Below is an interesting on-line interview conducted by
SlashDot of LTC John Bircher, US Army, a few days back. Bircher stresses the need for a whole-of-government and a civil-military partnership to defending our nation’s portion of cyberspace.
Also, he tries to clarify the military’s role in cyberspace. The AF’s push for the cyber command and the associated ads has created a perception among the public that the military is going to start policing the whole of cyberspace. That is, of course, not the case. As Bircher points out, the military needs to consolidate its own cyber-defense while it partners with the rest of govt and private industry to secure cyberspace.
=================
http://interviews.slashdot.org/article.pl?sid=08/07/03/1913245&from=rssA few weeks ago,
you asked questions of Lt. Col. John Bircher, head of an organization with a difficult-to-navigate name: the U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent's Futures Branch. Lt. Col. Bircher has answered from his perspective, at length, not just the usual 10 questions, but several more besides. Read on for his take on cyberwar, jurisdiction, ethics, and more.
First, Lt. Col. Bircher adds this note:
I'd like to preface my responses to your questions by first remarking on the quality and intensity of the input. I was quite literally blown away by the questions you asked, and humbled. Quite candidly, I had some difficulty answering them all. Part of my responsibility in participating in this forum is sticking to "my lane," which means not speaking about things I don't know anything about and not speculating beyond my level of experience and expertise. In those cases where I either didn't know or couldn't answer the question specifically, I inform you of this fact. Still, you will note that every question has an answer because I use every opportunity to share some aspect of the Army's story. Thank you for this rare chance to engage great minds in an important discussion.
1) "What is that?" by khasimWhat, specifically, would be a "cyber-electronic engagement" Include examples. Compare/contrast with traditional forms of intelligence gathering (wiretaps, listening devices, etc) and their counter-measures.
As I mentioned in my preface, I'll try to stick to my lane. I have been given the challenge of helping the Army map out the concepts for how we will operate in and through cyberspace in the future: specifically, 2015 and beyond. Sometimes I feel like I'm part science fiction writer, part futurist, part planner. Other times I feel as though I'm leaning into the proverbial windmill. All that said, it's an exciting time to be associated with the Army. One of the concepts we're working on is the thought that you can create effects both in cyberspace and through cyberspace. There are a myriad of tasks, actions, and activities that you can do in order to achieve effects in and through cyberspace - we're grouping these "things" under the banner Cyber-Electronics as a place holder for now. For example, you and I are engaged in a cyber-electronic engagement right now: I'm answering you through cyberspace, as opposed to in person, in order to achieve the effect of informing you.
At its foundation, this is what military operations are about: effects generation and management. Traditionally, we tend to think about effects having impact in the physical domain only, but military operations have always been about cognitive effects, too. In cyberspace, most effects are cognitive: they inform, affect and influence our beliefs, values, dogmas and, ultimately, decisions. One of the best aspects of my current job is that I am afforded the luxury of "engaging" (there's that word again) in discussions, debates, and decision processes that actually cause me to think beyond traditional military functions, and I get to "engage" in these forums with some pretty smart, outside-of-the-box thinkers who are not in uniform (and some who are!).
There has long been a debate about the appropriateness of the military participating in influence operations but if we think about it, influence operations are fundamental to everything we as a society do. Rather than shy away from the debate, we are actively embracing it as we strive to articulate an appropriate role for the Army in cyberspace. The American Public, too, has its role - that of defining the checks and balances that proscribe the acceptable limits of these operations.
2) "Threat Assessment" by mykepredko
As I understand it, every military in the world assess the threat its opponents pose by their capabilities rather than perceived intents. How do you perform a threat assessment in the area of cyber-warfare where the physical weapons (as was pointed out in an earlier post) is the keyboard and mouse with much of technology being used as a threat being developed in the U.S?
