This week I attended Victory in Cyberspace, an event held at the National Press Club. It centered on the release of a report written by Dr. Rebecca Grant for the Air Force Association's Eaker Institute. The report is titled Victory in Cyberspace (.pdf). The panel (pictured at left) included Lt. Gen. Robert J. Elder, Lt Gen. (ret) John R. Baker, and Gen. (ret) John P. Jumper. Dr. Grant is seated at the far right.
As far as the event went, I found it interesting. If you are exceptionally motivated you can download the entire 90 min briefing in .wmv format here. I'd like to share a few thoughts.
First, I was impressed by all the speakers. Lt. Gen. Baker led AIA when I was a Captain there. At the same time Gen. Jumper led Air Combat Command, before becoming Chief of Staff. I learned Lt. Gen. Elder has a PhD in engineering.
Lt. Gen. Elder commented that cyberspace is a domain similar to the ocean, and he specifically drew parallels with the Navy. (This made me wonder why the Navy isn't taking the lead on defending cyberspace.) In order to use the ocean for commercial purposes, the domain must be controlled so ships are protected from harm. Cyberspace is similar, except that in addition to requiring control of the domain in order to use it, the domain must first be created. (No one needs to create an ocean.)
Control, however, does not mean "ownership." Elder specifically stated the Air Force does not plan to "own cyberspace;" cyberspace is more of a "strategic commons" like the ocean. Cyberspace is also not confined only to the Internet. A presentation by Dr. Lani Kass titled Cyberspace: A Warfighting Domain cites the classified National Military Strategy for Cyberspace Operations to define cyberspace as:
a domain characterized by the use of electronics and the electromagnetic spectrum store, modify and exchange data via networked systems and associated physical infrastructures.
(Speaking of the NMSCO, I read a Joint document is en route, according to Joint Staff readies cyber operations plan.)
Elder's presentation featured plenty of military jargon, like the great "OODA loop" (observe, orient, decide, act) and a new "effects chain" (find, fix, target, engage). (That sounds like the OODA loop, doesn't it?)
One of Elder's major points, reflected in the report, is the Air Force's recognition that cyberspace (broadly meaning communications, I believe) is the foundation for all Air Force operations. I would argue that all of the services are equally dependent on cyberspace. That reminds me of the role of United States Transportation Command. It makes sense to me that cyberspace activities are currently part of United States Strategic Command.
USSTRATCOM accomplishes its cyber mission through the Joint Task Force - Global Network Operations (JTF-GNO, led by the commander of Defense Information Systems Agency), Joint Functional Component Command - Network Warfare (JFCC-NW, led by the director of National Security Agency), and Joint Information Operations Warfare Command (JIOWC, led by the commander of Air Force Intelligence, Surveillance, and Reconnaissance Agency).
If cyberspace is truly a warfighting domain (alongside land, sea, aerospace), I don't see who can argue against an independent Cyber Force. (I don't argue for a separate Space Force because I think the Air Force will eventually be the Aerospace Force.) Elder rejects the idea of an individual Cyber Force in Dr. Grant's report, but the Army had the same feeling about the Air Corps before 1947. We can separate the world into physical and virtual, or as the military likes to say, "kinetic" and "non-kinetic." I find it hard to believe that a cyber operator who reads and manipulates hex is going to find much in common with someone who kills people by exploding ordnance.
Elder mentioned some of the tasks the Air Force expects to perform to better secure its networks. These included a "cyber standardization and evaluation team," application assurance testing, software tamper detection via signatures and hashes, clusters of systems voting on proper outcomes, "cyber sidearms" in the form of tools on individual laptops, and a specific cyber Air Force Specialty Code (AFSC). If this had happened 10 years ago my career would have been very different and probably much longer!
Elder finished his talk describing how the US Code affects Air Force activities. For example, Title 10 (Armed Forces) restricts the work of the active duty military. Similar restrictions affect the intelligence community through Title 50 (War and Defense). However, because the Air National Guard operates under Title 32 (National Guard), it has more room to help the commercial sector and local governments with network defense. Elder said he would like to see Guard cyber units in every state, from the size of a squadron up to a wing. I thought this was a fairly exciting concept, since the Guard is likely to contain people with industry experience.
Lt. Gen. Baker and Gen. Jumper only spoke for a few minutes each. Jumper really hammered the acquisition community for providing the "block 40 upgrade to the block 30 capability" and thinking that helps the warfighter. He recommended writing Concepts of Operations before deciding what to buy. (Wow, sounds just like the commercial world; don't let vendors drive your security program!) Jumper said we need a "PhD-quality Weapons School," aggressor forces, and policy and doctrine modeled on offensive and defensive counter-air operations.
In the question phase, when asked why the bad guys are "so much better" than the good guys, Jumper replied "Bad guys don't have policy constraints." I believe Baker stated that the biggest problem he sees in industry is the feeling that "we don't think it [breaches] can happen to us,", he said, "but it's happening every day."
As far as the report itself, I realized the author did not have any experience in the topic of computer network defense, exploitation, or warfare. Having just watched two shows on Army and Marine snipers, it made me think how it must sound to a sniper for a non-sniper to write a report on sniper craft. Disappointingly, the Estonia "cyberwar" was presented as the galvanizing action that should stir everyone's pot. In describing the event, the report author wrote:
The attackers also used illicitly linked computers around the globe to mount an enhanced onslaught. These attacks were conducted by networks of "bots" -- a bot being an automated program that accesses web sites and traverses the site by following links on its pages.
So, it appears we should pin the blame on Web crawlers. Sigh.
I also read about "Windows 1.0" being released in August 1995 and "Windows 2.0" in November 1995.
Apparently no one did a technical edit of this report. It's clear it took a lot of work to write this report, however. There's plenty of history, references and interviews. I would not have wanted to undertake this task, since I would have required a few years to get the history right.
I found this one item immensely interesting, so I'll close with it:
[One] difficulty is estimating the scope of the mission. "We are well past the $5 billion per year mark, and I don't know where the top end is," commented one STRATCOM official. "The $5 billion is mostly on defense. We buy huge amounts of software and people to run that, but it's totally ineffective against Tier III" cyber [advanced persistent] threats, this official noted. (emphasis added)