[Infowarrior] - The Pentagon's New Cyber Warriors

Richard Forno rforno at infowarrior.org
Wed Oct 6 08:13:10 CDT 2010


http://www.reuters.com/article/idUSTRE69433120101005

October 5, 2010

Special Report: The Pentagon's New Cyber Warriors

By Jim Wolf, Reuters

WASHINGTON -- Guarding water wells and granaries from enemy raids is as old
as war itself. In the Middle Ages, vital resources were hoarded behind
castle walls, protected by moats, drawbridges and knights with double-edged
swords.

Today, U.S. national security planners are proposing that the 21st century's
critical infrastructure -- power grids, communications, water utilities,
financial networks -- be similarly shielded from cyber marauders and other
foes.

The ramparts would be virtual, their perimeters policed by the Pentagon and
backed by digital weapons capable of circling the globe in milliseconds to
knock out targets.

An examination by Reuters, including dozens of interviews with military
officers, government officials and outside experts, shows that the U.S.
military is preparing for digital combat even more extensively than has been
made public. And how to keep the nation's lifeblood industries safe is a
big, if controversial, aspect of it.

"The best-laid defenses on military networks will matter little unless our
civilian critical infrastructure is also able to withstand attacks," says
Deputy U.S. Defense Secretary William Lynn, who has been reshaping military
capabilities for an emerging digital battlefield.

Any major future conflict, he says, inevitably will involve cyber warfare
that could knock out power, transport and banks, causing "massive" economic
disruption.

But not everyone agrees that the military should or even can take on the job
of shielding such networks. In fact, some in the private sector fear that
shifting responsibility to the Pentagon is technologically difficult -- and
could prove counterproductive.

For the moment, however, proponents of the change seem to have the upper
hand. Their case has been helped by the recent emergence of Stuxnet, a
malicious computer worm of unknown origin that attacks command modules for
industrial equipment.

Experts describe the code as a first-of-its-kind guided cyber missile.
Stuxnet has hit Iran especially hard, possibly slowing progress on Tehran's
nuclear program, as well as causing problems elsewhere.

Stuxnet was a cyber shot heard around the world. Russia, China, Israel and
other nations are racing to plug network gaps. They also are building
digital arsenals of bits, bytes and logic bombs -- code designed to
interfere with a computer's operation if a specific condition is met,
according to experts inside and outside the U.S. government.

The worms are coming!

In some ways, the U.S. military-industrial complex -- as President Dwight
Eisenhower called ties among policymakers, the armed forces and arms makers
-- is turning into more of a military-cyber-intelligence mash-up.

The Pentagon's biggest suppliers -- including Lockheed Martin Corp, Boeing
Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co -- each have big
and growing cyber-related product and service lines for a market that has
been estimated at $80 billion to $140 billion a year worldwide, depending on
how broadly it is defined.

U.S. officials have shown increasing concern about alleged Chinese and
Russian penetrations of the electricity grid, which depends on the Internet
to function. Beijing, at odds with the United States over Taiwan arms sales
and other thorny issues, has "laced U.S. infrastructure with logic bombs,"
former National Security Council official Richard Clarke writes in his 2010
book "Cyber War," a charge China denies.

Such concerns explain the Pentagon's push to put civilian infrastructure
under its wing by creating a cyber realm walled off from the rest of the
Internet. It would feature "active" perimeter defenses, including intrusion
monitoring and scanning technology, at its interface with the public
Internet, much like the Pentagon's "dot.mil" domain with its more than
15,000 Defense Department networks.

The head of the military's new Cyber Command, Army General Keith Alexander,
says setting it up would be straightforward technically. He calls it a
"secure zone, a protected zone." Others have dubbed the idea "dot.secure."

"The hard part is now working through and ensuring everybody's satisfied
with what we're going to do," Alexander, 58, told reporters gathered
recently near his headquarters at Fort Meade, Maryland.

Alexander also heads the National Security Agency, or NSA, the
super-secretive Defense Department arm that shields national security
information and networks, and intercepts foreign communications.

The Pentagon is already putting in place a pilot program to boost its
suppliers' network defenses after break-ins that have compromised weapons
blueprints, among other things. Lynn told Alexander to submit plans, in his
NSA role, for guarding the so-called defense industrial base, or DIB, that
sells the Pentagon $400 billion in goods and services a year.

"The DIB represents a growing repository of government information and
intellectual property on unclassified networks," Lynn said in a June 4 memo
obtained by Reuters.

He gave the general 60 days to develop the plan, with the Homeland Security
Department, to provide "active perimeter" defenses to an undisclosed number
of Pentagon contractors.

