Comments on TaoSecurity Blog: Taking the Fight to the Enemy Revisited
Blog author: Richard Bejtlich. Feed updated 2023-10-16T06:06:25-04:00. 16 comments, newest first.

----

Richard Bejtlich, 2007-04-08 22:01 -04:00

I mentioned Gen Hayden earlier. I forgot to mention <A HREF="http://www2.hurlburt.af.mil/news/story.asp?id=123028185">Col Gregory Rattray</A>, commander of the <A HREF="http://www.aia.af.mil/library/factsheets/factsheet.asp?id=4704">318th Information Operations Group</A>.

----

Anonymous, 2007-04-08 21:29 -04:00

<A HREF="http://www.gcn.com/print/25_25/41716-1.html">Red storm rising: DOD's efforts to stave off nation-state cyberattacks begin with China</A>

----

Anonymous, 2007-04-07 08:59 -04:00

Richard,

You are right when you say "something has to change", but wrong when you say that "We cannot code, block, or patch our way out of this situation".

This is the work that we do, and we convert commercial IT systems into trusted ones: manageable, user-centric, default-deny, with full MLS, MAC, and tamper-proof auditing. We provide access and audit control at the data level, so if our Chinese friends are not on the white list, they get nothing, period. The trusted computing aspect prevents escalation of privileges; we can separate the root user from the system.

You may not believe our claims, and that is all right. Perhaps, though, you should prove that they are untrue, or provide opportunities for claim validation before you say that something cannot be done. Otherwise, when something innovative that can help with positive change comes along, the prevailing mindset will prevent consideration, leaving us, by default, with the status quo.

----

Anonymous, 2007-04-06 11:45 -04:00

Nice post. Using more examples such as war strategies would be a bonus for all sec staff.

----

Anonymous, 2007-04-06 10:54 -04:00

Rich:

I do not think we are winning the battle for cyberspace because there is no battle (except as a metaphor).

I have no problem with preparation. I do have a problem with those who would call a skirmish a battle, or a battle a war, especially if the speaker has stars on his shoulders.

I know about Titan Rain. Unless the closed mouths you refer to are willing to speak up, I want them to get exactly zero of my tax dollars for fighting (NOT preparing to fight) what, on the evidence available, is a phantom. You'd think that asking for evidence before committing resources to a battle would be, as a previous observer on casus belli recently observed, a "slam dunk".

Let's see it, then.

----

Anonymous, 2007-04-06 02:10 -04:00

"This is not true. It may not be exceptionally public, but it's not true."

And this is an exceptionally interesting comment.

So there is a large entity, maybe even a government, that currently mounts IT attacks on the U.S. military on a scale that actually makes the U.S. consider it an actual "enemy".

However, the information is not "exceptionally public", so in this scenario the U.S. public cannot obtain reliable, consistent information about the "fact" that currently there is supposed to be some kind of "IT enemy" (a large organisation, government, or something of that scale) waging an "IT war" against the U.S. by mounting high-tech attacks on U.S. infrastructure, right?

There is something terribly wrong with this scenario, and it has nothing to do with the state of U.S. infrastructure, ITSec, or the strategy of computer network-bound threat response.

----

Richard Bejtlich, 2007-04-05 20:53 -04:00

Hi jbmoore,

Again I understand what you're saying, but there's a difference between taking enemy territory and controlling their airspace. One example that comes to mind was the no-fly zone(s) over Iraq prior to the invasion in 2003. Coalition aircraft exercised air supremacy in these zones over Iraq despite the fact that they did not control the land territory.

You said:

<I>[W]e have not defined the enemy yet and we have much to lose.</I>

This is not true. It may not be exceptionally public, but it's not true.

You also said:

<I>The military cyberwar capacity is there to take out the foreign cyberwar operatives and their equipment and hurt the other country's will to fight. It's not there to catch criminals or bring them to justice.</I>

I agree with that. Who said the military was going to take out some Romanian carder or bot herder? Leave that to the police.

----

jbmoore, 2007-04-05 20:28 -04:00

Richard,

You have to have people on the ground to take the territory. Air superiority is the ideal for unhindered operations against an enemy, especially air-to-ground operations, since in all likelihood there are few aerial targets left, hence the superiority designation (am I missing something? Maybe I am confusing it with air supremacy). However, the Germans launched the Ardennes Offensive in December 1944, during bad weather when the US Army Air Corps had complete air superiority, rendering the air superiority moot until the weather cleared.

