|
|
|
Last Updated: Jul 4, 2009 - 8:24:03 AM |
The Pentagon's decision last week to establish a unified cybercommand
to defend the military's computer networks and attack those of U.S.
enemies raises at least as many questions as it answers, analysts and
experts in the field say.
"How does it fit into the strategic goals of defending our economy and
our way of life?" asked Marcus Sachs, who helped set up the U.S.
military's first cyberwarfare unit in 1998.
"How will it relate to other government agencies?" asked Mr. Sachs, who
is now director of the Internet Storm Center, a volunteer warning and
analysis service that works with Internet service providers to counter
such threats as computer viruses.
In a memo to military leaders last week, Defense Secretary Robert M.
Gates ordered U.S. Strategic Command -- the military entity in charge
of U.S. nuclear and space weapons -- to set up the new cybercommand by
October this year and to have it fully functioning by October 2010.
However, he also ordered Pentagon policy chief Michele A. Flournoy to
lead a "review of policy and strategy to develop a comprehensive
approach to [Department of Defense] cyberspace operations."
According to a National Research Council study of cyberwarfare
published this year, "an unclassified and authoritative statement of
joint [military] doctrine for the use of computer network attack is
unavailable and it is fair to say that current doctrine on this matter
is still evolving."
Officials say that such questions are acute because of the difficulty
in identifying cyberattackers who can strike anonymously using networks
of home computers infected by specially designed viruses and in
distinguishing between acts of vandalism, crime and war in cyberspace.
"How can we deter and prevent attacks" in cyberspace? asked Deputy
Defense Secretary William J. Lynn III at a talk last week. "Deterrence
is predicated on the assumption that you know the identity of your
adversary, but that is rarely the case in cyberspace, where it is so
easy for an attacker to hide."
Mr. Sachs told The Washington Times that the questions of how to
respond to cyberattacks were thrown into sharp relief by events in
Estonia in 2007 and Georgia last year. Both countries were subjected to
cyberattacks on their infrastructure originating in Russia, but Moscow
denied any role, and it is not clear to what extent the attacks --
largely carried out by nationalistic hacker gangs -- might have been
inspired or coordinated by the Russian government.
"What would happen and who would be responsible [for responding] if
that kind of attack was carried out against the United States?" Mr.
Sachs asked. "All these questions are unanswered."
When it comes to offensive operations in cyberspace, the questions
become even harder to answer, he said.
"We really haven't tested the rules [that] apply to warfare in the
physical world" in cyberspace, Mr. Sachs said. He gave as an example
the requirement under the Geneva Conventions that all combatants be
readily identifiable.
"What does that mean in cyberspace? Should we put a special header on
packets" -- the tiny digital messages that make up Internet traffic --
"saying, 'This is a U.S. Air Force attack packet'? ... We need to start
thinking about these questions," he said.
"We need to have a public debate, not a classified conversation," he
added, noting that U.S. policy on the use of other unconventional
armaments like nuclear weapons had been publicly debated even while the
exact capabilities and technical details of the bombs themselves
remained secret.
In last week's memo, Mr. Gates called for an "implementation plan" for
setting up the new command that would "delineate [its] mission, roles
and responsibilities" and its "command and control, reporting and
support relationships with combatant commands, [military] services and
U.S. government department and agencies."
This last point is key because of the complicated jigsaw of authorities
and responsibilities than different U.S. agencies have in relation to
military, government and private-sector computer networks.
"There are so many stakeholder organizations and individuals in the
cyberdomain it is difficult to know exactly where to start the
collaboration, information sharing, and integration" needed, said Larry
McKee, a computer-security specialist and longtime adviser to U.S.
Strategic Command and the U.S. Air Force.
"What's the long-term vision here?" asked Mr. Sachs. "Is it a small
elite organization just focused on the military networks, or will it
have a broader, almost National Guard-like mission to protect the
nation's critical infrastructure?"
Defense officials have been keen to stress that the new command will be
focused on defending military networks' ".mil" domain and that its
establishment does not represent any attempt by the Pentagon to carve
out a larger role for itself in defending the nation's civilian-owned
and -operated computer systems.
"Responsibility for protecting federal civilian networks would remain
with the Department of Homeland Security," Mr. Lynn said last week.
"Likewise, responsibility for protecting private-sector networks would
remain with the private sector."
However, some privacy and civil liberties advocates have nonetheless
expressed concerns about the role of the military and in particular the
secretive National Security Agency in the cyberarena.
The new cybercommand will be headed by the director of the NSA, and Mr.
Gates said he would recommend that the current incumbent of that job,
Lt. Gen. Keith B. Alexander, be nominated to the new role.
Gen. Alexander is already in charge of the Joint Functional Component
Command Network Warfare, the part of Strategic Command responsible for
offensive cyberoperations.
"Many of the resources to be managed by cybercommand are already under
Gen. Alexander's control," said Alan Paller, director of research at
the SANS Institute, an industry nonprofit that does research and
education on computer security.
"The new piece is that military resources currently outside of
Strategic Command can now be mobilized," Mr. Paller said. "The
action-oriented resource base [of the new command] is much larger."
However, Mr. Paller said leveraging those resources also required
better partnership between the military and the private sector. A key
problem for civilians engaged in trying to defend U.S. networks against
cyber attacks, he said, was that they do not have access to the
military's latest, best information about attackers and the methods
they are using.
Mr. Paller pointed out that the vast majority of the thousands of cyber
attacks against U.S. military computers are carried out across civilian
networks like the Internet, mostly managed by seven or eight large
private-sector companies.
Currently, he said, because the network managers of those firms don't
have security clearances, "the military can't share intelligence about
the latest threat signatures" with them, making it much harder for them
to spot attacks in progress.
Gen. Alexander told a symposium of the Armed Forces Communications and
Electronics Association last week that the military will have to give
network operations people the security clearances they need, so they
can understand the nature of the threats.
Granting such clearances to "a very small set of people" would
"radically improve our capabilities to defend" against cyberattacks,
Mr. Paller said.
Still, many - and not just privacy and civil liberties mavens - remain
unconvinced about the likely performance of the NSA, and by extension
the new cybercommand, in this crucial area of partnership.
"While NSA has improved in both areas since Sept. 11, neither
collaboration nor information sharing [is] exactly NSA core
competencies," Mr. McKee said.
Source:Ocnus.net 2009
Top of Page
|
|
|
|