"We must develop additional initiatives that will rapidly increase the level
of cybersecurity protection for the DIB to a level equivalent to the
(Department of Defense's) unclassified network," Lynn wrote.

The Pentagon, along with the Homeland Security department, is now consulting
volunteer "industry partners" on the challenges private sector companies
envision, said Air Force Lieutenant Colonel Rene White, a Pentagon
spokeswoman, in a status report.

Throwback?

Some see the Pentagon's proposed new ring around certain critical services
as a throwback almost to the dark ages.

"Dot.secure becomes new Target One," says Richard Bejtlich, General Electric
Co's director of incident response. "I can't think of an easier way to help
an adversary target the most critical information on industry computers."

Bejtlich and others say such an arrangement would only be as strong as its
weakest link, vulnerable to compromise in many ways. "I guarantee users will
want to and need to transfer information between their normal company
Internet-connected computers and 'dot.secure'," he says. "Separation is a
fool's goal."

Utilities already use encrypted, password-controlled systems to handle
communication between power plants and large-scale distribution systems.

Trying to move that traffic off the existing Internet onto an independent
computer network would be expensive, and would not necessarily guarantee
security.

"Even a private network is only so secure," said Dan Sheflin, a vice
president at Honeywell International Inc who works on grid-control
technology. "A big threat is employees walk in, unknowingly or knowingly,
with (an infected) thumb drive, plug it in, put their kids' pictures on
their PC and, oh boy, something's on the network. Those are things that even
a private network could be subject to."

Rather than building a new network, a more practical solution could be
improving the security of existing systems.

"The real issue is not letting people in and having layers of defense if
they do get in to isolate them and eradicate them," said Sheflin, of
Honeywell, which makes grid components ranging from home thermostats to
automation systems to run power plants. "This is a very difficult problem.
We are up against well-funded groups who can employ many people who spend
their time trying to do this."

Greg Neichin of San Francisco-based Cleantech Group LLC, a research firm,
says utility companies already are well aware of the need to guard their
infrastructure, which can represent billions of dollars of investment.
"Private industry is throwing huge sums at this already," he says. "What is
the gain from government involvement?"

Companies ranging from Honeywell to General Electric Co -- whose chief
executive, Jeff Immelt, called the U.S. energy grid a relic last month --
are pushing the drive toward a "smart grid."

That model would permit two-way communication between power producers and
consumers, so a utility could avoid a blackout during a peak demand time by
sending a signal to users' thermostats to turn down air conditioning, for
instance. Such a system could also allow variable pricing -- lowering prices
during off-peak demand times, which would encourage homeowners to run major
appliances like dishwashers and washing machines in the evenings, when
industrial demand declines.

Neichin is worried that efforts to wall off grid-related communication could
stifle that kind of innovation.

But even Sheflin of Honeywell argues that private companies are not likely
to solve a problem of this magnitude on their own. "The government needs to
be involved in this," he said. "There is going to have to be someone that
says, 'Wait a minute, this is of paramount importance.' I don't think it's
going to be private industry that will raise the red flag."

A Pentagon spokesman said he could not address industry concerns right now,
but the Defense Department would do so before long. Still, the military's
proposal faces other complications.

Who's in charge?

The U.S. Department of Homeland Security now leads efforts to secure federal
non-military systems, often described as the Internet's "dot.gov" domain. It
also has the lead in protecting critical infrastructure. NSA and Cyber
Command lend a hand when asked to do so, including by U.S. companies seeking
to button up their networks.

The idea of letting the Defense Department wall off certain private-sector
networks is highly tricky for policymakers, industry and Pentagon planners.
Among the issues: what to protect, who should be in charge, how to respond
to any attack and whether the advent of a military gateway could hurt U.S.
business's dealings overseas, for instance for fear of Pentagon snooping.

In addition, the 1878 Posse Comitatus Act generally bars federal military
personnel from acting in a law-enforcement capacity within the United
States, except where expressly authorized by the Congress.

Alexander says the White House is considering whether to ask Congress for
new authorities as part of a revised team approach to cyber threats that
would also involve the FBI, the Department of Homeland Security and the
Defense Department.

There are persistent signs of strains between Cyber Command and the Homeland
Security Department over how to enhance the U.S. cybersecurity posture.

"To achieve this, we have to depart from the romantic notion of cyberspace
as the Wild Wild West," Homeland Deputy Secretary Jane Lute told the annual
Black Hat computer hackers' conference in Las Vegas in July. "Or the scary
notion of cyberspace as a combat zone. The goal here is not control, it's
confidence."

Alexander made a reference to tensions during certain meetings ahead of
Cyber Storm III, a three-day exercise mounted by U.S. Homeland Security last
week with 12 other countries plus thousands of participants across
government and industry. It simulated a major cyber attack on critical
infrastructure.

