Information warfare is thought to be a product of what, broadly speaking, is considered the ”information” era. However, if we correctly understand what information war is, we can see that it stretches back to the dawn of organized conflict itself.

Dorothy Denning defines information warfare (IW) as “operations that target or exploit information resources.” Information resources consist of containers (information media that contain forms of data), transporters (objects and communication systems that transport information from one location to another), sensors (humans and machines that extract information objects and the environment), recorders (objects that place information in containers), and processors (people and objects that manipulate information). Information resources are important because they have value to people, and thus can be disabled, destroyed, or manipulated to accomplish operational and strategic goals.  Hence, it matters little if you destroy a command and control center with a computer network operation or simply blow it to smithereens with a terminally guided submunition. The effect is largely identical.

Using this definition, information warfare becomes less exotic and part of the general toolbox of the commander. Military deception–one element of IW–has been crucial to the success of many large operations. Operation Bagration, the Soviet destruction of the Wehrmarcht’s Army Group Center, was only successful after a massive campaign of maskirovka designed to hoodwink the German military planners trying to forecast their attack. The deception campaigns that preceded the Normandy invasion and the German invasion of Russia are also well-known to military historians. Although military writers often reach back to Sun Tzu to look at Chinese information warfare theory, some of the biggest influences on current People’s Liberation Army (PLA) is actually the Chinese Civil War. The Beiping-Tianjin campaign, for example, is an example of the seamless employment of psychological operations alongside large-scale maneuver and attrition warfare and looms large in the PLA’s institutional memory.

Military deception also has been extensively utilized in antiquity by the Mongols and the various armies that contested China to not only delay recognition of the point of the blow but also to fool the foe into exaggerating the size of one’s force. Genghis Khan, in this sense, was an IW pioneer.

Khan was widely known for leading hordes of savage horsemen across Russia and into Europe. While not totally unfounded, the Mongols’ image of total, barbaric domination was greatly enhanced by Khan’s use of PSYOP, deception, OPSEC, and targeting his adversaries’ decision-making process. “Agents of influence” were sent in advance of his armies to do face-to-face PSYOP, telling of brutality and large numbers in the Mongol army. Khan also used deception to create the illusion of invincible numbers by using rapid troop maneuver, making his army look larger than it really was. He had a network of horsemen called “arrow riders” to communicate quickly with his commanders, and he targeted enemy messengers to prevent enemy commanders from communicating with each other.

Actual employment of IW capabilities in modern war will not differ much from the means described here–the capabilities in question will change, but the methods of degrading the opponent’s information, attempting to bait them into the wrong decisions, targeting their C3I, practicing proper operations security, protecting one’s own information, and trying to undermine enemy morale are basic and recurring elements of IW throughout history. One can also consider Khan’s “arrow riders” as an ancient attempt at increasing “power to the edge.”

One caution, however. Information warfare has never been decisive in and of itself–it’s always increased the strategic effectiveness of one’s own forces and decreased the effectiveness of the enemy. Strategic information warfare–even in the Gulf Wars, which featured the wholesale destruction of enemy C3I–did not decide the campaign. Rather, ground and air forces operating as part of the AirLand Battle paradigm utilized capabilities, tactics, and operational plans honed in many rotations at the National Training Center (NTC) against the most fearsome Soviet imitation forces the military could provide. Although future wars will certainly raise the importance of IW as more and more enemy information assets and systems can be targeted, history suggests that a “cyber Pearl Harbor” will not in itself be decisive.

You may also like -

The Devil is in the Details: Seven Tests to Apply to any Cyber Conflict ConceptThe Twilight of Network-Centric WarfareI Haven't Trusted My Toaster for 15 YearsCyberattack as Covert ActionAn Assessment on the Cyber ThreatNew ONR technology will enable ship systems to share information seamlesslyBob GourleyArmy establishes Army Cyber CommandCTOvision.comArmy Activates First of its Kind Cyber BrigadeBob Gourley

How would you describe the threat to the US information infrastructure? If you are a technologist or a national security expert or both I hope you would use your background and experience and expertice and produced a fused-all source assessment based on facts. But it is also ok to cite the masters, folks who really know what they are talking about and are paid to produce the most accurate possible reports. Below is an assessment I extracted from a source I know to be reliable, but to most of you technologists and national security professionals I hope this list will be seen as intutive statements that ring true to your experience. Please look it over and let me know what you think (I’ll inject some thoughts at the end):

Judgements:

“The fact is that we are currently building an information infrastructure — the most complex systems the world has ever known — on an insecure foundation. We have ignored the need to build trust into our systems. Simply hoping that someday we can add the needed security before it is too late is not a strategy.”

