Under nearly constant attack from both outside the country and inside, the U.S. military is trying to improve its ability to defend against cyberattack in the same way it works on other types of defense: simulation and practice.
The Defense Advanced Research Projects Agency (DARPA) has been working on what the Department of Defense describes as a simulation of the entire Internet since 2008, when DARPA put out the first RFPs for a cyberattack simulation system called the National Cyber Range.
Lockheed Martin (which was hacked unsuccessfully last month) and the Johns Hopkins University Applied Physics Laboratory are lead contractors on the project, which includes a rapidly reconfigurable test bed that can mimic government and commercial networks.
The Range – actually a series of network operations centers backed by server farms that support the simulations – is designed to run more than one major simulation at a time.
Its goal is to develop new defensive techniques and toolkits from the experience of military "red" and "blue" teams that will go to simulated cyberwar – teaching military penetration-prevention experts what kinds of threats they could face by watching the two teams fight for dominance.
The DoD has used the same technique in the real world to train inexperienced units in combat by sending them to attack "red" forces equipped like the enemy and fighting the blue forces any way they can.
The big problem with that – at least in cyberspace – is that military hackers tend to know military systems and military hacking techniques.
Those – in the estimation of nearly every intelligence or military representative who has testified before Congress about it – are not good enough to provide any realistic protection against cyberattack from outside the country.
Without at least one red team that is the equal of the enemy likely to attack, how is the DoD going to identify the critical skills necessary and insert them into the simulation process?
Would SEAL Team 6 have been sufficiently prepared to assault Osama Bin Laden's compound in Pakistan if they'd practiced in buildings that looked like Osama's, but were defended by toddlers with squirt guns?
(It's not true, by the way, that the entire U.S. cyber-defense plan depends on a pre-emptive raid by SEAL Team 6, which will move once it figures out where the Internet's secret compound is and whether there's room outside for it to land its stealth helicopters.)
Online, the U.S. military barely even knows what rules it's supposed to follow, let alone those the bad guys are likely to break.
Even the defense contractors getting the big money to build and run the Cyber Range and other programs aren't paying that much attention. They're spending more time acquiring new cybersecurity companies than on developing new techniques or defensive systems, according to Defense Industry Daily.
The DoD will spend $2.3 billion on cybersecurity during FY 2012, mostly through the new U.S. Cyber Command at Ft. Meade, Md., which is supposed to take point on the defense.
It's not the only military entity working on cyberwar, though. The Cyber Range is DARPA's baby; the Air Force wants almost $1 billion for cybersecurity funding; the Army wants three quarters of a billion; the Navy wants $600 million.
Most of the spending will go to traditional IT security programs, according to DID. That may plug some holes, but will mainly create better-funded systems just as insecure as they are now.
Between that kind of backfilling, delays that have kept the Cyber Range offline until now even though it was approved in 2007 and 2008, and the focus of defense contractors on consolidating their part of the cyberwar market, you can bet the U.S. isn't going to be any more ready for cyberwar a year from now than it was a year ago.
The whole cybersecurity sector of DARPA and DoD will be better funded, better organized and far better equipped when they're penetrated and destroyed by 12-year-olds from Uzbekistan, however.
We can all feel better about that.