Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Talking Squids in Outer Space |
| The Continuing Cheapening of the Word "Terrorism" »
August 18, 2008
Air Force Suspends Cyber-Command
The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.
Posted on August 18, 2008 at 6:46 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Only the (US) government can create a 8.000 man strong unit, only to have someone ask, for the first time, "but, what exactly are we suppost to *do*"
My guess is, somebody high up in the ranks with a vivid imagination read way to many sci-fi books and needing to justify his employment, threw around some buzzwords like "information warfare" and "the digital battlefield of the 21st century".
Russia vs. Georgia-Poland-Estonia are nothing when compared with AF vs. DHS? :-)
Tsk tsk... Was someone playing pirated copies of Halo on the intelligence workstations again? What virus did they infect them with THIS time? ;-7
... or maybe it didn't close, just went underground?
There is no 8,000 person cyber command.
Y'know, I'm just finishing up _Rainbows End_ by Vinge, and this sounds like it was lifted right out of that book, but without an understanding of what it was FOR.
Less flippantly, I think that the Government, as a whole, realized that it was buying the same thing - security in cyberspace - more than once. There will now be a, er, negotiation to figure out if AF (or Army, or Marine Corps) really trust DHS (or Treasury) to secure the area. It should be a fun time, eh.
This is funny, because I've seen articles about this department for some time but in not one of them could I find a coherent explanation of what they were going to do (though Wired did the usual graphic of guys in uniform in front of expensive looking displays). I figured I was looking in the wrong place. Ha ha. What can I say? Wow.
> Only the (US) government can create a 8.000 man strong unit, only to have someone ask, for the first time, "but, what exactly are we suppost to *do*"
This is what blows with government. They set the tax rates at whatever they like and we just have to wear it. Nobody has tea parties these days. They aren't allowed.
@Roxanne: Be careful re who is supposed to "secure" an area.
If you tell the Marines to "secure" a building, they'll storm it and leave nothing alive.
If you tell the Army to "secure" a building, they'll set up a perimiter, and nothing will get in or out without their permission.
If you tell the Navy to "secure" a building, they'll make sure to turn off all the lights and lock all the doors when they leave.
If you tell the Air Force to "secure" a building, they'll take out a ten-year lease with an option to buy.
I suppose if you tell the DHS to "secure" a building, they'll set up checkpoints on one side of it, and make sure nobody gets through (that way) with any bombs, guns, knives, nail files, home-made electronics, pictures of any of the above, or dignity.
> I'm just finishing up _Rainbows End_ by Vinge, and this sounds like it was lifted right out of that book, but without an understanding of what it was FOR.
Frankly I think they just read the descriptions of the Secure Hardware Environment and had a powergasm. From the book, the SHE is basically a hardware-level authentication system that, oh by the way, guarantees government-controlled superuser accounts on every single piece of electronics. Manufacturing gear that can selectively ignore it is highly illegal.
And considering the ubiquitous computing in the novel, with processing power embedded in walls, clothing, basically _everything_, the SHE provides no small amount of surveillance power.
Not sci-fi, but Tom Clancey -- they probably thought the NetForce novels were actual historical accounts...
I'd say they just moved 8,000 people to "Area 52".
IP over AC = Pwn3d.
Politics, as usual:
August 13, 2008 - "... The stand-down of the Cyber Command comes at a difficult time for the Air Force. Defense Secretary Robert Gates in June demanded the resignations of Air Force Chief of Staff T. Michael "Buzz" Moseley and Air Force Secretary Michael Wynne, because of the mishandling of nuclear weapons..."
08/12/08 - "...The decision to ratchet back the Cyber Command may have come from Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, who wants to see a greater role for the Navy in cyberspace, said an Air Force source. Coyle speculated that the Air Force may have been too public in pushing the Cyber Command and is now suffering from its own hubris..."
Just a thought,
If the AF has pulled out of "cyber security" for political reasons. Obviously it's not a job for those with vision and sense of purpose.
Therefor how long befor we see some of GWB's (supposed) ex-advisors and confidents applying to do the job.
Obviously if you can put oil down a pipe you know puting data down a pipe "Shucks it ain't no more O'problem than getting a colt out a mare".
Speaking of pipes, Clive, I suggest you put down your crack pipe before you do serious long term damage to your brain.
On a serious note: who is currently responsible for protecting the US from a Russian style big hack attack? Is anyone responsible? Sure, I suppose if there is some kind of massive, coordinated DOS attack on several major infrastructure networks at once and we don't have (for example) cable TV or ATM machines for a week, all the various agencies and departments will point fingers, but when the dust settles, does any one US agency actually "own" (in the business sense, ie "take responsibility for) cyberspace?
How is it that the US is still in business with this level of incompotence and behind-covering?
The battlefield is largely private, even when you consider the recent vote for immunity.
They tried to deliver a product, complete with advertising, without first developing the policy and doctrine, or more importantly the roles, missions and national command authority.
It didn't go underground. It went to ground. USAF can't even catch a cab inside the beltway these days. I think they realized that and stopped drinking their own kool-aide for a while. Don't worry, the youngest service with the biggest, ugliest monument will be back on this soon enough-- along with more jets to fight the imaginary future war they can't make up yet.
Meanwhile, Soldiers, Marines and Salors figured out that we have to secure the network we do own, feed the people before they hate us, and sometimes grab a rifle and go get the bad guys.
> Nobody has tea parties these days. They aren't allowed.
I hereby nominate that for the most ironic statement of the month.
Some considerations for why C-C news: Wonder if the Terminator 3 movie made a good impression on somebody.