Additionally:

• We are growing increasingly dependent on information systems for commercial and government activities.
• Our adversaries recognize this dependence and are developing tools to attack our information systems.
• Protecting our systems will require an unprecedented level of cooperation between government and the private sector.
• Protecting our critical information systems and the data on them will be key to our survival as the world’s leading economic power and as the world’s leader in information technology.
• Our heavy and growing societal and strategic dependence on information technologies and information systems has created vulnerabilities — vulnerabilities to our economic institutions, to the systems that support public needs, to our privacy, and to our military capabilities.
• The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations and non-state entities such as terrorism groups.
  Technology will increase the sophistication of their capabilities and will continue to reduce the cost of attack and the risk if security remains where it is today.
• And the attackers have enormous incentives.Trillions of dollars in financial transactions and commerce moving over a medium that has minimal protection and sporadic law enforcement. Increasing quantities of intellectual property residing on networked systems. And the opportunity to disrupt military effectiveness and public safety, with elements of surprise and anonymity.
• The state sponsored terrorists and military Information Warfare people pose the greatest risk to our critical infrastructure because they have the greatest knowledge and resources.
• Foreign governments and their military services are paying increasing attention to the concept of ”Information Warfare”. Foreign military writings discuss the importance of disrupting the flow of information in combat. The battlespace of the future also will extend to our domestic information infrastructure, such as our electric power grids and our telecommunications networks – in short, the very foundations of our economy.
• We cannot keep building new capabilities on a poor foundation of security. We cannot ignore the need to build trust into our information systems any longer.
• It is folly to hope that someday we can add needed elements before it’s too late. The longer we wait, the more our country is exposed, and the costlier it will be to address the problem.If we are going to lead the world in information technology we must recreate the trust that existed between our government and our industry that allowed us to lead the free world for over forty years. We still have the power to lead by our example, and we still have the time to do what is right.

I think the information and assessments and powerful thoughts above are right on and should be considered by anyone in the national security and technology space.

The source?  1998 speeches and testimony by then Director of Central Intelligence George Tenet.  I think he pretty much nailed what would happen with the assessment above (read more online at: https://www.cia.gov/news-information/speeches-testimony/1998/dci_speech_040698.html and https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html

In fact, seems like he provided clear an unambiguous warning.

Since then, it seems like very leader in the national security, DoD and Intelligence Space that comes into office seems to muddle on oblivous to the cyber threat till some incident hits them, like Moonlight Maze or the series of intrusions into DoD and other nets over 2007 or the attacks vs Estonia or the attacks vs. Georgia or the attacks vs. Google.  And in each time you get folks saying something like “oh well that was a wake up call.”

Any thoughts on that?

Is there anything that can be done so 12 years from now we are not asking ourselves why people in key positions are still saying things like “oh that was a wake-up call!”?

You may also like -

The Devil is in the Details: Seven Tests to Apply to any Cyber Conflict ConceptContinued Evolution of DoD Cyber PolicyCTO Perspectives on Cyber Security BillGeospatial TTPs Contribute To Cyber SecurityCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...President Mentions Cyber-Threats in State of the Union AddressCrucialPointLLCFederal Cyber Security: Missions, Initiatives, Opportunities and RisksCTOvision.comDefending Against Stuxnet Type ThreatsCTOvision.comThe most well thought out research agenda for cyber security I have seen to dateCTOvision.comMature Models for Healthy and Resilient Cyber SystemsCTOvision.com

I enjoyed listening to the President today as he provided an update on where we are in our efforts to enhance our freedom of action in cyberspace.  All the details are on the White House website and I hope you visit there yourself to download the 60-day cyberspace policy review. Details are here: http://www.whitehouse.gov/CyberReview/

I have been reading the report already– and will also read all the papers and studies referenced there.

