Cyber self-defense can help U.S. security

tags: citizen security cyberwar cyberwar discourse event

NSA Director Says U.S. Has a Duty to Secure the Internet

tags: cyber command cyberwar discourse event cyberwar

RIM gives India tools to monitor BlackBerry usage – MarketWatch Annotated

This is yet another story about India trying to monitor secure BlackBerry communications.  This is representative of an increasing trend worldwide where governments want to monitor communications.

tags: week-4 blackberry cell phones surveillance

• India will also soon issue notices for security access to other service providers such as Google Inc.
  (NASDAQ:GOOG)
  on its Gmail email service and firms providing Internet telephony services such as Luxembourg-based Skype Ltd., a senior government official told reporters on condition of anonymity.

RIM gives India tools to monitor BlackBerry usage – MarketWatch Annotated

This is yet another story about India trying to monitor secure BlackBerry communications.  This is representative of an increasing trend worldwide where governments want to monitor communications.

tags: week-4 blackberry cell phones surveillance

• India will also soon issue notices for security access to other service providers such as Google Inc.
  (NASDAQ:GOOG)
  on its Gmail email service and firms providing Internet telephony services such as Luxembourg-based Skype Ltd., a senior government official told reporters on condition of anonymity.

Iran to search for WMDs on its own, thank you

Evgeny Morozov of Foreign Policy magazine uses the announcement of an Iranian search engine to comment upon Google’s corporate policies around the world and the wisdom of the United States’ vocal quest for “Internet freedom.”  In short, he makes a good argument that both are unwise and that the latter is back firing.

tags: internet freedom

Iran to replace Google with ‘Oh Lord’

This article details Iranian plans to develop its own national search engine to replace Google.  The Iranian search engine will be named “Ya Haq,” which is Persian for “Oh Lord.”

tags: internet filtering

Iran to search for WMDs on its own, thank you

Evgeny Morozov of Foreign Policy magazine uses the announcement of an Iranian search engine to comment upon Google’s corporate policies around the world and the wisdom of the United States’ vocal quest for “Internet freedom.”  In short, he makes a good argument that both are unwise and that the latter is back firing.

tags: internet freedom

Iran to replace Google with ‘Oh Lord’

This article details Iranian plans to develop its own national search engine to replace Google.  The Iranian search engine will be named “Ya Haq,” which is Persian for “Oh Lord.”

tags: internet filtering

Coalition to dump ‘flawed’ internet filter

While many countries around the world filter and censor the Internet, Australia has been the poster child for Internet filtering and censorship by a Western-style, liberal, democratic state.  Proposals to filter the Internet have become a centerpiece of the ongoing political campaign, with the opposition vowing to scrap the current government’s filtering plans.

tags: internet filtering

Jihadist blogger thought to be creator of Al Qaeda website could be indicted on terrorism charges

An American, Samir Khan, who ran a radical Islamic website is facing charges that he use his website to aid al-Qaeda in training and recruiting efforts.  He is believed to have fled the U.S. to join Anwar al-Awlaki in Yemen.  al-Awlaki was dubbed the “bin Laden of the Internet” this week by USA Today.

tags: terrorism social media surveillance

US controls threaten Internet freedom

This article from a Chinese news source provides a Chinese perspective on the issues of Internet freedom and governance.  In particular, it argues that recent discussion of offensive cyberwar strategies by the U.S. mean that it is the U.S., not China, that is a threat to global Internet freedom.

tags: internet filtering internet governance cyberwar

SPIEGEL ONLINE – Druckversion – The Two-Tier Internet: Fighting for Control of the Web’s Future – SPIEGEL ONLINE – News – International

This is a lengthy but good article that gives an international perspective on the recent Google/Verizon announcement that has led to concern over the prospects for the future of “net neutrality.”

tags: net neutrality

After BlackBerry, govt turns heat on ISPs

On the heels of the ongoing controversy over pressure on Research In Motion by several governments worldwide, all of whom want to be able to monitor communications on the company’s popular BlackBerry service, India is now also seeking greater access to Internet communications by its law enforcement and intelligence services.

tags: surveillance privacy internet filtering

Cleric al-Awlaki dubbed ‘bin Laden of the Internet’ – USATODAY.com

This story is a profile of the radical, American cleric, Anwar al-Awlaki.  It discusses his successes in recruiting American Muslims to the cause of jihad and, in particular, his use of Internet technologies like YouTube.

