US Needs Cyber NORAD

In addition to the previous Country v China stories I've been posting, consider the following excerpts. First, from "China’s cyber army is preparing to march on America, says Pentagon":

Jim Melnick, a recently retired Pentagon computer network analyst, told The Times that the Chinese military holds hacking competitions to identify and recruit talented members for its cyber army.

He described a competition held two years ago in Sichuan province, southwest China. The winner now uses a cyber nom de guerre, Wicked Rose. He went on to set up a hacking business that penetrated computers at a defence contractor for US aerospace. Mr Melnick said that the PLA probably outsourced its hacking efforts to such individuals. “These guys are very good,” he said. “We don’t know for sure that Wicked Rose and people like him work for the PLA. But it seems logical. And it also allows the Chinese leadership to have plausible deniability.”

On one side we have the Chinese military organizing hackfests and sending work to the best. On the other side we have defense contractors often selected by lowest bidder. Worse, when those contractors are actually clueful and resourceful (like Shawn Carpenter), they are fired. From "Cyberspies Target Silent Victims":

The U.S. Department of Defense confirmed last week that cyberspies have been sifting through some government computer systems. What wasn't said: The same spies may have been combing through the computer systems of major U.S. defense contractors for more than a year.

"There's been a massive, broad and successful series of attacks targeting the private sector," says Alan Paller, director of the SANS Institute, a Bethesda, Md.-based organization that hosts a response center for companies with cybersecurity crises. "No one will talk about it, but companies are creating a frenzy trying to stop it..."

None of the companies have publicly reported data breaches, though many have informed the Department of Defense. "Reporting an event like this would kill your stock price," says a source close to the military contractor industry who asked not to be named...

When Carpenter warned government officials in the Army and the FBI of his findings in 2004, he was fired. Sandia officials declined to comment on any subject relating to the Titan Rain hackings. Carpenter says his former employer's attempts to keep the incident quiet are typical.

In "China as Victim" I noted the following:

Lou said the electronic espionage against China has met with success. It therefore needs to be addressed by President Hu Jintao's government, he added, with additional investment in computer security and perhaps formation of a unified information security bureau.

That's China saying they need a high-level, concentrated group to protect Chinese assets. On what does the US rely? Apparently, the Department of Homeland Security and an assistant secretary for cyber-security and telecommunications.

Let's find this person on the DHS organizational chart.

Missed the assistant secretary for cyber-security and telecommunications? That's because he's not even in the top chart. He's working for the Under Secretary for National Protection Programs, whose peers include an Under Secretary for Management and an Under Secretary for Science and Technology. Seriously.

The more I think about it, the more of a disgrace this is. Consider: every single government agency uses computers. Not only that, every single US company uses computers. (If they don't, I doubt they qualify as a company!)

We often hear that the private sector should protect itself, since the private sector owns most of the country's critical infrastructure. Using the same reasoning, I guess that's the reason why Ford defends the airspace over Dearborn, MI; Google protects Mountain View, CA, and so on.

No? (By the way, I know that the US through the FAA "owns" the airspace over the country, but it's literally not the airspace itself that matters; it's what is underneath -- people, buildings, resources, and so on.)

I plan to develop this thought further, but for now I take comfort in knowing the Air Force Cyber Command is coming. Remember the Air Force started as

a small Aeronautical Division to take "charge of all matters pertaining to military ballooning, air machines and all kindred subjects"

on 1 August 1907. 100 years later, Cyber Command is coming. Hopefully a "Cyber NORAD" might follow. Remember, monitor first.

We might eventually get a new Cyber Force focused solely on defending the digital realm. Stay tuned.


Anonymous said…
I actually worked as a contractor helping the Department of Homeland Security on cybersecurity issues. It was a tough situation - the cybersecurity group has such little authority and there are so many issues to deal with that we felt like we had a new "top priority" every week.

Little progress was made because of the vast complexity of the problem, the large number of parties that must work together (both government and industry), and the lack of authority and backing. We had lots of meetings and published lots of documents but little to show for it.