So far I have three comments:

1) I really enjoyed hearing the President reference Melissa Hathaway.  She has done an incredible job and to hear him praise her was music to my ears.  Melissa deserves the thanks of the nation.

2) A great deal of work remains to be done. The policy review provides a framework for action and guidance that will help prioritize activities, but don’t expect instant miracles.

3) Number one on the list of near term actions is to appoint a cybersecurity policy official. The President did not do that today.  That will be done in due time.  I should also point out that no one in government is using the term “Cyber Czar” for this position.  That term Czar is used by all the reporters and all the pundits.  It sounds cool.  It also brings lots of baggage.  The typical “Czar” in DC is a powerless position that has little or no effect.

To underscore that point I’d like to close with a little self-plagerization.  A reprint of a blog post I first wrote in January 2009 titled “We have a cyber czar, and he has spoken.“  In the post, now below, I try to make the point that if Putin can accomplish his objectives in our networks then he is our cyber czar.  I also hope to make the point that we should not be happy with him being in this position.

We Have A Cyber Czar, and He Has Spoken

A debate has been running for months both among government thought leaders and the technical literati on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses.  This is a complex discussion that has had some of the greatest thinkers in and out of government involved.   A great snapshot of issues and the opinions of many well reasoned experts are expressed in the CSIS report “Securing Cyberspace for the 44th Presidency“   and other thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama .

Unfortunately for those who would like to still debate and discuss this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks.  His name is Russian Prime Minister Vladimir Putin.  This former KGB operative now controls Russia with an iron fist and has shown others again and again he will exert influence anywhere he needs to in order to accomplish his objectives.  He will use tanks when required and cyber when desired and combinations when it suits him.  There are indications his agents are also in our networks now.  If our objectives are to keep players like him out, we cannot say we are accomplishing them.  If his objectives are to get in, then we can say he is accomplishing them.  Till this situation changes, we need to confront then this new reality:  Vladimir Putin is the Cyber Czar.

We have our own great technologists and wizards of cyber, of course. And we have great hero entrepreneurs of technology who have built the cyber world we all use today.  One of those greats is Michael Dell, creator of an idea and corporation that develops, manufactures, sells and distributes personal computers we all depend on.

But he is someone who will now think twice before thinking he can interact as a peer to Cyber Czar Putin.  After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question:  “How can we help.”  As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask that.  But not Czar Putin.  He did not appreciate that at all.   Putin was offended by the assertion that the mighty Russia might need help in anything Cyber. The exchange is captured here on YouTube:

Fortune: described the exchange this way:

“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”

Clearly cyber domination is personal with Putin.  He is the Cyber Czar.

I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT:  Please don’t be pleased with this current situation.  Please don’t just think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of.  It is not.  We should continue to act till we are able to assert that we are masters of our own networks.  Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.

You may also like -

Interested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...FedCyber.com Cybersecurity Summit on Wednesday, September 28Deputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveCTO Perspectives on Cyber Security BillCalling All Federal Cybersecurity Practitioners: Contribute ideas and actions ...The U.S. International Strategy for CyberspaceCTOvision.comIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCJTF-CND to JTF-CNO to JTF-GNO to CybercomCTOvision.comThe FedCyber.com Cyber Security SummitCTOvision.comCyber Conflict Studies Association History ContestCrucialPointLLC

INSA, the Intelligence and National Security Alliance, is a group of professionals from academia, industry and government who seek to enhance innovation, discussion, debate and progress on key national security issues.  I’ve been involved as a member for years and get the pleasure of interacting with folks from a wide swath of the community.

One of the many services INSA provides the community is providing a venue for speakers and community leaders to interact.  INSA did that again just last night when their Distinguished Speaker Series featured Melissa Hathaway.  Melissa, who I have previously called the most effective and efficient senior executive in government today, spoke on the topic  of the White House Cyber Security 60-day review.