New capabilities and technological breakthroughs always challenge the ability to assess the threat, but the fundamentals of threat assessment will not change. Today, we use terms such as kinetic and non-kinetic to describe military operations: kinetic meaning motion and physical impact; non-kinetic meaning non-physical impact, something akin to "winning hearts and minds." Cyberspace is an interesting amalgam of both. While largely non-kinetic, it can yet produce kinetic outcomes, especially when you think about not just creating effects in cyberspace but also when you consider creating effects through cyberspace. A virus can crash systems, rendering hardware useless. Malicious rumors on the Internet can result in someone taking their own or someone else's life.
There's a scene in the movie Patton, where Patton is watching a battle unfold on the North African desert against his arch adversary Erwin Rommel. Patton is winning and triumphantly explains why, "I read your book, you son of a b****." Part of threat assessment is not only tallying up an adversary's arsenal of weapons but also getting inside his head. Cyberspace is highly cerebral and highly diffused, where threats can come from any corner. This reality demands new assessment tools. It's all unfolding fast and furiously, and we're working hard to ensure we have the capabilities needed to assess and defeat these new threats effectively. The Army is not acting alone. We work very closely with the Department of Homeland Security, Department of Justice, FBI, and just about every other government organization that operates in cyberspace to make sure we don't overstep our bounds. The Army and all the Department of Defense organizations are very aware of our legal restrictions and requirements, and we go to great pains to make sure we do not cross over into another organization's area of responsibility concerning cyberspace.
3) "Technique?" by Manip
Does the US Army take advantage of traditional misconfiguration and social engineering techniques in order to compromise a network or is the US government developing a home-grown list of exploits to gain access to foreign government systems?
First, it's important to clarify that as far as I'm aware, we're not in the business of compromising networks or gaining access to other governments' systems without just cause. When there is a clear threat to national security, we then employ legal and just means to deal with that threat. Also, I'm not able to discuss specific methods that the Army might or might not be employing but only speak in terms of concepts and capabilities that we should have in order to be successful conducting operations in cyberspace. If you have insights and skills that might broaden our capabilities in this arena, I encourage you to consider joining the emerging DoD cyber-workforce.
As members of the military, we are sworn to uphold the Constitution against all enemies foreign and domestic. The challenge in cyberspace is being able to discern with clarity one's enemy. Social engineering takes advantage of this anonymity. There are significant legal implications with which we are constantly checking. The rules of war have always been their own; yet we have always held American forces to a higher standard, and the same will hold true in cyberspace.
4) "Attacks" by Notquitecajun
Without diving into details that compromise security, can you reveal anything about the types or quantities of attacks that the US military is able to fend off, and how often they are faced?
If the Air Force television commercial is accurate, the Pentagon alone is cyber-attacked at least three million times a day. So military-wide, the number of attacks is likely significant, but I would suspect relatively few of these attacks are pernicious enough to comprise a significant threat and fewer still are successful. Beyond this, I am not privy to details about the nature and magnitude of these attacks.
5) "China" by je ne sais quoi
What is the U.S. Army doing to protect U.S. sensitive information from the frequent number of cyber-attacks originating from inside the People's Republic of China? Is it primarily defensive?
U.S. sensitive information requires safeguarding, no matter who may be probing or attacking our systems in order to gain access to this information. This fact demands that we undertake all protective measures possible ... and we are.
6) "Hacker war..." by Notquitecajun
I doubt you could REALLY answer this, but Is the US military playing any sort of role in the semi-underground "hacker war" that appears to be going on between China and the US?
You're right NQC ... I really can't answer this. Beyond the sensitive nature of the subject, I simply don't know because it is well beyond my scope of responsibility. There's a laundry list of government organizations focusing on the threats to our nation and to our military TODAY. Remember - I'm focusing on how to operate in and through cyberspace in the future.
7) "And if and if ..." by khasim
And if there actually is a "Hacker War" between us ... and if our military is currently playing a role in such ... are there any civilian applications that will be released to help defend our non-military assets (corporations, education, etc)? Example: the NSA has worked on SELinux.
