Comments on: A Ship Without a Captain

By: Jim

Jim — Mon, 16 Mar 2009 14:54:05 +0000

The National Security Agency is part of the Department of Defense. Please do not double-count them. And they are legally prohibited from taking action inside the United States wothout appropriate Attorney General/Court action.
Opinion: Homeland Defense should handle Defense and the (renamed) Department of War should handle offense.

By: Dusitn L. Fritz

Dusitn L. Fritz — Sat, 14 Mar 2009 23:56:58 +0000

All,
We need to create a non-profit organization to start developing solutions and legislation now. Submit to congress ASAP. Contact me if you are interested! Kevin I have emailed you my number.
Dustin L. Fritz
CEO | The Computer Network Defense Group LLC

By: Kevin

Kevin — Fri, 13 Mar 2009 01:38:50 +0000

Eddie V
2 things
From an un biased semi insider view DoD is HIGHLY Effective!!!!!!
As for the cellular network architecture and building them right from the start. You have to defend what we already have invested in while highly resilient, cell-based defense network are developed, procured, installed, validated and implemented and with the government procurement process that could be a decade!
PS I love this type of interaction!!!!

By: Eddie V.

Eddie V. — Fri, 13 Mar 2009 01:14:14 +0000

Kevin;
I’m afraid that’s not what I meant at all. I’m quite aware that the DoD is working overtime on determining what, exactly, cyberwarfare means. I know that it has some of the best defensive cyber tools and systems in operation today.
What I meant by questioning its effectiveness was this: There are so many points of entry that it seems a waste of resources–indeed, beyond the logistical capability of the DoD–to monitor _all_ data traffic entering and leaving the United States. And yet, if they are to be aware of any attack with time enough to prevent/defend/retaliate, they must do exactly that.
To my mind, a resilient, cell-based defense network would be much better. Don’t give corporate America the ability to retaliate (that’s just asking for trouble), but set up programs which encourage them to build security architectures that can withstand vigorous attack. Then, they can inform each other and the government of attacks and leave the deliberate retaliation to whichever agency ends up bearing the responsibility.
What we really have here is the tragedy of the commons–our infrastructure as a whole is no one agency or company’s responsibility, and thus gets left by the wayside. One way to correct this is to make it the government’s responsibility, as you have suggested. Another solution is to create externalities which drive normal citizens to remember the commons. Wouldn’t this method be more effective in this case?

By: Kevin

Kevin — Thu, 12 Mar 2009 22:37:09 +0000

Eddie V
I wanted to address your comment — How then would putting responsibility in their (DoD) hands be an effective tool?
When I worked primarily with the private sector (business) I use to think that the public sector (government including DoD)did not really get it and was behind as you kind of hinted at in your posting. I agree monitoring on both the public and private sector is critical. I must tell you after a significant amount of interaction with the defense and intelligence community as well as DHS they see so many highly sophisticated attacks and the frequency of the attacks are so great, they are much further ahead in their thinking, knowledge and capabilities it is unreal. The private sector has a role but not leadership.

By: pedestrian

pedestrian — Thu, 12 Mar 2009 17:55:56 +0000

Kevin, what do you think about this, your point of view within a new article if you don’t mind.
http://www.spacewar.com/reports/US_Cyber_Head_Quits_Over_Threats_To_Democracy_999.html

By: Carl

Carl — Wed, 11 Mar 2009 22:55:27 +0000

Tim
Perhaps you should relook at the law!!! Because of Posi Comitatus the Army (military) is not allowed to be used on US soil for these matters — thats what the National Guard are for.

By: Eddie V.

Eddie V. — Tue, 10 Mar 2009 21:23:55 +0000

Kevin;
I very much like the last two points of your recommendation, but I have some issues with the first three, issues which rise from the inherent nature of cyberwarfare and which you obviously have a knowledge of.
The spectrum of aggressive actions that actors can take seems to range from probing to active intelligence gathering to brute force attacks ala DDoS. Further, like you mention, these attacks are incredibly difficult to attribute and the workstation making the attack may or may not be in charge.
This causes two issues. First, both state and nonstate actors have an incredible flexibility across that spectrum. Under your situation, who makes the call when an action crosses from DoD’s responsibility to repel “cyber attack” and NSAs responsibility to counter intelligence gathering? And how does the DoD respond?
Second, when botnets can include both foreign and domestic computers, who decides if it’s DHS or DoD which takes responsibility? You say, quite rightly, that DoD can’t operate in the States or against its own citizens, but how do we know where the attack originated?
To my mind, splitting up the responsibility geographically is inefficient and dangerous. I would feel much more comfortable if one agency had full responsibility for cyberdefense. Centralization allows for the coordination and (if done correctly) flexibility which is necessary. That, or every agency needs to be responsible for safeguarding its own systems, including civilian corporations. Either a top-down centralized clearinghouse or a cell-based resilient approach. I would think anything else is asking for trouble.
You’ve obviously put more study into this then I have, however, and I greatly appreciate the thought you’ve put in. Perhaps you see something I don’t?