Posts

Showing posts with the label dod

Domain Creep? Maybe Not.

I just read a very interesting article by Sydney Freedberg titled DoD CIO Says Spectrum May Become Warfighting Domain. The title basically summarizes what you need to know, but here's a bit more from the article: Pentagon officials are drafting new policy that would officially recognize the electromagnetic spectrum as a “domain” of warfare, joining land, sea, air, space, and cyberspace, Breaking Defense has learned. The designation would mark the biggest shift in Defense Department doctrine since cyberspace became a domain in 2006. With jamming, spoofing, radio, and radar all covered under the new concept, it could potentially bring new funding and clear focus to an area long afflicted by shortfalls and stovepipes. The new electromagnetic spectrum domain would be separate from cyberspace, although there’s considerable overlap between the two... But the consensus among officials and experts seems to be that the electromagnetic spectrum world — long divided between...

Lessons from the Military

Jay Heiser is a smart guy, but I don't know why he became so anti-military when he wrote Military mindset no longer applicable in our line of work last year. He wrote in part: The business world should stop looking to the defense community for direction on information security. I used to believe that the practice of information security owed a huge debt to the military. I couldn't have been more wrong... The business world doesn't need the defense community to help it develop secure technology, and, whenever it accepts military ideas, it winds up with the wrong agenda... It's time our profession stops playing war games and gets in touch with its business roots. I found two responses, Opinion: Military security legacy is one of innovation, integrity and Opinion: The importance of a military mindset, countering Mr. Heiser. I also found poll results showing 77% of respondents answered "absolutely critical" or "somewhat important" when reading the ...

DoD Digital Security Spending

I found the article Is IT security getting short shrift? to be a good reference for other large organizations contemplating digital security spending. In addition to the chart above, this text is illuminating: Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say. “It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration... [C]onvincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said. “What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17...

Who Needs CISSP for Ethics?

Last year I discussed the value of the CISSP with respect to its code of ethics. Today while renewing my ISSA membership, I was presented with the following: The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I have in the past and will in the future:
* Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
* Promote generally accepted information security current best practices and standards;
* Maintain appropriate confident...

Air Force Cyberspace Command

According to Air Force Link, 8th Air Force will become the new Air Force Cyberspace Command. This appears to be the next step following the creation of an Air Force Network Operations Command structure in August. That came on the heels of the Air Force Information Warfare Center being redesignated as the Air Force Information Operations Center. That was a result of the Air Force Tactical Fighter Weapons Center being redesignated as the Air Force Warfare Center. In a related move, the former 67th Information Operations Wing is now the 67th Network Warfare Wing. Follow all that? It also appears the Air Force is centralizing control of network operations and security centers, according to this article: All Air Force network operations security centers, which were previously decentralized among the major commands, will consolidate under the 67th with the stand-up of two integrated network operations and security centers, or I-NOSCs, located at Langley AFB, Va., and at Peterson AF...

Thoughts from IATF Meeting

I try to attend meetings of the Information Assurance Technical Forum once a year. I last visited in 2003 and 2005. The following are some thoughts from the meeting I attended two weeks ago. They are not an attempt to authoritatively summarize or describe years of net-centric thought and work by the US Department of Defense. These are just a few thoughts based on the presentations I saw in an unclassified environment. Prior to seeing this diagram I had heard a lot about "net-centric warfare" but I had no real grasp of the underlying idea. It seemed more of a buzzword. Now I understand the idea of getting information from any source to the people who need it, instead of, say, Air Force sensors sending data to Air Force decision-makers who feed Air Force assets. Given the net-centric model, DoD needs to move away from a "System High" model of security to a "Transactional" model. In the System High world, you essentially define a perimeter by classificat...

DoD Certification Program Update

I've had a chance to read issues of Federal Computer Week delivered while I was on vacation. I like reading FCW because it gives me some insight into the madness found inside the Beltway. I enjoyed reading Wanted: Information assurance-savvy people, which discussed DoD's plans for certifying IT staff. I've examined this issue before. Here's a quote by someone who understands the problems with DoD's plan: Alan Paller, director of research at the SANS Institute, said DOD should have no problem meeting its initial target of 80,000-plus employees trained and accredited in information assurance. But he doesn’t think the baseline certification that DOD requires will produce a workforce capable of securing the military’s systems. “The problem is that the bulk of the certifications don’t teach people how to do security,” Paller said. “Certified people will be able to talk about security, but they won’t know how to do it — to actually encrypt data and do the necessar...

FCW Reports DoD to Hold Security Stand-Down

I read that DoD plans to hold a security stand-down on 29 November "to focus on information assurance and network security." Apparently United States Strategic Command, one of nine Unified Commands, issued the order. The news came from Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations (JTF-GNO). FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. [Croom] said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely." (emphasis added) I like the fact Lt Gen Croom understands the importance of monitoring. A separate article conveys this story, indicating Lt Gen Croom is a fair guy: "The first time Croom showed up for a meeting at DISA, someone announced his presence...