Slashdot Mirror
US Cyber Command Discloses Offensive Cyberwarfare Capabilities
MojoKid writes "Earlier this week, the newly minted head of the United States' Cyber Command team and NSA head General Keith Alexander told assembled lawmakers that the U.S. has created an offensive cyberwarfare division designed to do far more than protect U.S. assets from foreign attacks. This is a major change in policy from previous public statements — in the past, the U.S. has publicly focused on defensive actions and homegrown security improvements. General Alexander told the House Armed Services Committee, 'This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we're creating are for that mission alone.' This is an interesting shift in U.S. doctrine and raises questions like: What's proportional response to China probing at utility companies? Who ought to be blamed for Red October? What's the equivalent of a warning shot in cyberspace? When we detect foreign governments probing at virtual borders, who handles the diplomatic fallout as opposed to the silent retribution?"
Sure, the saying goes: if you want peace prepare for war.
But what if you do not want peace, what if war proved to be much more profitable for people who are top ranking political officials and their buddies? Well, then you accuse everybody else of wanting war and attack first.
So this here I came up with just now: If you want war, accuse others of warmongering and attack them.
You can't handle the truth.
Stuxnet.
Watch this Heartland Institute video
>What's proportional response to China probing at utility companies?
Redirect all traffic coming from the Peoples Army to goatse.
>Who ought to be blamed for Red October?
Sean Connery. What kind of Russian has a Scottish accent. "I know this book. Your conclusions were all wrong. Halsey acted foolishly."
>What's the equivalent of a warning shot in cyberspace?
Redirecting the Great Firewall to Justin Bieber's Twitter feed. Or making a press release detailing our cyberwarfare capabilites.
>When we detect foreign governments probing at virtual borders, who handles the diplomatic fallout as opposed to the silent retribution?
If there is diplomatic fallout then it wasn't really "silent retribution" was it? Take turns making it alternately look like Anon or Isreal.
joshua is the logon no password needed.
This nonsense is merely a result of defense contractors managing to convince the decision-makers that this kind of capability is necessary. Some imagined threat of "cyberwarfare" (that at most could do about the same damage to the United States as a widespread power outage) is used to justify spending untold billions on a division of... what? Are these people supposed to be hackers? information gatherers? Cyber-warriors just sounds cool I guess. Let's go through the fundamentals: Who is the enemy? What threat do they pose? What damages have we suffered in the past that could have been prevented? What kind of damage could be inflicted using what weapons, exactly? What does international law say about this activity? How closely can this related to actual war? I doubt lawmaker in that hearing could answer any of those questions accurately.
As if American companies like Google aren't already leading experts in online security. Google is full of smart people, they can take care of their own front gate.
We live in an exciting time. Stuxnet opened Pandora's box, so-to-speak. However for all that technology, I'm more worried about lunatics with assault rifles. That stuff is REAL.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
It should be called cyber espionage, and handled as an intelligence issue. Just like there's always spying, there will never be a "cyber peace". Threatening with a counterattack is based on a bad analogy, and doesn't work in this scenario.
I'm deeply troubled by the lack of understanding that most major world governments have regarding information technology. These are people who still believe copying a file is theft, that the internet and the world wide web are synonymous, and that using encryption must mean you're a criminal. As they do not understand many of the fundamentals of information technology, how can we expect them to make reasonable and informed decisions about the use of the military in response to threats against that infrastructure?
We have had a disasterous serious of wars starting with Vietnam due to a lack of understanding (or willful ignorance) by politicians, leading to massive loss of life because they completely lacked situational awareness. In Iraq, the picture of Bush sitting in front of his "Mission: Accomplished" banner is a running joke even to this day, not because we didn't "beat" Iraq, but because we got stuck in a quagmire of tribal politics, shifting political opinions at home, and soldiers that were not trained for the new paradigm of urban warfare. Our military has traditionally not been a police force, and yet increasingly that's what we're using it for, with disasterous results. The road has not been smooth. I mean no disrespect to our military, or any of the militaries of the world in this, but it's something that institutionally has taken a long time to even approach this point.
When we look at this in a historical context, it becomes clear exactly just how dangerous a military response to an IT crisis would be. The President is talking about an "internet kill switch", as are many other governments. This kind of thinking is wrong-headed and shows a remarkable lack of understanding of both the economic and sociopolical consequences of such a thing, let alone were it even technologically feasible without a massive outlay of funds in the middle of a global recession.
The notion that we need to protect ourselves from foreign powers attacking our critical electronic, financial, and informational assets is unquestionably sound. But tasking the military with this protection, with the current command staff and structure, is intrinsically dangerous. In layman's terms, they don't know what they're doing.
There needs to be a radical paradigm shift in military doctrine to even approach this new battlefield, let alone participate responsibly and meaningfully in it. In this field, the idea of units, divisions, generals, etc., have no analogue. Amongst our senior and most capable information technology assets, peer collaboration and decentralized information gathering and sharing is vastly more effective than the traditional military hierarchy. We need the capability to tear down and rebuild teams as needed, in a fluid and dynamic environment where individual soldier-actors within it are afforded a wide degree of freedom to make individual judgement calls. This is not a battlefield that is amiable to traditional tactics like "Throw 10,000 people at it. Stop when it dies."