The Army, especially the Commanding General of the Combined Arms Center, Lt. Gen William B. Caldwell IV, firmly believes that the challenges we face today can only be addressed using a whole-of-government approach. We often use the acronym JIIM, which speaks even beyond our own government. It stands for Joint, Interagency, Inter-governmental and Multinational partnerships and collaborations to deal effectively with increasingly global problems. The defense of cyberspace is akin to the defense of our fledgling nation: it will require that everyone do his or her part. It behooves us all to work together to protect cyberspace, a frontier where a strong civil-military partnership is vital to success.
8) "Are We At War?" by Doc Ruby What is the "cyber command" doing to protect the US from current serious attacks on major Federal government sites, including the attacks on sensitive Congressional sites [slashdot.org] reported this week? Is there any traditional military precedent for tolerating these attacks to the extent we do? Is that hesitancy making us weaker, so our eventual delayed military (or "cyber-military") response will be compromised from winning the conflict to our satisfaction? At what point do these attacks constitute acts of war, does that need to be declared by Congress, and how does the "cyber command" change its response at that point?
In the last question, I spoke about the need for a whole-of-government approach to serious threats but we have a ways to go before we have the equivalent of a national "cyber command." We currently rely on each agency protecting its own assets and working in collaboration when there are overlaps. Without question, the overlaps are rapidly increasing. With this in mind, the Combined Arms Center recently hosted an interagency symposium to discuss ways to strengthen whole-of-government responses and capabilities.
Your second question is both tough and fundamental to the nature of a democracy. Our nation was founded in opposition to a strong standing army. Throughout our history, we have wrestled with the dichotomy of eschewing a strong military even as we recognized the need for one. You will find a compelling analysis of this dichotomy in T.R. Fehrenbach's classic study of the Korean conflict titled This Kind of War.
Recently, historians and pundits have noticed increasing tension within this dichotomy: a continued suspicion of a strong military by the American public coupled with an ever-growing dependence on that military to solve intractable problems. Robert D. Kaplan wrote in The Atlantic Monthly:
The acceleration of technology is driving a wedge between military and civilian societies and bringing about, for the first time, a professional-caste elite. Thus today's volunteer Army is different from all others in our history. Soldiers are becoming like doctors and lawyers -- another professional group we'd like to need less of but upon which we rely more. And just as health reform requires the consent of the medical community, because doctors own a complex body of knowledge, foreign policy will over the decades be increasingly influenced by the military, because war, peacekeeping, famine relief, and the like are becoming too complex for civilian managers.
Given this framework, words like "hesitancy" and "weakness" become problematic. How much do we want the military involved in cyber defense? Is a weaker military the price a democracy pays for being a democracy? Excellent questions and worthy of discussion. I encourage forums such as this one to continue the debate. Quite honestly, my hands are full enough trying to figure out what cyberspace will look like in seven years!
Because we are a democracy, your last question is best answered by our civilian leadership. Only the President can determine what constitutes an act of war.
9) "Recruitment" by caljorden
Does the US Air Force, or any branch of the armed services, currently recruit for cyber-related positions directly? Or is it a requirement that all members come out of the standard armed services personnel? If there is currently no system for recruiting the best and brightest CS/IT/Security personnel from the civilian population, would that ever be considered?
I encourage you to contact Air Force Cyber Command folks to better understand how the Air Force is structuring its newest command.
In the Army, we do not yet have cyber soldiers. That is part of what my office is chartered to do: determine what skills sets are needed, what training is needed to produce these skills sets, what organizations these skills sets will be assigned to, and what doctrine they will employ. We currently have soldiers with related MOS or Additional Skill Identifiers (ASI). These include soldiers who are in intelligence, signal, fires and maneuver specialties, and ASIs such as Electronic Warfare and Information Operations. I do envision that cyber-electronics will evolve into its own specialty for which we will actively recruit both soldiers and civilians.
