« A Syrian Cordon Sanitaire: Is Israel huffing & puffing, or is it serious ? Alastair Crooke | Main | “Syrian Army on the verge of entering Deir Ezzor from Raqqa” - TTG »

20 July 2017

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

doug

FY 2017 National Defense Authorization Act (NDAA) signed into law by Trump on 23 Dec 2016.

???

The Twisted Genius

doug,

Ha! Good catch. Changed it.

mike

About time we woke up. The weaponizing of the internet has gone on too long to be defended against as a secondary side mission by other agencies.

Let's hope their acquisition arm also has a mandate to specify electronics protection in all DoD systems, not just their own. But instead of trying to make every military system impregnable, they should concentrate on resilient systems with a capacity to quickly bounce back after cyber attacks. IMHO.

I also believe that this new Cyber Command should have some sort of a say-so or advisory role in protecting interests of American civilians and the public sector. Perhaps not direct, but in a supporting role at least. There will be pushback against that.

I'd like to be a fly on the wall when they discuss offensive cyber strategy.

b

Does defense within a country (largely) at peace require constant patrolling in the street?
Does (cyber-)defense within a country (largely) at peace require constant bugging of all systems?

My take is "No" and "No". Prepare the tools and keep them ready but stay out of the streets and systems.

--
Another difficulty here will be the delineation of offense and defense. The cyberfolks tend to dislike defense and to play offense. "Let's keep that 'zero-day' alive for our next attack on XYZ" means to do nothing to fix it in your own country's systems. It is a very bad attitude but seems to be the standard position at NSA and CIA.

If Cybercom does not change that it will be pretty useless for real defense.

It will also -inevitably- duplicate functions that are already there elsewhere. But that is probably a typical U.S. issues. You have two (three?) armies (Army, Marines, SpecOps), two air-forces (Air-force, Navy), two navies (Navy, Coast guard)- so why not have multiple cyber-defense/cyber-attack organizations. Cisco etc will be very happy to supply another large customer.

Old Microbiologist

I only see one glaring problem: posse commitatus. However, this never seems to have stopped the NSA which is also a DOD element. A country which fails to execute its own laws is doomed to lawlessness.

Emad

TTG,

I too dislike mass surveillance. But legislative "reforms" purporting to advance the public interest in encryption, ITC and the Internet have a funny way of getting watered down to irrelevance and legitimizing a more dangerous reality on the ground than what they were supposed to have rectified. So I think if left unchecked for a while, brazen government and corporate surveillance are more likely to result in a genuine mass migration to effective privacy technologies than piecemeal efforts to tame the beast as it were.

As my great uncle Akbar used to say, "Legislation enshrines the balance of power among contestants, not the other way around." In this case, IMHO the balance of power is going to tip in favor of the public when on one hand privacy technologies become so cheap and easy to adopt as to make mass surveillance cost-ineffective, and on the other, the economic value of what is being passed off as private lives of individuals tumbles down to negative. The former needs a major shock to wake people up (more likely with mass surveillance as I said above); the latter is the next step in the evolution of the lives of 20 something iPhone wielding baristas devoid of skills and increasingly unable to earn a living: bots can replicate their lives as easily as they can automate their jobs out of existence.

Rodney

I wonder if we really have any power over these organizations anymore. Sounds to me like corporate hit squad.

Arioch The

> CYBERCOM should be prepared to fight in the data centers and in the networks

...against FBI, CIA and other Clintons' anti-American agents.

Philippe T.

IMO, the more datas, the less informations/intelligence.

More and more people to spy, within more countries, with more spying agencies, though more electronic apps... the zillions of collected datas is impossible to process and interpret. The huge infrastructure and manpower, the robots and algorithms, to build up in order to process these datas are becoming as many vulnerabilities and targets to cyber- and kinetic attacks, leakers, public resentment, etc.

Strategy is dialectic, and paradox is omnipresent.