Air forces must have secure bases of operations to achieve their goals. England was secure and a launch point for achieving air superiority against Germany. Likewise, Pacific Theater bases were secure against Japanese incursion, allowing us to firebomb them at will. In spite of this, the US Navy suffered grievous losses due to kamikazes at Okinawa, but our air bases were untouched. Our civilian cyber infrastructure is not anywhere near secure. And who knows about the military? Secrecy hides incompetence as much as it does important secrets. I'm all for cyberwar if a real war breaks out, but we have not defined the enemy yet and we have much to lose. I suppose that our government is attacking other governments' systems as we speak. That's politics. It's allowed in hot and cold wars. But to use the military in a law enforcement function does a disservice to the military. The military cyberwar capacity is there to take out the foreign cyberwar operatives and their equipment and hurt the other country's will to fight. It's not there to catch criminals or bring them to justice.

----

Richard Bejtlich, 2007-04-05 20:00 -04:00

Chris,

So you think we're "winning the battle in cyberspace" instead?

You said:

<I>Should we develop skills in our military to deal with what such an adversary <B>might do</B>?</I> (emphasis added)

It sounds like you haven't been paying attention to the news. "Might do" is wrong. Try "has done" and "continues to do".

The more you know about this situation the worse it is, not better. Unfortunately I do not see anyone in authority willing to speak officially on this matter.

----

Richard Bejtlich, 2007-04-05 19:53 -04:00

jbmoore:

You said:

<I>Aircraft are at the mercy of the terrain and the elements. The USAF is likely not very keen to deploy expensive systems during severe fog or other weather conditions, especially in the hilly terrain of Afghanistan, which is why the Army and USMC like to have artillery close by.</I>

You're thinking in terms of air-to-ground operations. Air superiority/supremacy pertains to <B>the air</B>. The Army and Marines are not going to shoot down opposing aircraft with artillery. They have it to attack ground forces, which is what you mean.

<A HREF="http://www.dtic.mil/doctrine/jel/service_pubs/afdd1.pdf">AFDD 1-1</A> (.pdf) is helpful for understanding this difference. It states on p. 76:

<I>Superiority is that degree of dominance that permits friendly land, sea, air, and space forces to operate at a given time and place without prohibitive interference by the opposing [air] force. Supremacy is that degree of superiority wherein <B>opposing air and space forces</B> are incapable of effective interference anywhere in a given theater of operations.</I> (word added, emphasis added)

I added the word [air] to the first sentence because it is clearly implied by the second sentence, and elsewhere in the document.

You make another point:

<I>[O]ne must secure one's airspace before one hopes to secure the enemy's airspace.</I>

This is not necessarily true. If you do not destroy enemy aircraft, when you enter enemy airspace you have to contend with their aircraft and their surface-to-air missiles (SAMs). If you destroy their aircraft -- over your terrain or theirs -- you gain air supremacy over your airspace and air superiority over their airspace. Once you knock out their SAMs you gain air supremacy over their airspace too.

My point with that last paragraph is I agree with the idea of taking the fight to the enemy. We can't gain even air parity by trying to fight "over here," which is another word for fighting via defensive, vulnerability-centric techniques, all doomed to fail.

Regarding clueless generals, I have faith in at least one: <A HREF="http://www.af.mil/bios/bio.asp?bioID=5746">General Hayden</A>, currently Director, CIA. I <A HREF="http://taosecurity.blogspot.com/2005/02/lt-gen-michael-hayden-to-be-deputy.html">worked for General Hayden</A> at AIA. He absolutely understands the fight.

----

Anonymous, 2007-04-05 18:42 -04:00

"losing the battle in cyberspace"?

This is missile gap FUD with a propeller beanie.

We're at war all right, but somehow I doubt that Iraq or Afghanistan are formidable threats to our critical domestic communications/networking infrastructure.

A nation that is, for example, is China. Should we develop skills in our military to deal with what such an adversary might do? Yes. Should the DoD deploy its own systems with an eye toward resilience against the measures such a threat might take against them? Yes. Should we attempt to maintain an awareness of the inclinations of such a threat, and its likelihood to act? Yes. Does this have anything significant to do with what is currently being thrown at "our" networks right now? No.

