If this article is actually indicative of how our electronic security is being managed, the United States is in serious trouble.
"It was supposed to be a war fighter unit, not a geek unit," said task force veteran Jason Healey, who had served as an Air Force signals intelligence officer.
A fighter would understand, for instance, if an enemy had penetrated the networks and changed coordinates or target times, said Dusty Rhoads, a retired Air Force colonel and former F-117 pilot who recruited the original task force members. "A techie wouldn't have a clue," he said.
Unfortunately, it's unlikely that the warrior would either know how to defend the network, or that it was penetrated at all. The skills necessary for electronic security are so far removed from physical security that the implication that someone that had been involved with physical security would somehow have a better understanding is ludicrous on its face.
The key point: In the world of defending military networks, it takes fighters - not merely techies - to do the job.
All that means is you need someone with domain knowledge. You need someone who can recognize non-technical signs of infiltration, who knows the value of different targets, and who knows the consequences of a particular system being compromised at a particular time. For military work, that means "fighters." The military's mistake, if indeed they're making this mistake, is taking it for granted that the best way to create good leaders and decision-makers is to train military guys in computer security, when they really need to open it up from both sides. Anybody who writes software in business knows that the really effective people who understand the technical and domain ends well enough to coordinate them emerge from both sides of the business, not just from the technical side and not just from the domain side.
P.S. I would be most alarmed by the small size of the Cyber Command, but I assume it's misinformation.
The Cyber Command is a combatant command (like CENTCOM or AFRICOM) - just a staff/HQ organization. It directs the service components (US Navy Cyber Command, US Air Force Cyber Command, etc.) to actually DO things for it.
It won't typically staff actual workerbees - only planning and coordination type personnel, not hackers and firewall geeks.
apart from what dkarl said, the geeks tend to take the moral high ground (at least the good onces). They cannot and will not be able to have that military approach towards this.
I am just saying if you were told that your algorithm will be used to kill a few hundred people, most of the geeks will be caught in a moral jam b/w their patriotic duties and there self righteousness.
On the other hand, deploying a virus to bring Iran's nuclear enrichment effort to an undignified halt sounds enormously preferable to the alternatives of bombing it or getting into a shooting war.
From a historical perspective I can see why Iran would have a chip on its shoulder, a violent distrust of the west, and the belief that nuclear weapons are the only credible path to long-term security. I see no point in antagonizing them for another generation or two. On the other hand, theocratic dictatorships have a bad track record, and the regime's political autonomy has came at the expense of its citizens'. Impeding their progress at no cost in human life or political capital is a win in my view, both strategically and ethically.
I agree that many situations are far more ambiguous. If you asked me to shut down a hospital on the premise that it would destabilize a rotten corrupt regime, I would be skeptical of whether the hoped-for benefit outweighed the certainty of harm. Geopolitics is not an idealists' pursuit, but we can do better than select optimistic expediency as our guiding strategy.
Uhm... You get great pilots to fly planes and great hackers to defend / attack networks. Having a pilot pick programmers is as stupid as having the MBA choose them.
The services haven't had Infosec personnel long enough to really have many senior people with that background. So they pick from the pool of people who need desk jobs - like grounded pilots.
The vast majority of infosec leadership in the services that I've encountered has been grounded pilots.
Your forgetting that some fighter pilots are actually trained in engineering either before they are commissioned, or as part of their training, including test pilot school which as much about engineering as actual flying.
I know a pilot who didn't go to the fleet, went to Ft Meade instead. Flying jets is quite technical, and understanding avionics is not that much different than understanding a network.
I'm pretty convinced that all the publicity accorded to the "US Cyber Command" is a decoy, meant (a) to command the attention of the public, (b) send a message that the government is taking the issue seriously, and (c) deflect questions from the real efforts the national security establishment is making to grapple with offensive technology.
I know much less about military/intelligence computing than a lot of other security people, but in a career spent neck-deep in vulnerability research, you get data points in dribs and drabs. They include:
* The immense role of military contractors in securing DHS/DOD networks.
* The NSA's (incidental) role as a feeder for offensive computing specialists into industry.
* The (very shadowy) network of business fronts for vulnerability purchasing, along with the notional understanding of the kinds of vulnerabilities they seem most interested.
* The large, contractor-run malware research groups set up around the country.
