Ask Lt. Col. John Bircher About Cyber Warfare Concepts
The Air Force is not the only U.S. military branch trying to come to grips with the electronic side of warfare, both current and future. The U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent (USACEWP), located at Fort Leavenworth, Kansas — home to the U.S. Army's Combined Arms Center — serves as the Army's hub for cyber-electronic concepts and capabilities. This is the organization responsible for developing doctrine, materiel and training to prepare the Army for cyber-electronic engagements. For example, USACEWP has developed training teams to ensure that U.S. commanders and soldiers around the world are fully informed of cyber-electronic capabilities at their disposal. Leading the Proponent's Futures branch is Lt. Col. John "Chip" Bircher; Bircher entered the Army in 1989 as an Infantry officer, then served in various command and staff positions, most recently Information Operations (IO). He was the IO Chief for the 25th Infantry Division (Light), Hawaii, and Director of IO for Combined Joint Task Force -76, Bagram, Afghanistan. If you want to know more about the realities and challenges that face an armed, global IT department in a time when electronic warfare is ever more important and dangerous, now's your chance to ask Lt. Col. Bircher some questions. We'll pass on the highest-moderated questions for Lt. Col. Bircher to answer. Usual Slashdot interview rules apply.
What is the best way to falsify and then pass on phoney intelligence to fool the country into supporting a war for oil?
Please give specific ways to manipulate government agencies in pursuit of this goal.
George W Bush used the National Intelligence Estimate to great effect, but is that still the best tool for the job?
Wait a second. Aren't members of the John Birch Society called "John Birchers"? If so, I'd say this poor bastard has an unfortunate name.
I write sci-fi for metalheads
Does the US Army take advantage of traditional misconfiguration and social engineering techniques in order to compromise a network, or is the US government developing a homegrown list of exploits to gain access to foreign government systems?
How does the military ensure that it is operating within the law regarding online military offensive activities? Are there any laws or oversight, as such? If so, how are those laws and/or oversight affected by a declaration of war?
steampunk web design
I'm interested in why so many sensitive networks are even hooked up to the internet in the first place, or why trivial systems are so often bundled with sensitive ones under the same security frameworks.
Why aren't there more isolated networks that would require physical contact or interception to get to in the first place? Do sensitive systems really need any connection at all to the conventional internet in the first place?
I know that many places in the DoD do take this approach (people having one computer for safe email and browsing, and a completely different computer for sensitive intel), and certainly it's more expensive and less convenient. But when the internet is basically just a big pathway leading directly to your backdoor, why take any chance at all, ever?
The Bad Idea Blog - Science, Skepticism, & Stupid
What, specifically, would be a "cyber-electronic engagement".
Include examples.
Compare/contrast with traditional forms of intelligence gathering (wiretaps, listening devices, etc) and their counter-measures.
With the political tilt as it is, a large part of the software development community is likely prejudiced against helping our country. With this in mind, how do you recruit the most creative and skilled people that this country has to offer?
I doubt you could REALLY answer this, but is the US military playing any sort of role in the semi-underground "hacker war" that appears to be going on between China and the US?
With an ever increasing amount of information on the battle field, how would you limit risk when Murphy's law is not functioning in your favour?
keyboard mouse
If so, would basic training be to train us to stay up all night, living on pizza, soda, Skittles, and porn?
If so, where do I sign up?!?
Since the Air Force is the U.S. military branch claiming dominance in "cyberspace" (along with air and space), how do you view the Army's relationship with the Air Force in "cyberspace"? Will the Army seek to take over all of the "cyberspace warfare", carve out its own niche in cyberspace, or peacefully coexist with the Air Force?
With respect to leadership in this area across the DoD, do you feel that the Air Force being denied the program executive role for all DoD UAV endeavors represents an opportunity for the Army to increase its role with respect to UAVs (as many people see cyberspace and UAVs to be inextricably linked)?
Without diving into details that compromise security, can you reveal anything about the types or quantities of attacks that the US military is able to fend off, and how often they are faced?
What is the U.S. Army doing to protect U.S. sensitive information from the frequent number of cyber-attacks originating from inside the People's Republic of China? Is it primarily defensive?
Gentlemen! You can't fight in here, this is the war room!
...about peace, not warfare.
Does the US Air Force, or any branch of the armed services, currently recruit for cyber-related positions directly? Or is it a requirement that all members come out of the standard armed services personnel? If there is currently no system for recruiting the best and brightest CS/IT/Security personnel from the civilian population, would that ever be considered?
Conventional military is bound by the Geneva convention. To date, there is no international law governing military info-war. Are you therefore no longer bound not to attack civilian targets? Is scrambling hospital records to create civilian deaths by mistreatment considered a valid attack?
the world's most insecure operating system? Seriously, I just had to go through the Army accreditation process at work, and all the guidelines basically say that Windows is the most secure according to the Army. Several of the policies do nothing to increase security but are Windows-only features, a not so subtle hint that if you want to be "secure" you should be using Windows. The policies also state that since open source is "unsupported" you should use a commercial OS unless you can find "support" for the open source software. The scrutiny that the Linux/Unix machines are put through is MUCH more than Windows machines are. Windows machines are basically said to be "secure" if you apply all the patches and set a couple of settings. It's as if the Army considers Windows to be the most secure instead of the least secure. The whole security accreditation process seemed to be a giant push for us to move to Windows, which means that in my opinion the whole exercise was intellectually bankrupt. Why does the Army continue to push Windows despite its absolutely horrendous security track record?
