarking on the quality and intensity of the input. I was quite literally blown away by the questions you asked, and humbled. Quite candidly, I had some difficulty answering them all. Part of my responsibility in participating in this forum is sticking to "my lane," which means not speaking about things I don't know anything about and not speculating beyond my level of experience and expertise. In those cases where I either didn't know or couldn't answer the question specifically, I inform you of this fact. Still, you will note that every question has an answer because I use every opportunity to share some aspect of the Army's story. Thank you for this rare chance to engage great minds in an important discussion.

1) "What is that?" by khasim
What, specifically, would be a "cyber-electronic engagement"? Include examples. Compare/contrast with traditional forms of intelligence gathering (wiretaps, listening devices, etc) and their counter-measures.

As I mentioned in my preface, I'll try to stick to my lane. I have been given the challenge of helping the Army map out the concepts for how we will operate in and through cyberspace in the future: specifically, 2015 and beyond. Sometimes I feel like I'm part science fiction writer, part futurist, part planner. Other times I feel as though I'm leaning into the proverbial windmill. All that said, it's an exciting time to be associated with the Army. One of the concepts we're working on is the thought that you can create effects both in cyberspace and through cyberspace. There are a myriad of tasks, actions, and activities that you can do in order to achieve effects in and through cyberspace - we're grouping these "things" under the banner Cyber-Electronics as a place holder for now. For example, you and I are engaged in a cyber-electronic engagement right now: I'm answering you through cyberspace, as opposed to in person, in order to achieve the effect of informing you.

At its foundation, this is what military operations are about: effects generation and management. Traditionally, we tend to think about effects having impact in the physical domain only, but military operations have always been about cognitive effects, too. In cyberspace, most effects are cognitive: they inform, affect and influence our beliefs, values, dogmas and, ultimately, decisions. One of the best aspects of my current job is that I am afforded the luxury of "engaging" (there's that word again) in discussions, debates, and decision processes that actually cause me to think beyond traditional military functions, and I get to "engage" in these forums with some pretty smart, outside-of-the-box thinkers who are not in uniform (and some who are!).

There has long been a debate about the appropriateness of the military participating in influence operations but if we think about it, influence operations are fundamental to everything we as a society do. Rather than shy away from the debate, we are actively embracing it as we strive to articulate an appropriate role for the Army in cyberspace. The American Public, too, has its role - that of defining the checks and balances that proscribe the acceptable limits of these operations.

2) "Threat Assessment" by mykepredko
As I understand it, every military in the world assesses the threat its opponents pose by their capabilities rather than perceived intents. How do you perform a threat assessment in the area of cyber-warfare where the physical weapons (as was pointed out in an earlier post) is the keyboard and mouse with much of technology being used as a threat being developed in the U.S.?

New capabilities and technological breakthroughs always challenge the ability to assess the threat, but the fundamentals of threat assessment will not change. Today, we use terms such as kinetic and non-kinetic to describe military operations: kinetic meaning motion and physical impact; non-kinetic meaning non-physical impact, something akin to "winning hearts and minds." Cyberspace is an interesting amalgam of both. While largely non-kinetic, it can yet produce kinetic outcomes, especially when you think about not just creating effects in cyberspace but also when you consider creating effects through cyberspace. A virus can crash systems, rendering hardware useless. Malicious rumors on the Internet can result in someone taking their own or someone else's life.

There's a scene in the movie Patton, where Patton is watching a battle unfold on the North African desert against his arch adversary Erwin Rommel. Patton is winning and triumphantly explains why, "I read your book, you son of a b****." Part of threat assessment is not only tallying up an adversary's arsenal of weapons but also getting inside his head. Cyberspace is highly cerebral and highly diffused, where threats can come from any corner. This reality demands new assessment tools. It's all unfolding fast and furiously, and we're working hard to ensure we have the capabilities needed to assess and defeat these new threats effectively. The Army is not acting alone. We work very closely with the Department of Homeland Security, Department of Justice, FBI, and just about every other government organization that operates in cyberspace to make sure we don't overstep our bounds. The Army and all the Department of Defense organizations are very aware of our legal restrictions and requirements, and we go to great pains to make sure we do not cross over into another organization's area of responsibility concerning cyberspace.

3) "Technique?" by Manip
Does the US Army take advantage of traditional misconfiguration and social engineering techniques in order to compromise a network or is the US government developing a home-grown list of exploits to gain access to foreign government systems?

