Thom Shanker / The New York Times & Michael Stevens / Security Week & – 2010-09-29 23:47:33
Cyberwar Chief Calls for Secure Computer Network
Thom Shanker / The New York Times
FORT MEADE, Md. (September 23, 2010) — The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.
The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”
It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable.
For years, experts have warned of the risks of Internet attacks on civilian networks. An article published a few months ago by the National Academy of Engineering said that “cyber systems are the ‘weakest link’ in the electricity system,” and that “security must be designed into the system from the start, not glued on as an afterthought.”
General Alexander, an Army officer who leads the military’s new Cyber Command, did not explain just where the fence should be built between the conventional Internet and his proposed secure zone, or how the gates would be opened to allow appropriate access to information they need every day. General Alexander said the White House hopes to complete a policy review on cyber issues in time for Congress to debate updated or new legislation when it convenes in January.
General Alexander’s new command is responsible for defending Defense Department computer networks and, if directed by the president, carrying out computer-network attacks overseas.
But the military is broadly prohibited from engaging in law enforcement operations on American soil without a presidential order, so the command’s potential role in assisting the Department of Homeland Security, the Federal Bureau of Investigation or the Department of Energy in the event of a major attack inside the United States has not been set down in law or policy.
“There is a real probability that in the future, this country will get hit with a destructive attack, and we need to be ready for it,” General Alexander said in a roundtable with reporters at the National Cryptologic Museum here at Fort Meade in advance of his Congressional testimony on Thursday morning.
“I believe this is one of the most critical problems our country faces,” he said. “We need to get that right. I think we have to have a discussion about roles and responsibilities: Whatâ€™s the role of Cyber Command? What’s the role of the ‘intel’ community? Whatâ€™s the role of the rest of the Defense Department? What’s the role of DHS? And how do you make that team work? That’s going to take time.”
Some critics have questioned whether the Defense Department can step up protection of vital computer networks without crashing against the publicâ€™s ability to live and work with confidence on the Internet. General Alexander said, “We can protect civil liberties and privacy and still do our mission. We’ve got to do that.”
Speaking of the civilian networks that are at risk, he said: “If one of those destructive attacks comes right now, I’m focused on the Defense Department. What are the responsibilities — and I think this is part of the discussion — for the power grid, for financial networks, for other critical infrastructure? How do you protect the country when it comes to that kind of attack, and who is responsible for it?”
As General Alexander prepared for his testimony before the House Armed Services Committee, the ranking Republican on the panel, Howard P. McKeon of California, noted the Pentagonâ€™s progress in expanding its cyber capabilities.
But he said that “many questions remain as to how Cyber Command will meet such a broad mandate” given the clear “vulnerabilities in cyberspace.”
The committee chairman, Rep. Ike Skelton, Democrat of Missouri, said that “cyberspace is an environment where distinctions and divisions between public and private, government and commercial, military and nonmilitary are blurred.” He said that it is important “that we engage in this discussion in a very direct way and include the public.”
Defense Department’s Cyberwar Credibility Gap
Michael Stevens / Security Week
(August 30, 2010) — Undersecretary of Defense William J. Lynn has published an essay in Foreign Affairs magazine redefining the United States’ stance towards cyberwarfare, and he’s already getting shot at — primarily by IT pundits who find it hard to believe that the incident which led to the Pentagon’s recognizing cyberspace as a new “domain of warfare” could have really happened as described.
In his essay, “Defending a New Domain,” Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by “a foreign intelligence agency.”
Critics such as IT security firm Sophos’ Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn’t stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous.
A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows “autorun” feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, Silly FDC was rated as Risk Level 1: Very Low, by security firm Symantec.
Use of Agent.btz Questioned
The question posed by Wisniewski and others is, why would a foreign intelligence agency attack the US government with such a low-powered weapon? While making it clear that he has no insider knowledge of the incident, Wisniewski argues that the scenario put forth by Lynn isn’t credible. In his words, “Either it wasn’t put there by a foreign government or it wasn’t agent.btz.”
Tom Conway, security firm McAfee’s Director of Federal Business Development, doesnâ€™t find it difficult to believe that a foreign government would make use of agent.btz. “Why reveal your trade craft if something that’s widely available on the black market will do the job?” he asks. He is, however, very concerned about what the attack revealed about the state of US military security. “One, the fact that the network was vulnerable shows a lack of governance. Two, it shows that classified information is at risk, not just unclassified. Three, it shows that our adversaries are aware of One and Two.”
When interviewed by the influential security blog Danger Room, Lynn refused to provide any details about the incident or to discuss any retaliatory measures that might have been taken.