"Defense Department issues versus Homeland Security issues," he told the
House of Representatives Armed Services Committee on September 23. "And
that's probably where you'll see more friction. So how much of each do you
play? How radical do you make the exercise?"

President Barack Obama's cybersecurity coordinator, Howard Schmidt, is
working with Congress and within the administration to develop policies and
programs to improve U.S. cybersecurity, says a White House spokesman,
Nicholas Shapiro.

Obama, proclaiming October National Cybersecurity Awareness Month, said
protecting digital infrastructure is a "national security priority."

"We must continue to work closely with a broad array of partners -- from
federal, state, local and tribal governments to foreign governments,
academia, law enforcement and the private sector -- to reduce risk and build
resilience in our shared critical information and communications
infrastructure," he said.

Virtual castle walls

Active defenses of the type the military would use to shield a "dot.secure"
zone represent a fundamental shift in the U.S. approach to network defense,
Lynn says. They depend on warnings from communications intercepts gathered
by U.S. intelligence.

Establishing this link was a key reason for the creation of Cyber Command,
ordered in June 2009 by Defense Secretary Robert Gates after he concluded
that the cyber threat had outgrown the military's existing structures.

"Policymakers need to consider, among other things, applying the National
Security Agency's defense capabilities beyond the '.gov' domain, such as to
domains that undergird the commercial defense industry," Lynn wrote in the
September/October issue of Foreign Affairs.

"The Pentagon is therefore working with the Department of Homeland Security
and the private sector to look for innovative ways to use the military's
cyber defense capabilities to protect the defense industry," he said.

U.S. Senator Sheldon Whitehouse, who led a Senate Intelligence Committee
cyber task force that submitted a classified report to the panel in July,
has floated a similar idea, drawing an analogy to medieval fortresses.

"Can certain critical private infrastructure networks be protected now
within virtual castle walls in secure domains where those pre-positioned
offenses could be both lawful and effective?" he asked in a July 27 floor
speech.

"This would obviously have to be done in a transparent manner, subject to
very strict oversight. But with the risks as grave as they are, this
question cannot be overlooked," said the Rhode Island Democrat. "There is a
concerted and systematic effort under way by national states to steal our
cutting-edge technologies."

The "dot.secure" idea may be slow in getting a full congressional airing.
More than 40 bills on cyber security are currently pending. The chairman of
the House Armed Services Committee, Missouri Democrat Ike Skelton, told
Reuters he was not ready to pass judgment on possible new powers for Cyber
Command.

Cyber warriors

Cyber Command leads day-to-day protection for the more than 15,000 U.S.
defense networks and is designed to mount offensive strikes if ordered to do
so.

The command has already lined up more than 40,000 military personnel,
civilians and contractors under Alexander's control, nearly half the total
involved in operating the Defense Department's sprawling information
technology base.

It is still putting capabilities in place from across the military as it
rushes to reach full operational capability by the end of this month.
Reuters has pinned down the numbers involved for each service.

The Air Force component, the 24th Air Force, will align about 5,300
personnel to conduct or support round-the-clock operations, including
roughly 3,500 military, 900 civilian and 900 contractors, said spokeswoman
Captain Christine Millette. The unit was declared fully operational on
October 1, including its 561st Network Operations Squadron based at Peterson
Air Force Base, Colorado, where it operates, maintains and defends Air Force
networks.

The Navy adds about 14,000 active duty military and civilian employees
serving at information operations, network defense, space and
telecommunication facilities around the world. They are now aligned
operationally under the U.S. Fleet Cyber Command, said spokesman Commander
Steve Mavica.

The Army contributes more than 21,000 soldiers and civilians, including the
Army Intelligence and Security Command, for cyber-related actions, said
Lieutenant Colonel David Patterson, an Army spokesman.

The Marine Corps will assign roughly 800 of its forces to "pure" cyber work,
according to Lieutenant General George Flynn, deputy commandant for combat
development.

Cyber Command's headquarters staff will total about 1,100, mostly military,
under a budget request of about $150 million for the fiscal year that
started October 1, up from about $120 million the year before.

Besides guarding Defense Department computers, the nation's cyber warriors
could carry out computer-network attacks overseas with weapons never known
to have been used before.

"You can turn a computer or a power plant into a useless lump of metal,"
says a former U.S. national security official familiar with the development
of U.S. cyber warfare capabilities. "We could do all kind of things that
would be useful adjuncts to a balanced military campaign."

Such weapons could blow up, say, a chemical plant by instructing computers
to raise the temperature in a combustion chamber, or shut a hydro-electric
power plant for months by sabotaging its turbines.