That's COUNTER-TROLL to you.
What kind of proactive steps are being taken in advance of any cyber dust-ups? We frequently see articles that talk about security holes used for attacks that could have been closed earlier. Is closing these security holes a priority? Also, with increasing numbers of infrastructure control systems (power grid, etc.) being attached to the internet, is the defense of targets like these being attended to?
Mon chien, il n'a pas du nez. Comment scent-il? Très mauvais!
I doubt that he'll answer ANYTHING with any details. This will be a recruiting and PR piece. His "answers" will be vetted by at least 3 different agencies and any content will have been removed.
Given that the most likely targets for cyber warfare are civilian targets, and that the perpetrators will likely be either non-government organizations or non-military employees of foreign governments, how do you see the jurisdiction question playing out? In particular, at what point are there handoffs in investigation, arrest, and prosecution between the US military, the FBI, and local authorities of affected civilian targets?
Everybody gets what the majority deserves.
What steps is the Army taking to avoid overlap with the Air Force's "cyber warfare" program(s)? Is avoiding overlap considered necessary, or is redundancy considered a good thing? Are there plans to collaborate on large scale with the Air Force, or keep the programs isolated from one another?
Can we see some definitive numbers on what the pay scale will be? For example there is http://www.airforce.com/careers/paychart/index.php
In the event of a "Cyber Attack" (read we go after them) would the task force secure source code, to search for hidden vectors of attack?
I realize this is based on the assumption that we know what OS and programs they are running, but Windows for instance, it's reasonable to assume that most computer users use some form of it either legally acquired or illegally.
I am Bennett Haselton! I am Bennett Haselton!
And if there actually is a "Hacker War" between us ... and if our military is currently playing a role in such ... are there any civilian applications that will be released to help defend our non-military assets (corporations, education, etc)?
Example: the NSA has worked on SELinux.
It's common knowledge that what we call the Internet was suckled by the military. Black-hat and white-hat security conferences and practices have been an active part of Internet security for over a decade.
Can you explain what seems to be the US Military arriving at the game in the third inning?
Having had TSEC and observed security processes and procedures, such as tempest precautions some time ago, I'm having trouble understanding why the 'cyber defenses' of the US Military only now seem to be actually realized.
Is the delay due to funding? Priorities? or simply to underestimation of what the rest of the world was up to all this time?
Please be as specific as you are able to be.
Thank you.
Support NYCountryLawyer RIAA vs People
You know, you can go through basic training (or some other physically demanding training course) and get in shape ... and still be a geek. Seriously. Build some muscles, lose some fat, and you'll still be just as smart as you were before. I've done it, and so have lots of other folks on /. We didn't magically forget all our geek skills, or undergo some drastic personality transplant.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Do you frequent slashdot often to read news and breakthroughs in IT? How does the government disseminate whether threats of attack are legitimate or just hoaxes?
The country was suckered into a war for oil and all you can think of is a bunch of mostly irrelevant or made up issues.
Oh, but wait, you also chose to act as though Barack Obama hadn't directly answered specific questions about the future, which of course he has.
You seem to have thoroughly buried your head in the sand.
Great minds like yours have brought America much success! Keep up the good work!
Dude, it's a joke. Get a grip.
As I understand it, every military in the world assesses the threat its opponents pose by their capabilities rather than perceived intents.
How do you perform a threat assessment in the area of cyber-warfare where the physical weapons (as was pointed out in an earlier post) are the keyboard and mouse, with much of the technology being used as a threat being developed in the U.S.?
Thanx,
myke
Mimetics Inc. Twitter
Do you foresee a high utilization of civilian contractors? Knowing that there are some restrictions on people that can be recruited into the Army for any number of reasons (asthma, medications, criminal records), do you see a need for either more lax recruiting guidelines for some of the "front line" troops in the cyber warfare field, or a higher use of civilian (or at least non-Army) personnel?
"It is a miracle that curiosity survives formal education." -Albert Einstein
Jooooiiiiiiin uuuuusss. It's bliissssss.......
The Bad Idea Blog - Science, Skepticism, & Stupid
Greetings,
One issue to cyber warfare is linguistics. How does a military unit overcome this? Does the unit consist of people skilled at the various languages used in theater plus the technical concepts required to execute, or are you forced to cooperate with any other agency?
Also, agency cooperation: are there good relationships between the cyberwarfare units and the intelligence community, and can you say whether or not there are SOPs in place that would utilize cyberwarfare units in conjunction with a physical offensive, i.e. disable Three Gorges Dam right before an op.
Thanks for the time!
"Network penetration is network engineering, in reverse."
however, due to human nature, peace is achieved only with a balance of force, not with an absence of force. In other words, to maintain peace, there will always be a need for armed forces in this world.
