The war on ghosts is fought with magic golden bullets

Written by SoVaSec on August 7th, 2009

The war on ghosts is fought with magic golden bullets

There seems to be some confusion, even among security professionals about the United States command structure for cyber. Keith Alexander is not the Cyber Czar; he is in charge of the Cyber Command. For now the czar position remains vacant, as they have not found someone to take the blame for failure like Michael Brown did after Katrina. Officially there is a triumvirate assigned the duties of defending the nation and its .mil, .com, and .gov networks. However, looking at the arrangement more closely, it’s the same old circle jerk. For once I’m even going to proffer a solution.


Sec. Napolitano reinforced the fact that DOD will have the lead over the entire .mil Internet domain. For its part, DHS would lead on the .gov (non-military side of government) as well as the private sector and the .org domains as well.


Starting with Cyber Command, this is the military cyber defense group. Keith Alexander, Director of the NSA, has been made a four-star general by Robert Gates. I suppose that makes him the first ever Cyber General. This is a good example of how the future of cyber defense is going to be a hybrid of the intelligence and defense communities.

The vast majority of new government spending on cybersecurity is going to the Pentagon. The military has thousands of cyber warriors, many of whom are expected to be housed under the new command. Conveniently for Mr. Alexander, his command is likely to be next door to the NSA’s Ft. Mead, Md., campus. Somewhere an accountant’s job suddenly got easier, as most of our tax money is being funneled into the same accounts. Intelligence, kinetic, and cyber wars fight asymmetric ghosts with golden bullets.

Not all Cyber Warriors will be vaulted away in Maryland. Cyber Command also takes control over existing military groups with similar missions, including field units. Before the first bullets fly, soldiers on all sides will be attempting to compromise their opponent’s netcentric equipment. Tracking and targeting equipment will be turned against its masters. UAV’s will be hijacked and controlled by the enemy. Electronic subterfuge will give away your position and force size, while offering the option to create the false digital footprint of nearby reinforcements.


Though the group does not have computer programmers in their ranks, they figure to be involved with physically deploying assets to defend communications lines against hackers. Simply put, the 5th Combat Communications Group will be the deployed arm of America’s cyber defenses.
Training will include how to design, secure, assess, exploit attack and defend various communication networks, including telephones, Internet protocol, satellite, land mobile radio, industrial control systems, integrated air defense and tactical data link.


The position of cyber czar remains vacant. It is no wonder Melissa Hathaway has stepped down, removing herself from the position of Cyber Czar. It seems that most people approached do not want the position, and most analysist’s agree with the fact the czar will have no real power.


As to the role of the newly created White House Cyber Security Advisor, this individual (when named/selected by the President) will play a “purely coordination” role and not be “operational” in any way.
“If there are policy issues to be resolved, [the White House Cyber Security Advisor] will be there to do that.”

Regardless of who becomes the figurehead for Whitehouse cyber security, the DHS will be responsible for securing government systems, specifically those related to the executive office. Essentially, or officially, there will be the electronic equivalent of FEMA (Fails to Effectively Manage Anything). Instead of just responding to an emergency in a timely matter, a mountain of red tape will have to be moved before the first action is taken.

Homeland Security will also be directing the activity of the commercial sector. Not only will they tie their own hands, but through the usual methods of standards and compliance they will force industry into a sort of stagnation. Even now it has gotten to the point where many people spend more time filling out paperwork then they do performing the tasks for which they were hired.
The commercial sector, which owns and operates much of the information infrastructure, will be directed by homeland security. Private sector areas like utilities will be required to maintain compliance with Homeland Security instructions. So while these services (for the moment) are not directly under government control, they still must obey their master the all mighty contract.

Essentially the same corporations involved in the military industrial complex are now developing hardware for the military and government Cybersecurity programs. In return they will continue to receive lucrative government contracts. In the fine print of these contracts, will be the agreement to comply with standards set by the government. This could cause a situation where the corporations are effectively ‘tanked sharks’. In this scenario the normal predatory nature of the corporation is replaced with complacency of daily feedings. Growth will be stunted by the lack of natural environmental competition. Over time fresh blood (in the form of new ‘hacker’ recruits), will be increasingly be required to stimulate the operation. Eventually, this will oversaturate the system, causing it to fail. The bottom line here is the government’s Cybersecurity plan is doomed. It is destined for failure, and ripe for abuse.

This is the point in the story where you are expecting me to tell you what we can do about it. The answer is nothing. Cybersecurity is a big moneymaking circle jerk. If anyone went around fixing problems, and putting people out of jobs, they’d probably be shot by magic bullets. The natural alternative, a constructive answer to ‘what are you going to do about it’, is the suggestion of development of a sort of grass roots security movement. A sort of cyber militia, organized at the local and state level. People within the community holding weekly meetings to discuss the common defense of their neighbors, and maybe gathering regionally on a monthly basis, state wide on a yearly basis, and nationally every other year. Obviously to keep people entertained there would be competitions and contests, prizes, and fun for the whole family.

Why is this the best solution?

Doing things for ourselves is always the best way. The adoption of a Swiss Army model adapted for Cybersecurity will give every household the training necessary to protect themselves at the personal level from cyber threats. This training would carry over into their professions, integrating it into our culture from the ground up, as opposed to being forced upon us from the top down.

The government has put the corporations in charge of our civil cyber defense, which is tantamount to putting a shark in charge of the fish tank. They only see us as something to feed on. In theory we the people are responsible for the actions of the government, but those the stockholders can usually buy enough people to maintain the status quo.


Sources:

http://securitydebrief.adfero.com/pen-and-pad-session-with-the-secretary/ (missing?)

Keesler to train for Cyber Command

Military Comma
nd Is Created for Cyber Security

Robins unit set to defend America’s cyber systems

 

Leave a Comment





Twitter links powered by Tweet This v1.8, a WordPress plugin for Twitter.

Get Adobe Flash player