tags: terrorism

Coalition to dump ‘flawed’ internet filter

While many countries around the world filter and censor the Internet, Australia has been the poster child for Internet filtering and censorship by a Western-style, liberal, democratic state.  Proposals to filter the Internet have become a centerpiece of the ongoing political campaign, with the opposition vowing to scrap the current government’s filtering plans.

tags: internet filtering

Jihadist blogger thought to be creator of Al Qaeda website could be indicted on terrorism charges

An American, Samir Khan, who ran a radical Islamic website is facing charges that he use his website to aid al-Qaeda in training and recruiting efforts.  He is believed to have fled the U.S. to join Anwar al-Awlaki in Yemen.  al-Awlaki was dubbed the “bin Laden of the Internet” this week by USA Today.

tags: terrorism social media surveillance

US controls threaten Internet freedom

This article from a Chinese news source provides a Chinese perspective on the issues of Internet freedom and governance.  In particular, it argues that recent discussion of offensive cyberwar strategies by the U.S. mean that it is the U.S., not China, that is a threat to global Internet freedom.

tags: internet filtering internet governance cyberwar

SPIEGEL ONLINE – Druckversion – The Two-Tier Internet: Fighting for Control of the Web’s Future – SPIEGEL ONLINE – News – International

This is a lengthy but good article that gives an international perspective on the recent Google/Verizon announcement that has led to concern over the prospects for the future of “net neutrality.”

tags: net neutrality

After BlackBerry, govt turns heat on ISPs

On the heels of the ongoing controversy over pressure on Research In Motion by several governments worldwide, all of whom want to be able to monitor communications on the company’s popular BlackBerry service, India is now also seeking greater access to Internet communications by its law enforcement and intelligence services.

tags: surveillance privacy internet filtering

Cleric al-Awlaki dubbed ‘bin Laden of the Internet’ – USATODAY.com

This story is a profile of the radical, American cleric, Anwar al-Awlaki.  It discusses his successes in recruiting American Muslims to the cause of jihad and, in particular, his use of Internet technologies like YouTube.

tags: terrorism

Pentagon considers preemptive strikes as part of cyber-defense strategy Annotated

Based largely on Deputy Secretary of Defense William Lynn’s recent article in Foreign Affairs, this piece outlines the offensive technologies and policies that the U.S. is considering in the area of cybersecurity.

tags: cyberwar cyber command

• The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas – but it is still wrestling with how to pursue the strategy legally.
• But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.

• Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.

  Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the “active defense” of military computer systems, what he called a “fundamental shift in the U.S. approach to network defense.”

• The military’s dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.
• Still, taking action against an attacker’s computer in another country may well violate a country’s sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions – such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a “covert” action that only it has the authority to carry out, and only with a presidential order.
• Policymakers also are grappling with questions of international law. “We are having a big debate about what constitutes the use of force or an armed attack in cyberspace,” said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. “We need to know where those lines are so that we don’t cross them ourselves when we conduct offensive actions in cyberspace against other nations.”
  • Yet another example of someone who should know better manufacturing ambiguity where it does not exist.  What constitutes “use of force” and “armed attack” is the same as it was before, is still based on the same treaties and norms of international behavior as before.  See Michael Schmitt’s work on developing metrics for determining when cyber attacks constitute “used of force” or “armed attack” under international law.

• The industry official said his concern is “the militarization” of the international dialogue. “Any time Pentagon leaders start using the terms ‘active defense,’ ” he said, “then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat.”
  • Exactly.  We have based our narrative thus far on the argument that it is “them”–foreign actors of various sorts, from governments to terrorists–who are developing cyber attack capabilities and threatening “us.”  In actuality, we are finding out that this is all just a cover for our own creation of new weapons systems and, with them, a new “domain” of war.  In turn, we stand the real risk of creating a self-fulfilling prophecy.  If “they” were not developing cyber attack capabilities for use against “us” before, “they” certainly will now.

Pentagon considers preemptive strikes as part of cyber-defense strategy Annotated

Based largely on Deputy Secretary of Defense William Lynn’s recent article in Foreign Affairs, this piece outlines the offensive technologies and policies that the U.S. is considering in the area of cybersecurity.

tags: cyberwar cyber command

• The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas – but it is still wrestling with how to pursue the strategy legally.
• But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.

• Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.

  Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the “active defense” of military computer systems, what he called a “fundamental shift in the U.S. approach to network defense.”