If you think it is possible to have a world where there are no armed forces, you are not advocating for a peaceful world when you say that. You are in fact unknowingly advocating for a more brutal, unjust and violent world. This is so simply because you have not yet made yourself acquainted with, or made peace with (no irony intended), certain ugly but unremovable aspects of fundamental human nature.
Or, you could try to remove those aspects of human nature in the name of peace. This sets you down the road to autocracy, and makes you an enemy of free will and free expression. If you wish to continue to respect the notion of free will and free expression, you must understand why a force of arms is always necessary to be at the ready, in the name of peace.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The US armed forces could cut their vulnerability up to 90% by using MacOS or *nix. That isn't religion, it's fact.
So you tell me: if the answer is so plain, why is the military basing so much of the Network-Centric Warfare (NCW) (AKA Network-Centric Operations [NCO]) on known insecure (and non-securable) platforms?
What level of computer literacy do you feel the Commander-In-Chief and those reporting to them should have in order to comfortably and accurately convey the importance of a given situation/threat the USACEWP encounters?
"Quote me as saying I was mis-quoted." -Groucho Marx
Interesting, because at the DoE- (mainly) and DoD- (partly) funded lab at which I work, Linux and Unix (and things like OSX) users are given much *less* scrutiny than those using Windows.
Have you read the book "Daemon" by Leinad Zeraus? Or how about "The Footprints of God" by Greg Iles?
Do you think The Singularity is approaching, and if so, do you think you're prepared for it?
Education is the silver bullet.
There's a "material" tag on the story pointing out an apparent typo. I can't ever seem to get tags to behave for me, so I'll post a reply instead. In military talk, "materiel" is a specific term to refer to the stuff we need to fight a battle. It has specific and distinct connotations in supply management, and it is used correctly in this article's summary.
++
What do you do about the problem where a computer is informed that it has made a logic error and it starts spewing smoke and then explodes violently?
Intron: the portion of DNA which expresses nothing useful.
What is the "cyber command" doing to protect the US from current serious attacks on major Federal government sites, including the attacks on sensitive Congressional sites reported this week?
Is there any traditional military precedent for tolerating these attacks to the extent we do? Is that hesitancy making us weaker, so our eventual delayed military (or "cyber-military") response will be compromised from winning the conflict to our satisfaction?
At what point do these attacks constitute acts of war, does that need to be declared by Congress, and how does the "cyber command" change its response at that point?
--
make install -not war
We already know that the USAF has a cyber-warfare division. Given that all network attacks are fundamentally based in IP Packets, it stands to reason that the Army and USAF would be duplicating work, while creating an opportunity for lack of communication.
Would you agree that a special, single cyber-defense branch should be created to assist all branches of the military as well as non-military?
Generally the armed forces are never known for technical prowess. (They are more consumers than creators.) The role of creation comes from contractors. Why shouldn't we rely on contractors to perform these functions when contractors already obtain top-secret clearances? Contractors compete for projects which ensures a level of cost limitation (let's face it, Cost+ rips off the tax payer), continual advancement (beyond what the enemy throws at us).
Why should the armed forces be doing this in-house?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
When did /. turn into coward troll central? Is it spill over from Digg or something?
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
In your work as Director of IO for Combined Joint Task Force -76, what were your greatest challenges in Afghanistan? What technology threats other than IEDs were your greatest concern?
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
And your "correction" was just plain idiotic because the military has always been a tool of politicians in carrying out policy.
In helping the military, it helps the country. I just utterly owned and destroyed you.
And I wanted to know the fastest way to level up.
Just because I'm in shape and a geek doesn't mean I've stopped eating Mountain Dew and Oreos.
Would you support the release of information and software (Like Security-Enhanced Linux from the NSA) regarding successful defensive configurations and strategies to the general public so that the tax payer can derive additional benefits from your work? Surely the private industries in this country are valuable and may be attacked in order to cause economic harm.
What limitations or rules would you use for release of such information?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Do you protect US assets, or just US military assets? Where do you draw the boundary that says, 'this is a military action, this is a criminal one?' On the Internet it seems that boundary is ambiguous, and there are criminal organizations with offensive assets (botnets, for example) that more than rival the assets of many countries.
Yeah, I've always found it hilarious that the IA (Information Assurance) guys tout the glorious impenetrable securities of Windows, even though nothing mission critical runs on Windows.
Ironically, the reason they are pushing Windows is not the security. It's the control. With windows you can remotely disable pretty much anything within a Domain. A person could have administrative access on their Domain attached work station and still not be able to do anything beyond what the Domain administrator allows.
If you have root access on a Linux machine, they can't do anything short of removing your physical workstation to keep you from installing, or even compiling, your own software. And with Linux, you can manipulate network communication that, while possible, is extremely difficult in Windows.
Most importantly though, with regard to control, is that the DoD knows most of the backdoors in Windows. Linux is watched over by millions of people. Chances are, the DoD doesn't know any more backdoors in Linux than you or I.
Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
If so, would basic training be to train us to stay up all night, living on pizza, soda, Skittles, and porn?
If so, where do I sign up?!?
Although the parent posted humorously it does lead into an interesting chain of thought: Where can one look to educate "him/her"self on information warfare? When recruiting, do you look for a specific mindset, skillset or qualities in candidates for this line of work?