First, it's important to clarify that as far as I'm aware, we're not in the business of compromising networks or gaining access to other governments' systems without just cause. When there is a clear threat to national security, we then employ legal and just means to deal with that threat. Also, I'm not able to discuss specific methods that the Army might or might not be employing but only speak in terms of concepts and capabilities that we should have in order to be successful conducting operations in cyberspace. If you have insights and skills that might broaden our capabilities in this arena, I encourage you to consider joining the emerging DoD cyber-workforce.

As members of the military, we are sworn to uphold the Constitution against all enemies foreign and domestic. The challenge in cyberspace is being able to discern with clarity one's enemy. Social engineering takes advantage of this anonymity. There are significant legal implications with which we are constantly checking. The rules of war have always been their own; yet we have always held American forces to a higher standard, and the same will hold true in cyberspace.

4) "Attacks" by Notquitecajun
Without diving into details that compromise security, can you reveal anything about the types or quantities of attacks that the US military is able to fend off, and how often they are faced?

If the Air Force television commercial is accurate, the Pentagon alone is cyber-attacked at least three million times a day. So military-wide, the number of attacks is likely significant, but I would suspect relatively few of these attacks are pernicious enough to comprise a significant threat and fewer still are successful. Beyond this, I am not privy to details about the nature and magnitude of these attacks.

5) "China" by je ne sais quoi
What is the U.S. Army doing to protect U.S. sensitive information from the frequent number of cyber-attacks originating from inside the People's Republic of China? Is it primarily defensive?

U.S. sensitive information requires safeguarding, no matter who may be probing or attacking our systems in order to gain access to this information. This fact demands that we undertake all protective measures possible ... and we are.

6) "Hacker war..." by Notquitecajun
I doubt you could REALLY answer this, but is the US military playing any sort of role in the semi-underground "hacker war" that appears to be going on between China and the US?

You're right NQC ... I really can't answer this. Beyond the sensitive nature of the subject, I simply don't know because it is well beyond my scope of responsibility. There's a laundry list of government organizations focusing on the threats to our nation and to our military TODAY. Remember - I'm focusing on how to operate in and through cyberspace in the future.

7) "And if and if ..." by khasim
And if there actually is a "Hacker War" between us ... and if our military is currently playing a role in such ... are there any civilian applications that will be released to help defend our non-military assets (corporations, education, etc)? Example: the NSA has worked on SELinux.

The Army, especially the Commanding General of the Combined Arms Center, Lt. Gen William B. Caldwell IV, firmly believes that the challenges we face today can only be addressed using a whole-of-government approach. We often use the acronym JIIM, which speaks even beyond our own government. It stands for Joint, Interagency, Inter-governmental and Multinational partnerships and collaborations to deal effectively with increasingly global problems. The defense of cyberspace is akin to the defense of our fledgling nation: it will require that everyone do his or her part. It behooves us all to work together to protect cyberspace, a frontier where a strong civil-military partnership is vital to success.

8) "Are We At War?" by Doc Ruby
What is the "cyber command" doing to protect the US from current serious attacks on major Federal government sites, including the attacks on sensitive Congressional sites [slashdot.org] reported this week? Is there any traditional military precedent for tolerating these attacks to the extent we do? Is that hesitancy making us weaker, so our eventual delayed military (or "cyber-military") response will be compromised from winning the conflict to our satisfaction? At what point do these attacks constitute acts of war, does that need to be declared by Congress, and how does the "cyber command" change its response at that point?

In the last question, I spoke about the need for a whole-of-government approach to serious threats but we have a ways to go before we have the equivalent of a national "cyber command." We currently rely on each agency protecting its own assets and working in collaboration when there are overlaps. Without question, the overlaps are rapidly increasing. With this in mind, the Combined Arms Center recently hosted an interagency symposium to discuss ways to strengthen whole-of-government responses and capabilities.

Your second question is both tough and fundamental to the nature of a democracy. Our nation was founded in opposition to a strong standing army. Throughout our history, we have wrestled with the dichotomy of eschewing a strong military even as we recognized the need for one. You will find a compelling analysis of this dichotomy in T.R. Fehrenbach's classic study of the Korean conflict titled This Kind of War.

Recently, historians and pundits have noticed increasing tension within this dichotomy: a continued suspicion of a strong military by the American public coupled with an ever-growing dependence on that military to solve intractable problems. Robert D. Kaplan wrote in The Atlantic Monthly:
The acceleration of technology is driving a wedge between military and civilian societies and bringing about, for the first time, a professional-caste elite. Thus today's volunteer Army is different from all others in our history. Soldiers are becoming like doctors and lawyers -- another professional group we'd like to need less of but upon which we rely more. And just as health reform requires the consent of the medical community, because doctors own a complex body of knowledge, foreign policy will over the decades be increasingly influenced by the military, because war, peacekeeping, famine relief, and the like are becoming too complex for civilian managers.

