Schneier on Security
A blog covering security and security technology.
« Life Recorder |
| The Effectiveness of Political Assassinations »
April 19, 2010
Lt. Gen. Alexander and the U.S. Cyber Command
Lt. Gen. Keith Alexander, the current Director of NSA, has been nominated to head the US Cyber Command. Last week Alexander appeared before the Senate Armed Services Committee to answer questions.
The Chairman of the Armed Services Committee, Senator Carl Levin (D Michigan) began by posing three scenarios to Lieutenant General Alexander:
Scenario 1. A traditional operation against an adversary, country "C". What rules of engagement would prevail to counter cyberattacks emanating from that country?
Answer: Under Title 10, an "execute" order approved by the President and the Joint Chiefs would presumably grant the theater commander full leeway to defend US military networks and to counter attack.
Title 10 is the legal framework under which the US military operates.
Scenario 2. Same as before but the cyberattacks emanate from a neutral third country.
Answer. Additional authority would have to be granted.
Scenario 3. "Assume you're in a peacetime setting now. All of a sudden we're hit with a major attack against the computers that manage the distribution of electric power in the United States. Now, the attacks appear to be coming from computers outside the United States, but they are being routed through computers that are owned by U.S. persons located in the United States, so the routers are in here, in the United States.
Now, how would CYBERCOM respond to that situation and under what authorities?"
Answer: That would be the responsibility of the Department of Homeland Security (DHS) and the FBI.
Alexander was repeatedly asked about privacy and civil liberties impact of his new role, and gave answers that were, well, full of platitudes but essentially uninformative.
He also played up the threat, saying that U.S. military networks are seeing "hundreds of thousands of probes a day," whatever that means.
Prior to the hearing, Alexander answered written questions from the commitee. Particularly interesting are his answers to questions 24 and 27.
24. Explaining Cybersecurity Plans to the American People
The majority of the funding for the multi-billion dollar Comprehensive National Cybersecurity Initiative (SNCI) is contained in the classified National Intelligence Program budget, which is reviewed and approved by the congressional intelligence committees. Almost all important aspects of the CNCI remain highly classified, including the implementation plan for the Einstein 3 intrusion detection and prevention system. It is widely perceived that the Department of Homeland Security is actually likely to simply extend the cyber security system that the NSA developed for DOD into the civilian and even the private sector for defense of critical infrastructure. DOD is creating a sub-unified Cyber Command with the Director of NSA as its Commander.
24a) In your view, are we risking creating the perception, at home and abroad, that the U.S. government’s dominant interests and objectives in cyberspace are intelligence- and military-related, and if so, is this a perception that we want to exist?
(U) No, I don’t believe we are risking creating this perception as long as we communicate clearly to the American people—and the world—regarding our interests and objectives.
24b) Based on your experience, are the American people likely to accept deployment of classified methods of monitoring electronic communications to defend the government and critical infrastructure without explaining basic aspects of how this monitoring will be conducted and how it may affect them?
(U) I believe the government and the American people expect both NSA and U.S. Cyber Command to support the cyber defense of our nation. Our support does not in any way suggest that we would be monitoring Americans.
(U) I don’t believe we should ask the public to accept blindly some unclear “classified” method. We need to be transparent and communicate to the American people about our objectives to address the national security threat to our nation—the nature of the threat, our overall approach, and the roles and responsibilities of each department and agency involved—including NSA and the Department of Defense. I am personally committed to this transparency, and I know that the Department of Defense, the Intelligence Community, and the rest of the Administration are as well. What needs to remain classified, and I believe that the American people will accept this as reasonable, are the specific foreign threats that we are looking for and how we identify them, and what actions we take when they are identified. For these areas, the American people have you, their elected representatives, to provide the appropriate oversight on their behalf.
(U) Remainder of answer provided in the classified supplement.
24c) What are your views as to the necessity and desirability of maintaining the current level of classification of the CNCI?
(U) In recent months, we have seen an increasing amount of information being shared by the Administration and the departments and agencies on the CNCI and cybersecurity in general, which I believe is consistent with our commitment to transparency. I expect that trend to continue, and personally believe and support this transparency as a foundational element of the dialogue that we need to have with the American people on cybersecurity.
