[Infowarrior] - WaPo: Cybercomand Stalls

Richard Forno rforno at infowarrior.org
Sun Jan 3 15:05:04 UTC 2010 

Pentagon computer-network defense command delayed by congressional  
concerns
By Ellen Nakashima
Washington Post Staff Writer
Sunday, January 3, 2010; A04

http://www.washingtonpost.com/wp-dyn/content/article/2010/01/02/AR2010010201903_pf.html
The Pentagon's plan to set up a command to defend its global network  
of computer systems has been slowed by congressional questions about  
its mission and possible privacy concerns, according to officials  
familiar with the plan.

As a result, the Defense Department failed to meet an Oct. 1 target  
launch date and has not held a confirmation hearing for the command's  
first director.

Although officials stress that the cyber command, as it is known, is  
an effort to consolidate existing offensive and defensive capabilities  
under one roof and involves no new authorities or broadening of  
mission, its potential for powerful new offensive capabilities -- some  
as yet unimagined -- have raised questions on Capitol Hill about its  
role, according to national security experts familiar with the concerns.

Key questions include: When do offensive activities in cyberspace  
become acts of war? How far can the Pentagon go to defend its own  
networks? And what kind of relationship will the command have to the  
National Security Agency?

The NSA has the skills and authority to encrypt military secrets and  
break enemy codes, but its involvement in the controversy over  
warrantless wiretapping several years ago has raised concerns about  
any role it will play in a cyber command.

Resolving questions about the command's mission are central not only  
to the effort to defend military networks, which come under assault  
millions of times a day, but to establishing the Pentagon's cyber  
strategy as the United States enters an era in which any major  
conflict will almost certainly involve an element of cyberwarfare.

"I don't think there's any dispute about the need for Cyber Command,"  
said Paul B. Kurtz, a cybersecurity expert who served in the George W.  
Bush and Clinton administrations. "We need to do better defending DOD  
networks and more clearly think through what we're going to do  
offensively in cyberspace. But the question is how does that all mesh  
with existing organizations and authorities? The devil really is in  
the details."

Officials said the initial operating plan for a cyber command is  
straightforward: to merge the Pentagon's defensive unit, Joint Task  
Force-Global Network Operations, with its offensive outfit, the Joint  
Functional Command Component-Network Warfare, at Fort Meade, home to  
the NSA. The new command, which would include about 500 staffers,  
would leverage the NSA's technical capabilities but fall under the  
Pentagon's Strategic Command.

The plan also calls for beefing up "intelligence sensing," or the  
blocking of malicious software and codes entering military networks,  
officials said.

What level of defense?
But the plan becomes more complicated as policymakers assess how  
aggressive to be in their defense of military networks.

Data move at the speed of light along channels owned by commercial  
carriers, entering government networks at "gateways," or at the  
perimeter. Technology exists to detect malware at the gateways and in  
the commercial networks, but the ability to use that technology has  
given rise to policy questions.

One senior defense official said officials are trying to figure out,  
for instance, to what extent it is legal and desirable to remove  
malware outside the gateways as it heads to military networks.

"What can you do at the perimeter?" he said. "What can you do outside  
the perimeter? We haven't had resolution on that."

Privacy advocates are sensitive to government monitoring of  
communications networks at or just outside the gateways, particularly  
if the effort involves private Internet carriers, out of concern that  
purely private, non-government communications could be monitored. But  
defense officials said they are not contemplating the involvement of  
private firms.

The Pentagon is working with the Justice Department, the Department of  
Homeland Security, the White House and other agencies to ensure its  
efforts are legal and synchronized within a national cyber-policy  
framework, officials said. Congressional buy-in is important, they  
said. So far congressional staff have been briefed three times, and  
the Pentagon hopes to brief lawmakers this month.

Officials said members of the Senate Armed Services Committee will  
hold the confirmation hearing for a new director once staff are  
satisfied they understand the command's purpose and operating plan.

"Our goal here is to better protect our forces," said Deputy Assistant  
Secretary of Defense Robert J. Butler. "If someone can intrude inside  
the network, it could impair our ability to communicate and operate."

President Obama has nominated the director of the NSA, Lt. Gen. Keith  
B. Alexander, to head the command. Alexander, who would become a four- 
star general, must be confirmed in that position before the command  
can launch at "initial operating capability." It is scheduled to  
become fully operational by Oct. 1.

Sen. Bill Nelson (D-Fla.), chairman of the Armed Services emerging  
threats subcommittee, said that though there are "some policy  
questions" to be answered, he was confident Alexander would be  
confirmed.

Nonetheless, the NSA's involvement, given the past controversy, has  
raised questions of oversight.

"How do we make sure that if the National Security Agency is involved,  
that we don't have a problem with people seeing other people's  
information?" the defense official said, describing one congressional  
concern. "We've made it very clear. No information will be shared  
other than to support what we need to defend the networks -- the  
defense military information networks. The rest of that information,  
NSA is bound by legal rules" to protect Americans' privacy.

Defining 'defense'
NSA Deputy Director Chris Inglis said in a recent interview that "90  
percent" of the command's focus will be on defensive measures because  
"that's where we are way behind."

"If we led with attack, people would say, 'That's just nuts. That's  
completely irrational,' " he said. "You've got to be about the defense."

Other intelligence experts, however, said that the term "defense" is  
malleable. They argue that the government is spending a significant  
amount of money on classified cyber programs to develop offensive  
capabilities.

Beyond a cyber command, the Pentagon is grappling with a dizzying  
array of policy and doctrinal questions involving cyber warfare.

Who should authorize a cyber attack on an adversary that might be  
capable of undermining the United States' financial system or energy  
infrastructure? What degree of certainty is needed about an alleged  
attacker before authorizing a response? When does an effort to defend  
a U.S. military network cross the line into an offensive action?

Many of these questions will be answered down the road, after the  
command is launched, and perhaps some won't be answered for years,  
defense officials said.

Still, such issues are important ones, said one official familiar with  
the Pentagon's plans, who was not authorized to speak for the record.  
"The rules can vary dramatically depending upon under what authority  
you're doing something," he said. "An offensive action is not a  
decision that can be taken very lightly. It is an extraordinary action  
because of the consequences that could result for either DOD or the  
intelligence community or critical U.S. industries."


Post a Comment

More information about the Infowarrior mailing list