DOD and Cybersecurity
September 3, 2010 at 11:45 am #110068
INTERESTING! Hope there is significant discussion both within the DOD community and security community…
From the Washington Post
Pentagon considers preemptive strikes as part of cyber-defense strategy
By Ellen Nakashima
Washington Post Staff Writer
Saturday, August 28, 2010; 10:00 PM
The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas – but it is still wrestling with how to pursue the strategy legally.
The department is developing a range of weapons capabilities, including tools that would allow “attack and exploitation of adversary information systems” and that can “deceive, deny, disrupt, degrade and destroy” information and information systems, according to Defense Department budget documents.
But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.
Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.
Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the “active defense” of military computer systems, what he called a “fundamental shift in the U.S. approach to network defense.”
Though officials have not clearly defined the term and no consensus exists on what it means, Lynn has said the approach includes “reaching out” to block malicious software “before they arrive at the door” of military networks. Blocking bad code at the border of its networks is considered to be within the Pentagon’s authority.
On the other hand, destroying it in an adversary’s network in another country may cross a line, and officials are trying to articulate a clear policy for such preemptive cyber activity.
“We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us,” Gen. Keith Alexander, the head of the Pentagon’s new Cyber Command, told an audience in Tampa this month.
The command – made up of 1,000 elite military hackers and spies under one four-star general – is the linchpin of the Pentagon’s new strategy and is slated to become fully operational Oct. 1.
Military officials have declared that cyberspace is the fifth domain – along with land, air, sea and space – and is crucial to battlefield success.
“We need to be able to protect our networks,” Lynn said in a May interview. “And we need to be able to retain our freedom of movement on the worldwide networks.”
Another senior defense official said, “I think we understand that in order for us to ensure integrity within the military networks, we’ve got to be able to reach out as far as we can – once we know where the threat is coming from – and try to eliminate that threat where we can.”
One senior defense official said that active defense is akin to being in a battle zone when someone is firing a machine gun at you, detecting the bullets, putting up a shield and knocking down the bullets. “Wouldn’t it be a far better idea to get the machine gun? So that’s an extension of a real-time defense – just shut the threat down.”
Perhaps the most difficult issues are technological and operational. Because the precise configuration of an adversary’s computer is difficult to discern through the Internet, it can be very difficult to, for example, disrupt that computer’s ability to attack without affecting other computers that might be connected to it. The military’s dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.
“Why are you talking yourself into this massive debate when no one has said this works 100 percent of the time and it’s worth the fight?” said an industry official who formerly worked at the Pentagon.
But a senior defense official familiar with state-of-the-art technology said, “I would tend to say that we can be much more precise than people could imagine.” The official, like others quoted for this story, was not authorized to speak on the record.
Alexander, who also heads the National Security Agency, which was set up in 1952 to spy electronically overseas, acknowledged in Tampa that offensive capabilities must be based on “the rule of law,” according to the Military Tech blog Cnet News.
And that is the crux of the debate. For the better part of a year, defense officials have been discussing the options with the White House, Justice Department, Department of Homeland Security and Congress. “I have seen clearly changes in the last two or three months where there’s willingness of the senior leaders to start thinking through those scenarios, and that’s something I don’t think we were seeing a year ago,” said a military official who was not authorized to speak for the record.
Still, taking action against an attacker’s computer in another country may well violate a country’s sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions – such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a “covert” action that only it has the authority to carry out, and only with a presidential order.
Policymakers also are grappling with questions of international law. “We are having a big debate about what constitutes the use of force or an armed attack in cyberspace,” said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. “We need to know where those lines are so that we don’t cross them ourselves when we conduct offensive actions in cyberspace against other nations.”
The senior defense official who spoke about the military’s capabilities said if cyber operators detected that some attacker was about to issue a network command to a device installed somewhere in the United States that would have “a disastrous effect” causing mass destruction, “I’m hard pressed to imagine that anyone would argue you shouldn’t preempt that – even if it was sitting on neutral territory.”
