Friday, April 16, 2010 - 8:11 AM

By Matthew Acocella
Best Defense deputy congressional bureau chief
National Security Agency Director Lieutenant General Keith Alexander finally got the chance Thursday to appear before the Senate Armed Services committee for his confirmation hearing to head the Department of Defense's newly formed Cyber Command operation. If confirmed, General Alexander would concurrently run both the NSA and the Cyber Command.
Members of the Senate Armed Services Committee clearly understand that the threat of cyber attacks is real and growing. (During his testimony, Alexander stated that hundreds of thousands of unauthorized probes are made each day into the Department of Defense's networks, and that he has seen a sharp spike in infiltrations and attacks since the beginning of this year.) Despite a six-month delay in holding a hearing, members of the committee expressed a sense of urgency that General Alexander get to work in standing up the command, which would be responsible for defending U.S. military networks against attacks and for launching retaliatory electronic counterattacks. Chairman Carl Levin attributed the significant delay in confirmation for Alexander to the still unresolved questions pertaining to the new command's mission, scope, and oversight.
One of the major themes of Thursday's hearing was questioning where the Cyber Command would fit within the traditional military chain of command and when and how Alexander and his team of computer whizzes would launch a counterattack. General Alexander admitted that we are in uncharted territory, but insisted that his command would defer to standing rules of engagement and that any order to retaliate would come from the Secretary of Defense and the President. In written responses to a Senate questionnaire obtained by the Associated Press ahead of his hearing, General Alexander asserted that commanders have clear rights to self-defense, and that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles... would be lawful."
Senator Levin noted that lawmakers' ability to set cyber policy has not kept pace with the nature of the threat, and both Senators Levin and McCain enthusiastically invited Alexander to submit to Congress a "laundry list" of needed legislative and regulatory updates to clarify Cyber Command's authority, as well as its responsibility to support other government agencies that handle cyber defense domestically, including the Department of Homeland Security and the FBI.
Senator Joe Lieberman, who also chairs the Senate Committee on Homeland Security and Government Affairs, quizzed General Alexander on whether he thought the proposed structure of having Cyber Command defend the dot-mil network with Homeland Security responsible for the dot-gov and civilian networks was the right approach. Gen. Alexander answered "yes," and pledged that his agencies would provide technical support and help DHS build the capacity to protect against attacks. It's common knowledge that the Department of Homeland Security's abilities in this area are seriously lacking, and it remains to be seen how effective interagency cooperation will be between DHS, the notoriously secretive NSA, and the new military Cyber Command. Further, it's not unreasonable to question to what extent the NSA and Cyber Command would overlap or share resources, both being military intelligence agencies headed by the same person. General Alexander clearly stated that the National Security Agency and the Cyber Command would be entirely separate entities with distinct chains of command. Congress should codify this distinction.
One thing never questioned was General Alexander's competence. He has already run the NSA for the past five years and senators of both parties praised his leadership and expressed confidence in his ability to be the first U.S. Cyber commander. Based on the senators' remarks at the hearing, it seems that Alexander is likely to be confirmed. But as General Alexander well knows, the business of defending our networks, identifying our attackers, and formulating the appropriate response is extremely complex. Leaders at Cyber Command deserve a clear legal framework in order to do their job effectively. The consensus in the hearing Thursday morning was that the President and Congress need to identify current gaps in law and regulation pertaining to this new program, and create specific guidelines that provide clear parameters for the Cyber Command to abide by. Considering it took half a year to hold a hearing for General Alexander, we can only wonder when that will actually happen.
Hah. A human. That's pretty quaint. Nobody knows about skynet yet?
I am a software CEO in the decision science/scientific computing space.
I have been inside at the highest research levels of the agencies listed above, and many others.
Roughly, our civil service and military efforts in this area offer approximate skill levels seen in the commercial sector in the late 1980's and early 1990's. This is not a snarky, inflammatory web posting. This is reality.
I admit, they produce really great powerpoint. In the past three years I have met fewer than five people who could even get interviews at a competent commercial corporation.
But again, if you read their powerpoint, everything's cool. We're buying lots of big computers!
