Pentagon’s Plan X and three other cyber worries


DeM Banter: TONS OF CYBER today and throughout the week…usually (but not always) means it’s time to pay attention…somebody is worried…as always…thinking what this looks like in 2022….combine that with an increasing dependence on drones….things that make you go…hhhhuuummmm… Interesting that the first author mentions cadets so often…

There are three stories here from today’s papers that definitely caught my attention, as always…would love to hear thoughts from smart cyber types.

Christian Science Monitor (csmonitor.com)
October 12, 2012

Pentagon’s Plan X: How It Could Change Cyberwarfare

By Anna Mulrine

The Pentagon has always been secretive about its desire and ability to carry out offensive cyberwarfare. Now, Plan X makes it clear that offensive cyberattacks will be in the Pentagon playbook.

Washington–The same Pentagon futurologists who helped create the Internet are about to begin a new era of cyberwarfare.

For years, the Pentagon has been open and adamant about the nation’s need to defend itself against cyberattack, but its ability and desire to attack enemies with cyberweapons has been cloaked in mystery.

Next week, however, the Pentagon’s Defense Advanced Research Projects Agency (DARPA) will launch Plan X – an effort to improve the offensive cyberwarfare capabilities “needed to dominate the cyber battlespace,” according to an announcement for the workshop.

Though the program will be closed to the press, the relatively public message is a first for the Pentagon. For one, it shows that the Pentagon is now essentially treating its preparations for cyberwar the same way it treats its preparations for any potential conventional war. Just as it takes bids from aerospace companies to develop new jet fighters or helicopters, Plan X will look at bids from groups that can help it plan for cyberwarfare and expand technologies.

Moreover, it opens a window into the highly secretive world of offensive cyberwarfare. No longer is it unclear whether the US is in the business of planning Stuxnet-style cyberattacks. Plan X indicates that such capabilities – which experts say could range from taking out electrical grids to scrambling computer networks in top-secret facilities to causing the pacemaker implanted in an enemy official to go haywire – will be an explicit part of the military playbook.

“If we can have a robust public discussion of nuclear weapons why not a robust discussion of cyberstrategy?” says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington. “Up until now, cyber has been kind of ad hoc. What they’re doing now is saying that this is going to be a normal part of US military operations.”

The US is already engaged in offensive cyberwar. Media reports claim that the US helped develop and deploy the Stuxnet digital worm, which inflicted serious harm on Iran’s uranium enrichment program.

In his most wide-ranging speech to date on cyber warfare Thursday, Defense Secretary Leon Panetta hinted at the need for increased offensive capabilities, warning that America “won’t succeed in preventing a cyber attack through improved defenses alone.”

“If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president,” Mr. Panetta said. “For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”

But the lack of discussion surrounding offensive cyber capabilities – and a clear US military plan for pursuing them – has been a significant roadblock for US military forces interested in honing those skills, says retired Col. Joe Adams, a former West Point professor who coached the military academy’s cyber team.

In the past there has been a “skittishness about teaching cadets offensive skills like how to hack” into systems, says Dr. Adams, now executive director of research and cybersecurity for Merritt Network, Inc. “We’ve really ramped up the defensive part, but there hasn’t been any work done to identify people who have the intuitive ability to conduct operations on the offensive side.”

Many of the threats the US faces – and may in turn inflict on other countries and non-state actors – will be nuanced.

The notion of a “cyber Pearl Harbor,” as Panetta has characterized it, is a misnomer, Adams adds.

“Everybody’s looking for a cyber Pearl Harbor – we don’t need a Pearl Harbor to really mess things up. That’s the very nature of this advanced, persistent threat: We’re not kicking people’s doors in anymore.”

Instead, cyber incursions will be more subtle. Just imagine what could happen in a hospital, Adams says. “I don’t even have to turn off the refrigerators. I just have to change the thermostat so they’re too warm, or too cold, or make some blood supplies go bad, or spoil a little medicine, or just reroute where they send ambulance alerts.”

In particular, offensive cyberskills “are more art than science,” says Adams. “These kids need to be screened right, and they need to be utilized. A career path in the military is built on building their skills, but also retaining them. We’ve done really poorly with that.”

Part of the problem is that American military training has long emphasized traditional skills, which are often at odds with developing cyber warriors. You could have an outstanding cyberthinker in a class, but tradition dictates that “he’s going to be a tank platoon leader, or a rifle platoon – he’s going to have to prove himself as an Army officer before they’re going to make use of his talent,” says Adams.

