
We have been covering cyber now for several months and my work in cyber defense and security has been going on for over a decade. In that period of time the U.S. government has failed to establish the command authority needed to protect the nation. Critical questions have gone unanswered for months or even years. One of those questions deals with where the cyber command operation headquarters will be located. The physical location for cyber command is not yet decided. This has been a hot topic now for the last ten months and multiple states are jockeying for position.
If that is not bad enough, the government has failed to establish a command and control structure and authorities for offensive cyber capabilities, defensive cyber capabilities and cyber intelligence. With billions of dollars of budget at stake, the amount of political posturing and verbal war has risen to heights not seen before. The level of infighting became intolerable for Rod Beckstrom, Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security. This past weekend he resigned. So what should we do?
I have given this much thought over the past decade and occasionally been asked by those looking into this what I would do. So here it is…
Recommendations:
1. Department of Defense (DoD) Secretary Robert Gates owns the offensive capabilities to fight a cyber war and defenses against cyber attack that originate outside the United States.
2. Homeland Defense (DHS) Secretary Janet Napolitano owns offensive and defensive cyber capabilities for activities within the United States. (Remember a significant number of compromised computers within the U.S. were used in the DDoS attacks against Estonia and Georgia and the uniformed military cannot be used against its own citizens!) U.S. Strategic Command would include cyber in their unified command structure. In addition, DoD must appoint a liaison/coordinator to NATO given their role in cyber peace keeping and response to cyber attacks.
3. The National Security Agency (NSA) Director LTG Keith B. Alexander owns cyber intelligence and espionage activities both inside and outside the United States. They continue to collect, analyze and disseminate cyber intelligence as well as any and all counter cyber intelligence activities.
4. A National Cyber Security Executive is added to the Presidential Staff and coordinates all the efforts of DoD, DHS and NSA. Given the civilian, government, business, education interrelationship that cyber has, this matrixed organizational structure is necessary to fully protect and defend our nation (internally and externally).
5. A National Cyber Attaché would be appointed by President Obama and serve as special liaison to the United Nations and other countries in pursuit of international cyber relations.
Until the leadership is established and these questions, and others, are answered, cyber defense is like a ship without a captain! That is the current situation when it comes to cyber defense in the United States. As long as these questions linger without answers, our nation remains at great risk!

Kevin;
I very much like the last two points of your recommendation, but I have some issues with the first three, issues which rise from the inherent nature of cyberwarfare and which you obviously have a knowledge of.
The spectrum of aggressive actions that actors can take seems to range from probing to active intelligence gathering to brute force attacks à la DDoS. Further, like you mention, these attacks are incredibly difficult to attribute and the workstation making the attack may or may not be in charge.
This causes two issues. First, both state and nonstate actors have an incredible flexibility across that spectrum. Under your situation, who makes the call when an action crosses from DoD’s responsibility to repel “cyber attack” and NSA’s responsibility to counter intelligence gathering? And how does the DoD respond?
Second, when botnets can include both foreign and domestic computers, who decides if it’s DHS or DoD which takes responsibility? You say, quite rightly, that DoD can’t operate in the States or against its own citizens, but how do we know where the attack originated?
To my mind, splitting up the responsibility geographically is inefficient and dangerous. I would feel much more comfortable if one agency had full responsibility for cyberdefense. Centralization allows for the coordination and (if done correctly) flexibility which is necessary. That, or every agency needs to be responsible for safeguarding its own systems, including civilian corporations. Either a top-down centralized clearinghouse or a cell-based resilient approach. I would think anything else is asking for trouble.
You’ve obviously put more study into this than I have, however, and I greatly appreciate the thought you’ve put in. Perhaps you see something I don’t?
Tim
Perhaps you should relook at the law!!! Because of Posse Comitatus the Army (military) is not allowed to be used on US soil for these matters — that’s what the National Guard are for.
Kevin, what do you think about this, your point of view within a new article if you don’t mind.
http://www.spacewar.com/reports/US_Cyber_Head_Quits_Over_Threats_To_Democracy_999.html
Eddie V
I wanted to address your comment — How then would putting responsibility in their (DoD) hands be an effective tool?
When I worked primarily with the private sector (business) I used to think that the public sector (government including DoD) did not really get it and was behind as you kind of hinted at in your posting. I agree monitoring on both the public and private sector is critical. I must tell you after a significant amount of interaction with the defense and intelligence community as well as DHS they see so many highly sophisticated attacks and the frequency of the attacks is so great, they are much further ahead in their thinking, knowledge and capabilities it is unreal. The private sector has a role but not leadership.
Kevin;
I’m afraid that’s not what I meant at all. I’m quite aware that the DoD is working overtime on determining what, exactly, cyberwarfare means. I know that it has some of the best defensive cyber tools and systems in operation today.
What I meant by questioning its effectiveness was this: There are so many points of entry that it seems a waste of resources–indeed, beyond the logistical capability of the DoD–to monitor _all_ data traffic entering and leaving the United States. And yet, if they are to be aware of any attack with time enough to prevent/defend/retaliate, they must do exactly that.
To my mind, a resilient, cell-based defense network would be much better. Don’t give corporate America the ability to retaliate (that’s just asking for trouble), but set up programs which encourage them to build security architectures that can withstand vigorous attack. Then, they can inform each other and the government of attacks and leave the deliberate retaliation to whichever agency ends up bearing the responsibility.
What we really have here is the tragedy of the commons–our infrastructure as a whole is no one agency or company’s responsibility, and thus gets left by the wayside. One way to correct this is to make it the government’s responsibility, as you have suggested. Another solution is to create externalities which drive normal citizens to remember the commons. Wouldn’t this method be more effective in this case?
Eddie V
2 things
From an unbiased semi-insider view DoD is HIGHLY Effective!!!!!!
As for the cellular network architecture and building them right from the start. You have to defend what we already have invested in while highly resilient, cell-based defense networks are developed, procured, installed, validated and implemented and with the government procurement process that could be a decade!
PS I love this type of interaction!!!!
All,
We need to create a non-profit organization to start developing solutions and legislation now. Submit to Congress ASAP. Contact me if you are interested! Kevin, I have emailed you my number.
Dustin L. Fritz
CEO | The Computer Network Defense Group LLC
The National Security Agency is part of the Department of Defense. Please do not double-count them. And they are legally prohibited from taking action inside the United States without appropriate Attorney General/Court action.
Opinion: Homeland Defense should handle Defense and the (renamed) Department of War should handle offense.