The next battlefield: Cyberspace and military readiness

Last week, the Pentagon announced a plan for "operating in cyberspace," clearly marking out a new terrain in the world of national defense. John Joyner breaks down the document and what it means for future cybersecurity measures.

In a frank and timely confirmation of the gravity of recent successful cyber-attacks with strategic consequences for the United States, the Pentagon released on July 14, 2011 an 11-page report on cybersecurity. A readable and relevant wake-up call to the nation from its military, the report communicates an urgency that has implications for every Internet user. The news is disturbing, but it is refreshing to see the U.S. government share information with the American people this transparently. The findings and recommendations of the document are logical and smack of common sense.

Cyber threats listed in the context section of the document establish the urgency by referring to recent revelations such as the electronic theft in March 2011 of thousands of classified documents from a U.S. defense contractor by a foreign power, and the report this month of malicious components discovered embedded in foreign-manufactured electronics. The document is the first of its kind from the Pentagon, and there was speculation that a new offensive-oriented policy might state that cyber-damage inflicted by hostile nation-states could be answered by physical force.

As released, the document makes no provocative policy statement linking possible physical retaliation to cyber-attacks. More basically, it sounds a clear alarm about significant hostile activities discovered recently, and lets people know what the nation's military planners are doing about it in the short term. The Pentagon organizes the document around five strategic initiatives; I've simplified and paraphrased them below.

#1 The military will give the effort sufficient resources

An interesting concept the military uses is calling cyberspace a "domain", defined by quoting the 2010 Quadrennial Defense Review: "Although it is a man-made domain, cyberspace is now as relevant a domain for Department of Defense (DoD) activities as the naturally occurring domains of land, sea, air, and space."

Here are some examples the document provides of the level of attention the cyberspace domain is to receive in the military:

  • Resources are provided on a scale as if cyberspace were another continent; for example, the U.S. Navy's 10th Fleet was reactivated in 2010 and is now charged with cyberspace (rather than anti-submarine operations in the Atlantic, its mission from 1943 to 1945). Of note is that a numbered U.S. fleet historically represents a vast geographic region, and establishing a numbered fleet command automatically carries the weight of a three-star admiral and a large staff.
  • Cyber red teams will be included in all war games and exercises, so that troops train for degraded cyberspace operations and disruption in the midst of a mission. Disrupting war games is expensive and even risky, but this seems like a great way to improve troop readiness across the board.

#2 The military will try to manage IT security better

This initiative includes sub-categories of (1) following cyber hygiene best practices, (2) focusing on insider threat mitigation, (3) deploying better intrusion prevention systems (IPS), and (4) a promise to continually develop new defense operating concepts. These are modern security housekeeping concepts for any large IT organization; including them in the document shows the military has not forgotten the basics.

#3 The military will partner with other government agencies and the private sector

The military wants to enable a "whole of government" approach to increase national cybersecurity, and the DoD has partnered with the Department of Homeland Security (DHS) to lead the inter-agency efforts. Realistically, the military admits that it depends on the entire private sector IT hardware and software industry, and the same telecommunications carriers and Internet Service Providers (ISPs) that everyone else uses.

The document mentions that incentives to promote private sector participation in national cybersecurity are possible. To date, there has been very little federal government financial support for public-private sector cybersecurity partnerships. An example is the Federal Bureau of Investigation (FBI) InfraGard program; while enjoying broad industry support, the program runs on a shoestring. It would be great news if this DoD document paved the way for the Pentagon to somehow compensate the FBI (which reports to the Department of Justice) for increased resources to support InfraGard.

#4 The military will leverage U.S. allies and international partners to act globally against the bad guys

This is a cyber-defense option that makes great sense. It is right for government to fill the role of leading a collective self-defense effort, and this strategy is a logical underpinning for all kinds of possible new strategic alliances. I hope our government will exploit this opportunity, which might include such physical world concepts as international blockades and embargoes applied against strategic cyber offenders.

#5 The military will recruit patriot geeks to replicate the dynamism of the private sector

This is the most exciting part of the document, where the Pentagon describes how American ingenuity is a cyber-strength we can draw on. For example, I am glad to know there is a National Cyber Range where large-scale experiments and network simulations are conducted; knowing that we have such a facility to attract and retain cyber talent is good news.

Reaching out to academic and business resources with an entrepreneurial approach, and developing Reserve and National Guard cyber capabilities, are new missions the military will consider; these sound like great ideas. So does the promise to achieve a cybersecurity technology development lifecycle of 12 to 36 months, compared with the seven or eight years typical of Pentagon computer projects.

Who's in charge?

Responsibility for coordinating cyber-readiness in the military is given to the Director of the National Security Agency (NSA), General Keith B. Alexander, who is "dual-hatted" as commander of USCYBERCOM. In fact a "key organizational concept is [USCYBERCOM's] co-location with the National Security Agency."

We know the NSA is good at cryptography, exploiting the electromagnetic spectrum, and maintaining secrecy. The ability of NSA to respond in a nimble fashion to changing conditions in "Internet time" is unknown, and the NSA is probably not the best agency when it comes to a track record of public relations. Let's hope the Pentagon does as good a job keeping us informed of their progress in the fight as they have done in announcing the battle in this document.

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

22 comments
gradkiss

The US must look back to the past, and see when they did not govern what surrounded cyberspace...to alleviate the problem they seem to be so preoccupied with, as the external is the problem...not the internal workings of either the server or individual at a computer console. Looking back myself...I would not agree that the Pentagon is engaged in anything new but what someone else is additionally engaged in and has been for years. This event seems to be common in government today. Repeating the same tasks repeatedly...then seeing themselves seen by others as more efficient when the correct definition of management would find them fired as CEOs or heads of anything else employed upon Earth.

Neurofiber

I agree that the American Infrastructure is at risk via embedded firmware/software. However, America's greed/competitiveness from outsourcing has put itself in this position. Additionally, if Washington cannot stop the power struggles within and across its agencies and change its culture, then the cyber struggle will be lost much faster than it can begin.

realvarezm

I'm going to write some harsh stuff so please, have an open mind about it. The military invading cyberspace is like a bully saying "I'm going to confiscate your lunch because you didn't do my homework," plus the usual beating. Many people see this as good news; well, let me tell you, this means less freedom for you and many users around the world (yeah, think of me as a hacker, which I'm not). Did you know that right now your email sent minutes ago is being scanned by a supercomputer in the NSA, or that if you make a call abroad it is being sniffed, especially if it's to the Middle East? And that is accepted because it is in the interest of national security and the good of the American people. But of course hacking the computers of a nuclear plant in Iran is OK. And please don't tell me this was done by Anonymous or some other hacking group. And to my final argument: the US military has been involved in cyberspace since its creation; remember ARPA, the prototype of the web was created by them. So this announcement is just a reminder to everybody that they are like the sword of Damocles hanging above your head, waiting for a mistake to fall down on you. Finally, we all know that the military only understands one thing: the use of force, by any means possible and regardless of the collateral damage.

Alpha_Dog

If they were, we wouldn't be seeing the high-level handshakes but rather some real training on the ground level. Recruiting a bunch of security pros who can pass an exhaustive background check will yield a bunch of boy scouts with MCSEs. A real cyberwarfare team will have more in common with the Dirty Dozen than an honor guard. If they want cyberwarriors, they need to recruit from a different pool and let the higher-ups do the handshakes after the action is over. When they are serious, you will see military teams registering in root war events at DefCon, PhreakNIC, and the like. The first couple of events will be slaughters, with the military team out in the first hour or so. If they get their egos out of it and learn (the real purpose of this kind of event), they will begin to hang with the big dogs. By year five, they could be in the top ten. Hacker events will also give them some insight into the culture. The wannabes will become evident in the first moments when they are in the company of the gods. It will be clear who to listen to, and who is blowing smoke. Like any special purpose unit, a cyberwarfare unit must have support/logistics, intel/information, command/strategic, and operations. To be effective, all parts must have clearly defined roles which match the real world. While the operations end will get all the glory with books and movies, they only play a relatively small role that is high profile and high risk. Intel and communications must be top notch, with the best data visualization in the business. Command has to make the hard calls, but primarily keep out of the rest of the organization's hair. Finally, logistics keeps everything flowing smoothly, be it equipment, standard supplies, or "hot pockets and Zena tapes". It's a team effort, and the best units never show up on the radar. The job just gets done without showing up on CNN, so they never hit that rock star image. Sorry, SEAL Team Six.

Redsheep

Now, consider the resources and effort in obtaining manufacturing of the highest electronic level possible and editing code to Linux by Chinese programmers in massive amounts. Taking into consideration that they are still a communist country, reiterating that the current "loosening" of the economic structure in no way affects the philosophy of Communism, I have to wonder. The Red Chinese have no organized spying capabilities. They go by most available contact, making their espionage very difficult to track. Freeware is great and Linux is being used by more people out there than ever before. Free utilities, like Clonezilla, could easily aid the infection of all computers that have hard drives cloned by this utility. Virtualizing the GUI is the way to commandeer a computer right out from under your nose. Plus, the user has no idea that he is running a virtual machine. AND it HAS been accomplished on Windows 7 (R). Good morning America. The world is out there and most of it is NOT friendly.

Michael Kassner

Your quote: "An example is the Federal Bureau of Investigation (FBI) InfraGard program; while enjoying broad industry support, the program runs on a shoestring." I am curious about the broad-industry support comment.

Alpha_Dog

The last time the US was engaged in the solution was when NSA was putting out the security guides and contributed to the Linux code base. SELinux became the reference standard in Linux security when properly set up and used. If the US government would get involved like they did before and stay there, we would develop those industry partnerships they are crowing about now as a matter of course instead of having to schmooze or pay for them. In addition, they would be solving problems before they become major issues.

Gem in VA

Greed and competition aren't the only, or even the main, reasons outsourcing happened. Stupid, inept, ill-thought-out, punitive tax and regulatory policy makes it difficult for many businesses to stay afloat (which is what competitive means because you're either in the game or your business dies and your employees go to the bread lines). Those who could responded by moving overseas. If they had not, many of them would have collapsed, making our economic situation even worse than it already is. Businesses don't have to be Hitler's brother-in-law to make such decisions, they can merely be trying to do what makes the most sense in order to keep going. If those tax policies were eased (our business taxes are some of the highest in the world), perhaps those companies could be enticed back home. Think it through instead of making knee-jerk emotional comments based on stereotypes.

Alpha_Dog

It takes a Pearl Harbor to wake up the bureaucrats and populace alike; then they react rather than act, yielding an inefficient but usually effective response. It's too bad, too. We could spend less money and get better results by acting upon a threat rather than reacting to an event.

Alpha_Dog

...but you're not. If you consider cyberspace as a piece of physical real estate, the government in cooperation with higher education planted the flag. Like most colonies, businesses and settlers showed up and began to use the land in the way that benefited them best. The government, while still there, was largely forgotten. As more commerce occurred in this fertile land, foreign nations began to get interested. Most simply traded with the colonists and businesses, but some who thought the planet was their destiny eyed the nation of cyberspace with a greedy eye. Seeing a golden opportunity with the government asleep at the switch (no pun intended), other nations began to send incursions into the land to see what would happen. These weren't really raiding parties so much as a scouting unit with the mandate to test the government's ability and willingness to defend their land. We know that one day nations will fight over the ability to control information. This is a resource like any other, and wars are fought over them. When this happens, what are the possible solutions? How would you like it to happen? In truth, the US government is regarding this as an invasion, but is unsure about how to react because it is not a physical venue. What I would like to see is the equivalent of a national militia. No real government involvement other than communication, but a solid wall of protection from every business, and the personal ISPs need to have security equivalent to a walled city. Yes, this will make some things like remote administration a pain in the a$$, but I would be willing to forgo a little convenience for security. I am not willing to abridge my freedoms for security, which is what would be the effect if governments engaged in full cyberwarfare. It would be like a couple of teenage boys kicking all the toddlers out of the sandbox so they can fight over the love of a girl. The toddlers don't care about the issue, but it impacts their activities, and in the end, everyone is unhappy.

jggiii2

Each of the service academies DOES field teams in these events, and they participate regularly in the various conferences. While it takes time for the expertise to filter up in the ranks, the establishment of these clubs and course tracks indicates that they are working on the problem.

JCitizen

"in the company of the gods"? Sounds like some of the folks in cyber space are full of themselves! :)

Alpha_Dog

...tell me again, who came up with Gh0st_RAT and several other remote admin kits? What OS does it run on? Linux is more secure no matter what they do to the code because it is open. The review process has a few million eyes on it. Also, if I don't like a function, I comment it out and recompile. As far as ghosting a drive, that's old news. Peter Norton came up with that under DOS back in the '80s. China also has a long history of using and underwriting the espionage activities of other nations... they learned that from watching the Soviet Union in Vietnam. Do you honestly believe that North Korea can have such a huge intelligence net without putting themselves in the poor house? If the NK operation isn't heavily underwritten by other nations, the intel is up for grabs, with NK as a clearing house for who gets first dibs.

John Joyner

Hi Michael - In my region at least (Southern U.S.) the large membership of the state InfraGard chapters well represents the critical infrastructures in those states. Members include CIO/CSO-types from many industries, and they are a rich resource to help establish public-private sector cybersecurity partnerships.

jonrosen

Many of them would have gone under from bad or honestly stupid business practices. Part of which being a CEO who makes solo in a year more than half his company, or the Financial Officer who does similar, and still outsources overseas so he doesn't have to take a pay cut. Then they wonder why their business plans are failing, because next thing they know their customer service quality is failing, because no one can understand the outsourced people, and there's no proper direct line of control over them. Then of course there are the companies who pay these 'miracle worker' C*Os a truckload of money, where they then fail, and get a truckload more as a severance package. Let's get common sense back in corporations, and we'll do better as a whole.

Alpha_Dog

They're generally the wallflowers at the event, not participating, and certainly not socializing. There are notable exceptions, but the fact that these are the notable exceptions indicates that we need more of this, not less. The other problem is that the government is stamping classified on everything, making it difficult to talk about it with those you meet at events. Hypothetical only goes so far, and the golden bullet to the problem may come from the guy with the long hair and tats, giggling in the elevator at the tail end of a good acid trip (yes, there's a story there). The other thing is a lot of the data is not shared at keynotes and talks (particularly with DCMA lawyers), but rather at the social end of the events, which the government keepers frown upon. They need to know that participation in illegal activities is optional, but they should be tolerant of it, or at least turn a blind eye. Ideally, the service academy needs to contribute to the event in every way: monetarily, logistics, and content. Yes, they will be heckled at times, but you need to engage the audience anyway. Learn from the heckler if he's good... if he's not, give him enough rope to hang himself and the rest of the audience will solve your problem. Bottom line... if you are going to participate, DO SO! Don't dress alike and stand in the back in a little herd, leaving immediately after the talk. Get there early, and leave late. OD on alcohol and caffeine. Stay awake or suffer the consequences. Make friends as well as contacts. Become more than the pet Fed.

Alpha_Dog

Ever been to DefCon or PhreakNIC? They're all full of themselves... some with good reason.

Alpha_Dog

I should be able to defend myself in cyberspace, particularly since I will have log files to back up my claims to self-defense if and when the lawyers get involved. Good security pros, particularly the ones who have been there since the Internet was mostly focused on the first couple of OSI layers, can really make life interesting for folks. For the doubters... research how bus mastering works. Research how Wake on LAN works, particularly in the NIC firmware. Now research hard drive controller firmware, particularly the controller board hardware test utilities used during factory QA processes and low-level format. Synthesize the above research into an exploit. Extra points for doing so without an application the user needs to download as a payload. Learn to find your attacker's computer (not the zombied machines used in a DDoS) and deliver a strategic strike with no collateral damage. Extra points for writing a script which grabs the system names and administrative contacts of the zombied machines, removes duplicates, and sends the relevant data in an email to the respective admin. ...not that we would ever do such a thing ;)
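The abuse-notification script the commenter describes above, written here as an added example in Python; it is not the commenter's or the article's code. It parses dropped connections out of firewall log lines, collapses repeated source addresses (the de-duplication the comment mentions), maps each source to its network's abuse contact by longest-prefix match, and renders one report per contact. The log lines, the prefix-to-contact table and every address and e-mail in it are constructed for this demonstration in place of the RDAP/WHOIS lookups a real run would perform, and the reports are returned as text rather than e-mailed. Sources whose network has no known contact are kept under a separate heading instead of being silently dropped, and malformed source fields are skipped so one bad log entry cannot poison the report.

```python
"""Group DDoS source addresses by the abuse contact of their network.

Added example, not code from the article or the comment thread. The sample
log, the prefix-to-contact table and the contact addresses below are all
constructed for this demonstration; a real deployment would replace the table
with RDAP/WHOIS lookups and pass the rendered reports to a mailer.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed syslog-style firewall lines (documentation address ranges only).
SAMPLE_LOG = """\
2011-07-20T10:00:01Z fw1 DROP src=198.51.100.17 dst=203.0.113.5 proto=TCP dport=80 flags=S
2011-07-20T10:00:01Z fw1 DROP src=198.51.100.17 dst=203.0.113.5 proto=TCP dport=80 flags=S
2011-07-20T10:00:02Z fw1 DROP src=198.51.100.44 dst=203.0.113.5 proto=TCP dport=80 flags=S
2011-07-20T10:00:02Z fw1 DROP src=192.0.2.9 dst=203.0.113.5 proto=UDP dport=53
2011-07-20T10:00:03Z fw1 DROP src=192.0.2.200 dst=203.0.113.5 proto=TCP dport=80 flags=S
2011-07-20T10:00:03Z fw1 ACCEPT src=203.0.113.77 dst=203.0.113.5 proto=TCP dport=443
2011-07-20T10:00:04Z fw1 DROP src=not-an-ip dst=203.0.113.5 proto=TCP dport=80
2011-07-20T10:00:04Z fw1 DROP src=203.0.113.200 dst=203.0.113.5 proto=TCP dport=80 flags=S
2011-07-20T10:00:05Z fw1 DROP src=198.51.100.17 dst=203.0.113.5 proto=TCP dport=80 flags=S
"""

# Constructed stand-in for RDAP/WHOIS data: network prefix -> abuse contact.
# The two 192.0.2.x prefixes overlap on purpose; longest-prefix match wins.
ABUSE_CONTACTS = {
    "198.51.100.0/24": "abuse@isp-a.example",
    "192.0.2.0/24": "abuse@isp-b.example",
    "192.0.2.128/25": "noc@hosting-c.example",
}

# Only DROP lines count as attack traffic; the source field is captured verbatim.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+DROP\s+src=(?P<src>\S+)")


def parse_sources(log_text):
    """Return {src_ip: {"count": n, "first": ts, "last": ts}} for DROP lines.

    ACCEPT lines and lines whose src is not a valid IP address are skipped,
    so a malformed entry cannot break or pollute the report.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("src")))
        except ValueError:
            continue
        entry = seen.setdefault(ip, {"count": 0, "first": m.group("ts"), "last": m.group("ts")})
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return seen


def lookup_contact(ip_str, table=ABUSE_CONTACTS):
    """Longest-prefix match of ip_str against the contact table; None if nothing matches."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for prefix, contact in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_reports(log_text, table=ABUSE_CONTACTS):
    """Group de-duplicated attacking sources by abuse contact.

    Returns {contact: [(ip, count, first_seen, last_seen), ...]}, each list
    sorted by hit count descending. Sources with no known contact are kept
    under the key None so they are visible rather than silently lost.
    """
    grouped = defaultdict(list)
    for ip, info in parse_sources(log_text).items():
        grouped[lookup_contact(ip, table)].append((ip, info["count"], info["first"], info["last"]))
    for rows in grouped.values():
        rows.sort(key=lambda r: (-r[1], r[0]))
    return dict(grouped)


def format_report(contact, rows, victim="203.0.113.5"):
    """Render one plain-text notification; delivery is left to the caller."""
    lines = [f"To: {contact}", f"Subject: Abuse report: hosts on your network attacking {victim}", ""]
    lines += [f"{ip}  hits={count}  first={first}  last={last}" for ip, count, first, last in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    for contact, rows in build_reports(SAMPLE_LOG).items():
        print(format_report(contact or "<no abuse contact found>", rows))
        print()
```

Two details matter in practice: the per-source first/last timestamps and hit counts are what an upstream abuse desk needs to find the offending host in its own logs, and the longest-prefix match is what keeps a report from going to a transit provider when a more specific customer allocation has its own contact.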
