National Guard June 2011 : Page 26
The Next Global War
By William Matthews
The warfare of tomorrow is emerging as a real threat to computer networks today. This has Pentagon officials increasingly looking to the Guard for cyber expertise.
The electricity is out. The phones don't work. Computers can't get online. Gas stations can't pump. Cash machines? Forget it. Planes are grounded. Hospitals and police are getting by with backup generators.
That's one version of what cyber warfare might look like.
Others are worse: pipelines explode, planes crash, trains derail, chemical plants release toxic clouds and banks are drained of cash.
Or cyberwar might not look much different than life looks today. Let's face it, says one of the National Guard's senior cyber decision makers, we're already at cyberwar.
"It's ongoing now, but in the reconnaissance phase," says Ted Dmuchowski, the Army Guard's deputy chief of plans, policy and programs at the Army Guard Readiness Center in Arlington, Va.
In fact, the United States has been under attack for several years, and for the most part it's been unobtrusive.
Foes relentlessly probe U.S. computer networks and the critical cyber infrastructure, looking for weaknesses and identifying targets, Dmuchowski says.
The threat is real, and it's increasing, warn some of the most senior U.S. defense leaders.
"The threat is moving up a ladder of escalation, from exploitation to disruption to destruction," Deputy Defense Secretary William Lynn said in a speech to the RSA cybersecurity conference in February.
So far, most cyber attacks against the United States have been "exploitation of our networks," Lynn said at the gathering of security technology experts in San Francisco.
Foreign intelligence agents, foreign companies, assorted hackers and criminals have penetrated government, commercial and university computer systems to steal military plans, weapons designs, source codes, product designs, research results and money.
The immediate impact isn't dramatic. Power plants don't catch fire. There's no electronic Armageddon and normal life doesn't grind to a halt. But over the long term, the relentless theft "has a deeply corrosive effect," Lynn said. "It blunts our edge in military technology and saps our competitiveness in the global economy."
Elsewhere there have been more belligerent cyber attacks.
In Estonia in 2007 and the nation of Georgia in 2008, attacks shut down key Internet services by flooding them with demands for communication. Botnets–armies of hijacked computers–overwhelmed websites, temporarily knocking them offline.
It was disruptive, but not overly destructive.
"To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, short in duration and narrow in scope," Lynn said.
Meanwhile, a far more dangerous cyber threat has emerged–cyber attacks that can cause physical damage.
"This development, which marks a strategic shift in the cyber threat, is only just emerging," Lynn told the conference.
In 2006, the Energy Department demonstrated that a cyber attack could cause an electrical generator to catch fire. Then in 2010, the Stuxnet virus infected a uranium enrichment plant in Iran, causing hundreds of enrichment centrifuges to spin too fast and destroy themselves.
"It is clear that this capability exists," Lynn said. And "it is possible to imagine attacks on military networks or critical infrastructure, like our transportation system and energy sector, that cause severe economic damage, physical destruction or even loss of life."
But for now, such attacks are being held in check.
Although more than 100 foreign intelligence agencies have tried to break into U.S. computer networks, Lynn said, none has launched a destructive cyber attack. "The risk for them is too great. Our military power provides a strong deterrent," he said.
Still, he said, "We cannot dismiss the threat of a rogue state lashing out." Or the possibility that al-Qaida or other terrorist groups might acquire the technical skill to launch destructive cyber attacks.
So with the threat escalating, cyber defense is a growth area, and the Guard could become a key player. Increasingly, Guard units like the Virginia Data Processing Unit send small teams of cyber experts around the world to test network security, plug the holes they find and train other troops to defend military cyber networks.
Based in Fairfax, Va., about 17 miles west of the Pentagon, the 166-member DPU draws members from high-tech firms with local operations, such as Lockheed, Cisco and Northrop Grumman.
Other unit members work for Internet service providers, and still others are computer specialists for federal agencies, says Maj. Matthew Wear, the unit's executive officer.
Most are skilled beyond their pay grade. There's an E-4 who in civilian life is vice president for a major bank. There's a sergeant who's the civilian director of operations at a local Army base. And a GS-15, a top-level civilian government manager, is a warrant officer in the DPU.
"It's really nice from a situational-awareness perspective," Wear says. "On a drill weekend, you get a really good picture of the threat just by listening to the other folks talk."
The DPU was created decades ago to keep the Army Guard's punch-card machines running, Wear says. By the early 1990s, the mission had evolved into general information-technology support, and by the end of that decade it had grown into computer defense and network operations.
Today "opsec," or operational security, is a key responsibility. Wear heads the Army Web Risk Assessment Cell, which includes 52 soldiers from the Virginia DPU and Guard soldiers from four other states and two Army Reserve units.
Their job is to search Army networks for information that reveals too much, such as soldiers' blogs, photos, maps and videos that reveal sensitive information.
In one case, cell members discovered photos of soldiers posed in front of a specialized military aircraft. Inadvertently, the photo revealed "all kinds of classified devices" on the plane, Wear says.
The DPU also advises other units on how to harden and secure their websites to defend against cyber attacks. And in their status as part of the state militia, they may be called on to assess state networks and serve as emergency cyber responders.
But venturing too far from military cyber infrastructure puts the Guard on uncharted legal ground. What is the military's role in defending the United States against cyber attacks?
It is clear that military cyber units defend military networks. But what about attacks against critical but nonmilitary cyber infrastructure, such as banks, power grids, air traffic control, water supplies and chemical plants? Who defends them?