Are there sources of internet where one can start to learn about the subject?
The Witty worm was specifically targeting a US Military institution's intrusion detection systems. Do you have any comments on this incident?
Test your net with Netalyzr
What part of your job is to defend US systems, and what to prepare to attack against systems used by opposing forces?
Also, do you see the existence of your department as a possible deterrent for hostile organizations to use IT effectively?
-- Support a free market in the field of government
Is it possible to work for the USACEWP as a civilian, like it is possible to work as a civilian engineer at research institutions like Picatinny? Would someone who wants to work at the USACEWP do background checks to obtain proper clearance?
A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
...does the military realize that the only popular use of the prefix "cyber-" to mean "internet-related" is "cybersex?"
Is this really the association they're going for?
The US free market: two halves of a government-granted duopoly are free to set the market price.
Several questions for the Lt. Col. Is his unit responsible for planting bogus media stories to prop up public opinion for their occupations? Do they censor soldiers' blogs, or censor soldiers' access to information via the Internet? And on a more personal note, during his time at Bagram did the screams of tortured prisoners interfere with his concentration or productivity?
What kind of criteria is used to determine targets?
As far as I have been reading many of the potential "Cyber Warfare" targets are infrastructural and there is a significant overlap between civilian and military/economic targets?
It says that you are responsible for developing doctrine, what are the main points of the doctrine that you enforce? Also, what are your predictions on cyber warfare, how do you see it evolving over the next 5 years? What about the next 50 years?
Despite all the fearmongering ("zomg chinese hackers!!!1!!one!"), legitimate or otherwise, about China as a source of threats, the U.S. and China have a lot of cybersecurity concerns in common. They both worry about cyberterrorism (from a common subset of sources), and increasingly rely on electronic infrastructure in their government operations. The U.S. has a direct interest in helping China's military secure their systems, so as to avoid rogue crackers making off with nukes or other dangerous equipment, and also to avoid confusing a rogue botnet attack with a government-sanctioned attack. Furthermore, especially in mid-level and local operations, the Chinese tend to use less secure operating systems (such as unpatched old versions of Windows), which puts them at a greater risk of compromise. Does the U.S. military have an interest in joint training or other kinds of joint operations with the Chinese military? What are ways in which the two countries' armed forces can cooperate in the cyber arena, without either side giving up its treasured secrets?
What kind of criteria is used to determine targets? As far as I have been reading many of the potential "Cyber Warfare" targets are infrastructural and there is a significant overlap between civilian and military/economic targets?
I used to work for a big name defense contractor and I can easily answer this question (and you can probably guess the answer). The classified networks that contain these sensitive systems usually also contain the workstations of people writing up contract bids and the like. These workstations might contain blueprints or other design specs for classified systems, as well as proprietary budget info, and the contract bids themselves.
Eventually, the bids have to go out to the government in an unclassified area, and occasionally businesses have to collaborate with each other through unclassified channels.
While it would be possible to keep ALL classified stuff and ALL unclassified stuff on totally separate networks, some business people work in both areas enough that this becomes inconvenient. So they put them together out of pure laziness. Time is money, after all.
Now, if a classified system that is purely for a functional use (i.e. weapons systems, intelligence gathering, satellite guidance, etc.) ended up on the open internet, that would be retarded.
People seem to be assuming you're some sort of internet vigilante or something. It occurs to me that such a unit has many options at its disposal, so, what is the task of your group?
- Support operations for army units overseas (peacetime/wartime)
- Independent internet warfare during war time (Say WW3)
- Independent internet defense during peacetime
- Independent Offense/intelligence gathering during peacetime
- Consulting for companies/agencies hardening their networks
- Finding backdoors in preparation for an engagement
- Helping companies close backdoors in their product
- etc.
Also, is your unit mostly internet-oriented or do you handle other electronic warfare styles (DoS/hacking by manipulating power lines, RF interference, etc.)?
Boom!! Game over. Cubs WIN !! Cubs WIN !!
If so, would basic training be to train us to stay up all night, living on pizza, soda, Skittles, and porn?
If so, where do I sign up?!?
I'm pretty sure you need a 4 year degree to go to Officer Candidate School, so start with that.
Ask his Smart Guy.
Every time we had to talk to the Army in regards to a technical issue, we were always referred to the "Smart Guy", usually a contractor.
I bet if you look in the Army's Table of Allowances you'll find Smart Guys right next to the beans and bullets.
What?
I'm a future Army officer candidate (I leave for Basic/OCS in Sept.).
I'm ok with doing something related to combat arms, but I'd be really interested doing something related to IW or Signals. Is there anything that I could do during MOS selection to increase my chances of getting one of these MOS's? And what can I expect as an IW officer--will I be sitting in Kansas or deployed abroad? Lastly, what role does the Army play in IW that differs from what the Navy or Air Force are doing?
the ego develops on its own, it is a fundamental facet of our biology. selfishness is very much a component of natural behavior in the animal world
;-)
without understanding this simple concept, your opinions, that you hold in great regard, are simply dysfunctional, and yet you cling to them anyway
how very egotistical of you
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The "hacking" of several Congressmen's computers, notably those that contained data on human rights and political dissidents, was in the news recently. The Chinese government has categorically denied any involvement despite the fact that the intrusions originated from Chinese IP address ranges.