10) "Jurisdiction?" by Caerdwyn
Given that the most likely targets for cyber warfare are civilian targets, and that the perpetrators will likely be either non-government organizations or non-military employees of foreign governments, how do you see the jurisdiction question playing out? In particular, at what point are there handoffs in investigation, arrest, and prosecution between the US military, the FBI, and local authorities of affected civilian targets?
Issues of legality and jurisdiction are outside my lane; however, there are plenty of lawyers around to tell me what can and cannot be done (usually the latter!). Unfortunately, in an increasingly inter-connected electronic world - a world inhabited by both flesh and blood actors, as well as their virtual avatars - the ability to discern "the enemy" with clarity is made incredibly complex. Again, only a whole-of-government approach will enable us to navigate these tricky issues successfully.
11) "Legal Ramifications" by muellerr1
How does the military ensure that it is operating within the law regarding online military offensive activities? Are there any laws or oversight, as such? If so, how are those laws and/or oversight affected by a declaration of war?
Again, I can't speak to specifics, both because I don't know and because the legal issues involved in operations in cyberspace are just now being tackled in earnest. More broadly, the military has a very deliberate process for assuring it adheres to the law and is aggressive in its vigilance. But cyberspace is truly a "brave new world," and we will collectively have to wrestle with questions such as this one. Our ultimate oversight comes from you, the American Citizen...so you have an important role in this conversation.
12) "Making defenses available to the tax payers" by scorp1us Would you support the release of information and software (Like Security-Enhanced Linux from the NSA) regarding successful defensive configurations and strategies to the general public so that the tax payer can derive additional benefits from your work? Surely the private industries in this country are valuable and may be attacked in order to cause economic harm. What limitations or rules would you use for release of such information?
Clearly I don't have the authority to make such a decision. Philosophically, however, I do feel that strong civil-military collaboration in cyberspace is and will be essential to our national security. How this will play out (the degree to which military applications will find their way into the civil and corporate sectors) remains to be seen. I can tell you that my organization is actively looking to partner with industry and academic institutions (and not just the Defense Industrial Complex) in this field to make sure that we not only generate a free-flow of information but also capture the ideas of the best and brightest minds available. It's no secret that industry is well into the notion of operating in and through cyberspace, and in many instances, has paved the way for the military to follow.
13) "Timing and relevancy" by zappepcs
It's common knowledge that what we call the Internet was suckled by the military. Black-hat and white-hat security conferences and practices have been an active part of Internet security for over a decade. Can you explain what seems to be the US Military arriving at the game in the third inning? Having had TSEC and observed security processes and procedures, such as tempest precautions some time ago, I'm having trouble understanding why the 'cyber defenses' of the US Military only now seem to be actually realized. Is the delay due to funding? Priorities? or simply to underestimation of what the rest of the world was up to all this time? Please be as specific as you are able to be.
This question is an important one because it speaks to some of the themes that have echoed in earlier questions. Let me start by citing an observation about our current wars in Afghanistan and Iraq. Last year a reporter from a national magazine asked me what it would take for our nation to win the Global War on Terrorism. I offered the opinion that we're not a nation at war - we're a group of military folks, about 200,000 at a time, who are at war. The difference between the war today and World War II is that in 1941 our entire nation mobilized for war: Detroit began producing more tanks and less cars; when you went to the movies you saw Movietone newsreel releases instead of ads for popcorn and sodas; American citizens had victory gardens, fuel rationing, and metal collection drives. The war affected everyone in America. If you put this in perspective of a future war in cyberspace, I think the best question is what will be the nation's response to cyber war? Are cyber threats, cyber terrorism, cyber attacks, cyber war purely the province of the military or the entire nation? The ways in which we answer this question will determine our future priorities and funding.
Over the last seven years, we have been largely focused on the global war on terror and counter-insurgency operations, within which cyber operations and engagements have emerged as significant threats. If we are late to the game, it is attributable to a complex array of reasons, as it always is for a military within a democracy.