PhT

The Twisted Genius

mike,

If the new CYBERCOM does eventually have a strong role in setting US cyber policies, I hope it is defense-centric much like what existed in the original JTF-CND. I'd like to be a real push for ubiquitous encryption (God, I love that phrase.) and resiliency.

I also want to see CYBERCOM develop a new relationship with the private sector drawing from some of the lessons learned by Russian and Chinese cyber operations and even ground operations in the R+6 in Syria. Companies like Equinix and Verizon should be viewed as local defense forces. They can handle the day to day system attacks on their own with their own and contracted resources. However, whenever large scale, widespread or critical attacks or events occur, CYBERCOM could assume leadership to lead the defense and possible counterattack. These large private companies that control massive swaths of our information infrastructure would be deputized to conduct the defense. One could also use the letter of marque as a model to facilitate these companies in defending the networks. I mention Syria as an example because the SAA is largely dependent on various militias as well as allies to defend Syria. Our government and private sector have to develop a much more effective way of working together than what we have now.

Lastly, I want to see the defensive mission take precedence over the current "collect it all" approach espoused by the IC. Defending the networks at home must take precedence over offensive missions overseas in both resources and mindset.

The Twisted Genius

b,

When a country is under attack, constant patrolling is needed. Our IT infrastructure, information and even our psychological space are under near constant assault. I think we need to defend ourselves. Your point of our current emphasis on offense rather than defense is correct. As I told Mike, the defense needs to take precedence over the offense and the "collect it all" mentality. Encryption and privacy should be cornerstones of this new defensive attitude.

The Twisted Genius

OMB,

That will depend on where the line between criminal activity and foreign attack is made. Even most terrorist attacks are handled as criminal acts rather than foreign attacks on the homeland. The same rational thought has to be applied in cyberspace.

egl

This will end up as one more reason to insist on backdoors in encryption systems--not what you should want if you care about individual liberty and privacy.

mike

TTG -

Letters of Marque? I like the concept but how would that work. Privateers were primarily an offensive against an enemies LOCs. How would you work that into a defense? Guess they could get paid for each foiled attack.

And some privateers later ended up as pirates, or cheats claiming illegitimate prizes. Not that Verizon or Equinix would stoop to that but there are plenty of fringe companies out there teetering on bankruptcy that could be tempted.

Chris Chuba

This looks to be more offensive rather than defensive in nature.

A real operation protecting our NW's would mutually disarm both us and any countries we entered into agreements with. Putin hinted at this by saying that the Russians could provide access to their data centers to track criminals (or by extension state actors) and agreements could be worked out on what meta-data needed to be saved. Now of course the Russians would expect reciprocation and this would in effect shut down our cyber operations against them.

I suspect that we believe that we have an edge against the Russians in cyber warfare which is why we are not interested in pursuing a treaty on the matter.

I'm certain TTG understands the technical matters better than I do and he can tell me if I am way off the chart here. While I do work in software, I don't work in security and I know what I don't know :-).

One thing I'd love to see developed is a means to detect if stolen information has been altered. It's bad enough that information is hacked, but forgery after hacking would be an order of magnitude worse.

The Twisted Genius

egl,

You're reading this wrong. A defensive mindset will insist on the elimination of backdoors, crippled encryption and hoarding of vulnerabilities (0-days) for use in intelligence gathering and offensive operations. There will always be this conflict between the two mindsets, but it's time for defense and security to take precedence.

The Twisted Genius

mike,

The talk of letters of Marque has been around for years in the community. A lot more thought has to go into it beyond legal protection and issuance of get out of jail free cards. But since so much expertise and capability exists outside of government, it's a concept that should be explored.

b

"Our IT infrastructure, information and even our psychological space are under near constant assault. "

Oh, come on. Those ain't IT attacks. It is some white noise and probably some light pin pricks. No one so far set all U.S. bank accounts to zero or induced critical fluctuations in all your electricity network. A real attack would look much different that what you now perceive as attack.