Do you believe they're telling the truth? More specifically, do you believe they are as "unskilled" as they claim to be along these lines?
Bruce Lane, KC7GR,
Blue Feather Technologies
Just wondering if the USACEWP (the Bircher Group) and the AFCC (Lord's group) have ever gamed off against one another, or do so routinely?
If not, why the heck not?
If so, who wins most?
=======
Science -- Sealed, Delivered.
Maintaining an edge in computer security is a never ending race between finding new vulnerabilities and patching them. Constantly finding new vulnerabilities just in case war breaks out tomorrow is an expensive endeavor - just like any other arms race but iterating much faster. Only two sorts of people are motivated enough to invest enough in it to maintain a lead: intelligence agencies (which probably won't tell anyone about what they find) and organized criminals who are often the origin of the knowledge that percolates through layers of lesser skilled intruders until a defense is set up. China has reputedly set up a mutually beneficial cooperation between the army and the criminals - it makes a lot of sense: the criminals are the peacetime maintainers of skills that the army can mobilize at will in exchange for turning a blind eye to their other activities. The ethics of a western democracy are incompatible with that sort of arrangement. I guess that you will not tell us the budget involved, but could you please paint us a picture of the process of keeping the digital powder dry and the digital knives sharp while remaining within the frame of our ethics?
I like my Mountain Dew chewy too! On a more serious note, exercise will actually make us geeks think better - increased blood flow to the brain and all that. Proper nutrition doesn't hurt, the goodies are just a nice thing to add on top!
"Little is much when little you need."
What does Lt. Col. John Bircher know about cyber warfare concepts?
we know that he knows how to "point and click".
They're using their grammar skills there.
"Animals do not have ego. They never hunt more than they could eat. Period." Citations? Or is this just one of your fantasies made up to support your nonsense?
Ever watch a mountain lion kill a deer, eat its fill, then wander off to let the bulk of the deer rot? I have. How about dogs that are not fenced in killing cats for fun, or wildlife? Yep, seen that too...many times. How about the cats killing stuff and bringing it home as a trophy? Yep, all the time again.
You have no clue here on this subject.
"Oh, and btw. I don't really care what anyone thinks about it." and (in the same paragraph) "But I'd really love to see more people discussing peace rather than war."
So, you don't care what anyone else thinks about it, just what you think is important. Right.
The rest of your clueless diatribe is not even worth discussing, so crawl back into your mom's basement and use some of that internet time to get at least a LITTLE education instead of trolling forums, you will benefit from it tremendously.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
The question starts with "Conventional military is bound by the Geneva convention."
The interviewee is known to be a uniformed member of a conventional military.
The question ends with "Are you therefore no longer bound not to attack civilian targets? Is scrambling hospital records to create civilian deaths by mistreatment considered a valid attack?"
Here's an easy way to understand the Geneva Conventions: any technique that is intended "to create civilian deaths" will NEVER EVER be allowed by Geneva Conventions. The Geneva Conventions were devised with the SOLE purpose of protecting both captured soldiers and regular civilians - that's all that it covers. If you want to discuss war conventions, then look elsewhere (like the Hague Conventions of 1899 & 1907 or the Geneva Protocol).
I'll offer to rephrase the question. If someone can do better, then by all means...
Question: the conduct of warfare by the military is bound to international conventions (such as the Geneva and Hague conventions). Given the relatively new theater of "Cyber Warfare", specific conduct has not been codified in depth. What types of limitations/restrictions do you observe in this area?
This is not my sig
after basic training get sent to infantry school then off to the front lines.
or #7 Get moved off your assignment and sent to the front lines. As some who got hurt there is taking your assignment.
Wouldn't you prefer a nice game of chess?
"pr0n": An anagram of "porn," possibly indicating the use of pornography. - www.microsoft.com
How does the Army plan to recruit the best of our nation's underground that would no doubt be required to wage such cyber battles? It has already been stated, and is well known, that even the non-stereotypes of the hacker culture will not be quick to take huge pay cuts or trade a full head of hair for a crew cut, if they were even able to pass military PRT requirements. The Air Force answered this question with the assumption that our nation's great hackers are so patriotic that they would be more than willing to accept such drawbacks, but reality is the majority of us are not patriotic sheep and we do not work for peanuts.
The field of cyber-operations is an excellent opportunity for our fighting services to start working together more. Here's a field where many people from all of the services have excellent skills that we can put to work. Furthermore, based on the way we work in the field, our networks are frequently co-dependent. When will we see the political power-struggle common at the "strategic" level of the US Military dropped, in favor of a _truly_ joint cyber-operations group?
Seeing as this is the beginning of a completely new field for Military engagement, this seems like the perfect time to drop as much of the ridiculous, time/money wasting, soldier endangering, political wrangling as possible. A modern generation of military hackers have the motivation to, and are the type that can cut through this BS.
