Thursday, September 02, 2010

The Inside Scoop on DoD Thinking

I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely Defense official discloses cyberattack and Pentagon considers preemptive strikes as part of cyber-defense strategy, both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references.

Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious. First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal.

Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is significant. It sets a bar against which other incidents can be measured. Why was it so bad?

Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.

That's serious, and specific.

Third, after citing Google's January admission, Lynn says:

Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term.

Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies.

As military strength ultimately depends on economic vitality, sustained intellectual property losses could erode both the United States' military effectiveness and its competitiveness in the global economy.


I interpret this as saying cyberwar is hurting the US specifically because non-military targets are being hit, repeatedly and persistently.

Finally, I'd like to provide a counterpoint regarding the second Post article. Other pundits are calling DoD's potential offensive strategy "beyond stupid." I'd like to know what's stupid: more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years, or taking a threat-centric approach to apply pressure on the adversary? I also wrote about this in 2007, like some other pundits. In the three years since, playing defense hasn't helped much. Expect more on offensive options in the coming years, in all sectors -- not just the military.

9 comments:

kme said...

The problem with "offensive options" is that, as I'm sure you well know, the US has never been particularly good at countering asymmetric warfare. It doesn't come much more asymmetric than "cyberattacks" stealing intellectual property.

The attackers are guerillas - they don't do the online equivalent of marching around in divisions.

The failure of vulnerability-centric techniques implies nothing about the success of threat-centric techniques.

MisterReiner said...

"...the fact that a classified system suffered a compromise was itself classified."

Still true.

"...this previously classified incident was the most significant breach of U.S. military computers ever."

What he should have said was, "This is the most significant breach of U.S. military computers that was declassified so we can talk about it publicly."

Don't believe the hype. It's just propaganda to generate support from taxpayers.

"Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies."

I wish he would have cited a specific significant example. I'm pretty sure it's not just a line, but what, exactly, has the enemy done with this so-called stolen intellectual property - or is that too classified to put in print? I'm sure there must be something that was stolen over the last 10 years from a business or university that can now be publicly disclosed.

"... or taking a threat-centric approach to apply pressure on the adversary?"

I'm going to side with the "beyond stupid" folks. How will the U.S. ever justify taking out zombie home and business computers in foreign countries? That's a serious breach of protocol in my opinion. Is it going to be okay for foreign countries to take out our zombie home and business computers?

"...more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years..."

Unfortunately, that's where people's heads are at these days. How about we just re-engineer everything instead, like I'm always advocating:

Is it possible to engineer a computer that is 100% secure?

Why the current computer security paradigm is analogous to fixing a leaky dam

An open letter to Bill Gates, Steve Jobs, Paul Otellini, Steve Ballmer, Dirk Meyer, Michael Dell, Larry Ellison and Jim Whitehurst

Keydet89 said...

Of course playing defense hasn't helped much...anything not done correctly can easily be presumed to have failed.

As a 2dLt in the Marine Corps, I learned about defense in depth and maneuver warfare. Map what I learned to the digital realm, and as an IR consultant, I see organizations fall victim to having data stolen, and they weren't even aware of it until someone outside of their organization told them.

What I learned about defenses had to do with what was being protected, what the "terrain" looked like, threats, avenues of attack, etc. Those same basic core principles apply to the digital realm...but if you have no idea where your data resides, nor any concept of who has access to it, and you have NO visibility into your infrastructure...why are you then surprised when data is stolen and exposed/used?

Network "defenses" these days are tantamount to nothing more than a wooden frame of a building, and little more.

The fact of the matter is that if you do not follow basic core principles, it's very easy to say that defense work failed. But a closer look will tell you that you never had what amounted to basic defenses in the first place.

jlc3 said...

Any infosec person knows full well that pure defense is impossible and unrealistic. No matter how good a coder, appliance or combination you have, you will suffer for it.

One thing that our government (and the media) tend to forget is that we are no longer in the wonderful Clausewitz Battlefield. Though this is still being taught to our field grade officers in all the War Colleges. What we have in military terms is Guerilla warfare, unrestricted (not to segue into the Chinese document of the same name - Unrestricted Warfare - which should be required reading) and without the traditional Gentlemanly Causes applied.
We have two basic battlefields: those folks that are truly motivated by whatever cause or belief (Fundamentalists, for example) and those that are motivated by money. Both are quite experienced and prevalent in the Cyber arena.

To extend into this area, we need to move away from the Cold War attitudes, the WWII attitudes and start thinking and acting like guerilla warriors. Times have changed, and traditional processes do not work. NewThink needs to step in and guide our hands in this area. We need to stop thinking that they are diplomatic (they aren't) and that there is some obscure reason they might stop if we ask them nicely and give them a lot of money in aid. They don't care, they will take our money at will, since we can't secure our online transactions, and still attack us.

Proactive efforts are NOT revenge. Revenge is a scorched earth policy. This is just letting them know we are not going to sit and let them bleed us dry.

You are correct Richard - we need to step up and be more than defensive in this area.

/john

Steve Miller said...

Hey Richard, I thought I'd chime in that your non-disclosure policy was still in effect as of 2007, when I left the DoD. I don't see why people are leaking information on the breaches, as if this would raise awareness of anyone that is important to the situation.

Anonymous said...

For all the money and resources DoD spends on "security", I find the fact they were so comprehensively rolled by something so easy to defend against (i.e., by disabling autorun and forbidding cross-domain rewritable media movements) rather concerning.

Maybe they should at least try getting their own house in order before trying to hit the adversaries for whom they make life so easy?

kme said...

john, the problem is that a nation-state simply does not have the option to "act like guerilla warriors".

Guerilla warfare is only possible when you don't have large, permanent installations that are vulnerable to attack. Guerilla tactics really are a luxury available only to small or decentralised belligerents, who can disappear into the tactical environment and choose when and where to engage their enemy.

Dan said...

"I'd like to know what's stupid"

How about the extreme, real life difficulties in determining the exact source of attacks within any sort of useful time-frame? If we can't do this _after_ attacks, how will we do it with any accuracy _before_ attacks?

Obviously, you blow up comm infrastructure in a war. But do you really let your DoD hack a web server or DoS a hosting provider in a neutral or allied country based on unreliable info?

IMO, we'd be better off with more effective frameworks for international law enforcement action.

Anonymous said...

Law enforcement action isn't of much use when you're dealing with something that you reasonably suspect (or can prove) to be state sponsored.