I watched Melissa’s RSA presentation, and for those who did or for those who have been engaged with her during this review, last nights presentation was in consonance with what we know of the hard task she has been working on (if you haven’t watched it yet, I’d recommend you take a look now, at:  http://media.omediaweb.com/rsa2009/keynote_catalog.htm )

A couple thoughts from a CTO perspective:

- Like so many other problems, tackling this one requires both a knowledge of technology and of people. Both technology and people must be influenced.

- When it comes to people, Melissa mentioned the book  Influencer: The Power to Change Anything .  I haven’t read it yet, but have just added it to my Amazon wish list and will be getting it soon. Melissa said the authors of the “Influencer” book say there is power in everyone to make a change and therefore everyone should get engaged, and in this cyber context she asked everyone at INSA to stay engaged.  She wants folks to continue to dive in and stay involved and form views and move out.

- One of the most important ways the federal government influences is through law.  Our great government flows from a great Constitution and, although it was not a civics lesson last night, Melissa did mention the incredible legal review that these many cyber issues have been through.  She said over 80 significant legal issues were reviewed.  The report, when it is released, will have a 150 page legal annex that captures some of the opinion of federal legal experts from across the government.   As for me, I intend on reading every page of the report, and will pay particular attention to this legal section.

- Now that I’ve had time to think about what Melissa said, I think we (the nation, and we humans everywhere) are going to need more work to be done on how we influence technology.   I’ve tried hard to think through this from a security perspective, and I know there are things we can do right now to improve things in this regard (and I’ve provided papers to Melissa’s study team on a couple significant constructs like enhancing security through smart use of cloud computing and through smart use of open source).  But there is still much much more work to be done in this area.   CTOs cannot rest on this topic, yet.  In fact, I am not comfortable with the state of technology leadership in this area and I think all of us technologists need to follow Melissa’s advice.  We all need to get engaged and get a view and move out.

Part of the event last night was a networking reception where INSA members from academia, industry and government could chat.  The gist of the conversations confirmed what I have long thought, everyone wants Melissa to succeed and a wide swath of people are lining up to follow her lead.  She has done a great job at building a broad team and we are all looking forward to her continued leadership on things cyber.

For more on this topic see:  http://ctovision.com/category/cyber-initiative/

You may also like -

Melissa Hathaway: Compelling action along a broad frontPrediction: BlueCat Networks is one you should watchDoDIIS Conference Agenda PublishedNew Boeing Intelligence Collaboration Center2010 DoDIIS Worldwide ConferenceHow Much Freedom Will You Give Up to Fight International Cybercrime?CrucialPointLLCUS needs to kick network security intelligence up a notchCrucialPointLLCA First For The Nation: NERC Completes First Grid Security ExerciseCrucialPointLLCFormer Head of National Counterterrorism Center, Michael Leiter, to Keynote C ...CrucialPointLLCSINET Showcase 27 October 2010CTOvision.com

Last week at the InfowarCon my friend Dan Kuehl handed me a copy of Cyberpower and National Security.  Cyberwar has been a topic Dan has been exploring in some detail for quite a while.  I first met Dan in 1996 when I was a student at the USMC Command and Staff College, and at that time Dan was already writing and exploring concepts related to cyber power and information warfare.  His deep focus and insights into this still emerging mission area continues today.

[amtap amazon:asin=1597974234]

About the book, it is big. Not just in pages (it weighs in at 642 pages). It is big in info. Chapters are written by some of the greatest thinkers of the Cyber War mission area. Folks like Dan Kuehl, Edward Skoudis, Greg Rattray, Martin Libicki, Irving Lachow, Tim Thomas, Tom Wingfield and of course the editors Franklin Kramer, Stuart Starr and Larry Wentz. These and the other contributors are all well respected thought leaders and each provide insights I believe will be of use to today’s strategic planners.

As for the content, it starts with a great foundation and overview of what is meant by Cyberspace (building on Dan Kuelh’s well articulated definition) and also spells out key issues that policy makers and national security strategists must tackle. It then analyzes and explores changes in cyberspace including projections into the near future, and ends with an analysis of the impact of all these changes- including the considerations we must think through in our strategic deliberations.

I now consider this book a critical foundational work that should be studied by anyone who seeks to dialog on modern national security issues.  This book does for the strategic domain what the Common Audit Guidelines did for the operational cyber domain.