In the meantime, his cyberskills atrophy. “The cadets I was teaching, there just wasn’t another outlet for them in the military yet.”

Plan X is designed to help the Pentagon “understand the cyber battlespace” and to develop skills in “visualizing and interacting with large-scale cyber battlespaces,” according to the DARPA proposal.

These, too, are unique skills that must be cultivated within the military, says Adams. “Another art piece is mapping a network [that could be a potential target]. How do you do it – and how do you do it subtly – without knocking things over and turning things off? And if it’s hostile, how do we do it without getting caught?”

Plan X hints at some of these needs – and makes it clear that the Pentagon is grappling with how to establish a framework for fighting cyberwar, too.

“Plan X is an attempt by the national security bureaucracy to come to grips with the multitude of issues around use of cyberweapon in an offensive form – the legal, diplomatic, ethical issues,” says Matthew Aid, a historian and author of “Intel Wars: The Secret History of the Fight Against Terror.”

“We can’t have a public discussion about Stuxnet, about these brand new weapons – or their ethical implications – until the White House pulls back just a little the veil of secrecy that surrounds the entire program,” Mr. Aid adds.

For example, Stuxnet revealed how unwieldy such weapons can be when it inadvertently “jumped” into friendly computer systems that were never meant to be targeted.

Indeed, “One of the biggest problems in cyberwarfare is the potential for collateral damage,” says Mr. Lewis of the Center for Strategic and International Studies.

“You just can’t attack stuff and not worry that innocent civilians will be harmed – you have to take steps to mitigate the risk.”

Aid says now is the time to have these conversations. “We can only see one tenth of one percent lurking beneath the surface – what’s beneath the surface scares … me,” he says. “This is combat – this is war by a different name.”

—————————-

Panetta Sounds Alarm on Cyber-War Threat

by Mark Thompson, nation.time.com

Defense Secretary Leon Panetta issued what he said is a “clarion call” Thursday for Americans to wake up to the growing threat posed by cyber war.

“The whole point of this is that we simply don’t just sit back and wait for a goddamn crisis to happen,” Panetta told Time. “In this country we tend to do that, and that’s a concern.”

Panetta came to the nation’s financial hub – New York City – to issue his battle cry. The city is the brightest bulls-eye on the American target for foes wishing to cripple the U.S. economy with computerized “worms” and “malware” that can infect computer networks via the Internet or insider sabotage.

“It is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system,” he told Time editors. “We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country.”

Aware his alarm might be drowned out by Thursday night’s vice presidential debate, Panetta stopped by the magazine’s midtown offices Thursday afternoon to detail his concerns to a Time editorial board gathering.

“Everybody knows what their iPhone can do, everybody knows what their computer can do, but I think there are too few people out there who understand the potential for the kind of attack that could cripple this country,” Panetta said. “The American people just have to be made aware of that.”

Panetta cited a series of “disruptive” attacks against U.S. companies, and detailed the far more serious so-called “Shamoon” virus attack on the Saudi Arabian state oil company, Aramco. That August strike wiped out 30,000 of the company’s computers. It created the image of a U.S. flag in flames on the infected computers and “it basically burned [the computers] up,” Panetta said. It marked, he said, a significant escalation in cyber warfare.

In the hour-long session with the magazine’s editors, he also said:

– “We are facing the threat of a new arena in warfare that could be every bit as destructive as 9/11 — the American people need to know that. We can’t hide this from the American people any more than we should have hidden the terrorism-attack threat from the American people.”

– “The three potential adversaries out there that are developing the greatest capabilities are Russia, China, Iran.”

– “Out of a scale of 10, we’re probably 8 [in cyber-war skills. But potential foes] are moving up on the scale – probably the others are about a 3, somewhere in that vicinity, but they’re beginning to move up.”

He also said the U.S. military is stepping up its offensive cyber war capability:

– “I think we have to develop the ability to conduct counter-operations against a country we know, or anticipate, that they’re going to launch that kind of attack. So we have to have both defensive and offensive capabilities.”

Beyond merely shutting down enemy systems, the U.S. military is crafting a witch’s brew of stealth, manipulation and falsehoods designed to lure the enemy into believing he is in charge of his forces when, in fact, they have been secretly enlisted as allies of the U.S. military. The U.S. already has deployed a cyber-war offensive technology against Iran’s nuclear program, the New York Times has reported.

