October 30, 2007

Threat is Still Real

Reading the press, including national television news sources, in recent weeks underscores the need for legal and enforcement options in pursuit of cyber threats. Have you looked at your logs recently? When you do, you will find many attempts at penetrating your network and computer, regardless of location.

The Federal Government is taking some action such as protecting the power grid and other utilities. Read http://abcnews.go.com/International/CSM/story?id=3792557 for additional background. However, as our critical infrastructure needs protecting, so do our homes and businesses. Do we need similar approaches — automatic methods to detect, defend, respond and repair?

We certainly need innovation — and action.

March 30, 2007

Major Attack

Talk about Cyber Warfare! When one of our suppliers (T.J. Maxx) gets attacked and thieves steal our personal information and then use the information to do damage by using credit card information, we need to fight back. It’s not much different than our military forces engaging the enemy but losing the tactical advantage because, while under cyber attack, they lack the tools to share data and counterattack.

But what can we do? Obviously, be vigilant in reviewing financial transactions showing up on our bank and credit card statements. That’s a defensive move. How about an offensive move? Albeit indirect, let the T.J. Maxx stores know that they have failed the cyber test and that you will be looking to curtail transactions with their companies.

We need the “system,” which includes holders of personal information, to rapidly detect and respond to intrusions and to report that information (privacy concerns considered) to law enforcement. We need law enforcement armed with the tools to act and apprehend, as well as laws (if necessary) that let those attacked respond appropriately to limit damage.

We as a nation, government, industry and private individuals, aren’t equipped with integrated tools and policies to rapidly respond collectively to cyber warfare. The ball rests squarely on the government to take a leadership (proactive) role, and on industry to be better stewards of OUR data. But still, shame on T.J. Maxx.

March 7, 2007

Who’s in Charge?

According to the Defense Department news article posted on DefenseLink, February 28th, reporting on the 18th annual Special Operations and Low-Intensity Conflict Symposium, Army Lt. Gen. William G. Boykin, Undersecretary of Defense for Intelligence and Warfighting Support, said:

“In the information age,” he said, “information should be something we’re good at, … and I do not believe that to be the case.

“It is my view that one of the most underutilized elements of national power is information,” he said. “It should be something we are applying robustly, with a great deal of coordination and synergy.

“The question is ‘on a day-to-day basis, who in this country is responsible for information operations?’” he said. “The answer is ‘nobody.’”

Every organization, agency and department has its own individual responsibilities, but there is no central direction and no one in charge, Boykin said. “That’s problematic,” he added.

Although the need for national information operations is recognized, establishing an Information Operations Czar seems counterproductive. We have three departments with significant information operations responsibilities and capabilities: the Department of Defense, the Department of State and the Department of Homeland Security. These three departments also have day-to-day working relationships with other agencies that touch information operations.

Might these departments implement the model that they talk about — wide sharing of information so that information operations can be effectively conducted at all national strategic, operational and tactical levels? Don’t we already have someone in charge?

But then let’s say we need someone new in charge. Should the czar be a new agency with authority to cross departments? Or, a special advisor to the president? Maybe a standards body with enforcement power? At the extreme, reorganize the government around the general’s seven elements of national power? Most certainly information operations is a key component of cyber warfare and leadership is paramount.

February 19, 2007

Anti-virus First Defense

Have you been noticing that the anti-virus vendors are becoming less responsive in product support? Although we all know that they need to generate profit, there is a tendency for the major vendors either to not support older operating systems (Windows 2000) in newer versions or to require annual updates to software instead of just the profiles. It seems as though industry is making the cyber defense component more difficult and confusing. I wonder what this annual cycle will cost five years from now?

January 23, 2007

More Spam

As we all know, Spam continues to increase. Have you noticed an increase during and after the holidays? We are receiving Spam in many formats, including email, online forms and this Blog. It certainly is true, as reported on a national network last evening, that as Spammers are getting caught, they continue to get smarter.

Somewhere in the mix we need to make it costly for the Spammers, both domestic and international. Not only does it cost us time and money, many spams contain unwanted snippets of code. Is additional legislation needed? - probably. Do we need to work better together as legitimate networks? - probably. Do we need better tools? - probably. What’s for certain - we haven’t begun to effectively combat the problem. Any ideas?

December 15, 2006

Sharing Tools

How can we share security related information to better foil intruders? What types of tools are needed? Some important considerations:

- Absolute control is retained by the network device owner.
- Sharing of information is void of personal links.
- Complete logs available to owner.

That said, any remote tool can be misused, either by the owner, the network or another intruder. For example, read a little about the Kill Switch: http://www.tbray.org/ongoing/When/200x/2006/11/20/WGA-Nightmares. We certainly don’t need tools that take over our computers or the information on them in the name of cyber security.

But then again, maybe?

November 21, 2006

Sharing Data

Sharing cyber security data is essential to national security and personal security — but has many risks. The real point is to develop the tools and trust to share cyber security information across the public and private sectors to the extent that all nodes are included in the protection structure. The solution may begin by establishing a framework of data definitions that specify security related data while protecting privacy.

Our lawmakers need to become engaged, if not immersed, in the issue. Clearly, enough hasn’t been done at the legislative level. Without it, our cyber security will remain a collection of uncoupled islands and stovepipe solutions.

November 12, 2006

A Paradigm Shift of Warfare

Warfare has been changing. The change, brought on by information technologies, has enriched the command and control of legacy kinetic systems and traditional military forces. As has been widely reported, the US military has been unsurpassed in taking advantage of these technologies on the battlefield. But the battlefield has been expanded to include civilians and private sector enterprises. This is a shift where the civilians can become members of the front-line battle force. How do we deal with this paradigm: technically, organizationally and legislatively?

Going to any technical trade fair or scanning the Web, we find that there are many programs and tools that are addressing the cyber threat. Most are defensive in nature, designed to prevent or mitigate cyber attacks. Critical national infrastructure receives much of the spotlight, and rightly so. However, the pervasive use of computer and communications technologies throughout the economy calls for including the distributed technology. More importantly, just as cyber may impact critical infrastructure affecting many individuals, it can often affect many individuals on a case-by-case basis. The spread of computer viruses and the conduct of fraud using phishing techniques are just two examples. Cyber defense tools need to address our personal space as well as the government, industry and the nation.

So, what is really new? The fact that any single person can be attacked by any individual, terrorist group or national state. The individual is also empowered with tools to directly attack (provoked or not) any individual, terrorist group or national state — or even their neighbor. In this free-for-all cyber warfare environment, what are the legal precedents and who is responsible for pursuing the criminals?

These are just a few of the questions that need to be addressed through policy, legislation and technology.