1. According to the Joint Task Force for Global Network Operations (JTF-GNO) assessments, the Army networks are the most hacked and least secure of all the military branches. Why is the Army pitching itself as experts in an area that they are obviously having problems with? Would you go to an obese dietician for advice on losing weight?
2. Is your group's focus on actively attacking and penetrating enemy networks, or the defense of our own? The enormous financial and tactical losses associated with the ongoing penetrations of our networks is likely more important than being able to penetrate into the enemy's network.
3. Most of the network security expertise in the Army is contracted out. Is the Army doing anything to bring expertise in-house?
AND, what do I mean by that? Well, ok, using your words as an example below next in regards to that:
----
This is one such example of such "F'd up DISINFORMATION" (not "fear uncertainty & doubt" as to that acronym's usage here) you guys spread:
"Windows machines are basically said to be "secure" if you apply all the patches and set a couple of settings" - by Anonymous Coward on Thursday June 12, @01:51PM (#23767275)
THIS is how you secure a Windows rig, the PROPER & CORRECT way:
HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, PLUS make it "fun to do", & easier, via CIS Tool Guidance:
http://www.tcmagazine.com/forums/index.php?showtopic=2662
& it works...
----
"It's as if the Army considers Windows to be the most secure instead of the least secure. The whole security accreditation process seemed to be a giant push for us to move to Windows, which means that in my opinion the whole exercise was intellectually bankrupt. Why does the Army continue to push windows despite its absolutely horrendous security track record?" - by Anonymous Coward on Thursday June 12, @01:51PM (#23767275)
Maybe because they've taken a look @ sites like SECUNIA & seen that Linux variants get MORE PATCHING DONE, due to more errors & security holes in them, BY FAR, vs. Windows?
Again - cut the "Pro-*NIX" b.s. already... I can produce information that easily counters & disproves your crap, with ease... take a peek @ SECUNIA yourself, & see what I mean. There also have been studies that back this as well... though you *NIX heads are loath to admit it & try to put "spins" on facts & findings every time.
APK
Point taken; I stand corrected.
Let me rephrase:
Until SELinux, if you had root access on a Linux machine, they couldn't... yadda, yadda, yadda...
I'd still argue that there is a general lack of knowledge in the DoD regarding SELinux since it has only recently been added to RHEL. And this further supports the misguided notion that Windows Domains offer more control because the network admins in the military consider them easier to configure due to that lack of knowledge.
Just to satisfy my curiosity (and show my lack of knowledge): is there a way to configure SELinux remotely in real time? For instance, say I found out about a major vulnerability in Adobe Reader version blah.blah.blah. Could I disable versions equal to that and lower remotely the moment I found out, or would it not take effect until some amount of time until the next SELinux policy update (like a restart)?
Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
Work for a contractor the military uses and take the civilian route. Better pay, better work.
If you go military, get your assignment on paper. If you don't get what the paper says, that's grounds to be released.
The Kruger Dunning explains most post on
"We didn't ...undergo some drastic personality transplant."
Didn't you? I thought instilling discipline and obedience (significant parts of your personality) was as much the point of basic training as the physical aspect.
The Army uses windows for most administrative tasks because they don't want to train every soldier on linux. There's no reason to train an infantry private linux when they'll mainly be using a computer to fill out leave forms (yes I'm exaggerating).
As soon as you get to job specialties that require a computer as part of conducting their mission, you'll find windows gets a lot less common. No it's not being replaced solely by linux. Heck you may even run into custom OSes (why have a general purpose OS when this computer will be only running this small set of applications). Don't expect to see Linux 2.6 though, it's just too plain new for military testing and bureaucracy.
How does the military determine who to recruit for electronic warfare? Do they follow the traditional methods such as advertising at local high schools, walk-ins at recruitment offices, etc.?
And how do they know the recruit is a good candidate? I mean, there's a big difference between a user and a programmer. I've met a fair number of people who, in my opinion, are borderline tech-illiterate, and yet the military recruiters found them to be good candidates and hired them.
Last but not least, how many geniuses that haven't smoked pot more than just a couple times have been accepted? Come on, it's ridiculous to have a policy that says one is not eligible if they smoked pot more than 3 times in their life. People, smart successful people, experiment, even for a short period in their early 20's.
I guess that also unleashes another horde of inequalities: what about the gays? Oh, I guess they aren't really people, so fuck-em, right?
who wouldn't fit into the military, but would love to work long hours helping to investigate foreign vulnerabilities be able to aid the military?
The Kruger Dunning explains most post on
Would banning certain aggressor countries the use of any of Microsoft Windows be construed as to be giving "aid and comfort?"
Last time I wrote out the security standards for defending against SQL injection attacks for a company 100,000 sites went down. Is it a bad idea to write out any guidelines at all? How do we train noobs then?
Sir, what would be the effect of a massive scale well planned cyber attack on the United States financial institutions (ie. Banks)? I am particularly concerned about financial institutions and my personal holdings in US based banking institutions. In essence I can manage my bank account(s) and nearly 100% of my monetary assets through the current "mass" internet. Could a massive scale well planned and well coded cyber attack make me and the rest of the millions of American citizens "bankrupt" overnight? Where would this money go if such a terrorist application could execute? Could let us say China and Russia absorb the monies and use them immediately to pursue projects which would obliterate the United States? It seems the current internet infrastructure which is given to the "masses" is not ready for such an attack. If money would simply "disappear" and go overseas in an instant, what would be done in regards to getting this money back? Since money is basically 1's and 0's on the Internet would an event such as the stated event be something of concern?