The danger for the U.S. "psychological space" has always been from the U.S. itself (see the current "liberal" neo-McCarthy wave). Even more dangerous are the hyper-nationalistic and militaristic attitudes throughout your culture. The CIA and Pentagon have heavily influenced (if not written) 1,800 movies and TV shows in the last decade or so. All to promote war and torture and to suppress any criticism of those organizations. That is an assault in size and result no (other) enemy of the people could ever hope to achieve.
https://medium.com/insurge-intelligence/exclusive-documents-expose-direct-us-military-intelligence-influence-on-1-800-movies-and-tv-shows-36433107c307

readerOfTeaLeaves

TTG wrote:
"...I think CYBERCOM should be prepared to fight in the data centers and in the networks and not just against some once in a lifetime existential cyber attack. This will require clear policies and procedures to be enunciated at the NCA level and accepted by the American public..."

I'm in the 'amen choir' on this one.
But "...clear policies and procedures..." don't tend to generate as many billable hours as layers of policy machicolations 8(
Here's hoping that someone has the guts and vision to aim for 'simple, doable, and cheap'.

The Twisted Genius

ROTL,

"Here's hoping that someone has the guts and vision to aim for 'simple, doable, and cheap'."

I got roped into the DIA task force addressing the Y2K problem. At the time I thought it was a PITA, but I look back on it now with fond memories. We worked with people from governments and private industry from around the world to solve a problem with a firmly fixed deadline. We came up with hundreds of solutions and work arounds and shared them with everybody. It was like the international cooperation in the film "Independence Day." The solutions were mostly simple, doable and cheap. It ended up being a nothing event, but that was because of the two years of work that preceded Y2K. If we could get a mindset of security, privacy and defense going in the new CYBERCOM, I think we can do this again.

Peter AU

I read, I think a Sputnik article, that china has now linked some of their military with quantum communications. I take it this is short range through fibre optic cable (I think max range for fiber optic a little over 100k's) but recently successfully tested sending via satellite.
Rather than just using quantum entanglement as an encryption key, full text communications are being sent.

"...hopes of intensifying America's ability to wage cyberwar against the Islamic State group"
As soon as ISIS is evoked as a reason for anything, can safely assume it is bullshit.
If the US at any point in time were wanting to destroy ISIS, they would have taken out the oil convoys.
Seems most likely to be used to conduct ongoing cyber warfare against Russia and China, sabotage and so forth, but the way China is moving ahead with quantum computing and coms.. US cyber warfare may be just flailing around in the dark?

The Twisted Genius

Richardstevenhack,

What you describe is a generally accurate view of the present state of play, not totally accurate, but close enough. This new CYBERCOM with new policy powers is a chance to change that and that's worth fighting for.

sid_finster

Celine's First Law Edit

National Security is the chief cause of national insecurity.

steve

Sort of OT question, but only sort of. The rumors I have heard suggest that this CYBERCOM would be recruiting people who would not conventionally fit into the military. Is that true? I certainly have mixed feelings about that. I think there is some value in an organization have shared values, culture, etc. OTOH, from our work with kids at our high school, we have certainly worked with a few math/computer smart kids who would probably, I am guessing, work well with a true cuber unit who would never make it through boot camp.

Steve

The Twisted Genius

steve,

The kind of people who are good at this cyber stuff are not the kind of people good at living in a government bureaucracy. There are NSA and CIA offices that have become safe havens capable of shielding these types from the every day bureaucratic abrasions. One of the proposals put forth for the new CYBERCOM is to allow for more short term assignments so there is more movement between private industry and CYBERCOM. Another point to remember is that CYBERCOM is not going to be very large, no more than a few hundred. DIA has well under a hundred personnel dedicated to this area, now probably exclusively on the analytical side. FireEye dwarfs DIA's capabilities except for DIA's access to classified information.

If CYBERCOM is going to be at all effective, they have to find a way to integrate themselves with the private industry side. And I don't mean the contractors. I mean the big players like Verizon, Equinix, Cisco, Juniper, Microsoft and Apple. That's where the manpower for network defense is located.

The comments to this entry are closed.

My Photo

February 2021

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28            
Blog powered by Typepad