But the U.S. is also a target. Panetta said “potential aggressors” are probing for weaknesses in the nation’s cyber defenses. “They’re beginning to exploit transportation systems, power systems, energy systems,” he said. “Our concern is that in doing that kind of exploration, they’re doing it for purposes of determining how could they attack.”

The defense chief added that the Pentagon’s still-fuzzy rules of engagement for waging war in cyber space are being tightened, and will allow the Pentagon to defend other U.S. networks, in and out of government. But such technology isn’t cheap: major defense contractors see cyber defense as the next post-9/11 money pot – annual cyber spending is about $12 billion.

In his speech Thursday night before Business Executives for National Security from the hangar deck of the Intrepid Sea, Air and Space Museum, Panetta warned of cyber terrorists derailing U.S. passenger trains – as well as trains laden with lethal chemicals. He told Time’s editors that both Congress and U.S. businesses have been hesitant to pass legislation – and make the investments necessary – to defend the nation’s critical cyber infrastructure from attack. Part of the reason for speaking out, he said, is to generate public pressure on lawmakers to act.

That’s one reason President Obama designated October as National Cybersecurity Awareness Month. Private-sector companies wonder if the government is exaggerating the threat. They seem willing to wait for an “electronic Pearl Harbor” to justify the investments they would need to make to protect their info-infrastructure. But Panetta and others fear that could be too late.

“Government depends on these networks to defend this country,” Army General Keith Alexander, chief of U.S. Cyber Command, told the U.S. Chamber of Commerce Oct. 4. “And it depends on the power grid to operate. So we have a vested interest in making sure that that works.”

Panetta said his prior job – running the CIA – gave him a close-up look at the damage a cagey cyber-warrior could do to the U.S. “I can tell you from my old job, the level of expertise that I saw – and I don’t consider myself to be schooled in the art of knowing what the hell cyber systems [do] and how it all works – I’m not close to being there — but I saw people that are extremely bright, extremely able,” he said.

“They can develop the kind of malware that has tremendous potential to bring down systems very effectively,” Panetta continued, making clear the U.S. is exploring offensive cyber weapons. “Frankly, in my past capacity, having seen that potential — and now, as secretary of defense, I’m now beginning to see how that is beginning to get in to the arena of other countries that are saying: ‘Whoa, this has got some great potential.’”

————————————-

ForeignPolicy.com
October 12, 2012

Ready Player One
Did the Pentagon just take over America’s cybersecurity?

By James Andrew Lewis

It was bound to happen. The Senate fumbles and the House proffers only magical solutions for cybersecurity. The task of improving cybersecurity reverts to the executive branch, but the Department of Homeland Security does not inspire confidence. So the Department of Defense (DOD) is given a larger role in protecting cyberspace — a responsibility that Defense Secretary Leon Panetta finally claimed in an important speech he delivered Oct. 11, “Defending the Nation from Cyber Attack.” Panetta may have said that the Pentagon will only play a “supporting role,” but make no mistake: When it comes to cybersecurity, the center of action just shifted.

Given the feeble state of U.S. cyberdefenses, an astute antagonist could use cyberattacks to disrupt critical services and information. This is a standard military doctrine for America’s likely opponents. An expanded role for the DOD makes sense when the United States is so vulnerable — not only from sophisticated opponents but, surprisingly, from less advanced countries that may be more aggressive and less able to calculate risk.

The driver for immediate action is Iran. “Iran has also undertaken a concerted effort to use cyberspace to its advantage,” Panetta said. His speech laid the dots alongside each other without connecting them, but many sources in and out of government suggest that Iran was likely responsible for the disruptive attacks on Aramco and RasGas that the secretary mentioned. Iran may also have been behind recent denial-of-service attacks against U.S. banks. Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it.

The specifics of Iranian involvement are murky, but there is a general consensus that Tehran was either witting or supportive of the attacks. Iran has been working to acquire cyberattack capabilities for years — well before Stuxnet — and those who believe that the allegations of Iranian involvement are true do not believe the recent attacks were in retaliation for that piece of malware, which disrupted Iran’s centrifuges. If anything, some speculate they were a reaction to the new U.S. sanctions. A more active Iran creates a new layer of problems in cyberspace that the United States cannot wait for Congress to address. An initial problem is how to credibly signal to Iran to refrain from further attacks. Panetta’s speech was an attempt to do so. There is a message for Iran that, while indirect, is unlikely to miss.