Is the DoD considering internet equivalents to the civil reserve air fleet (CRAF) and similar programs with the merchant marine? In essence, will the military provide monetary or other subsidies/deferments to datacenters and server operators to operate a standby military use client application on servers that is "on call" for military uses? These so called "Allied Botnets", would for example be available for emergency distributed number crunching ala SETI@home, or as on-demand attack botnets.
Considering civil compute power and bandwidth exceeds military capabilities in the internet world, and existing civil/military partnership frameworks like CRAF exist, why isn't the DoD paying me to host their little bot?
Rather than have the Air Force, Army, FBI, NSA, and gods-know who else each approaching cyberwarfare, why does the federal government not designate a single agency that jointly manages cyberwarfare and cybersecurity?
!#@%*)anks for hanging up the phone, dear.
What is your command hiding behind that barrier of meaningless techno-babble? There is electronic warfare, which has to do with jamming and spoofing enemy communication and detection capabilities, while extending and protecting one's own. There is "information warfare" a.k.a. psychological operations, carried out through any communication medium including the Internet.
But what exactly are "cyber-electronic engagements"? The phrase is so broad as to be meaningless. I can only hope that it means "shovelling bushel baskets of public money into the coffers of the contractor who is going to give me a massive hiring bonus as soon as I retire". If not that, there is only one other thing you are likely to be hiding.
Donald Rumsfeld's "Information Operations Road Map" included strategic doctrine for handling "hostile bloggers" and other uncontrolled news sources, and wargames featuring this challenge have been reported in mainstream media. Please tell us, and make us believe, that your people do not intend to engage in information warfare against the American people, in the interest of upholding the Constitution and defending democracy.
Like the IAO/TIA program, the Office of Strategic Influence has been de-funded by Congress, and presumably renamed and put under black budget funding. Make us believe that propaganda which will regulate U.S. as well as foreign news reports is not your primary mission.
Will this end in a purely electronic hacking scenario.
Will you take out infrastructure of countries you are attacking to limit their capabilities to defend?
Will this just be information gathering for intel?
What training have you received for dealing with patch tuesday??
What about systems employing RBAC and MAC such as rsbac or selinux, which you will not be able to get around? Will that instead be designated a wetwork mission?
How do you envision cyber warfare being applied to conflicts that are primarily against groups of insurgents (Iraq for instance), as opposed to a war against another nation?
This space reserved for administrative use.
I am not a military historian, but up until recently, it seems as though waging war against another entity primarily meant taking control of their physical territory on the ground and taking out important resources by bombing or some similar high-impact targeted strike. How will Internet warfare change the basic structure of a military campaign? What would a full-scale war incorporating cyber warfare look like?
Some more specific questions in this vein:
This space reserved for administrative use.
Hey, it isn't every day (or year) that the place where I was born gets mentioned on Slashdot. Sweet.
The Gish Bar Times - Blog covering Jupiter's moon Io
And is it called WOPR?
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
2006 interview with Putin revealed that Giant War Robots is one of the most pressing issues of Russian internal policy. What is USACEWP response to Giant Russian Robots? Could be that US heading to the new Sputnik debacle? Ah, and can you confirm or deny that USACEWP is staffed by Cthulhu cultists?
In a situation like this, you would put the files that might have security vulnerabilities on a server. Then, to prevent them from being used, you would remove them from the server. There is no rational reason that today's computers need their own copy of most of the applications that they run. The only reason that they have such a thing is because of the maze of twisty passages called the Windows registry.
You may not know this but I've heard that the US Army has more RHCE's than any other organization on Earth, RedHat included.
Unfortunately, in addition to developing muscles, you're developing the annoying trait of being a douche bag too
Balancing offense with defense. Though I understand the need to be able to respond to a cyber-threat, I am interested in your plans to improve the existing military, commercial, and civilian infrastructure to prevent and/or lessen the damage that could be caused by cyberwarfare. (eg SELinux.)
What do you see as your role in continuing and supporting the development of such technology to protect all of us from cyber threats?
Technology vs people. And a follow-on: technological solutions, however well-developed or implemented, are not sufficient protection. The best lock in the world is little protection against those who make and distribute duplicate keys to that lock. E.g., those people who paste a sticky note to their monitor which has a list of IDs and passwords.
What are your thoughts and plans to address the human element in these developments?
As a cleared defense contractor, with direct and current experience dealing with top adversaries, I have been wanting to cut out the "middle man" and work directly with the military. The current process for applying for defense positions is both a test in patience and not yielding any leads. If you believe you are someone who can offer value, what agency is the best to contact? The USAJobs.gov website appears to be a resume bucket.