That's not entirely clear. Gen. Keith Alexander, the head of the U.S. Cyber Command, told Congress in March that the military does not have the capability or the authority to defend U.S. critical cyber infrastructure, whether it's the electrical grid, banking or the transportation system.
About 85 percent of the critical cyber infrastructure is privately owned, and the owners–banks, utilities, communications companies and the like–might logically be expected to hire cybersecurity staffs to protect their cyber assets just as they hire security guards to protect their physical plants.
But many of them don't.
Cybersecurity firm McAfee reported in April that it surveyed industrial sectors that it thinks "may well be the first targets for a serious cyber attack," including power companies, oil and gas pipelines and water systems.
"What we found is that they are not ready," the company reported.
Clearly, critical industries aren't doing enough to protect themselves, but the government isn't doing much to help them either. A third of the companies McAfee questioned said they have no contact with the government on cybersecurity.
There's a simple explanation.
"Oftentimes, members of Congress will ask me, 'So how are you going to defend the country in cyberspace?' Well, right now, that's not my mission," Alexander said during a cybersecurity symposium in April at the University of Rhode Island. "My mission as the commander of U.S. Cyber Command is to defend the military networks. That's what authority I have today."
"I do not have the authority to look at what's going on in other government sectors nor what would happen to critical infrastructure," said Alexander, who also is director of the National Security Agency (NSA). "That right now falls to the Department of Homeland Security."
But DHS also is limited. It's responsible for protecting the cyber networks of civilian government agencies, but it has no authority to defend private networks.
Many companies aren't anxious to have a government agency poking through their digital documents.
More needs to be done, Alexander said. Cyber attacks are already costing the U.S. economy about $1 trillion a year.
"When we think about the companies that have been hit–Nasdaq, RSA [a cybersecurity firm], Google. Those are companies that you would think are at the top of cybersecurity and cyber defense," Alexander said. "And if they get hit, where does that put companies that are in the electrical sector and other sectors of our government? It's a huge problem."
DHS Secretary Janet Napolitano made it clear that "at DHS, we believe cyberspace is fundamentally a civilian space."
Last month, the White House released its International Strategy for Cyberspace. In part it says: "We reserve the right to use all necessary means–diplomatic, informational, military, and economic–as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners, and our interests."
But the strategy adds, "We will exhaust all options before military force whenever we can."
Privacy organizations such as the Electronic Privacy Information Center, the Electronic Frontier Foundation and the American Civil Liberties Union have long opposed giving the military greater responsibility and authority over private cyber infrastructure.
The NSA is legally forbidden to spy on or intercept and collect information about U.S. citizens, corporations or organizations in the United States. And the military is generally prohibited from exercising law enforcement duties in the country.
But putting the military in charge of cyber defense also would almost certainly put the Cyber Command, the NSA and other parts of the military in a position to regularly dig deep into the contents of U.S. domestic networks, company databases and private communications.
"There is a great need to insure that the NSA's tools for surveillance are not directed at the American public," Marc Rotenberg, executive director of the Electronic Privacy Information Center, says.
"We are very concerned that the line between the military and domestic law enforcement continues to blur," says Laura W. Murphy, the director of the ACLU's Washington legislative office. "The military is trained to fight foreign enemies, not to enforce domestic laws."
But in the cyber realm, foreign enemies can operate in domestic territory with a keystroke.
Lynn has proposed a possible solution: Assign the Guard a greater role in cybersecurity.
During his RSA conference talk, Lynn said, "Our department has many soldiers, sailors, airmen, and Marines who work in the civilian IT world, and who continue to serve their country in the National Guard or Reserves. To make better and more systematic use of their specialized skills, we will increase the number of Guard and Reserve units that have a dedicated cyber mission."
Lynn didn't elaborate, and the Pentagon and the National Guard Bureau say the details of his plan are still being worked out. Adding new Guard units may be impossible under current budget constraints, Guard officials say. But that might not preclude assigning cyber missions to existing Guard units.
The Guard already has a presence in cyberspace with cyber units scattered across the nation, says Col. Jeff Pounding, the Army Guard Operations Division chief at the Army Guard Readiness Center in Arlington, Va.
In Delaware, for example, the Guard's 166th Network Warfare Squadron works closely with the NSA in nearby Maryland. It performs defensive work such as diagnostic analysis of computer and network intrusions for the military, the national security community and law enforcement agencies.
In San Antonio, the 273rd Information Operations Squadron performs vulnerability assessments and supports cyber exercises. Meanwhile, in Vermont, the 229th Information Operations Squadron provides cyber training to Guard and active-component troops through online courses and classroom schooling.
Washington's 262nd Network Warfare Squadron spends its duty hours trying to break into military networks.
If asked by state authorities, the 262nd may do similar vulnerability testing of networks critical to the state, including systems that control power, water and emergency services.
But that kind of activity approaches a realm where the rules still aren't clear.
"Banks are part of the critical infrastructure, but if Capital One gets hit, you don't call in the military," Dmuchowski says. "I don't see it different in cyberspace."
But others are starting to.
The Guard has long listed 10 essential capabilities it needs to respond to domestic incidents, ranging from airlift to medical capabilities.
On March 24, the list was increased to 11 when cyber capabilities were added, Pounding says. Increasingly, Guard officials believe that the states must have some ability to support and defend their cyber networks, he adds.
And the rest–the 85 percent of critical cyber infrastructure that is privately owned?
Dmuchowski says, "How we play that out has yet to be determined."
William Matthews is a freelance writer based in Springfield, Va., who specializes in military matters. He can be contacted at firstname.lastname@example.org.
Read the full article at http://www.nationalguardmagazine.com/article/The+Next+Global+War/755016/72536/article.html.