27. Designing the Internet for Better Security
Cyber security experts emphasize that the Internet was not designed for security.
27a) How could the Internet be designed differently to provide much greater inherent security?
(U) The design of the Internet is—and will continue to evolve—based on technological advancements. These new technologies will enhance mobility and, if properly implemented, security. It is in the best interest of both government and insustry to consider security more prominently in this evolving future Internet architecture. If confirmed, I look forward to working with this Committee, as well as industry leaders, academia, the services, and DOD agencies on these important concerns.
27b) Is it practical to consider adopting those modifications?
(U) Answer provided in the classified supplement.
27c) What would the impact be on privacy, both pro and con?
(U) Answer provided in the classified supplement.
The Electronic Privacy Information Center has filed a Freedom of Information Act request for that classified supplement. I doubt we'll get it, though.
The U.S. Cyber Command was announced by Secretary of Defense Robert Gates in June 2009. It's supposed to be operational this year.
Posted on April 19, 2010 at 1:26 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How do WE do oversight of our elected representatives, if WE can know very little about the methods that our representatives are supposed to oversee?
How do we know whether they are abdicating their responsibilities, whether they have the necessary technical knowledge (themselves or their staffs), whether they are giving sufficient weight and time to protecting our liberties?
If we can't distinguish between those representatives doing a good or bad job on these issues, in what way is their election in any way reflective of our wills?
Particularly if these systems are abused to target those particularly overseers?
So, on the table we have agencies that routinely abuse their power and our liberties offering highly classified defenses for *our* benefit to provide security against hyped attackers, but not further empower said agencies and erode civil liberties?
*doesn't cough* BULLSHIT! *doesn't cough*
Mandate a low defect rate and at least moderate security in all DOD applications. Ensure that these are dual-use technologies. Subsidize the initial burdens of reengineering from scratch. Tons of useful, medium-assurance platforms will hit the market and the attackers' low-hanging fruit will start dwindling. It must be done this way. It must be mandatory, the metrics useful, and the process profitable for the software companies. Otherwise, national IT security won't happen.
Case study: chip manufacturing offshored to cut costs, but now DOD can't trust the chips. Their proposed solution [in my words]: develop technologies that can look at a chip and tell if it's evil or not. (read: LMAO). My solution: partly subsidize some fabs for chip designers over here, privatized for efficiency and regulated for usefulness. Then, set a date where these chips will be mandatory in DOD systems. Only hire American citizens with no other citizenships that can pass a good background check. Now, the ball is in our court, the employees are American, and the US courts have full jurisdiction over abuses. Is it perfect? No. Is it less likely to be the cornerstone of massive Chinese espionage? Certainly.
At least in the case of IP commo equipment, all we have to do is inspect the packets coming out of it, to see if they have the Evil Bit (http://en.wikipedia.org/wiki/Evil_bit) set.
@kangaroo: "How do WE do oversight of our elected representatives, if WE can know very little about the methods that our representatives are supposed to oversee?"
You can't, really. Basically you have to trust them (ha, ha).
Isn't this the same guy (Alexander) who told the House intelligence oversight committee in December 2005 that the NSA does not eavesdrop on Americans without a court order? Yet they had been doing exactly that for many months...
The question about improved security for the internet was kind of vague. Improved security for who? Do the peons get strong encryption and anonymity or do a few governments get to see everything?
Our educational systems (world-wide) has taught us that knowledge is power. However, it did fail to teach us the difference between knowledge, data, and information.
So, those in power seem to be convinced that more information somehow equals more knowledge. They all grew up in times when informations was scarce and valuable. So scarce that essentially, all information was data and useful knowledge.
So now they act like children that were never allowed to eat sweets, and now, finally get in charge of the candy shop. They will eat until they explode.
They collect ALL information they can get, without caring whether it is correct, useful, or simply noise.
Excellent, 45-minute discussion of cyberwar with Richard Clarke today on Fresh Air. Audio/article at: http://www.npr.org/templates/story/story.php?...
He discusses past US & foreign ops, offensive & defensive capabilities, sleeper software & hardware, etc. Surprised, but glad, that he can say as much as he does out loud.
Re my link above, I did just realize that the article is pretty banal, but the audio I heard is actually much more informative.