14) "Hurdles of Cyber Warfare" by Digital Ebola
One issue to cyber warfare is linguistics. How does a military unit overcome this? Does the unit consist of people skilled at the various languages used in theater plus the technical concepts required to execute, or are you forced to cooperate with any other agency? Also, agency cooperation: are there good relationships between the cyberwarfare units and the intelligence community, and can you say whether or not there are SOPs in place that would utilize cyberwarfare units in conjunction with a physical offensive, i.e. disable Three Gorges Dam right before an op?
Having enough trained linguists is challenge enough in "meatspace," so it will likely remain one in cyberspace. In essence, we're essentially asking for dual linguists...those who can speak Farsi, Chinese, Spanish or Urdu, as well as C++, Java, XML, Perl, etc. Sadly, there is a growing gap between the skills we need and the skills brought to us by graduates of our public education system. In many school districts that are struggling for funding, foreign language instruction is considered a luxury they can't afford to sustain. And we have yet to integrate computer science into our high school curriculum fully or effectively.
The military has a long tradition of recruiting, training and employing linguists in support of full spectrum operations. In fact, the Defense Language Institute is a subordinate command of my higher headquarters, the Combined Arms Center. Again, part of my task overseeing the Futures division of the U.S. Army Computer Network Operations-Electronic Warfare Proponent is helping to define the requisite force structure the Army will need to operate in cyberspace successfully. This effort will certainly include an analysis of language needs and capabilities. While we will always need humans involved in this process to deal with the fine nuances of language, cyberspace offers new possibilities (software applications, for example) that facilitate interpretation. Our developmental efforts will also include development of doctrine and capabilities that cross joint, interagency, inter-governmental and multinational boundaries.
15) "Relationship with the Air Force?" by El Cubano
Since the Air Force is the U.S. military branch claiming dominance in "cyberspace" (along with air and space), how do you view the Army's relationship with the Air Force in "cyberspace"? Will the Army seek to take over all of the "cyberspace warfare", carve out its own niche in cyberspace, or peacefully coexist with the Air Force? With respect to leadership in this area across the DoD, do you feel that the Air Force being denied the program executive role for all DoD UAV endeavors represents an opportunity for the Army increase its role with respect to UAVs (as many people see cyberspace and UAVs to be inextricably linked)?
16) "Avoiding Redundancy or is it Necessary?" by introspekt.i
What steps is the Army taking to avoid overlap with the Air Force's "cyber warfare" program(s)? Is avoiding overlap considered necessary, or is redundancy considered a good thing? Are there plans to collaborate on large scale with the Air Force, or keep the programs isolated from one another?
Let me tackle these two questions together.
I applaud the Air Force's aggressiveness in tackling the challenges that confront us in cyberspace. To employ a naval maxim: when the tide comes in, all ships rise. The Air Force's focus and emphasis on cyberspace has helped ensure all of us are placing requisite attention to it. It's important to note that at its recent symposium in Massachusetts, the Air Force made very clear that it is focused squarely on developing Air Force-unique cyber requirements.
I would say that we are doing likewise: focusing on our service-unique requirements, even as we explore collaborative strategies. As a land component force that operates in and amongst populaces that are increasingly connected through cyberspace, the Army must focus on that portion of cyberspace that is virtually contiguous to the land on and in which we operate. Only when we know our own roles and requirements can we adequately integrate our efforts with the other services to support full-spectrum operations. And we have an existing structure in place with the Joint Staff to ensure that internecine turf battles are avoided.
17) "Civilian contractors" by faloi
Do you foresee a high utilization of civilian contractors? Knowing that there are some restrictions on people that can be recruited into the Army for any number of reasons (asthma, medications, criminal records), do you see a need for either more lax recruiting guidelines for some of the "front line" troops in the cyber warfare field, or a higher use of civilian (or at least non-Army) personnel?