Or was the C-C just a shell for getting results for the TIA program to stay alive?
Deception is critical in warfare, only those who know, know.
Things are getting hot in the world. Sandbagging IT seems a good policy for any advantage to collect intel.
C-C probably would hurt the Republicans at election time, potentially close race, so basic pysch ops?
They finally got the big picture of their role. Air Force doing C-C, seems wrong under some assumptions.
Somebody needs to be a "cyber command" and the AF was a good choice for the service to host it. I was in military communications (which includes networking) for more than a quarter century and as such supported operations of all 4 branches.
AF provides the best computer support, followed by Navy/USMC; Army was the worst. Possibly because people who are into fiddling with computers are also into air conditioning and cable TV; I don't know. I do know however that whenever I supported an Army operation they [the Army personnel I was supporting] always said "Wow you guys are way better at this than the Army is". I chalked it up to a lack of concern for customer support (read that as mission accomplishment) at HQ Army levels.
Maybe they need to create a 5th (or counting USCG - 6th) branch of the service as a cyber command. They could put it under DoT like the coast guard since it would be needed in time of "peace" as much as "war". They could even adopt the unemployed SAC motto, "peace is our profession".
There is no need for "cyber command". Networks need to be secured - but that is done by good network admins. IF there is a network or computer system causing us problems then we need to attack it in the most sure fire way we can...a hack that will always work....blow it the *@$# UP!
The absolute last thing this country needs is a bunch of idiots pretending to be a information warfare organization, with all of the limitations of military rules of engagement.
If you want to engage in defensive information warfare of this sort, you need door kickers and chip-pullers to run with your intel and take down hostile nodes. Noting that most of this work will be domestic in nature, this is not a good role for the military.
Infowar defense is a lot of boring "check your passwords carefully, folks" and systems audits, with a touch of "Red Team" for integrity testing. Sounds like a great role for academia, actually.
This is even funnier given the article on US cyber attack vulnerability being hyped on CNN today....
Sorry the "English sense of the ridiculous" and joking about obviously daft things does not translate ;)
I was simply making the observation that the whole CC idea was so daft that rather than any U.S. Gov / Mil organisations run it perhaps GWBush could hand the job over to the Private Sector.
And select ex Defense Sec Donald Rumsfeld to head it up, who via Haliburton and Bechtel appeared to have an Oil Pipeline fixation.
And further that he could be supported by ex FEMA Director Mike Brown who appears to have got the job from his "fine work" at the International Arabian Horses Association (Horse breeding) prior to it's colapse shortly after Mr Brown was apparently forced to resign.
I thought that the CC Idea would benifit from their insightful abilities ;)
After they spent all that money on commercials!
rant: Will everyone please stop it with the "cyber-" prefix!?! Whew, that feels better. Flame off.
Yes, there's a political struggle over the budget.
Seems to me, however, the real story is one of dissent within the ranks.
My guess is that the USAF thought the president's proposed $6 billion secretive system was bunk, if not downright un-patriotic and wasteful.
Unfortunately, as we know, when you get in front of Cheney he is liable to shoot you in the back. Past cybersecurity work by the USAF means they are now in front of the executive shooter.
What you are probably looking at is a power-play to create a Cheney-esque model of power -- a more centralized system with few or no balances and checks, used to spy on citizens.
Isn't the NSA responsible for auditing and securing critical network infrastructure? I remember that they're the only US organization with legal ability to hack other networks.
As far as accountability, it seems like any massive DDoS attacks would necessarily be a juristic issue. No nation would ever admit to crippling another countries critical networks, and so there will ALWAYS be a fall guy, and never any official state sponsorship.
I've got another question;
Which US agency, if any, is responsible for OFFENSIVE infowar operations? If there are none, why not?
I agree with Andrew that defensive infowar is little more than "make sure your password contains both letters AND numbers" and keeping antivirus program definitions up to date, along with a few white hats to Tiger Team the network on a regular basis.
Information technologies exist in all battlespaces: air, space, land, and sea. A joint command should be established in conjunction with the civilian DoD agencies.
NSA does it and ANG also has a squadron dedicated to "information aggression."
Oh, the irony. Only 11 days after the first war in which there was incontrovertible evidence of a full scale "cyberattack" in support of military operations by a foreign power, the US decides that it isn't sure what a military "Cyber Command" is for, and dismantles it.
On September 11, the FBI came to the credit card marketing company (to track the credit card purchases of plane tickets) with 286 computers for Christ's sake. Since then the FBI, Homeland Security and military has been trying to catch up with the rest of us. Other than weapon control systems, the only ones who seem to have a clue to me are the NSA and Navy. Still, dropping the USAF Cybercommand seems to me to be backtracking, letting budget battles interfere with actually developing top notch computer skills within our military.
Welcome to the wide wide world of military intelligence. (insert oxymoron jokes here)
To comment on several comments of "Why are there so many of these "CCs" popping up?" Different needs. The Navy has different needs than the FBI, than the Army, etc.
The different groups don't trust each other. Sometimes with good reason. Does the FBI trust local law enforcement? Yeah, right, tell me another one.
And finally concentration. Concentration of resources can be good for lots of reasons. Concentration can be bad for some also. If the US' CC was in one spot, then there is only one spot to disrupt. If it is physically, logically, and practically distributed, then it is much more difficult to disrupt.
Why was the plug pulled? Me, I kinda like the Dick Cheney pet project suggestion. Dickie-boy has always been a closet techie you know. I understand he spends hours every night pounding out code. (yeah, I know, that's a real easy setup for someone, but hey...)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.