I know NDU will continue to examine these topics, and look forward to more material from them.  I also look forward to continuing to enage with others in academia via the Cyber Conflict Studies Association, a group that includes many of the authors of this Cyberpower and National Security work.

You may also like -

Congrats To Sony Corp! This is a very good moveA look at GSA's Managed Trusted Internet Protocol ServicePrediction: BlueCat Networks is one you should watchSave the date: Geoint will be 16-19 Oct 2011FedCyber Webinar: The Security Development LifecycleFISMA Mandates Monthly Security Reports For AgenciesCrucialPointLLCDHS Outlines New Monthly FISMA Compliance RequirementsCrucialPointLLCDHS’s National Cyber Security Division and Idaho National Laboratory win cybe ...CrucialPointLLCFedRAMP includes 168 security controlsCrucialPointLLCInteragency group looks to common cyber security language, skillsCrucialPointLLC

Have you ever been sucked into the false debate over how much IT spending should be spent on security?  I used to all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated.  By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   I try whenever possible to use the term security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this ways also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security  experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

1. Inventory of Authorized and Unauthorized Hardware.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4. Secure Configurations of Network Devices Such as Firewalls and Routers.
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

1. Secure Network Engineering
2. Red Team Exercises
3. Incident Response Capability
4. Data Recovery Capability
5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said
Alan Paller, director of research at the SANS Institute.  “The team that was
brought together represents the nation’s most complete understanding of
the risk faced by our systems. In the past cybersecurity was driven by
people who had no clue of how the attacks are carried out. They created an
illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

Michael Tanji brings a perspective forged in years of intelligence work and a successful stint protecting information in the financial sector.  He is a well published author who focuses on national security issues and is also a thought leader in the computer security domain.

At Haft of the Spear he writes primarily about technology related/enabled national security issues, which includes a heavy dose of information warfare. 

Read HOTS at: http://haftofthespear.com/

Next week I write about Nicholas Carr and his Rough Type blog.

You may also like -

Increasing “Jointness” and Reducing Duplication in DoD IntelligencePros and Cons: Bill Clinton as DNI2010 DoDIIS Worldwide ConferenceWhat is the Cyber Conflict Studies Association?An Assessment on the Cyber ThreatInformation Warfare: A Historical ApproachCrucialPointLLCIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLC

For enterprise technologists and national security professionals and most of all for those who fit both of those descriptions, please check out Johns Hopkins University’s 2009 Unrestricted Warfare Symposium at: http://www.jhuapl.edu/urw_symposium This symposium seeks to advance our understanding of and solutions for some very complex problems related to our nation’s defense.  I’ll be speaking on a panel at the conference (on issues of cyber war and cyber defense) and hope to see you there.

The following is from an e-mail from Dr. Ron Luman (Johns Hopkins University Applied Physics Laboratory National Security Analysis Department Head)

QUOTE:

National Security Community Colleagues: This is a reminder that the Johns Hopkins University’s 2009 Unrestricted Warfare Symposium will be held 24-25 March 2009, and I encourage you to register now at http://www.jhuapl.edu/urw_symposium/.

The fourth annual symposium is in Laurel, MD at JHU’s Applied Physics Laboratory (APL), and is jointly sponsored by APL and the Paul H. Nitze School of Advanced International Studies (SAIS). Last year more than 300 participants from government, industry, and academia interacted with distinguished speakers and expert panelists who addressed national security issues from three perspectives: strategy, analysis, and technology. In 2009, this uniquely synergistic approach will be applied to the challenge of identifying interagency imperatives and capabilities.

The symposium presentations and panels are organized around four potential unrestricted lines of attack – cyber, resource, economic/financial, and terrorism. We’ll begin each session with a discussion of the potential for such attacks and then expert roundtable panelists will discuss imperatives for interagency action, offering ideas for enhancing interagency capabilities. A fifth session will focus on the role of analysis in identifying and assessing interagency approaches for preventing and combating these types of attacks.

