Tag Archives: military cyber commander

U.S. preparing for cyber wars

WASHINGTON – As the U.S. military prepares its cyber rules of engagement, Congress wants to help identify computer-borne threats by making it legal for companies to share personal data that they collect with the government.

Cyber intrusions are distinct from cyber warfare, which has the larger purpose of crippling key physical or technological infrastructure. Cyber attacks waged as acts of aggression or war could infiltrate computer systems or technological infrastructure, crippling government entities or economies by attacking energy sources or transportation systems.

Cyber warfare could take on different forms. In a Wall Street Journal piece in April, two officials at the Foundation for Defense of Democracies in Washington D.C, wrote about how an “electronic curtain” in Iran allows the government to engage in electronic repression by controlling what kinds of information the public can send and receive over the Internet. This is just one example of how cyber warfare tactics have the potential to impact hundreds of thousands of citizens, succinctly and swiftly, without inflicting more traditional forms of violent aggression.

Congress has to balance protecting the nation’s infrastructure and citizens with the potential for violating personal rights and privacy in the proposed Cybersecurity Act of 2012. Congress’s aim is to help the U.S government investigate cyber threats and ensure the security of networks against attacks.

Meanwhile, the military is expected to release its rules of engagement for wars fought via the Internet. The rules will outline how the U.S. will define a cyber attack as an act of war or aggression against the state, and the appropriate response.

In addressing what a military response to cyber warfare could look like, the military is navigating uncharted territory. The rules will also define when the military can engage in defensive activities against online adversaries. Can U.S. forces “shoot’’ back with weapons when an attacker sends a massive computer virus or can troops only respond with a similar use of force? What if you can’t definitively identify the enemy? These are some of the complications of identifying and defending against vague threats online.

The potential outcomes and impacts of cyber warfare could look different than those seen in traditional warfare. Most citizens, save for the extraordinarily security conscious, leave a data footprint of their lives that, under the proposal, might be made available to the government for the purposes of identifying, preparing for and containing threats.

Citizen Watchdog organizations including the American Civil Liberties Union and The American Association of Practicing Psychiatrists said in a recent letter that the act would allow too much sharing of individual data, and the groups have proposed amendments to the bill that they say would help to protect civil liberties—things like giving customers effective legal recourse for violations of what little privacy protections the bill offers.

It seems inevitable that American citizens will lose some personal freedoms relating to rights to their e-information, the question is how much personal information does the government need to protect the nation from online warfare.

 

Homeland Security Science and Technology Authorization Act of 2010

According to a New York Times article, the attacks against Google’s systems last December resulted in the theft of a password system that controls access to its applications and services for millions of users.

The system intrusion and theft raises concerns over the security of “cloud computing,” or using third party services such as Google to store and manage data from corporate email to spreadsheets and other documents. It also illustrates the growing threat of cyber attacks, which has not gone unnoticed by Congress. According to the Homeland Security Newswire, in the coming weeks Congress is holding a confirmation hearing on Army Lt. Gen. Keith Alexander, the new military cyber commander, and markup sessions on bills to fund cybersecurity research and development.

One of the bills, Homeland Security Science and Technology Authorization Act of 2010 (H.R. 4842), deals with funding research and development projects that address such issues as:

  • More secure versions of fundamental Internet protocols and architectures, including domain name systems and routing protocols
  • Technologies for detecting attacks or intrusions
  • Mitigation and recovery methodologies, including techniques to contain attacks and develop resilient networks and systems that degrade gracefully
  • Infrastructure and tools to support cybersecurity R&D efforts, including modeling, testbeds and data sets for assessment of new cybersecurity technologies
  • Technologies to reduce vulnerabilities in process control systems
  • Test, evaluate and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the software development lifecycle
  • Liability that subjects software and system vendors and system operators to potential damages for system breaches
  • Required reporting of security breaches that could threaten critical societal functions
  • Regulation that imposes under threat of civil penalty best practices on system operators of critical infrastructure
  • Certification from standards bodies about conformance to relevant cybersecurity standards that can be used as a marketplace differentiation
  • Accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted red team simulated attacks or exercises
  • Cybersecurity risk insurance

The complete bill can be found on the Library of Congress THOMAS website.