@kangaroo: "How do WE do oversight of our elected representatives, if WE can know very little about the methods that our representatives are supposed to oversee?"
We watch what they do in other matters. If they keep passing laws that give government more control over our lives, vote them out. Even if they give you more money or work to stop big [insert evil here] If they work against liberty in visible matters, they will work against you in secret matters.
Learn how the system works and use the primaries. If someone starts working for freedom, keep them in. Even if it means you have to support a [insert other party here]
If they show a history of supporting liberty, then they will provide the oversite we need.
I didn't find anything in his remarks that are particularly alarming, (the comment that DHS and the FBI would be the primary agency to address domestic IA issues spoke volumes to his views on his command's AOR) but lots of snide comments from the peanut gallery that somehow, the military is wasting it's time and that the threat to DoD information assurance is somehow a myth.
Granted, DoD, just like a private organization, is loathe to acknowledge when they've been compromised, but most readers here I'm sure would recognize that it's occurred many times in the past. So I'm a bit puzzled when DoD starts discussing a unified command to deal with these issues that they're met with ridicule.
There is justifiable and wholly appropriate questions being asked on just how DoD intends to defend it's networks, and they and outside individuals correctly recognize that the nature of the internet means that threats will originate from inside and out, across a myriad of state lines, sovereignties, various agencies and organizations. People have a right to know how DoD will respond in these cases, but don't be surprised or offended if they come knocking.
Government agencies, which control VAST networks handling everything from taxes to health care and military communications is starting to finally get serious about network security, and they need our help. (They can start by dropping the "cyber" part of their name. =P ) But the cries of "BULLSHIT", "Buy American!" and "wahhh! Wiretapping!!!" echo Tea Party-like cries of boogymen and conspiracies that are not there.
Be concerned. Question, critique. But please, don't expect them to sit back and do nothing while they're getting lambasted online and off. The Government moves much slower than we'd all like them to, but at least we're starting somewhere. The Cybersecurity Act and this command are at least a starting point. The former got lots of good input and revision before it was done. We can do the same here.
P.S. You all know what a probe is. No, he didn't spell it out for the congressmen in the room, and he didn't need to. Remember, these people interviewing him send "internets" to one another. =P
Talking about attacks coming from particular countries is misguided, because attacks over the internet, for the most part, are inherently anonymous. Routing them through a few compromised intermediaries is pretty much standard, and the attacker can choose whomever they want framed as the last intermediary, so "counterattacking" will probably just hurt some innocent schmuck whose computer got compromised. Of course, a state of war makes it much more obvious who the enemy is; then you don't have to try to reverse-engineer where attacks came from, you already have a pretty good idea.
Am I the only one freaked out by the response to the "What would the impact be on privacy(...)" question? "Classified" - so they're saying they have the right to keep secrets, particularly about not wanting anybody else to? Ironic.
It's a good thing this is in the "redesigning the Internet" section, which sounds like a "boil the ocean"-type project (take a look at how long it's taken to get DNSSEC!)
Well, if I remember my ancient history correctly, the DoD was indirectly responsible for inventing the Internet originally (see also: DARPA, BBN, etc). So if anyone can redesign it, wouldn't they be the ones? :-P
(Yes, yes, compatibility means it's now very much more difficult, etc etc etc. I'm just pointing out another side of things....)
Security "experts" often talk about cyber attacks taking down the US electrical grid, disabling the phone system, erasing all banking data, making trains derail, causing chemical plants to explode, etc. If I was designing a command and control system for the electric grid, rail road switching, chemical plant control, etc I certainly wouldn't connect it to the public internet.
Just how realistic are these threats? They sound more like an attempt to scare the Congress into coughing up money, than a real attack scenario. If these attacks are so easy, why hasn't one occurred yet?
Well it all seems a bit of a farce to me - and little more than an exercise in scare-mongering funds for a fairly superflous agency. Still, you cant blame them for trying.....
I love the double standards:
"I don’t believe we should ask the public to accept blindly some unclear “classified” method. We need to be transparent and communicate to the American people about our objectives"
"What would the impact be on privacy, both pro and con?
(U) Answer provided in the classified supplement."
Tell me they didnt deliver it with a straight face.....
Doesn't everyone get all kinds of random packets and portscans?