I am particularly pleased that The Honorable James R. Locher, III, Executive Director of the Project for National Security Reform, will open the symposium as our keynote speaker, providing the Project’s timely findings and recommendations for interagency reform. Throughout the two days featured speakers and distinguished panelists, include: Dr. George Akst, MCCDC; Mr. Eric Coulter, OSD(PA&E); Dr. Richard Cooper, Harvard University; Dr. Stephen Flynn, Council on Foreign Relations; Representative Jane Harman; Professor Bruce Hoffman, Georgetown University; Professor Michael Klare, Hampshire College; Dr. Michael Levi, Council on Foreign Relations; Dr. Matthew Levitt, Washington Institute; Dr. Pete Nanos (DTRA); Mr. James Rickards, Omnis, Inc.; Mr. Frank Ruggiero (Department of State); Dr. Khatuna Salukvadze, Georgian Ministry of Foreign Affairs; Mr. Dan Wolf, Cyber Pack Ventures Inc.; Mr. Bob Work, CSBA, to name a few.

The attached announcement identifies confirmed speakers and other essential information. We encourage dynamic networking, and to facilitate audience participation, we will again be utilizing electronic groupware to collect comments, insights, and questions. The collection of papers and transcripts of discussions will again be published as Proceedings, in both hard copy and electronic form. The 2006 -2008 Proceedings, the current agenda/speakers, and 2009 registration details can be found at the symposium website: http://www.jhuapl.edu/urw_symposium/.

Your experience in national security and defense will contribute unique perspectives and challenging questions to our understanding of Unrestricted Warfare, and I look forward to seeing you next month.

Best regards,

Ron Luman, General Chair

I hope to see you all there.
Symposium Attachment:
URW2009Flyer 4Feb-1.pdf

You may also like -

GEOINT 2010Information Warfare: A Historical ApproachCrucialPointLLCFixmo: The Mobile Risk Management CompanyCrucialPointLLC

This is an update of my now annual assessment of the future of technology associated with good and evil in cyberspace which was first posted here.

But a sad fact of the human condition is that bad people will likely be with us long into the future.  And sometimes good people can be tempted to do bad things, so we really need to engineer solutions that
keep the bad guys from benefiting from technology and keep those who can sometimes be tempted from giving in to their darker side.

So is is possible to engineer perfectly secure systems?  Consider the law of the rodeo:  “There’s not a horse that’s never been rode, and not a rider that’s never been throwed.”  I like the analogy since it reminds us that all computer evil can be mitigated.  But it always fights back.  Good and evil will continue a fast paced rodeo dance long into the future.

To engineer secure systems for the future we need to continually assess where we are and what the near term future holds for our technologies.  Here is a couple short predictions that could be useful
in this discussion.

- Remote power is here today and will soon be widely distributed.  This will allow small power consumption devices (like keyboards, mice, bluetooth headsets, hearing aides, small sensors) to be provided power by RF energy.

You may also like -

CTO Perspectives on Cyber Security BillInterested in Cyber Security? Read (and support) the new Cybersecurity Legisl ...The U.S. International Strategy for CyberspaceFederal R&D PrioritiesPros and Cons: Cyber CommandKilling Trees for CyberspaceHaft of the SpearWhite House roadmap lays out federal cybersecurity R&D prioritiesCrucialPointLLCThe End of Cyber Security (Part IV)Haft of the SpearDodaro: Key challenges remain for DHS in cybersecurity missionCrucialPointLLCCyberterrorism a threat that won’t go awayCrucialPointLLC

Another reason to read this is to take a queue from Melissa on what else is needed in this space.  I’ve known Melissa long enough to say that what ever she supports I support.  She says the nation needs many things to be worked in this area, including more work in alliances and partnering, re-thinking relationships between government and the private sector regarding cyber security, enhancing ways to share sensitive info with industry.

She also calls for a continuing public commitment to securing cyberspace.  I’m certainly with her on that one.   And I hope all our public officials are too.

Here is the Op-Ed:

Melissa Hathaway Op-Ed on Cyber Security

The following Op-Ed by Melissa Hathaway,
Cyber Coordination Executive for the Office of the Director of National
Intelligence, was published by the McClatchy-Tribune News Service on
Wednesday, October 8, 2008:

Safeguarding our cyber borders

By Melissa Hathaway – Op-Ed – McClatchy-Tribune News Service

London shoppers who bought groceries with bankcards over the last two years paid a higher price than they bargained for.