----

jbmoore, 2007-04-05 17:38 -04:00

Aircraft are at the mercy of the terrain and the elements. The USAF is likely not very keen to deploy expensive systems during severe fog or other weather conditions, especially in the hilly terrain of Afghanistan, which is why the Army and USMC like to have artillery close by.

Likewise, it's okay to attack a system under some conditions, such as if that system is within your corporate network. Often, though, business and economic decisions overrule security decisions. Until IT security is seen to be as important as physical security, IT security will suffer and the suffering will continue. Also, one must secure one's airspace before one hopes to secure the enemy's airspace. Likewise, we need to secure our network and computer infrastructure before we have any hope of cleaning out the bad guys elsewhere. Otherwise, for every bad guy you remove, someone else will take his place. You'll be playing whack-a-mole in cyberspace.

My security group, rather than protect the employees, will be there to protect the company and terrorize the employees. Our company's AUP policy states that people may not use company IT assets for personal use, including online shopping and the use of streaming media, yet nothing is blocked at the web proxies. Instead of putting in place access rules to prevent misuse of resources and protect the majority of employees from themselves, everything is pretty much wide open. Then my group will have to sift through all that noise to find the really bad apples. It's a totally insane policy. Now you want to muddy the waters by playing cyber warrior and going after, say, botnet operators. Wouldn't you want to take away their bots first to weaken them, since it's impossible to take out their command nodes now that they've gone P2P on their command and control? You can't go to war without the capacity to wage the war, and we aren't there yet. Likewise, you need to pick your fights carefully, or you'll do more harm than good. I'll bet most of these generals are clueless on how to fight such a war, so they're advocating such a stance now in order to learn. The problem is that they'll inadvertently strengthen their enemy as well. Military history is replete with examples of generals and admirals ignoring technology and intelligence to their detriment. Custer had muskets against repeating rifles and he left his machine guns behind. We know how that turned out.

The current tools and tech provide both sides with a level playing field. Then it becomes a game of skill. We have a poor track record training Stonewall Jacksons and Pattons. We generally end up fighting wars of attrition instead of maneuver. You can say that Vietnam and the current engagements were maneuver wars, but we were attrited out of Vietnam and the jury is still out on Iraq. Do you really want to start something (a cyberwar) we might not be able to finish?

----

Richard Bejtlich, 2007-04-05 14:11 -04:00

Hi Thomas,

If we want to speak properly we would probably say the Joint Forces Commander for whatever theatre of war has established air supremacy. The JFCC would probably rely on the Air Force for that mission, although Naval air power could also be used. All fights these days are Joint, with the uniformed services acting as force providers to the JFCC.

----

Thomas Ptacek, 2007-04-05 14:06 -04:00

Well, you've got all the warfighting doctrine mojo; I just have what I read in The Atlantic. So let me ask: does the USAF have "Air Supremacy", or does the United States?

If it's the former, then what you're saying makes sense.

If it's the latter, then you're talking about "potential"; "actual" Supremacy depends on the decisions the commanders make about how to allocate and exploit that potential.

----

Richard Bejtlich, 2007-04-05 12:26 -04:00

Thomas, I see where you're coming from. However (and this doesn't relate to cyberspace), the Air Force is perfectly capable of achieving air supremacy without much (if any) help from the other services. The Air Force is not going to take or hold territory with airpower, but it can (and does) completely control airspace with airpower alone.

----

Thomas Ptacek, 2007-04-05 12:20 -04:00

Challenging your argument that we can't "block or patch our way out of this situation":

The Air Force has Air Supremacy because of the way it's designed. However, but for the JDAM securing the USAF's fixed-wing close air support role, the joint service agencies would not necessarily have Supremacy.

Without an effective close-air support role for the USAF, control and use of airspace would fall more heavily on helicopter gunships. Parity/Superiority/Supremacy-wise: aren't gunships less commanding? Can't guerrillas just knock them out of the sky?

The USAF, Army, Navy, and USMC: network, host, code, cryptography. DECISIONS made to allocate roles and resources in the different agencies and settings grant supremacy or yield parity.

Bringing this back to security: you're advocating a change to the rules of engagement for how we handle "enemies" in cyberspace. You're basing this on the empirical evidence that network, host, code, and crypto are failing under the current rules.

But we can change more than the rules of engagement. We can also re-evaluate how we allocate security --- budget, mindshare, user interface conveniences and concessions, time, and effort --- among the different settings in which security is implemented.

I'm not convinced that we can't make a dent in the problem just by shaking up where we stick the countermeasures.