• The military’s dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.
• Still, taking action against an attacker’s computer in another country may well violate a country’s sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions – such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a “covert” action that only it has the authority to carry out, and only with a presidential order.
• Policymakers also are grappling with questions of international law. “We are having a big debate about what constitutes the use of force or an armed attack in cyberspace,” said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. “We need to know where those lines are so that we don’t cross them ourselves when we conduct offensive actions in cyberspace against other nations.”
  • Yet another example of someone who should know better manufacturing ambiguity where it does not exist.  What constitutes “use of force” and “armed attack” is the same as it was before, is still based on the same treaties and norms of international behavior as before.  See Michael Schmitt’s work on developing metrics for determining when cyber attacks constitute “used of force” or “armed attack” under international law.

• The industry official said his concern is “the militarization” of the international dialogue. “Any time Pentagon leaders start using the terms ‘active defense,’ ” he said, “then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat.”

Pentagon’s cybersecurity plans have a Cold War chill Annotated

tags: cyberwar cyberwar-skepticism

• Lynn’s proposals are provocative. But the strategy could be costly and perhaps cumbersome, and it involves threats that aren’t well understood by the public — even by many of the companies that could be targets of attacks. So the first order of business should be more public information: Everyone needs to understand the risks of attack, and the costs and benefits of mobilizing against it.
• In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication. Of course we want to protect ourselves against threats. But as with human viruses, hostile computer bugs will evade our best efforts at quarantine. A new (and expensive) obsession with cybersecurity is not what this traumatized country needs.

CSI Computer Crime and Security Survey 2009 | Computer Security Institute Annotated

The take-away from this summary seems to be that while the number of incidents has risen, the impact of those incidents in terms of losses has continued to decrease.  What’s more, lack of security awareness by insiders remains a significant source of losses.

tags: cyberwar

• Respondents reported big jumps in incidence of password sniffing, financial fraud, and malware infection.
• Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
• Twenty-five percent of respondents felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
• Respondents were satisfied, though not overjoyed, with all security technologies.
• Most respondents felt their investment in end-user security awareness training was inadequate, but most felt their investments in other components of their security program were adequate.

Pentagon’s cybersecurity plans have a Cold War chill Annotated

tags: cyberwar cyberwar-skepticism

• Lynn’s proposals are provocative. But the strategy could be costly and perhaps cumbersome, and it involves threats that aren’t well understood by the public — even by many of the companies that could be targets of attacks. So the first order of business should be more public information: Everyone needs to understand the risks of attack, and the costs and benefits of mobilizing against it.
• In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication. Of course we want to protect ourselves against threats. But as with human viruses, hostile computer bugs will evade our best efforts at quarantine. A new (and expensive) obsession with cybersecurity is not what this traumatized country needs.

CSI Computer Crime and Security Survey 2009 | Computer Security Institute Annotated

The take-away from this summary seems to be that while the number of incidents has risen, the impact of those incidents in terms of losses has continued to decrease.  What’s more, lack of security awareness by insiders remains a significant source of losses.

tags: cyberwar

• Respondents reported big jumps in incidence of password sniffing, financial fraud, and malware infection.
• Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
• Twenty-five percent of respondents felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
• Respondents were satisfied, though not overjoyed, with all security technologies.
• Most respondents felt their investment in end-user security awareness training was inadequate, but most felt their investments in other components of their security program were adequate.

U.S. Strategic Command – 2010 Cyberspace Symposium: Keynote – USSTRATCOM Perspective

Speech by head of STRATCOM, Gen. Kevin Chilton.  STRATCOM is the parent organization of USCYBERCOM.

tags: cyberwar cyber command cyberwar discourse event

Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated) | Danger Room | Wired.com Annotated

A story from Wired Magazine’s Danger Room blog that is getting a lot of attention.  It calls into question the claims made this week by Deputy Secretary of Defense William J. Lynn III about a 2008 cyber attack against the Department of Defense.

tags: cyberwar cyberwar-skepticism cyber attack

• The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.
• n 2007, the security firm Symantec rated SillyFDC as “Risk Level 1: Very Low.”
• The havoc caused by agent.btz has little to do with the worm’s complexity or maliciousness — and everything to do with the military’s inability to cope with even a minor threat.

• But what spy service would launch such a lame attack?

  “It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach and that’s what started a couple years ago. I’ve tried to lay out where we’re going going forward.”