This is not “cyberdeterrence,” a term that makes little sense. The United States has one of the world’s most powerful cyberforces, and it did not deter Iran, nor can it deter espionage and crime. Deterrence doesn’t work because the United States can’t make a credible threat. Against Iran, what would it be? More sanctions? A naval blockade? An airstrike? Even if the United States made these threats, Iran would be unlikely to assess them as credible. The Iranians know U.S. cybercapabilities better perhaps than any other country, and the threat of cyber-retaliation appears not to have frightened them. What Panetta is offering is not deterrence but prevention and preemption.

Panetta laid out a number of steps to harden defenses. Investing in new technology is a traditional American solution to defense problems. The secretary’s most significant remark about new technology is that “we’re seeing the returns on that investment” in the form of better attribution. Anonymity will offer less protection to attackers and may make some reconsider an attack. If nothing else, better attribution offers improved targeting.

More importantly, Panetta defined an active role for the DOD in cyberdefense, something that has been under discussion since 2009. An early question asked was, if NORAD can defend U.S. airspace, why can’t Cyber Command defend cyberspace? The answer is to use the National Security Agency’s unparalleled signals-intelligence capabilities and relationships to intercept incoming malicious traffic and define when and where it is legal for the agency to do so. The National Security Agency (NSA), with the right authorities, could block many future attacks.

A greater defensive role for the DOD is a good idea and a key element of any cybersecurity strategy, but there are obvious problems. Say “NSA” to privacy advocates, and they scream. To intercept malicious traffic from Iran or other opponents, you need to monitor all incoming traffic. Remember that we are ultimately talking about streams of ones and zeros, the code transferred among machines and only translated into human languages at the end. It is possible to screen these ones and zeros to look for patterns that indicate an attack without ever looking at content, but some doubt the NSA would be able to resist temptation. An expanded role for the DOD also requires expanded privacy protections.

The DOD’s new role also requires defining the space for action. Forget the dot-com mythology about cyberspace having no borders. Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet “backbone.” International traffic, including attacks, enters the United States over this “backbone.” The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked. An analogy is that the Navy defends the ocean approaches (pace forward deployment) but not the inland waterways.

But how far down the Internet’s spine should the DOD go? Should it also monitor the networks of large corporations or Internet service providers? Should it be able to go onto consumer devices when they are infected? The precedent in the United States is for military or intelligence agencies to perform domestic security functions only in a crisis, not on a routine basis. Panetta makes clear that the DOD does not envision playing this role.

What he does envision is something that might be called preemption, using new rules of engagement for Cyber Command. He says, “We won’t succeed in preventing a cyberattack through improved defenses alone. If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.” The United States, using national technical means, often has advance knowledge of an opponent’s plans, intentions, and capabilities for cyberattack. Panetta seems to be saying that when an attack appears imminent, the president can direct the DOD to strike first. If it were a precise attack that avoided collateral damage, the political risk of striking another country could be manageable. There would still be risk of creating a wider conflict, and this, as the speech makes clear, is a decision only the president should make.

An active defensive role for the military is one of the three key elements needed for effective cybersecurity. The second is better protection for consumers. Last summer, the Federal Communications Commission began a program with major service providers to block or clean malware from their customers’ computers. The third missing piece in a comprehensive defense is protection of critical infrastructure. Panetta says members of Barack Obama’s administration “are considering” an executive order on cybersecurity. The drafts of this order are not public, but would likely take much of Section 104 of the bill put forward by Sen. Joseph Lieberman and Sen. Susan Collins — which failed to pass this summer but which would have implemented protections for critical infrastructure — and instead implement it under existing authorities.

The defense secretary said that there is no substitute for legislation and that Congress has a responsibility to act, but few expect to see this anytime soon. With a dysfunctional Congress unable to provide authorities for better cybersecurity, an executive order that mandates security at selected critical infrastructure may be the best the country can do. There are tensions within the Obama administration over Internet orthodoxies, but if the White House can manage to issue a credible order on critical infrastructure (not voluntary, and not dependent on imaginary incentives) to complement protections from Internet service providers and a larger role for the Pentagon, it will have done much of what needs to be done to begin building an adequate cyberdefense.

James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
