There’s a diagram floating around the internet that would give even the staunchest bureaucrat a panic attack. Developed by the Deputy Assistant Secretary of Defense (DASD) for Cyber Identity and Information Assurance, it’s a 193-box behemoth showing how the various arcane security policies adopted by the Department of Defense fit together. Taken collectively, they describe the security architecture supporting the Global Information Grid (GIG), the Department of Defense’s worldwide information network, and they underpin an ongoing effort by the Pentagon to protect itself in cyberspace.
The Pentagon has had its fair share of cultural shifts in the past few decades. Twenty-five years ago, the world looked markedly different. Its largest single enemy was on the other side of the Bering Strait, where a young Sarah Palin might have espied it (had she ever traveled to Little Diomede, one of the few places in Alaska from which the former Soviet Union can be seen).
These days, Palin and her contemporaries can see America’s enemies everywhere, and nowhere. The fall of the Berlin Wall, followed by the collapse of the Twin Towers, has created a world in which thousands of non-state actors, and hundreds of state-level ones, all target US interests. The US military is sized to fight two major operations at once (the traditional yardstick of force capability), so an all-out strike against it would be ill-advised. Why not focus, instead, on permeating increasingly amorphous borders, both physical and digital?
Another Toothless Czar
For all of cyberspace’s William Gibsonesque connotations, the digital and physical worlds are inseparable. Those who attacked the networks of private US military contractors between 2007 and 2009 and stole details of the $300bn Joint Strike Fighter project demonstrated that clearly. They obtained intellectual property about crucial parts of the aircraft’s operation before it had even been completed.
No wonder the Pentagon has been placing increasing importance on the need to defend itself in cyberspace. Its efforts culminated in the launch of US Cyber Command, which achieved full operational capability at the end of October, as the Pentagon announced in early November. The unit, headed by Gen. Keith Alexander, coordinates the cybersecurity activities of the various branches of the military.
Alexander is a heavy-hitter in the government’s intelligence community. He serves a dual role as director of the National Security Agency, demonstrating the extent to which the US Cyber Command and the ultra-secretive, technologically advanced NSA will work together.
Alexander’s appointment highlights a fundamental difference between the military’s approach and that of the civilian government. The civilian government speaks with many voices, and some think that its attempt to coordinate a cybersecurity response lacks power. Pat Clawson, chair and CEO of IT infrastructure protection company Lumension, argues that the federal government’s appointment of Howard Schmidt as cybersecurity coordinator, the so-called cyber-czar role, is a toothless move.
“In some ways, appointing Howard Schmidt to his role doesn’t do anything to help us. He has zero budget, and zero policy-making capability”, Clawson protests. “The White House needs to wake up.”
Alexander, conversely, draws together a number of existing, well-funded cybersecurity efforts within the military. US Cyber Command marshals the US Navy’s Tenth Fleet (formerly an anti-submarine unit, now recast as the Navy’s cyber fleet), the 24th Air Force, which became fully operational in October, and Marine Corps Forces Cyberspace Command. US Army Cyber Command is another unit underpinning the broader US Cyber Command effort.
US Cyber Command operates under US Strategic Command (STRATCOM), which is the arm of the military responsible for protecting US global interests. Its Joint Operations Center draws together two formerly separate operations: the Joint Task Force for Global Network Operations and the Joint Functional Component Command for Network Warfare.
It’s ironic that STRATCOM – which has historically been responsible for that most monolithic of US weapons, its nuclear strike capability – should now be controlling a unit that has to fight a different war altogether.
The rules of 21st-century cyberwarfare differ wildly from those of 20th-century physical conflict. William Lynn, US Deputy Secretary of Defense, outlined some of the differences in a recent article for Foreign Affairs, timed to coincide with Cyber Command’s operational readiness.
He identified asymmetry as one of the biggest differences between the old, physical warfare and the modern, digital one. It takes money and time to build a nuclear weapons program or physical army. Lynn points out that the cost of entry for cyber-attackers is minimal. So, while the Pentagon spends billions on protecting its networks, attackers armed with the digital equivalent of a cheap suitcase bomb or IED need only be lucky once.
Second, the concept of deterrence that kept the world in check during the Cold War doesn’t work anymore, because it is difficult to identify the source of an attack. The Joint Strike Fighter attacks were mounted from servers in China, but the location of the servers alone does not prove that the attackers were located there. “The attribution aspect of cyberwar is very difficult. Who do you launch the missiles at?”, asks Eddie Schwartz, chief security officer at network monitoring tools company NetWitness, who works extensively with government clients, including the Pentagon.