There are serious infosec people in the DoD --- particular the Air Force[1] --- but I don't have the sense that DoD runs the show on this. I think articles like this are a red herring.
[1] During the early '90s hacker rennaissance (the Operation Sun-Devil era), AF-OSI really did seem to run the table on computer security for the government.
I wholeheartedly agree that DoD isn't running the show on anything infosec related. There's a reason General Alexander is DIRNSA AND COMUSCYBERCOM. That's also the same reason LTG Pollett (head of the Defense Information Systems Agency) isn't COMUSCYBERCOM.
With that said, until USCC realizes that you can't buy security, and that operational units need to be held responsible for their security on the network to the same level that they are in the kinetic space, this is going to just continue to be a money-burning cluster.
There are SMART, talented people working in information security for the government - they're (in general) NOT the ones running the show, or even advising the ones running the show. Most of the ones I've met are working for intelligence agencies - and there is a large amount of rice-bowling and animosity between the services and agencies (such as DISA, NSA and now USCC).
Until someone upstairs (STRATCOM, CYBERCOM, Joint Chiefs, etc.) starts firing people, I don't think anything is going to change though.
This was a great comment, but we might be talking about different things; you're talking about the government securing its own systems (a task it has largely outsourced, much to the detriment of mankind) and I'm talking about the government doing... other things.
> (b) send a message that the government is taking the issue seriously
are you serious? the whole article seems to be written by, for and about 5 year olds. Did you get to the part where they talk about planning to bomb Iraq when it turns out they were hacked by some teenagers? how much attention and seriousness is that inserting into US population?
> The immense role of military contractors in securing DHS/DOD networks.
The immense role of contractors in DoD budget is not exactly news
> The large, contractor-run malware research groups set up around the country.
I don't think you're catching my subtext. The goal of planting this story certainly isn't to make the public more clueful about how infosec actually works.
When it comes to information infrastructure and security issues, the general population's idea is not that far ahead of GI Joe. This seems like such obvious disinformation that I'm surprised they didn't include a reference of operation Screaming Fist as an in-joke.
My hunch is that the purpose of fluff like this is to float the topic of information security just enough to blur the background now that the stuxnet story is hitting the mainstream (http://news.google.com/news/story?hl=en&q=virus+siemens+...).
"It looked as though Saddam was about to take down massive amounts of infrastructure . . . because we were threatening to bomb him," recalled one former intelligence official. Tensions were building. President Bill Clinton was briefed. Senior officials convened another meeting in the Pentagon's "tank," the Joint Chiefs' conference room. The threat was no longer hypothetical, it seemed.
Then the real culprits were identified: A pair of 16-year-old boys in California and a teenager from Israel who had exploited a known vulnerability in the Solaris (UNIX) operating system.
I attended a military conference once on future threats.
They don't understand the Internet.
I mean, at all.
Imagine every stereotype about how old people don't get the Internet. That is the stage of thinking the military is still at.
One of them was trying to futuristically imagine Internet-coordinated mob attacks, and I got up in front of the conference and told them that this was already happening in real life and they needed to ask a fourteen-year-old how it works on 4chan instead of making things up.
24 comments
[ 4.6 ms ] story [ 75.2 ms ] thread"It was supposed to be a war fighter unit, not a geek unit," said task force veteran Jason Healey, who had served as an Air Force signals intelligence officer.
A fighter would understand, for instance, if an enemy had penetrated the networks and changed coordinates or target times, said Dusty Rhoads, a retired Air Force colonel and former F-117 pilot who recruited the original task force members. "A techie wouldn't have a clue," he said.
Unfortunately, it's unlikely that the warrior would either know how to defend the network, or that it was penetrated at all. The skills necessary for electronic security are so far removed from physical security that the implication that someone that had been involved with physical security would somehow have a better understanding is ludicrous on its face.
All that means is you need someone with domain knowledge. You need someone who can recognize non-technical signs of infiltration, who knows the value of different targets, and who knows the consequences of a particular system being compromised at a particular time. For military work, that means "fighters." The military's mistake, if indeed they're making this mistake, is taking it for granted that the best way to create good leaders and decision-makers is to train military guys in computer security, when they really need to open it up from both sides. Anybody who writes software in business knows that the really effective people who understand the technical and domain ends well enough to coordinate them emerge from both sides of the business, not just from the technical side and not just from the domain side.
P.S. I would be most alarmed by the small size of the Cyber Command, but I assume it's misinformation.