An Evolving US Policy
The question of whether the 2008 hack is to become the Tonkin Gulf of cyberspace has to some extent overshadowed the content of the article, which is significant as a new framing of the Obama administrationâ€™s cyberspace policy.
The essay characterizes the threat to US interests as “asymmetrical,” a military term of art that is used to describes conflicts such as the one now taking place in Afghanistan, where skirmishes against guerrilla forces replace conventional battles, and where the enemy may make up for what it lacks in numbers and firepower with agility and cunning. The deterrence models of the Cold War — assured retaliation — do not apply. Rather, “Deterrence will necessarily be based more on denying any benefit to attackers.” Targets may be non-military, such as US power grids, transportation networks and financial systems.
To combat cyber threats, Lynn has ordered the creation of a single, four-star command, the U.S. Cyber Command, which is to become fully operational by October. The new command will have responsibility for day-to-day protection of defense networks, and will work with “a variety of partners” inside and outside the US Government, including the FBI, the Department of Homeland Security, the Justice Department and the Defense Information Systems Agency.
The Pentagon has already deployed three overlapping lines of defense: a new emphasis on basic computer hygiene (e.g. updating patches promptly), the use of intrusion detection sensors, and the use of government intelligence capabilities to provide “highly specialized active defenses.”
Lynn also calls for “dramatic improvements in the government’s procedures of acquiring information technology.” At present, the time from funding to deployment of a new government IT system averages 81 months, which is obviously too slow to keep up with the pace of technology.
UK Already ‘Major World Power’ in Cyberwar
But ultra-nerds required
Chris Williams / The Register
(October 1, 2009) — The UK government already has a “considerable” number of attackers and defenders that make it a “major world power” in cyberwarfare, according to a leading US expert.
Scott Borg of the Washington DC-based US Cyber Consequences Unit, a well-connected research group, told The Register that the British military and security services were on the lookout for talented amateur hackers, but this was just “good recruiting practic.”
Borg’s sober assessment follows excited press reports of an MI5 teenage hacker army and suggestions from the colorful security minister  Lord West that a cadre of “naughty boys” could be hired to defend UK networks.
In fact, the UK’s first national cyber security strategy, launched in June, mostly involves reorganization of existing capabilities. GCHQ, the government’s 5,000-strong electronic spy station in Cheltenham, will now house the new Cyber Security Operations Centre to coordinate efforts.
Borg said: “When it comes to cyber warfare, the UK is clearly a major world power.”
However, he added, as more countries develop cyber war capabilities, recruiters will need to adapt.
“The British government will need a steady stream of new talent and new ideas to maintain the UK’s status in this rapidly changing field. It will not be able to do this if it relies exclusively on conventional recruitment techniques.
“Information technology remains an area where many of the most talented and innovative people have extremely unconventional backgrounds.
“Among the top cyber security experts I personally know, there are people who are or have been punk rockers, special operations soldiers, goths with lots of piercings, motorcycle gang members, aging flower children, serious athletes, total societal drop-outs and ultra-nerds.”
He said there are early signs government security authorities are now recognizing the value of an unconventional CV.
While cyber warfare issues have historically enjoyed a higher profile in Washington than in Whitehall, Borg said the British had better appreciation of their shortcomings.
“One special virtue of British politicians and senior civil servants, when it comes to cyber security, is that they seem more aware of how much they don’t know than their American counterparts,” he said.
â€¢ NSA head confirmed as chief of US cyber command (12 May 2010)
â€¢ ‘Cyber Genome Project’ kicked off by DARPA (26 January 2010)
â€¢ South Korea sets up cyberwarfare unit to repel NORK hackers (12 January 2010)
â€¢ US Matrix-style cyberwar firing range goes to Phase II (12 January 2010)
â€¢ US and Russia begin cyberwar limitation talks (14 December 2009)
â€¢ US Military cyber forces on the defensive in network battle (26 November 2009)
â€¢ Whitehall plans ‘White Noise’ phone network collapse (4 November 2009)
â€¢ ‘Hack Idol’ to find top UK cyberwarriors (12 October 2009)
â€¢ IBM in Â£24m battle with UK spooks (25 September 2009)
â€¢ Secret teen hacker army ridiculed (24 September 2009)
â€¢ US military cyberwar force will work with NSA (24 June 2009)
â€¢ Chinese firm hits back at cyberspy claims (12 June 2009)
â€¢ Jacqui’s secret plan to ‘Master the Internet’ (3 May 2009)
â€¢ UK.gov cautious on EU cyberwar effort (24 April 2009)