Never send a human to do a machine's job
Geek trivia: popular hacker software nmap boasts both Matrix HaXor Trinity and Keith Alexander as users of the powerful port scanner.
http://nmap.org/movies.html
http://nmap.org/nmap_inthenews.html
Readers can fill in President Bush's thought bubble as he watches Alexander speak as nmap and other tools run in the background.
Perhaps I should be more prosaic.
The average civilian analyst working in the area of network analysis and intruder detection could not get a job modeling consumer behavior for a credit card company -- not today, but circa 1999. They lack the math and abstract thinking skills. They are operators of tools they do not understand. They know that if the boss likes the (powerpoint) report, they will get the next paycheck and eventual promotion.
There are a few lonely defense and civilian executives who understand how little their communities understand. If they rock the boat, they will be expelled. They don't read the (powerpoint) reports. They'll tell you the truth, if no one is around. Then they disappear, because that government pension is not available in the private sector, and why put it at risk?
The generals and admirals exist in a strange world where other people are supposed to solve problems for them (that they cannot articulate, actually), and if they don't solve the problems that they themselves cannot articulate, well, they should be replaced! Did I tell you about this golf outing ...
The big contractors don't do research because there's no money in it. There's money in iron, not math. They put the sidetracked welfare cases on such matters as software-based security. And that's good enough for the purchasers on the government side because they don't think abstractly either, and why threaten a stable program by asking questions people are not able to answer?
I guess I am a bit weary of people promoting this or that person as a solution to a problem neither the principals nor the reporters can summarize in two sentences.
in the dark ages of cyberwar...
In 1982, US malware deliberately sabotaged and over-pressured a Siberian gas pipeline, resulting in a 3 kiloton explosion that was observed by US early warning satellites. NORAD, not being in on Bill Casey's gag, alerted to an unscheduled Soviet rocket launch, at the height of Reaganite paranoia. Or maybe it never happened at all...
http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
Natural disasters (flood, hurricane, left-coast earthquake, solar flares, pandemic) are at least as likely as cyber-catastrophe, with actuarial track records. Garden variety traffic, medication and diet stupidity are guaranteed to kill many multiples of 9/11 each month.
It's good to keep things in perspective. We are our own malware.
Government and technology don't mix well
I don't know, I've been knee-deep in the Phreaking/Hacking scene since the early 1970s and I find it questionable that any appendage of officialdom had the skills to pull off a stunt like that in 1982. Also, to speak to the tech level of govt. users, the vast majority of folks in our rather insular community that I have met over the years would not use their skills to further ANY government's agenda. When it comes to computer science graduates, the government is not getting the best and brightest, only the most jingoistic patriots. During my hitch in the US Army (infantry, baby, infantry) the computer systems we used were a good decade behind commercially available systems and soldiers routinely chose as their access passwords stupid things such as "airborne", "top kick", & "hooaah", making it VERY easy for someone to brute force a dictionary attack. Look at the FBI, in the aftermath of 9/11, we learned that they were still using a mix of DOS & Windows that made it impossible to send attachments via email. The FL office had to use the USPS to send pics of the hijackers. In 2003 the Feebs started a modernization program, it was to cost $170,000,000.00 and be completed by 2005. Well it now stands at $325,000,000.00 and might be complete by 2011.
Folks who work in the 'J. Edgar Hoover' HQ
Legacy administrators who work in the 'J. Edgar Hoover' HQ building may see a lot of downside to sharing their files and activity data. I suspect that some of the delay and over-run cost was in the service of building in exclusivity, not functionality. ("Sorry, I can't do that Dave...") However, the current guy in J. Edgar's chair has assured Congress that a paperless file system will finally be running next year.
Whether relay-based Soviet pipeline remote controls were even capable of responding to malware is a reasonable caveat. But NSA and CIA contractor capabilities were much different from the FBI in 1982.
As to whether Bill Casey's team would sabotage something as dangerous as a nat gas pipeline, it was an era when using a civil airliner to game Soviet air defense radar was on the table as an acceptable risk.
Tom, and anyone else out there; what are your thoughts on where cyber attacks lie on the levels of war? Are kinetic strikes reasonable options in response? If an enemy cripples a section of the U.S. economy, and it can be tied to a gov't or group, is a similar cyber attack the only option? Should the US use the threat of kinetic response as a deterrent option?