Pentagon wastes time defining cyberwar rather than trying to fight the one it's already in

Don't waste time trying to define 'attack' until you can actually stop the ones too obvious to miss

The U.S. military command has decided the online world is the fifth domain in which to conduct warfare – in addition to land, sea air, land and space. Seventh if you include Congressional budget hearings; eighth is you include the global media.

According to its own admissions and the evaluation of the non-partisan Government Accountability Office (GAO) – the SAT grading service for the federal government – the Pentagon has been trying and failing for 20 years to define, defend against and fight acts of cyberwar, but in so chaotic and fractious a fashion that the result is very little practical defense against hacks of any type.

Slate's Jeffrey Carr correctly pointed out Friday that the military can't even define what cyberwar or a cyberattack are, let alone how to defend against them.

The Pentagon announced a new cyberstrategy in early July. A week later even pro-military members of Congress were asking the Pentagon to clarify what the hell it was talking about.

One problem is the difficulty in differentiating between a cyberattack designed to destroy rather than those designed primarily for espionage. Another is differentiating between attacks on military command-and-control systems (which show commanders what's going on in the field and allow them to give orders) rather than those that run air traffic control, radar networks and other infrastructure, and attacks on military contractors that are designed for either destruction or to steal critical information about U.S. weapons systems.

Stuxnet, for example, was malware aimed specifically at the systems controlling centrifuges in Iranian nuclear-fuel processing centers. It infiltrated via Windows PCs, then messed with the controls of the centrifuges subtly, slowing down Iran's progress toward developing nuclear weapons.

Shady Rat isn't so much a persistent attack as five years worth of bad security, pathetic attempts at limiting the access foreign intelligence services have to military and government systems in the U.S. and a report giving a single nickname to the whole long fiasco, without specifically blaming the most likely state sponsors of the attack: China, with a little Russian opportunism thrown in, according to many analysts.

So – the military ponders while staring at its navel (the natal kind, not the one with boats) – who should defend against malware attacks on .mil-affiliated businesses and who should defend against penetration attempts?

I'm sure there are a lot of budget issues, organizational holdups, political contretemps, red-tape-untangling and operational-term-defining to be done to answer those questions satisfactorily in terms acceptable to the structure-obsessed bureaucrats in both active military service and the Dept. of Defense.

Here's an idea, though: Since dithering like that has essentially left the U.S. defenseless to all the different versions of digital attack – like leaving the gates to the base open in the middle of a hostile foreign country while you debate where the guards should stand and who should pay them – how about closing the damn gates?

How about collecting some of the enormous cybersecurity resources the military already has (you have a lot) and form them up into a few mission teams made up of the best counter-hackers you have. (Hint: the best anti-hackers are the best hackers you have; check for skills and results, not status of their service records. People with the personal characteristics to be good hackers will almost never have perfect service records unless they're a lot better at getting away with things than you are at catching them.)

Base by base, department by department, have red teams work over your security to find the biggest holes, most idiotically exposed points of entry or pools of sensitive data, and most successful spear phishing and malware attacks.

Once they've worked over one group and made everyone feel bad for having such porus security despite all their topic-appropriate training badges and certification, have them move on.

Red teams are not there to reassure or train other parts of your organization. They exist to attack that organization and find out where its weaknesses are.

Turn them loose on your real systems as if they were engaged in cyberwar and were doing everything they could to take down an enemy installation or specific capability.

Don't let them hang around after for coffee, handholding and additional training. They're the enemy and should behave like one.

Have a second team come in for remediation. They also need to be specialists (pronounce that: "sneaky, superior little weasels"), and should also avoid long visits and lots of socializing.

(Think of the red teams as an assault force and the remediators as Special Forces operators coming in to train native troops and coordinate defense. They're both intense missions with non-negotiable short-term goals; neither involves a lot of sitting around in conference rooms trying to figure out the definition of "attack.")

You, the U.S. military is not only vulnerable, you're under almost constant attack by cyber-enemies whose countries aren't real enemies, just kind-of-enemies.

You have to be able to stop them from stealing all your data and messing with your systems, but you can't do it by blowing anyone up.

You have to plug the holes in your perimeter right away and keep them plugged.

You don't seem to understand this, but digital security is just like physical: you can set up as many walls as you want, but bad guys are going to get through anyway, unless you have sentries that keep watch for suspicious activity and stop it before it anything explodes in places you'd prefer there not be any explosions.

Red teams can find the holes; remediators can plug them.

The third element – ongoing security – means teaching hacker techniques and mentality to people you've always trained to think and behave in ways that leave their security work look laughably rigid and thin to real hackers, for whom warning signs and empty threats are more an enticement than a deterrent.

You also need officers able to nurture, train and direct groups of people who will only be good at their jobs if they're really bad at criteria that get people in the military rewarded, promoted and generally not treated as a criminal: respect, deportment and a strong instinct for whatever the opposite of iconoclasm is.

You can't really define a cyberattack? It means someone is in your system doing something you don't want them to do.

Cyberwar? That means they're in your systems a lot, doing more things you don't want them to do and gearing up to do more of it for an even longer time

That's a good enough definition to work with during an emergency. Worry about definitions later.

First get some defense in place, then get a little offense, using the same red teams to go pay the same kind of visit to the enemy that they did to each of your subnets and domains and agencies.

Still want a definition with some real bones inside it? Solid, real-world experience that can list the risks, exploits, attack vectors, successful means of defense and counterattack?

Ask the red teams.

Don't be surprised if they get back to you by text or IM. They don't really like to talk to people in person, anyway.

I asked a while ago if it was time to take responsibility for cyberdefense away from the military and give it to someone else. I still think we don't have that choice; the military is the only one with access to and knowledge of its systems to mount an effective defense.

If it doesn't quit dithering and just move forward, even lacking the choice to take cyberdefense away from it will be meaningless.

The war will be over without ever being defined and all our base will belong to them.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies