Government Corruption and Treason
Cyber Command: We Don’t Wanna Defend the Internet (We Just Might Have To)
May 28, 2010Wired – Members of the military’s new Cyber Command insist that they’ve got no interest in taking over civilian Internet security – or even in becoming the Pentagon’s primary information protectors. But the push to intertwine military and civilian network defenses is gaining momentum, nevertheless. At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks, based on a deeply controversial effort to keep hackers out of the government’s pipes.
U.S. Cyber Command (“CYBERCOM“) officially became operational this week, after years of preparation. But observers inside the military and out still aren’t quite sure what the command is supposed to do: protect the Pentagon’s networks, strike enemies with logic bombs, seal up civilian vulnerabilities, or some combination of all three.
To one senior CYBERCOM official, the answer is pretty simple: nothing new. Smaller military units within U.S. Strategic Command coordinated and set policies for the armed forces’ far-flung teams of network operators and defenders. Those coordinators and policy-makers have now been subsumed into CYBERCOM. They’ll still do the same thing as before, only more efficiently.
“Doesn’t expand any authorities. It doesn’t have any new missions,” the official told Danger Room. “It really doesn’t add any significant funding… And really, it’s not a significant increase in personnel; we just reorganized the personnel have we had in a smarter and more effective way.”That may soon change, however. A 356-page classified plan outlining CYBERCOM’s rise is being put into action. A team of about 560 troops, headquartered at Ft. Meade, Maryland, will eventually grow to 1093. Each of the four armed services are assembling their own cyber units out of former communications specialists, system administrators, network defenders, and military hackers. Those units – Marine Forces Cyber Command, the 24th Air Force, the 10th Fleet, and Army Forces Cyber Command – are then supposed to supply some of their troops to CYBERCOM as needed. It’s similar to how the Army and Marines provide Central Command with combat forces to fight the wars in Afghanistan and Iraq. Inside the military, there’s a sense that CYBERCOM may take on a momentum of its own, its missions growing more and more diverse.
Most importantly, perhaps, procedures are now being worked out for CYBERCOM to help the Department of Homeland Security defend government and civilian networks, much like the military contributed to disaster recovery efforts after Hurricane Katrina and the Gulf of Mexico oil spill.
In those incidents, it took days, even weeks for the military to fully swing into action. In the event of an information attack, those timelines could be drastically collapsed.
“There’s probably gonna be a very temporal element to it. It’s gonna need to be pretty quick,” the CYBERCOM official said.Exactly what kind of event might trigger CYBERCOM’s involvement isn’t clear.
“From our perspective the threshold is really easy: it’s when we get a request from DHS,” the official noted. “What’s their threshold? I couldn’t tell you what their threshold is.”The Pentagon might not even wait for an information disaster to move in. The National Security Agency is developing threat-monitoring systems for government networks dubbed Einstein 2 and Einstein 3. Deputy Secretary of Defense William Lynn believes those programs ought to extended to cover key private networks, as well.
“We are already using our technical capabilities… to protect government networks,” Lynn announced at the Strategic Command Cyber Symposium here. “We need to think imaginatively about how this technology can also help secure a space on the Internet for critical government and commercial applications.”Einstein 2 is supposed to inspect data for threat signatures as it enters federal networks. Einstein 3 goes even further — alerting DHS and the NSA before the attacks hit.
“You’re starting to anticipate intrusions, anticipate threat signatures, and try and preventing things from getting to the firewalls rather than just stopping at the firewalls,” Lynn told Danger Room after his Cyber Symposium speech. (Full disclosure: I ran a panel at the event, and the military paid my travel costs.)Given the NSA’s history of domestic surveillance, civil liberties groups fear that the Einstein programs could become a new way to snoop on average Americans’ communications. Lynn said not to worry:
“Individual users who do not want to enroll could stay in the ‘wild, wild west’ of the unprotected internet.”Privacy rights organizations and military insiders also wonder whether CYBERCOM is just another way to extend the NSA’s reach. After all, both organizations are headquartered at Ft. Meade. And both are headed by Gen. Keith Alexander.
“I think it’s gonna have to be voluntary,” he added. “People could opt into protection – or choose to stay out. Individual users may well choose to stay out. But in terms of protecting the nation’s security, it’s not the individual users [that matter most]. I mean, they have to worry about their individual [data], their credit rating, and all that. But it’s the vulnerability of certain critical infrastructure – power, transportation, finance. This starts to give you an angle at doing that.”
The CYBERCOM official swears that won’t happen.
“It’s not NSA taking over military cyber,” he said. “And it’s not military cyber taking over NSA.”
Businesses Could Use U.S. Cyber Monitoring System
May 26, 2010AP — A U.S. government computer security system that can detect and prevent cyber attacks should be extended to private businesses that operate critical utilities and financial services, a top Pentagon official said Wednesday.