It is a given that wars are won and lost by hitting an enemy's logistical supply chains and disrupting their economic infrastructure to produce goods and services for both units in the field as well as support units. It is also a given that battles are won and lost due to breaking an enemy's codes and reading their operational transmissions (for example: Ultra and Magic), or by inserting false information into their operational networks, and perhaps analyzing signals traffic. (e.g. Battle of Midway, Battle of the Atlantic, etc) I would like to know, what the Army is doing to secure our IT systems and networks which deal with Supply Chain Management for our Forces as well as securing our critical IT infrastructures (Power Grids, Financial Markets, Medical Databases, Petroleum Industries, Shipping Company Networks, etc) necessary to keep our Industrial Complex running in order to support our troops. Perhaps the simplest solution is simply to "pull the plug" and take the US or other countries Offline by hitting their undersea cables for communicating with other nations. Or perhaps going on the offensive and hitting their systems and thus disrupting their IT infrastructure. Comments?
...the majority of systems in-country were running Linux/OpenBSD, instead of
the Storm-(+ fiends)-friendly MS alternative?
Part 2:
Does the lesser liability of running a less-exploited OS
remove/reduce one or more of the "prongs" in the attack against our economic survival?
( direct-costs = loss of resources e.g. file-locking-extortion attacks,
second-level-costs e.g. mop-up & ID-theft,
third-level-costs e.g. being sued by one's former customers )
Part 3:
Does that increase in national security,
& reduction in economic "drag",
matter enough to our survival among a competitive world to consider & implement it?
Not being out of breath just taking the stairs back to my office on the third floor? Yes, yes that would be bliss.
Shift happens. Fire it up.
Where to learn about info warfare? While a fair degree of computer science skills is always good, you can start picking those up with an old PC, a Linux distro, and concentrated reading. If you want to be attacked, put your machine on the Internet.
I'm not nearly as concerned about attackers hitting civilian targets as them hitting effective military targets.
Example: "The Army Moves On Its Stomach" is a very old saying, but still true. Logistics is really important and the area probably the most computerized. I think an attacker would strike there first because of the damage it would do. If the troops can't get fed, there are no water trucks, can't get rounds, can't get artillery, no spare parts for tanks, planes, because the ordering systems are damaged, then the force comes off its wheels very quickly.
I think raising awareness throughout the logistics chain that these systems could be attacked, and have a method of reporting something suspicious, might be a very good idea. People who have been sending MRI's and sabot rounds to forward locations have a pretty good feel for when a new order should be due. If an order for "0" or "1023" comes in, and it's just wildly different, they should be encouraged to report it and check it. If no order comes in, report it and check it. There should never be a penalty for picking up a phone and reporting a suspicion.
One way to overcome a large number of attackers is simply to use a large number of people, doing their normal job, but checking up on things. People are smart about their jobs given a chance. The most frustration I see is people not being allowed to be smart because of their managers.
It seems to me that the military is going to need security in its logistical lines going all the way back to its suppliers to fight any extended war. A World-War-II effort with cyber warfare would be a different thing these days.
My question is simply: Are you going to have a "Who ya gonna call?" phone line to report suspected attacks immediately?
Thanks,
David Small
Is the Army engaging in researching methods and types of electronic warfare? The description of USACEWP refers mainly to doctrine and training - is the Army relying on other agencies (e.g. the NSA) to develop methods, and then collecting that sort of information and developing capabilities mainly through training? Or is the Army engaging in, for example, vulnerability research, or developing the software to take advantage of previously-discovered vulnerabilities?
Speak for yourself.
:P
I was a geek before I joined the Army. I didn't have much time to program, and my skills did get rusty. But I was certainly in good shape.
On the other hand I did learn valuable skills that are applicable in my job today in the civilian sector, like 'call for fire', 'building clearing techniques', 'how to set up an L-shaped ambush', 'land navigation' (critical when trying to find the bus-stop), 'TOW Antitank Weapon System' and many more.
And I was an NCO when I got out, so I definitely had a personality transplant.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
I was a deployed Army IASO/ISSO at one point, but my command gave me no authority to improve security. G-7 spent most of its time on turf battles, thanks to an ill conceived, all encompassing mandate. My G-6 section gave no attention to my unit, as they were always understaffed and busy doing non-mission related tech support for command officers, or being appropriated by CID to investigate hard drives for pornography, or similar distractions from the mission.
A lack of authority and support meant that I invariably turned my attention to other responsibilities. Meanwhile, soldiers were trying to connect classified computers to public internet connections, dozens of classified USB drives were lost, and so on.
I know plenty, but what I don't know is what is going on to changes in the doctrine of integrating Information Operations into the real chain of command. How are we ensuring doctrine and practice are created so that resources and authority are being properly allocated, down to the lowest levels?
Thanks
What is the most interesting cyber warfare concept that you can talk about that would make us /.'ers excited? Please elaborate as much as possible. Thank you.
Is getting telco immunity another part of your cyber warfare strategy? How does one apply traditional wartime concepts like propaganda in cyberspace, where it is said that information wants to be free?
How does China's great firewall impact on the potential for a cyber war between China and the U.S? Does it give them an unfair advantage in regards to propaganda and censorship of information/intelligence? How would you fight against such a disadvantage?
All these moments will be lost in time, like tears in rain..