But short of that, noted a military official, “there’s a lot of reluctance to go into foreign cyberspace and take actions that are preemptive.”
Officials have noted they can use other non-cyber options, including diplomatic action, to respond to threats. The United States might approach a foreign government for help in blocking a threat, using the appeal that “it might be aimed at us now, it could be aimed at you later, it might be aimed at us collectively” in terms of the instability it induces in the global networks, said the senior defense official. “That’s an approach that is often ignored.”
The industry official said his concern is “the militarization” of the international dialogue. “Any time Pentagon leaders start using the terms ‘active defense,’ ” he said, “then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat.”
The Pentagon has standing rules of engagement for network defense, such as the right of self-defense. But the line between self-defense and offensive action can be difficult to discern.
“This is a big, big problem,” said one former intelligence official who noted that it took years to develop nuclear deterrence doctrine. “We are just at the beginning of figuring this out.”
September 3, 2010 at 11:52 am #110070
Believe this article/column from FCW could be at least somewhat related
Does NSA’s cybersecurity mission extend to the dot-com domain?
Interrelated nature of Internet leads DOD security arm outside of military networks
By William Jackson
Aug 30, 2010
The National Security Agency appears to be suffering a case of mission creep.
For years, NSA, the Defense Department’s lead agency for information gathering and protection, has said that it has its hands full with protecting military networks and has no interest in networks outside the .mil domain. The .gov domain is the responsibility of Homeland Security, NSA said, and the .com and other private-sector domains are the responsibility of the private sector, with DHS help.
Of course, NSA would also be willing to lend a hand if needed, but it has no direct responsibility for non-military networks.
These statements have been taken with a grain of salt by many in the security world, especially with the revelation of wholesale illegal wiretaps that were discovered sweeping up traffic from commercial networks during the Bush administration. Now, DOD is admitting the obvious by saying that its interests extend beyond .mil.
“The military networks do not exist in a vacuum,” Deputy Defense Secretary William Lynn said last week in outlining DOD’s strategy for defending against and responding to cyberattacks. The third pillar of that strategy is to extend DOD protection to critical infrastructure in the civilian government and private sectors. “We cannot just protect only the .mil world.”
DHS is the lead agency in this civilian mission, Lynn said. Asked how far NSA is prepared to go in defending civilian critical infrastructure, he reiterated that DHS would call the shots. “We would follow the Homeland Security [Department’s] lead,” he said.
It is hard to imagine NSA sitting back during a crisis and waiting for orders from the same department that was responsible for the government’s response to Hurricane Katrina. DHS simply does not have the expertise or the authority to effectively defend critical infrastructure within the .gov domain, let alone in the much larger .com and other private-sector domains.
This is not necessarily DHS’ fault. The nation does not have an overarching policy or strategy for defending an unregulated, decentralized but interconnected critical infrastructure. Each entity is expected to be responsible for protecting those segments of the infrastructure it controls, but outside of government there are few standards that must be met or best practices to be implemented. Even within government, DHS is not equipped to audit and monitor agency compliance, enforce regulations or respond to incidents.
NSA and DOD’s new U.S. Cyber Command are the government’s most effective and powerful federal cybersecurity actors, said Paul Rosenzweig, former deputy assistant secretary for policy at DHS and now a visiting fellow at the Heritage Foundation’s Center for Legal and Judicial Studies. If other provisions are not made to establish a framework of authority and responsibility for protecting critical infrastructure, they will fill the power vacuum with military or pseudo-military control, Rosenzweig warned during a recent discussion on cybersecurity.
Proposals already have surfaced calling for NSA to establish monitoring capabilities within Internet service providers in order to extend its protection to defense contractors in the dot-com domain.
Arguments can be made whether or not NSA should have the job of protecting our civilian critical infrastructure. Many security experts and civil libertarians would argue that this job should not be given to an agency cloaked in secrecy and with a record of surveillance abuses. But absent another agency with the authority and responsibility to do the job, we can expect DOD and NSA to become the de facto defenders of our networks.