William J. Lynn III, the deputy defense secretary, said discussions are in the very early stages and participation in the program would be voluntary. The idea, he said, would allow businesses to take advantage of the Einstein 2 and Einstein 3 defensive technologies that are being developed to put in place on government computer networks.
Extending the program to the private sector raises a myriad of legal, policy and privacy questions, including how it would work and what information — if any — companies would share with the government about any attacks or intrusions they detect.
Businesses that opt not to participate could "stay in the wild, wild west of the unprotected Internet," Lynn told a small group of reporters during a cybersecurity conference.
And in the case of Einstein 2 — an automated system that monitors federal Internet and e-mail traffic for malicious activity — companies already may have equal or superior protections on their networks.
"Einstein 2 is like a 1999 Mustang with a little rust," said James Lewis, a cybersecurity expert and senior fellow at the Washington-based Center for Strategic and International Studies. "For some companies it isn't a big deal. But for others who haven't done much (to secure their networks) it would be a good idea."Lewis said the larger challenges would come with Einstein 3, a separate program being developed which would detect and actively block or prevent cyber intrusions.
Einstein 2 is in place in at least 11 of the 21 government agencies that police their own networks. The other 89 federal agencies will go through one of four major technology contractors for the Einstein monitoring. Einstein 3 is currently in a trial phase.
Managed and run by the Homeland Security Department, the two systems have triggered debate over whether they violate privacy. But the Justice Department concluded last year that it doesn't violate the rights of either the federal employees or the private citizens who communicate with them.
According to Lewis, there are questions about whether companies would share with the government information they collected on malicious Internet traffic. At the same time, the government would find it difficult to share some threat assessment information with industry because it may be classified. And companies might hesitate to share data with each other due to competitive concerns.
One Homeland Security official said the department and the Pentagon are working together to secure government networks, and are relying on private sector and government technical expertise to do that.
That experience will provide insight into ways to protect the privately owned and operated critical infrastructure, said the official, who spoke on condition of anonymity because discussions are in early stages.
Lynn and Air Force Gen. Kevin Chilton, commander of U.S. Strategic Command, on Wednesday also warned of escalating threats from cyber espionage and computer crimes. They called for more cooperation between the federal government and private industry, as well as between nations.
The Pentagon's creation of U.S. Cyber Command, which officially launched on Friday, will help the Defense Department protect its networks and enable it to better assist other federal agencies when they are hit with a cyber attack, Chilton said.
But he acknowledged it will be challenging to develop rules of cyber warfare, including what constitutes a cyber attack and what is an appropriate response. The new Cyber Command will be based at Fort Meade, Md., and it will report to the Strategic Command in Omaha.
U.S. computer networks face persistent attacks, including complex criminal schemes, suspected cyber espionage by other nations such as China, and possible terrorist probes seeking vulnerable systems or sensitive information.
Critics long have complained that defense officials have not yet detailed how and when the U.S. military should conduct cyber warfare, and what constitutes a computer-based attack that requires retaliation.
In other comments Wednesday, Lynn said the Pentagon is setting up a task force to find ways the massive agency can buy information technology programs and equipment more quickly. He said that while it takes the Defense Department as much as 81 months to fund and develop a new program, it only took Apple 24 months to develop the iPhone.
House Cybersecurity Overhaul Included in Defense Authorization Bill
May 28, 2010nextgov.com - An amendment to the Defense authorization bill, expected to pass in the House on Friday, would push through committee efforts to update information security requirements for agencies and establish a separate cybersecurity office in the White House.
The fiscal 2011 National Defense Authorization Act, which moved to the House floor on Thursday, includes an amendment that would speed passage of existing measures from the Oversight and Government Reform Committee to overhaul federal cybersecurity.
"It was appropriate to attach this amendment to the Defense authorization bill because properly securing our cyber infrastructure is a national security issue," said Joy Fox, spokeswoman for Rep. Jim Langevin, D-R.I., who offered the amendment with Rep. Diane Watson, D-Calif.The amendment would mandate agency use of automated monitoring to assess cyber threats. It would involve a major overhaul of the 2002 Federal Information Security Management Act, which often is criticized for forcing IT staffs to spend too much time and too many resources reporting about compliance with certain security procedures. Agencies also would be expected to incorporate security requirements into contracts from the start.
Other provisions in the amendment would establish a National Office of Cyberspace in the White House with budget authority over cybersecurity spending and governmentwide coordinating responsibilities, and codify posts of the federal cybersecurity coordinator, held by Howard Schmidt, and chief technology officer, who is Aneesh Chopra.
The amendment is based on H.R. 4900, sponsored byWatson, and H.R. 5247, sponsored by Langevin.
The security community has widely praised the provisions.
"This is an important step forward," said Allan Paller, director of research for the SANS Institute, noting he expects it will accelerate companion measures in the Senate and create "a real chance of major progress quickly."
No comments:
Post a Comment