Cyber
thieves had implanted unauthorized circuitry in keypads sold to
supermarkets in the Barking and Dagenham area of the British capital.
The corrupted keypads were then used to capture account information and
Personal Identification Numbers (PINs). The data were siphoned off and
used to skim from or in some cases empty shoppers’ bank accounts.

The thieves covered their tracks by encrypting the
numbers they stole, then storing them on a computer server abroad. It
took more than a year for the authorities to catch on.

Stories such as that aren’t only sobering news for
consumers. For folks charged with securing and protecting the nation’s
defense and intelligence infrastructure, however, increasingly
sophisticated cyber assaults are a chilling — and increasingly
familiar — challenge.

The same devices that thieves use to sneak into bank
accounts, the same techniques that hackers use to disrupt Internet
service or alter a digital profile, are being used by foreign military
and spy services to besiege information systems that are vital to our
nation’s defense.

Because defense and other national security contractors
share data and systems with their government partners, an attack on one
can be an attack on many. Plans are only as secure as the weakest link
in the information chain. These days, those links are being tested as
never before.

The attackers’ goals fall into three categories:

•
Information theft. Stealing data from a target personal device, system
or network is the most common threat. For example, a disgruntled Boeing
employee was charged last year with lifting more than 320,000 sensitive
company files by using a thumb drive to tap the corporate system.
Boeing estimated that the stolen documents would have cost it between
$5 billion and $15 billion in lost revenue had they been given to
competitors.

• Information disruption. Hackers who sneak into
government systems and alter crucial operating data are a growing
concern. In 2006, a disgruntled Navy contractor inserted malicious code
into five computers at the Navy’s European Planning and Operations
Command in Naples, Italy. Two computers were rendered inoperable when
the program was executed. Had the other three computers been knocked
offline, the network that tracks U.S. and NATO ships in the
Mediterranean Sea and helps prevent military and commercial vessels
from colliding would have been shut down.

• Information denial. Cases in which private or
government computer systems are shut down by floods of automated hits
are also on the rise. In April 2007, Russian nationalists used such a
”distributed denial of service” attack to block access to the
networks of the Estonian parliament, the president’s office and many of
that country’s banks, news organizations and Internet service
providers.

The ”What Ifs” are an even greater concern. Could an
adversary insert erroneous data that would cause weapons, early warning
systems and other elements of national security to fail at critical
times? What if financial or medical records were altered, or rail or
air traffic control systems were corrupted? What if malicious code were
secretly installed during the manufacture or shipping of computer
equipment, to be activated at some future date? How would we even know
what threats we face?

Defensive measures are being taken. In January,
President Bush proposed a 12-point Comprehensive National Cybersecurity
Initiative whose solutions range from a public awareness campaign to
sophisticated new systems for identifying and deterring intrusions.
Congress approved funding in late September.

A key element of the plan — reducing the number of
access points between federal agencies and external computer networks
– is under way. The federal government has closed about 3,500 such
access points this year, leaving about 1,000 still open. The goal is to
reduce the final number to fewer than 100.

Much more needs to be done, however.

We
need stronger international alliances to share the responsibility for
securing cyberspace. We must do more to convince our allies and
strategic partners of the benefits to them of taking an active role.

We also need a fundamental re-thinking of our
government’s traditional relationship with the private sector. A high
percentage of our critical information infrastructure is privately
owned, and industry needs to know what government knows about our
adversaries’ targets and, to the extent we understand them, their
methods of operation.

When it comes to cyber security, government and the
private sector need to recognize that an individual vulnerability is a
common weakness.

There’s time, though not unlimited time, to get the job
done. We must make a continuing public commitment to securing cyber
space — and we must do so now.

Melissa Hathaway is the cyber coordination executive
for the director of national intelligence. The Department of Homeland
Security has designated October National Cyber Security Awareness
Month.

For related posts on this topic see:  http://www.ctovision.com/cyber_initiative/

You may also like -

Melissa Hathaway: Compelling action along a broad frontKeeping Focus on Mission IT at ODNI CIOA First For The Nation: NERC Completes First Grid Security ExerciseCrucialPointLLC