The Cyber Command is a combatant command (like CENTCOM or AFRICOM) - just a staff/HQ organization. It directs the service components (US Navy Cyber Command, US Air Force Cyber Command, etc.) to actually DO things for it.
It won't typically staff actual workerbees - only planning and coordination type personnel, not hackers and firewall geeks.
I am just saying if you were told that your algorithm will be used to kill a few hundred people, most of the geeks will be caught in a moral jam b/w their patriotic duties and there self righteousness.
From a historical perspective I can see why Iran would have a chip on its shoulder, a violent distrust of the west, and the belief that nuclear weapons are the only credible path to long-term security. I see no point in antagonizing them for another generation or two. On the other hand, theocratic dictatorships have a bad track record, and the regime's political autonomy has came at the expense of its citizens'. Impeding their progress at no cost in human life or political capital is a win in my view, both strategically and ethically.
I agree that many situations are far more ambiguous. If you asked me to shut down a hospital on the premise that it would destabilize a rotten corrupt regime, I would be skeptical of whether the hoped-for benefit outweighed the certainty of harm. Geopolitics is not an idealists' pursuit, but we can do better than select optimistic expediency as our guiding strategy.
The vast majority of infosec leadership in the services that I've encountered has been grounded pilots.
It goes as well as it sounds like it would.
I know a pilot who didn't go to the fleet, went to Ft Meade instead. Flying jets is quite technical, and understanding avionics is not that much different than understanding a network.
I know much less about military/intelligence computing than a lot of other security people, but in a career spent neck-deep in vulnerability research, you get data points in dribs and drabs. They include:
* The immense role of military contractors in securing DHS/DOD networks.
* The NSA's (incidental) role as a feeder for offensive computing specialists into industry.
* The (very shadowy) network of business fronts for vulnerability purchasing, along with the notional understanding of the kinds of vulnerabilities they seem most interested.
* The large, contractor-run malware research groups set up around the country.
There are serious infosec people in the DoD --- particular the Air Force[1] --- but I don't have the sense that DoD runs the show on this. I think articles like this are a red herring.
[1] During the early '90s hacker rennaissance (the Operation Sun-Devil era), AF-OSI really did seem to run the table on computer security for the government.
With that said, until USCC realizes that you can't buy security, and that operational units need to be held responsible for their security on the network to the same level that they are in the kinetic space, this is going to just continue to be a money-burning cluster.
There are SMART, talented people working in information security for the government - they're (in general) NOT the ones running the show, or even advising the ones running the show. Most of the ones I've met are working for intelligence agencies - and there is a large amount of rice-bowling and animosity between the services and agencies (such as DISA, NSA and now USCC).
Until someone upstairs (STRATCOM, CYBERCOM, Joint Chiefs, etc.) starts firing people, I don't think anything is going to change though.
> (b) send a message that the government is taking the issue seriously
are you serious? the whole article seems to be written by, for and about 5 year olds. Did you get to the part where they talk about planning to bomb Iraq when it turns out they were hacked by some teenagers? how much attention and seriousness is that inserting into US population?
> The immense role of military contractors in securing DHS/DOD networks.
The immense role of contractors in DoD budget is not exactly news
> The large, contractor-run malware research groups set up around the country.
any evidence?
No, I'm not going to offer you evidence.
My hunch is that the purpose of fluff like this is to float the topic of information security just enough to blur the background now that the stuxnet story is hitting the mainstream (http://news.google.com/news/story?hl=en&q=virus+siemens+...).
"It looked as though Saddam was about to take down massive amounts of infrastructure . . . because we were threatening to bomb him," recalled one former intelligence official. Tensions were building. President Bill Clinton was briefed. Senior officials convened another meeting in the Pentagon's "tank," the Joint Chiefs' conference room. The threat was no longer hypothetical, it seemed.
Then the real culprits were identified: A pair of 16-year-old boys in California and a teenager from Israel who had exploited a known vulnerability in the Solaris (UNIX) operating system.
They don't understand the Internet.
I mean, at all.
Imagine every stereotype about how old people don't get the Internet. That is the stage of thinking the military is still at.
One of them was trying to futuristically imagine Internet-coordinated mob attacks, and I got up in front of the conference and told them that this was already happening in real life and they needed to ask a fourteen-year-old how it works on 4chan instead of making things up.