They're not very worrisome provided you have good admins and a good security policy.
The worrisome stuff is when there isn't (yet) a Snort filter to capture something.
Although I curse the day the word "cyber" came into the vernacular to mean "computer-related," it is useful for identifying people spreading FUD.
"If I was designing a command and control system for the electric grid, rail road switching, chemical plant control, etc I certainly wouldn't connect it to the public internet."
Nor would most "experienced engineers". However you have to remember that these systems are always built organically, and accountants have a very big say in what happens as they have to "protect share holder value" in the short term not the long term...
Thus if an accountant says the cost of keeping people on site over night or having leased lines run to their houses when "on call" is to expensive, you can pretty much guaranty what they are thinking. And if an experienced engineer say "No way Jose" you and I know that there is always going to be a young inexperienced "eager beaver" at half the wages who will do it, the accountants "efficient" (ie on the cheap) way.
"Just how realistic are these threats?"
The threats are very real SCADA and other control systems usually have little or no realistic security and although designed for high availability they are in most cases not high assurance systems. So whilst not connected to a network this is obviously not an issue, nor is it an issue on a properly designed and implemented private network. It's what happens when somebody connects it to the PSTN via a modem or worse the Internet that the issues start.
Some attacks have happened in the medical industry where it was "mandated" that certain boxes that controlled medical devices all had to be configured to a "script". The problem was the script left the systems vulnerable and some people got in and records and other things where changed (if deliberately or not does not matter) and patient safety was put at risk over a wide area.
Oh and as for the telecoms industry, it has happened so many times one way or another their security is now some of the best there is when it comes to "engineered security'.
When the Telco's security got above a certain bar, those attacking 'for profit' (ie free phone calls) started attacking PABX's with dial up ports. Some charities got absolutely hammered with phone bills.
When PABX's got closed up the 'for profit' attackers went after cellular phones...
With regards to,
"They sound more like an attempt to scare the Congress into coughing up money, than a real attack scenario."
I'm not saying that they are not trying to 'shake down congress' for a piece of the pie, but the problem with defense spending is you only know when you have not spent enough (ie you get attacked) so making value judgments is at best a gut decision, based on experience.
"If these attacks are so easy, why hasn't one occurred yet?"
1, They may well have but it has not been reported.
2, There is not currently sufficient 'profit' or need in attacking them.
3, The systems may not yet be publicly connected.
4, There are currently 'lower hanging fruit' that provide 'profit'.
And a whole bunch of other reasons...
US Cyber Command
There goes the "cyber" term again. Argh!
This whole thing just doesn't "feel right" even if you assume they have the best of intentions.
I'm now trying to imagine my reaction the first time I see someone sporting a US Cyber Command patch :-)
re: "The threats are very real SCADA and other control systems usually have little or no realistic security and although designed for high availability they are in most cases not high assurance systems."
... and, ironically, recent attempts at imposing "security" regulations have made them less, not more, secure.
@Andy: We watch what they do in other matters. If they keep passing laws that give government more control over our lives, vote them out. Even if they give you more money or work to stop big [insert evil here] If they work against liberty in visible matters, they will work against you in secret matters.
That's the teabagger error. There's no reason to believe that there's a correlation between say, being pro-EPA ("government control"), and being pro-spying.
The point is we CAN watch them in visible matters -- so someone can perfectly well cover their ass in the latter, while acting against our interests in the former.
Just look at all the pseudo-libertarian "conservatives" who yell loudly about personal liberty, but when the leaks come out -- there they are, helping the DOD et. al., at every turn.
The invisible is invisible. It can't be deduced. Even the most honest man steals when he knows no one will ever see.
We know our politicians don't have the knowledge. When our politicians believe that Guam will capsize due to overpopulation, we can be fairly sure they're incapable of understanding pretty much anything above 3rd grade.
'... and, ironically, recent attempts at imposing "security" regulations have made them less, not more, secure.'
It is one of the troubles with regulation...
The focus shifts from trying "to do security" to "trying to avoid penalties" at management level.
The regulators nearly always get it wrong on the US side of the puddle simply because they tend to mandate method not provide a framework by which "results" can be achieved.
Mind you it's not much better in other parts of the world either...
Partly because the US insist with things like SabOx that it has global jurisdiction...