Given this framework, words like "hesitancy" and "weakness" become problematic. How much do we want the military involved in cyber defense? Is a weaker military the price a democracy pays for being a democracy? Excellent questions and worthy of discussion. I encourage forums such as this one to continue the debate. Quite honestly, my hands are full enough trying to figure out what cyberspace will look like in seven years!

Because we are a democracy, your last question is best answered by our civilian leadership. Only the President can determine what constitutes an act of war.

9) "Recruitment" by caljorden
Does the US Air Force, or any branch of the armed services, currently recruit for cyber-related positions directly? Or is it a requirement that all members come out of the standard armed services personnel? If there is currently no system for recruiting the best and brightest CS/IT/Security personnel from the civilian population, would that ever be considered?

I encourage you to contact Air Force Cyber Command folks to better understand how the Air Force is structuring its newest command.

In the Army, we do not yet have cyber soldiers. That is part of what my office is chartered to do: determine what skills sets are needed, what training is needed to produce these skills sets, what organizations these skills sets will be assigned to, and what doctrine they will employ. We currently have soldiers with related MOS or Additional Skill Identifiers (ASI). These include soldiers who are in intelligence, signal, fires and maneuver specialties, and ASIs such as Electronic Warfare and Information Operations. I do envision that cyber-electronics will evolve into its own specialty for which we will actively recruit both soldiers and civilians.

10) "Jurisdiction?" by Caerdwyn
Given that the most likely targets for cyber warfare are civilian targets, and that the perpetrators will likely be either non-government organizations or non-military employees of foreign governments, how do you see the jurisdiction question playing out? In particular, at what point are there handoffs in investigation, arrest, and prosecution between the US military, the FBI, and local authorities of affected civilian targets?

Issues of legality and jurisdiction are outside my lane; however, there are plenty of lawyers around to tell me what can and cannot be done (usually the latter!). Unfortunately, in an increasingly inter-connected electronic world - a world inhabited by both flesh and blood actors, as well as their virtual avatars - the ability to discern "the enemy" with clarity is made incredibly complex. Again, only a whole-of-government approach will enable us to navigate these tricky issues successfully.

11) "Legal Ramifications" by muellerr1
How does the military ensure that it is operating within the law regarding online military offensive activities? Are there any laws or oversight, as such? If so, how are those laws and/or oversight affected by a declaration of war?

Again, I can't speak to specifics, both because I don't know and because the legal issues involved in operations in cyberspace are just now being tackled in earnest. More broadly, the military has a very deliberate process for assuring it adheres to the law and is aggressive in its vigilance. But cyberspace is truly a "brave new world," and we will collectively have to wrestle with questions such as this one. Our ultimate oversight comes from you, the American Citizen...so you have an important role in this conversation.

12) "Making defenses available to the tax payers" by scorp1us
Would you support the release of information and software (Like Security-Enhanced Linux from the NSA) regarding successful defensive configurations and strategies to the general public so that the tax payer can derive additional benefits from your work? Surely the private industries in this country are valuable and may be attacked in order to cause economic harm. What limitations or rules would you use for release of such information?

Clearly I don't have the authority to make such a decision. Philosophically, however, I do feel that strong civil-military collaboration in cyberspace is and will be essential to our national security. How this will play out (the degree to which military applications will find their way into the civil and corporate sectors) remains to be seen. I can tell you that my organization is actively looking to partner with industry and academic institutions (and not just the Defense Industrial Complex) in this field to make sure that we not only generate a free-flow of information but also capture the ideas of the best and brightest minds available. It's no secret that industry is well into the notion of operating in and through cyberspace, and in many instances, has paved the way for the military to follow.

13) "Timing and relevancy" by zappepcs
It's common knowledge that what we call the Internet was suckled by the military. Black-hat and white-hat security conferences and practices have been an active part of Internet security for over a decade. Can you explain what seems to be the US Military arriving at the game in the third inning? Having had TSEC and observed security processes and procedures, such as tempest precautions some time ago, I'm having trouble understanding why the 'cyber defenses' of the US Military only now seem to be actually realized. Is the delay due to funding? Priorities? or simply to underestimation of what the rest of the world was up to all this time? Please be as specific as you are able to be.