Scant official information is available on the development of U.S. cyber
weapons, which are typically "black" programs classified secret. They are
built from binary 1s and 0s -- bits and bytes. They may be aimed at
blinding, jamming, deceiving, overloading and intruding into a foe's
information and communications circuits.

An unclassified May 2009 U.S. Air Force budget-justification document for
Congress lifted the veil on one U.S. cyber weapon program. It described
"Project Suter" software, apparently designed to invade enemy communication
networks and computer systems, including those used to track and help shoot
down enemy warplanes.

"Exercises provide an opportunity to train personnel in combined,
distributed operations focused on the 'Find, Fix and Finish' process for
high-value targets," says the request for research, development, test and
evaluation funds.

The U.S. Air Force Space Command has proposed the creation of a
graduate-level course for "network warfare operations." The proposed
five-and-a-half-month class would produce officers to lead weapons and
tactics development "and provide in-depth expertise throughout the air,
space and cyberspace domains focused on the application of network defense,
exploitation and attack," Lieutenant Colonel Chad Riden, the space command's
Weapons and Tactics branch chief, said in an emailed reply to Reuters.

Georgia on their mind

The world got a glimpse of what lower-level cyber warfare might look like in
Estonia in 2007 and in Georgia in 2008 when cyber attacks disrupted networks
amid conflicts with Russia.

Now, the Stuxnet computer virus is taking worries about cyber warfare to new
heights as the first reported case of malicious software designed to
sabotage industrial controls.

"Stuxnet is a working and fearsome prototype of a cyber-weapon that will
lead to a new arms race in the world," said Kaspersky Lab, a Moscow-based
security software vendor. "This time it will be a cyber arms race."

The program specifically targets control systems built by Siemens AG, a
German equipment maker. Iran, the target of U.N. sanctions over its nuclear
program, has been hit hardest of any country by the worm, according to
experts such as the U.S. technology company Symantec.

Asked about Stuxnet, U.S. Navy Vice Admiral Bernard McCullough, head of
Cyber Command's Navy component, told Reuters: "It has some capabilities we
haven't seen before."

Discovered in June, Stuxnet -- named for parts of its embedded code -- is
capable of reprogramming software that controls such things as robot arms,
elevator doors and HVAC climate control systems, said Sean McGurk, who has
studied it for the U.S. Department of Homeland Security at an Idaho lab that
grabs live viruses from the Internet and serves as a kind of digital Petri
dish.

"We're not looking right now to try to attribute where it came from," McGurk
told reporters at the National Cybersecurity and Communications Integration
Center that he runs in Arlington, Virginia. "What we're focusing on now is
how to mitigate and prevent the spread," he said on September 24.

And then there is China. Its cyber clout has been a growing concern to U.S.
officials amid bilateral strains over U.S. arms sales to Taiwan, Beijing's
currency policies, its territorial claims in the South China Sea and other
irritants.

Beijing appears to have thoroughly pierced unclassified U.S. government
networks, said Dmitri Alperovitch, who heads Internet-threat intelligence
analysis and correlation for McAfee, a software and security vendor that
counts the Pentagon among its clients.

"In the U.S. when you're sending an email over an unclassified system you
might as well copy the Chinese on that email because they'll probably read
it anyway because of their pretty thorough penetration of our network," he
says.

Still, Chinese cyber capabilities lag those of the United States, Russia,
Israel and France in that order, adds Alperovitch. He headed McAfee's
investigation into Aurora, a codename for a cyber espionage blitz on
high-tech Western companies that led Google to recast its relationship with
China earlier this year.

Cyber arms entail "high reward, low risk" says Jeffrey Carr, a consultant to
the United States and allied governments on Russian and Chinese cyber
warfare strategy and tactics.

Lynn, the deputy defense secretary steering the military's cyber overhaul,
went to Brussels on September 14 to brief NATO allies on U.S. cyber defense
initiatives. He encouraged them to take action to secure NATO networks, said
Bryan Whitman, a Pentagon spokesman.

Some U.S. computer defenses are already linked with those of its allies,
notably through existing intelligence-sharing partnerships with Britain,
Canada, Australia and NATO. But "far greater levels of cooperation" are
needed to stay ahead of the threat, Lynn says.

NATO's secretary-general, Anders Fogh Rasmussen, "believes that this is a
growing problem and that it can reach levels that can threaten the
fundamental security interests of the alliance," NATO spokesman James
Appathurai said.

A Rasmussen-compiled draft of a new NATO vision statement is due to be
approved by NATO states at a November 19-20 summit in Lisbon and will
endorse a more prominent cyber defense role for the alliance.

They all agree that castle walls alone are no longer an option.

Additional reporting by Jim Finkle and Scott Malone in Boston; David
Brunnstrom in Brussels.