Which is instant cop out for other jurisdictions...
@ Chris (7pm on April 19)
Your whole post assumes they are doing something worthwhile, against the right foe, etc. This is an incorrect assumption. The problem is that DOD is redefining the problem so that they can do another power grab. The actions of politicians and generals are not isolated: in many cases, particular proposals heavily benefit certain contractors (one in particular for cyberwar). You also see previous [failed] initiatives like this happen, billions of dollars end up in contractors' pockets, and the generals who pushed these initiatives leave the Pentagon and suddenly have six-figure jobs with the companies that they gave the contracts to. This is not a coincidence.
The DOD is an extremely corrupt, wasteful and totally inefficient organization. They've at times "lost" tens of billions of dollars, bought $140,000 coffee makers, committed propaganda against Americans, and can't even do an audit of their inventory. So, when the DOD pops up and says they need tons of money and more power to implement secret measures to stop a controversial threat, strong skepticism is very much warranted. The only boogeymen are produced by the Pentagon's "think tanks." They keep the war machine in business and many Pentagon workers have actually quit because they were too sickened by this. Their claims are often supported by documents released through FOIA requests, so have no doubt Pentagon will make stuff up to start wars. Every American knows this & it's what I think they are doing here.
The real problem is not that there's an imminent cyberwar and we need to build cyberwar commands, cyberwar infrastructure, etc. (read: fill pockets of defense contractors). The problem is that there's no financial or psychological motivation for solution developers to make secure systems. The DOD is part of that problem. They've made these cyberwar claims before, back in the 80's. They said we needed Class A1, "verified" systems to protect classified information. Several companies spent millions to develop them, but then DOD & NSA changed their mind and started buying Windows & Trusted Solaris in mass because they were cheaper and had more convenience features. Honeywell ended up only selling 35,000 of its SCOMP systems. They said they would never develop ultra-secure systems like that again unless they were certain it would pay off.
DOD's own initiatives, with exception of PKI, have usually totally failed, costed taxpayers astronomically, and included more BS expenditures than useful ones. An example is that many companies have to implement wireless intrusion detection for PCI compliance even if they don't have a wireless network, just in case attackers devices use that wireless spectrum. (wtf!?) That's not a good use of limited security budget, but government requires it. Most of us who actually care about *real* security that's integrated with good risk management tradeoffs don't want the government managing, monitoring and dictating practices on the Internet.
If they can't even secure or cost-effectively manage their simplest problems, how are they going to manage the more complex distributed global IT infrastructures that modern businesses use (in multiple countries)? They can't. They will screw it up. They will abuse it. It will cost us greatly in liberty and money. This almost *always* happens with these kinds of projects. It's why we fought the Clipper initiative that was for *our* benefit, it's why we Americans fought Total Information Awareness, it's why we fight pervasive TPM schemes, and it's why I'm fighting the cyberwar doctrine, infrastructure and command.
Want to help solve the problem? Identify key customer requirements and applications. Get some venture capital or open-source volunteers together. Write a major, useful application using Cleanroom or Correct by Construction or similar low-defect process on a good enough platform using a safe language. Have it thoroghly, independently tested, fixing any flaws. Make sure it leverages the security features of the underlying platform. BAM! One problem solved. If the government provides financial or mandatory incentives to companies, they will all start doing this for at least one product line and anyone using those products will have very low risk in that area.
With widespread technical security in place, attackers will shift almost entirely to insider, social engineering or procedural attacks. Then, people will care more about those and we fight that battle. If we make progress in both areas, we win. Otherwise, we loose. As long as the market doesn't want secure software and DOD is untrustworthy/inefficient/incompetant, no "cyber" command or huge defense contracts will solve these problems. Such false sense of security will only make them worse. "Just say NO!" (or BULLSHIT!)
I would agree that at times, DoD is often wasteful and inefficient at best, and has often recommended or been proponents of solutions that were dubious at best.
Still, your post and others suggest to me that the issue you have is a larger distrust of anything DoD or the Government does, regardless of their motives or concerns. Your argument is a handful of anecdotal accounts of their "biggest blunders", interspersed with sarcasm, cynicism, and blanket statements.