This question is an important one because it speaks to some of the themes that have echoed in earlier questions. Let me start by citing an observation about our current wars in Afghanistan and Iraq. Last year a reporter from a national magazine asked me what it would take for our nation to win the Global War on Terrorism. I offered the opinion that we're not a nation at war - we're a group of military folks, about 200,000 at a time, who are at war. The difference between the war today and World War II is that in 1941 our entire nation mobilized for war: Detroit began producing more tanks and less cars; when you went to the movies you saw Movietone newsreel releases instead of ads for popcorn and sodas; American citizens had victory gardens, fuel rationing, and metal collection drives. The war affected everyone in America. If you put this in perspective of a future war in cyberspace, I think the best question is what will be the nation's response to cyber war? Are cyber threats, cyber terrorism, cyber attacks, cyber war purely the province of the military or the entire nation? The ways in which we answer this question will determine our future priorities and funding.

Over the last seven years, we have been largely focused on the global war on terror and counter-insurgency operations, within which cyber operations and engagements have emerged as significant threats. If we are late to the game, it is attributable to a complex array of reasons, as it always is for a military within a democracy.

14) "Hurdles of Cyber Warfare" by Digital Ebola
One issue to cyber warfare is linguistics. How does a military unit overcome this? Does the unit consist of people skilled at the various languages used in theater plus the technical concepts required to execute, or are you forced to cooperate with any other agency? Also, agency cooperation: are there good relationships between the cyberwarfare units and the intelligence community, and can you say whether or not there are SOPs in place that would utilize cyberwarfare units in conjunction with a physical offensive, i.e. disable Three Gorges Dam right before an op?

Having enough trained linguists is challenge enough in "meatspace," so it will likely remain one in cyberspace. In essence, we're essentially asking for dual linguists...those who can speak Farsi, Chinese, Spanish or Urdu, as well as C++, Java, XML, Perl, etc. Sadly, there is a growing gap between the skills we need and the skills brought to us by graduates of our public education system. In many school districts that are struggling for funding, foreign language instruction is considered a luxury they can't afford to sustain. And we have yet to integrate computer science into our high school curriculum fully or effectively.

The military has a long tradition of recruiting, training and employing linguists in support of full spectrum operations. In fact, the Defense Language Institute is a subordinate command of my higher headquarters, the Combined Arms Center. Again, part of my task overseeing the Futures division of the U.S. Army Computer Network Operations-Electronic Warfare Proponent is helping to define the requisite force structure the Army will need to operate in cyberspace successfully. This effort will certainly include an analysis of language needs and capabilities. While we will always need humans involved in this process to deal with the fine nuances of language, cyberspace offers new possibilities (software applications, for example) that facilitate interpretation. Our developmental efforts will also include development of doctrine and capabilities that cross joint, interagency, inter-governmental and multinational boundaries.

15) "Relationship with the Air Force?" by El Cubano
Since the Air Force is the U.S. military branch claiming dominance in "cyberspace" (along with air and space), how do you view the Army's relationship with the Air Force in "cyberspace"? Will the Army seek to take over all of the "cyberspace warfare", carve out its own niche in cyberspace, or peacefully coexist with the Air Force? With respect to leadership in this area across the DoD, do you feel that the Air Force being denied the program executive role for all DoD UAV endeavors represents an opportunity for the Army increase its role with respect to UAVs (as many people see cyberspace and UAVs to be inextricably linked)?

16) "Avoiding Redundancy or is it Necessary?" by introspekt.i
What steps is the Army taking to avoid overlap with the Air Force's "cyber warfare" program(s)? Is avoiding overlap considered necessary, or is redundancy considered a good thing? Are there plans to collaborate on large scale with the Air Force, or keep the programs isolated from one another?

Let me tackle these two questions together.

I applaud the Air Force's aggressiveness in tackling the challenges that confront us in cyberspace. To employ a naval maxim: when the tide comes in, all ships rise. The Air Force's focus and emphasis on cyberspace has helped ensure all of us are placing requisite attention to it. It's important to note that at its recent symposium in Massachusetts, the Air Force made very clear that it is focused squarely on developing Air Force-unique cyber requirements.

I would say that we are doing likewise: focusing on our service-unique requirements, even as we explore collaborative strategies. As a land component force that operates in and amongst populaces that are increasingly connected through cyberspace, the Army must focus on that portion of cyberspace that is virtually contiguous to the land on and in which we operate. Only when we know our own roles and requirements can we adequately integrate our efforts with the other services to support full-spectrum operations. And we have an existing structure in place with the Joint Staff to ensure that internecine turf battles are avoided.