This, in turn, presents challenges for the Monroe Doctrine for cyberspace, suggested by Oracle CSO Mary Ann Davidson last March.
She said that the US should be prepared to respond to attacks against its ‘cyber-soil’ effectively, but she acknowledged that attribution is a problem. “Just enough attribution may be sufficient for purposes of ‘shot-over-the-bow warnings’, even if it would be insufficient for escalated forms of retaliation”, Davidson suggested.
New Rules of Engagement
The low cost of entry for attackers, combined with the problem of attribution, makes it very difficult to take advantage of what was one of the saving graces of the Cold War nuclear era: arms control.
The Nuclear Non-Proliferation Treaty (NPT), which came into force in 1970, offered signatories nuclear energy technology in exchange for a commitment not to use the know-how to develop weapons. There is no NPT in computer security, however, save perhaps for export-control regimes such as the International Traffic in Arms Regulations (ITAR), which restrict the export of weapons technology and which, until the late 1990s, also covered strong cryptography. World-class operating systems designed specifically for penetration testing are downloadable for free. In 2008, malware infected a large number of US military computers after a foreign intelligence agency introduced it via an ordinary USB flash drive.
The DoD has enough of a challenge controlling its own tools. One of the problems Lynn highlighted in his article was supply-chain security. During the Cold War, the only country involved in making the nuclear weapons that rolled out of the Pantex plant in Amarillo, Texas, was the US itself. But today’s computer systems come from the private sector, and thanks to a sea change in the US economy since the seventies, much computing equipment is made in places like China, which has a vested interest in compromising US systems. Ensuring that all of the code and components that make up a switch or server are free of deliberately inserted malicious logic is no mean feat, especially when many of these systems are assembled at sub-tier manufacturing facilities all over Asia, each of which is a point at which a part could be substituted or modified.
As Slow as a Government Bureaucrat
The DoD uses a Trusted Foundry Program, originally set up under a contract with IBM to provide it with ‘safe’ chips from IBM’s Vermont fabrication plant. In 2008, it expanded the program to cover a far broader range of microelectronics suppliers.
This increasing reliance on partnerships with the private sector is crucial to the Pentagon’s security. One of the problems for the DoD as it tries to keep up with its attackers’ increasing velocity is its own sluggishness. Mired in military bureaucracy, the Pentagon takes an average of almost seven years (81 months, by Lynn’s count) to deploy a new computer system after it has been funded. As Lynn points out, the iPhone was developed in two.
The DoD has been working hard to make itself more agile by increasing its partnerships with private companies, while preserving its security by regulating its interactions with them. It uses its Small Business Innovation Research (SBIR) program to help, explains Hugh Thomson, program committee chairman of the RSA Conferences and founder and chief security strategist at People Security. “SBIR looks for technology that they may find useful five years down the road. They pick a group, fund them with a small amount of money, usually around $100k. Based on phase-one results, they move them to phase two, which is prototype. And then phase three is turning it into a commercial entity that they can buy things from.”
The Internet Sandbox
While it milks the private sector for solutions, what will the Pentagon’s approach to the rest of the federal government be? It is significant that the DoD has been omitted from some notable federal cybersecurity projects, such as the Office of Management and Budget’s Trusted Internet Connections initiative and Einstein, the intrusion detection system developed by the Department of Homeland Security. The consensus seems to be that the DoD will draw what is useful from the federal effort while implementing its own technologies, too.
Toeing the federal government’s security line will only be useful up to a point, says Schwartz. “Anti-virus won’t catch half the stuff that’s thrown at [the DoD] anyway”, he argues. “Certain aspects of the government will make a best effort at the stuff that doesn’t matter so much, but will spend a lot of time deploying commercial off-the-shelf products that are forward leaning.”
In the meantime, the DoD has some incredible projects up its sleeve, including the National Cyber Range, an initiative from the Defense Advanced Research Projects Agency (DARPA), the same organization whose ARPANET was the forerunner of the internet. The $130m project is recreating the Global Information Grid as a set of test suites that can be used, either individually or in unison, to create conditions similar to those of large-scale networks, complete with software bots designed to emulate human behavior. Put simplistically, it gives government security experts a playpen internet in which to test attack and defense techniques without touching production networks.
With this kind of project in the offing, the Pentagon is clearly serious about cybersecurity. Although Cyber Command draws its forces from the existing services rather than replacing them, it could almost be viewed as a separate arm of the military altogether. It should provide those wishing to harm the US with food for thought.