No one would suspect any government or private agency of acting in an entirely altruistic manner all of the time, and the DoD is certainly no exception. But to reflexively attack anything they try to do right and dismiss it out of hand helps no one.
Thanks for the fascinating discussion. I hope that the experts on these matters will write to Senator Levin and the others to make a difference.
Speaking only as a US citizen, I prefer that the DOD or the NSA handle defense issues. Their mission is to protect our country, not to make a profit. As Mr. Clarke pointed out in his talk, I do not see the private sector defending America. How many IT private sector folks would take the pay cut to work for the government to protect us?
How many IT execs go to Congress with these issues besides Bruce? The bottom line for the private sector is the bottom line.
Our government is not perfect, and it is not evil or full of spooky baddies. NSA is not the root of all evil, nor is the DOD. We have a good system in place, we need to bring our checks and balances up to date with technology.
It's not reflexive distrust: it's more like reflexive, intense skepticism. It should be that way: the status quo is that we don't need whatever new intitiave shows up, so the burden of proof is on the promoters (DOD/NSA). There is no proof or anything objectively evaluatable, though. (hmm...). Between people and governments, there's always a power struggle. Government sometimes helps us, but often just helps itself. They constantly try to get more control. My previous statements weren't occasional "anecdotes:" they were a few samples of a mountain of abuses that show a consistent pattern of corrupt behavior overtime. I only listed a few to give the gist of it. If you don't live in the US, don't know of the routine corruption, and need more data to establish a trend, many books and web sites are dedicated to the subject. Finanical waste is a favorite topic in the "funny" section, as the government does enough of it to keep a steady stream of books coming out. Besides, *one* department (Pentagon) loosing hundreds of billions of dollars in waste over over a decade or two is not an anecdote: it's an atrocity for the taxpayers. So, now they want to manage the Internet's security in a useful and cost-effective way. If that doesn't sound crazy, I don't know what does.
The government as a whole causes much measurable damage in the IT regulation space each month, esp. with PCI, for questionable benefit. Most organizations that conform to their CC, FIPS-2, PCI, FISMA, etc. standards are exploited or hit by attackers just as easy as anywhere else. More money appears to be spent on paperwork and compliance issues than security itself. I expect cyberwar intitiaves to be similar. The DOD has never launched *any* initiative that improved commercial security across the board: all initiatives got companies stuck in loads of paperwork and non-essential mandatory features. DOD should only get partial credit for their PKI because that's RSA's independent product that they simply configured/deployed: previous DOD-developed systems failed to achieve their objectives. The NIST has accomplished more positive results, like AES competition and security guides, but they are being overly swayed by NSA recently. After a potential backdoor was found in that ECC random number generator, many are concerned about NSA involvement.
It might seem clear by now that my biggest point is that the DOD is unqualified to do this job. They can't secure their own networks. They make the same financially-motivated decisions businesses do when they use cheaper, less trustworthy guards and OS's. Their plans are classified, making them impossible to evaluate for effectiveness or trustworthiness. Their previous plans gave them control over virtually any American computer, so it's wise to think they might try that again. So far, their version of mandatory regulations has been contradictory to risk management best practices, like how CC demands certain features in a EAL5 system regardless of whether they are needed for the situation at hand. Most studies on DOD show they have too much waste, poor sense of requirements for even most basic systems, and failure within their own systems. GAO's audits have repeatedly confirmed what I'm saying. I haven't even mentioned DHS and TSA's results in their security initiaves. Would you expect the less agile DOD to do better?
So, why should I trust DOD *this* time if they failed most security projects in commercial space? More so, many big attempts included backdoors or policies giving them too much control, so why should we think that's not in their classified plans? Moreover, most of the threat info comes from the specific defense contractors that will make millions on cyberwar efforts. Why should we trust them without carefully scrutinizing their evidence? Wired has a few nice pieces on this below.
Cyberwar Hype Intended To Destroy The Open Internet
Check the Hype - There's no such thing as "cyber"
'Cyber' is short for 'cybernetics', derived from Greek 'kubernetes' (steersman.) It was coined in the 1940s to describe automated control systems--although it applies to biological control mechanisms as well. (Source: Oxford American Dictionary)
Since people don't think of biological cybernetics these days, and mechanical control systems are old fashioned, I see no reason not to use it as a synonym for computer.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.