17) "Civilian contractors" by faloi
Do you foresee a high utilization of civilian contractors? Knowing that there are some restrictions on people that can be recruited into the Army for any number of reasons (asthma, medications, criminal records), do you see a need for either more lax recruiting guidelines for some of the "front line" troops in the cyber warfare field, or a higher use of civilian (or at least non-Army) personnel?

I definitely see that operations in cyberspace have the potential to alter the composition of our military, as well as broaden civil-military alliances. I mentioned earlier that cyberspace is highly cerebral. The key prerequisite becomes, therefore, "brain" rather than "brawn," and recruitment standards should probably be adjusted accordingly. Because cyberspace is also highly diffused, operating within it will demand wide participation and collaboration. Some observers have suggested the notion of creating a Cyber National Guard or Cyber Reserve, which merits consideration. How the mix of formal military, auxiliary forces, civilian allies and civilian contractors plays out will require further study, but you're right to suggest that it will need skill sets that currently exist mostly outside the military.

18) "What value does doing it in the Army add?" by scorp1us
We already know that the USAF has a cyber-warfare division. Given that all network attacks are fundamentally based in IP Packets, it stands to reason that the Army and USAF would be duplicating work, while creating an opportunity for lack of communication. Would you agree that a special, single cyber-defense branch should be created to assist all branches of the military as well as non-military? Generally the armed forces are never known for technical prowess. (They are more consumers than creators) The role of creation comes from contractors. Why shouldn't we rely on contractors to perform these functions when contractors already obtain top-secret clearances? Contractors compete for projects which ensures a level of cost limitation (let's face it, Cost+ rips off the tax payer), continual advancement (beyond what the enemy throws at us). Why should the armed forces be doing this in-house?

The notion of a single cyber-operational force merits strong consideration. Yet if we use our recent experience with the creation of the Department of Homeland Security as a benchmark, the consolidation of the cyber divisions of multiple agencies is likely to be difficult. Earlier, I spoke about the need for each service to focus on its service-unique requirements, even as we explore collaborative strategies. For now, I believe we must each master our corner of "the sandbox" completely. Over the past three decades, in particular, our emphasis on joint inter-operability has helped to ensure that we mitigate duplication of effort and collaborate wherever possible. For example, because the Marine Corps is also a land component force, the USACEWP is working with the Marine Corps Combat Developments Command to develop joint cyber-electronic concepts and capabilities.

To your observation about the role of contractors, they will play (and are playing already) an important role in the development of cyber-electronic concepts and capabilities. We clearly recognize that we can't go it alone. Beyond the use of contractors, we are leveraging academia and industry to help devise the way forward. As I've said repeatedly, the cyber environment demands such collaboration.

"A military brat asks:" by UncleTogie
In your work as Director of IO for Combined Joint Task Force -76, what were your greatest challenges in Afghanistan? What technology threats other than IEDs were your greatest concern?

The challenges in Afghanistan are immense and include: a population that is 18-20% literate, and it drops to less than 5% once you leave the seven major population centers; the need for basic infrastructure to take root and flourish, like sewage systems, clean water, electricity, schools, medical care, and jobs; a fledgling government trying to allow a concept called Democracy to grow; and a criminally-minded, terrorist organization willing to assassinate anyone who buys into that concept called Democracy.

But the biggest challenge was expectation management, and it's a challenge I deal with every day still. We are a society of instant results and instant gratification: I get upset when I can't get a doctor's appointment that fits perfectly into my personal schedule. What we lose sight of is that we, as a nation, have been experimenting with (and trying to perfect) Democracy for 232 years - our Constitution was adopted in 1787 and has since been amended ("changed") 27 times; we suffered a pretty major Civil War over it; the Supreme Court interprets it every day. My point is that we've worked mightily at it for nearly two and a half centuries and are still perfecting it. We're viewed as the hallmark for Democracy (how humbling is that?), which only means we can't let up in this grand endeavor...nor back away from the responsibilities it requires of us. I believe that what we are doing in Afghanistan and Iraq is absolutely critical to the defense of our Nation, but Democracy takes time...and sacrifice.

The ability to develop concepts and capabilities that will provide our country enduring capacity in cyberspace will also take time. While technology may be developing faster than Moore's Law ever forecasted, we cannot afford to react to the current problem in a shortsighted way. Any capabilities we develop must be enduring. At the same time, they must be flexible - adaptable as technology adapts, or lead technology development. Finally, they have to be tied to the JIIM community - like I said earlier, the Army isn't going this alone.