I definitely see that operations in cyberspace have the potential to alter the composition of our military, as well as broaden civil-military alliances. I mentioned earlier that cyberspace is highly cerebral. The key prerequisite becomes, therefore, "brain" rather than "brawn," and recruitment standards should probably be adjusted accordingly. Because cyberspace is also highly diffused, operating within it will demand wide participation and collaboration. Some observers have suggested the notion of creating a Cyber National Guard or Cyber Reserve, which merits consideration. How the mix of formal military, auxiliary forces, civilian allies and civilian contractors plays out will require further study, but you're right to suggest that it will need skill sets that currently exist mostly outside the military.
18) "What value does doing it in the Army add?" by scorp1us
We already know that the USAF has a cyber-warfare division. Given that all network attacks are fundamentally based in IP Packets, it stands to reason that the Army and USAF would be duplicating work, while creating an opportunity for lack of communication. Would you agree that a special, single cyber-defense branch should be created to assist all branches of the military as well as non-military? Generally the armed forces are never known for technical prowess. (They are more consumers than creators) The role of creation comes from contractors. Why shouldn't we rely on contractors to perform these functions when contractors already obtain top-secret clearances? Contractors compete for projects which ensures a level of cost limitation (lets face it, Cost+ rips off the tax payer), continual advancement (beyond what the enemy throws at us). Why should the armed forces be doing this in-house?
The notion of a single cyber-operational force merits strong consideration. Yet if we use our recent experience with the creation of the Department of Homeland Security as a benchmark, the consolidation of the cyber divisions of multiple agencies is likely to be difficult. Earlier, I spoke about the need for each service to focus on its service-unique requirements, even as we explore collaborative strategies. For now, I believe we must each master our corner of "the sandbox" completely. Over the past three decades, in particular, our emphasis on joint inter-operability has helped to ensure that we mitigate duplication of effort and collaborate wherever possible. For example, because the Marine Corps is also a land component force, the USACEWP is working with the Marine Corps Combat Developments Command to develop joint cyber-electronic concepts and capabilities.
To your observation about the role of contractors, they will play (and are playing already) an important role in the development of cyber-electronic concepts and capabilities. We clearly recognize that we can't go it alone. Beyond the use of contractors, we are leveraging academia and industry to help devise the way forward. As I've said repeatedly, the cyber environment demands such collaboration.
"A military brat asks:" by UncleTogie
In your work as Director of IO for Combined Joint Task Force -76, what were your greatest challenges in Afghanistan? What technology threats other than IEDs were your greatest concern?
The challenges in Afghanistan are immense and include: a population that is 18-20% literate, and it drops to less than 5% once you leave the seven major population centers; the need for basic infrastructure to take root and flourish, like sewage systems, clean water, electricity, schools, medical care, and jobs; a fledgling government trying to allow a concept called Democracy to grow; and a criminally-minded, terrorist organization willing to assassinate anyone who buys into that concept called Democracy.
But the biggest challenge was expectation management, and it's a challenge I deal with every day still. We are a society of instant results and instant gratification: I get upset when I can't get a doctor's appointment that fits perfectly into my personal schedule. What we lose sight of is that we, as a nation, have been experimenting with (and trying to perfect) Democracy for 232 years - our Constitution was adopted in 1787 and has since been amended ("changed") 27 times; we suffered a pretty major Civil War over it; the Supreme Court interprets it every day. My point is that we've worked mightily at it for nearly two and half centuries and are still perfecting it. We're viewed as the hallmark for Democracy (how humbling is that?), which only means we can't let up in this grand endeavor...nor back away from the responsibilities it requires of us. I believe that what we are doing in Afghanistan and Iraq is absolutely critical to the defense of our Nation, but Democracy takes time...and sacrifice.
The ability to develop concepts and capabilities that will provide our country enduring capacity in cyberspace will also take time. While technology may be developing faster than Moore's Law ever forecasted, we cannot afford to react to the current problem in a shortsighted way. Any capabilities we develop must be enduring. At the same time, they must flexible - adaptable as technology adapts or, lead technology development. Finally, they have to be tied to the JIIM community - like I said earlier, the Army isn't going this alone.
Posts
