Schneier on Security
A blog covering security and security technology.
February 1, 2013
Pentagon Staffs Up U.S. Cyber Command
The Washington Post has the story:
The move, requested by the head of the Defense Department's Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians.
The plan calls for the creation of three types of forces under the Cyber Command: "national mission forces" to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; "combat mission forces" to help commanders abroad plan and execute attacks or other offensive operations; and "cyber protection forces" to fortify the Defense Department's networks.
This is a big deal: more stoking of cyber fears, another step toward the militarization of cyberspace, and another ratchet in the cyberwar arms race. Glenn Greenwald has a good essay on this.
Posted on February 1, 2013 at 12:36 PM
I think to call it the militarization of cyberspace is a bit strong. Frankly, what this really is is centralizing the defense of their systems. Network defense in the military is such a hodge-podge of poorly organized bureaucratic nonsense which changes structure and procedure depending on where you are and who you report to. USCC is trying to centralize and standardize efforts so they aren't replicating so much effort and such.
"I think to call it the militarization of cyberspace is a bit strong."
If we treat this article in isolation that might be true. If we consider the greater context, then it is an indication of militarization. That context includes "cyberwar," "cyberoffense," "cyberdefense," "cybercommands," "information warriors," etc. Many militant buzzwords they throw around a lot. Add to it that they're developing "cyberweapons" and stockpiling (rather than fixing) 0-days, then we're closer to the military analogy.
The icing on the cake is when they try to draw battle lines by pointing fingers at countries when sophisticated malware comes from IPs in their country. Regular instances of sophisticated network intrusions become "attacks on the perimeter." And so on.
Wired has covered this stuff plenty. (2010)
And nothing has changed
(Read on the DARPA project and tell me it's not a militarization.)
Newspapers are ostensibly civilian organizations. Noam Chomsky has made compelling arguments otherwise, but at least in theory, they're non-military, civilian.
So these could be considered state attacks on civilians.
This whole stoking the cyber fears to pay the bills is getting old. Really... all these threats are fabricated just to get a bigger budget? Gimme a break. Oh, I know, just stick with a command line, be sure to choose a strong password and everything will be ok.
And as far as those big-pretty-pictures Wired guys are concerned, who cares what they say? When you pick and choose 'references' like that it's nothing more than confirmation bias.
I'm looking at this and other articles today. I have to wonder - what effect are we hoping to have if we go through with this? There's something inherently asymmetric about the stories that I've seen w.r.t. computer system espionage that lead me to conclude that a response in kind is not likely to have a deterrent effect.
These actions seem designed to obtain information by those without it (corp espionage) or to retaliate for the release thereof (e.g. the nyt). If the first kind of attack succeeds, then you can't take that information back - it's been compromised and that's the end of it. The second is more of a nuisance, but the source of this attack has no public presence to maintain or reputation to preserve, so that doesn't work.
To all those that advocate "attack back!", I would ask how such a response would serve to either ameliorate the fallout or to be a deterrent. I just don't see it.
The purpose of the military is to fight wars, and war is the wrong framework.
Suppose the Chinese government sent in an armed commando team to physically occupy the offices of the New York Times. This would be war, and at this point we would be talking in terms of a missile strike or some other military action involving bullets and bombs. However, the thing about a hack attack (or for that matter a non-military spy) is that it would be a seriously bad thing for the US to at this point talk about shooting bullets. If your only options involve "military options" then your responses are either to start World War III or do nothing.
The other problem with "war" as a metaphor is that once you involve national governments you get into the norms and rules that govern the actions of those governments. For example, the US government has been notably quiet about the hacking of the New York Times, and for good reason. If the US government actively condemns the hacking, then they've set up a rule that governments should not use hacking, which means that the US government has pledged not to hack foreign computers. This is something that I don't think the US government is prepared to do, especially since the US government likely has much better hackers than most other governments.
And there are "cure is worse than the disease" issues. I'm sure the NY Times is annoyed at being hacked. I don't think that they are willing to let the Defense Department run their computer networks (or even look at their computer networks) in response to it.
One thing about the military is that they are kept on a very tight leash because societies and politicians are usually worried as much about the military having too much power as they are about the people they are tasked with fighting. If you are doing mall security, you are better off with an unarmed civilian guard than you are with a soldier, since an unarmed civilian guard can detain shoplifters whereas (and this is true in both the US and China for the same reasons) soldiers can't arrest shoplifters.
This is a computer security and redundancy problem and not a military problem.
Also "establishing a perimeter" won't work for most multi-national companies. If you have a security model that excludes the office in Shanghai or Tehran, then it's useless for any multinational corporation.
I've said it in the past a number of times: it's not cyber-war, it's cyber-crime. Even if it's espionage it's still in the main civilian espionage of the sort that was once called Industrial Espionage.
Traditionally crime is investigated by those whose job it is to investigate, detain and prepare a case for prosecution (ie the police) and not those whose investigatory behaviour is to send in a squad of armed recon troops with instructions to use kinetic means of evidence collection and interrogation.
The real problem is "jurisdictional -v- extrajurisdictional", that is, whilst the police have reasonable power within their own jurisdiction their power out of their own jurisdiction is nonexistent without the support of the foreign government. Thus in the past such investigations did not involve either the police or military but Intelligence Officers who had diplomatic status which confers a degree of protection against the foreign government in whose jurisdiction they are carrying out their activities.
A rather worrying trend we have seen over the past fifteen to twenty years has been "peace keeping" activities by the military. In the US troops were rarely if ever trained to do peace-keeping and only a few of the European countries trained troops for peace-keeping activities. The reason is simple: policing is not an activity that fits well on military shoulders, be it from the soldier's or civilian's perspective.
However since 9/11 we have increasingly seen a blurring of the line not just with the militarizing of the police and the military training in peace keeping, but also with the politicos passing laws that they regard as having extra judicial range and thus are imposed on foreign countries, or foreign citizens in international waters.
As a general rule justice by kinetic means generally does not end well, history generally points in the direction of despots, dictators and tyrannical rulers who believe two things, that they have "divine right" and "might is right", thus not just "do as I say" but "do as I say or die", to which in general the response has eventually been civil insurrection and violent deposing of such despots. All in all not good for anyone and a considerable waste of talent, ability and resources.
Developing cyber weapons for cyber warfare is a logical course of action for the US, not so much as a result of what's happened, but what could happen. Suppose a foreign country develops a cyber-weapon that is capable of shutting down most of the US electrical grid for a few days. Without its own cyber-weapons, the US lacks the ability to execute a proportional response. Cyber-weapons give the US military something in the middle of joequant's options of doing nothing and starting WWIII.
Would pay good money to see a modern remix of Dr Strangelove with cyberwar as the theme!