What I've seen so far is that the people who would call upon these military assets are completely uninformed about what they are realistically capable of, their relative strengths and weaknesses, and the costs and risks involved. Most of the people in the military are underinformed about this as well, but they are improving at (for an institution) a remarkable rate. They are still far behind.
In light of all of this... I have serious reservations about going offensive. We're not even sure what we're defending yet, or how, or why. It's all shades of grey, and when we're talking about taking military action, grey isn't tolerable.
#fuckbeta #iamslashdot #dicemustdie
Cyberwarfare has the potential to do LOT of damage. If every file on your home computer and backups were wiped out, how many of your hours would it take to recover. Multiply by say 100 million. Multiply by the value of the average computer users time. If say 100 million credit card numbers were stolen and used to make say a billion random small on-line purchases, what would it cost to back it all out? What are the digital rights to all of your paid-for content and software worth? Again multiply by 100 million.
We live in a society where information is valuable. I think it is a mistake to only consider the physical damage that cyber-warfare could cause.
I'm not saying that there is a credible attack that could do any of the above, just that low-security systems collectively represent a high value target, so it makes sense to consider how to protect against such an attack. I have no idea if the specific plans of the US make any sense.
I'd like to see some international treaties on cyber warfare to understand what sorts of attacks and responses meet international law.
Ralph Langner (the guy who figured out Stuxnet was designed to attack Iran) has been critical of the US's policies of focusing on offensive capabilities while largely ignoring or grossly underfunding defensive capabilities. He wrote a op-ed in the NYT about this. Hereis his rebuttal to Obama's executive order on critical infrastructure cyber security.
One of the problems with cyber defensive security is that too many companies use "risk assessment", which is inappropriate for security concerns. This is because risk assessment assumes that you are aware of all possible vulnerabilities and what impact these vulnerabilities will have, which is impossible. It is too easy for companies to use a risk assessment model as an excuse for not spending any money on their security, because the costs of security show up on a balance sheet while the benefits do not.
Attacks from identifiable sources in China or Russia are just exploratory research. Any serious attack would be launched from botnets running on computers belonging to citizens and companies in the country being attacked. Counter-attacking will just increase the damage. Poorly designed and maintained computers are like tinder waiting to be set alight and bring down the whole forest.
Their role is to gather intelligence and secure sensitive government information.
That is it.
By developing these capabilities they make themselves a target, which can only negatively impact their primary mission. Maybe another IC member can pick up the SIGINT and crypto role that NSA seems to be abandoning.
I am very small, utmostly microscopic.
I wonder what is meant with US Assets, and when (not if) it will include US Intellectual Property.
If you want to prevent "cyber" war, then let it be known that your policy is to treat every "cyber" action as its physical/kinetic equivalent. If China hacks into and disables a power grid, then treat it as if they sent in a company of paratroopers to take it over or destroy it. If a state steals sensitive information, treat it as if they or an agent walked into a government agency and stole it the old fashioned way, which would at the very least get a diplomat PNG'd. If it is something that would be considered an act of war if a person physically perpetrated the action, then it should be an act of war. Let them know that actions in "cyberspace" will have consequences in "meatspace".
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
That war will be fought in internet, and the innocent bystanders will be all of us, that in a way or another have some part of our lives here. No, won't be bullets, but privacy will dissapear (even pretending that you want it or try to give it to others could lead you to getting into political prosecutions), abuses of people in power will be common (like this, maybe more **AA oriented this time), forbidding not "government approved" encryption, software, technologies and so on.
Considering the investment on space exploration, Mars will be for long time the only "land of the free"
Sure, they keep claiming an "offensive capability" in order to keep the funding flowing, but they can neither target well, nor can they ensure the target is actually vulnerable. What they probably can do is damage civilian infrastructure. That will not impress an attacker and the claim that they can use this to "defend" the US is pure BS. Information attacks done under time pressure are like germ warfare to take out a very specific target: You never know whether your target may turn out to be immune and you will do massive collateral damage. It is no accident it is banned and heavily frowned upon.
The underlying problem is of course that those in power do not get it to any degree. They want an "offensive capability", so one is faked for them as huge cost. It may even have some use, but effective information attacks need a long, long time to be customized for the target and hence are not suitable for use in a war of any degree of dynamics.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So which one is it? Offensive or defensive? Why is it that Americans can't seem to distinguish between the two? Here's a country whose "defensive" military is used entirely to bring war to foreign soil. The "Department of Defense" has not defended actual U.S. soil since Pearl Harbor.
Anyone can be seriously "offensive" in this business. All it takes is $100 laptop and msf.
Defense? That, my friends, is the multi-tens-of-billions industry we're in.
Cyber Command? Show me your defensive game and stop wasting my tax money.
http://tinyurl.com/4ny52