  • So let’s get this straight.  DoD found itself vulnerable to a “Level 1: Low Risk” threat, the kind of threat that could have been taken care of by one of Symantec’s antivirus applications, because it was completely ignorant of its own systems.  And instead of bringing its defense up to date, the response has been to create the U.S. Cyber Command with a mission that includes offensive cyber attack against adversaries, as well as calls from prominent individuals in the defense community to “re-engineer the Internet” to eliminate anonymity online.  Inappropriate, dangerous overkill anyone?

Gov’t hype surrounds ”Operation Buckshot Yankee”

tags: cyberwar cyberwar-skepticism

U.S. Strategic Command – 2010 Cyberspace Symposium: Keynote – USSTRATCOM Perspective

Speech by head of STRATCOM, Gen. Kevin Chilton.  STRATCOM is the parent organization of USCYBERCOM.

tags: cyberwar cyber command cyberwar discourse event

Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated) | Danger Room | Wired.com Annotated

A story from Wired Magazine’s Danger Room blog that is getting a lot of attention.  It calls into question the claims made this week by Deputy Secretary of Defense William J. Lynn III about a 2008 cyber attack against the Department of Defense.

tags: cyberwar cyberwar-skepticism cyber attack

• The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop and go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.
• n 2007, the security firm Symantec rated SillyFDC as “Risk Level 1: Very Low.”
• The havoc caused by agent.btz has little to do with the worm’s complexity or maliciousness — and everything to do with the military’s inability to cope with even a minor threat.

• But what spy service would launch such a lame attack?

  “It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach and that’s what started a couple years ago. I’ve tried to lay out where we’re going going forward.”

  • So let’s get this straight.  DoD found itself vulnerable to a “Level 1: Low Risk” threat, the kind of threat that could have been taken care of by one of Symantec’s antivirus applications, because it was completely ignorant of its own systems.  And instead of bringing its defense up to date, the response has been to create the U.S. Cyber Command with a mission that includes offensive cyber attack against adversaries, as well as calls from prominent individuals in the defense community to “re-engineer the Internet” to eliminate anonymity online.  Inappropriate, dangerous overkill anyone?

Gov’t hype surrounds ”Operation Buckshot Yankee”

tags: cyberwar cyberwar-skepticism

THE WAR ON HYPE / The deadly terror lurking around the corner may not be such a big, ominous threat after all – SFGate Annotated

Vintage James Lewis, apparently before he became chief cyberwar enthusiast.

tags: cyberwar cyberwar-skepticism

• Or cyber terror. In 1995, the first in a long series of warnings of an “electronic Pearl Harbor” was made. Although terrorists have launched many attacks since 1995, none has involved cyber terror.

  The closest thing to a cyber attack occurred in Australia, when a disgruntled employee who had designed the computer system for a sewage treatment plant was able to penetrate the network after 49 consecutive attempts that went unnoticed and release raw sewage. The government report on the incident says this produced an unbearable smell for several days. Residents were unhappy, but able to control their terror.

  Cyber terror was at first suspected in the 2003 Northeast blackout. The cause turned out to be incompetence and falling trees. The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.

  One lesson to draw from this is that large, modern economies are hard to defeat. Their vulnerability — to cyber attack or dirty bombs or the other exotic weapons — is routinely exaggerated.

  Yes, computer networks are vulnerable to attack, but nations are not equally vulnerable. Countries like the United States, with its abundance of services and equipment and the ability and experience in restoring critical functions, are well equipped to overcome an attack.

• What explains this discrepancy between risk and perception?

• When the cold war ended, the United States reassessed what kinds of threats it would face in the future. A series of influential commissions concluded that new kinds of opponents would use asymmetric attacks and unconventional weapons against the American homeland. They would attack vulnerable civilian targets, as no one could challenge the U.S. military and win.

  This assessment proved, unfortunately, to be correct, but its corollary — that the new opponents would use unconventional weapons like cyber or bio — missed the mark.

• There are important differences between experts and terrorists. Experts imagine exotic attack scenarios. Terrorists are conservative. They prefer guns and bombs.
• Attacks using exotic, untried weapons are more likely to be detected, more difficult to carry out and may not even work.

THE WAR ON HYPE / The deadly terror lurking around the corner may not be such a big, ominous threat after all – SFGate Annotated

Vintage James Lewis, apparently before he became chief cyberwar enthusiast.

tags: cyberwar cyberwar-skepticism

• Or cyber terror. In 1995, the first in a long series of warnings of an “electronic Pearl Harbor” was made. Although terrorists have launched many attacks since 1995, none has involved cyber terror.

  The closest thing to a cyber attack occurred in Australia, when a disgruntled employee who had designed the computer system for a sewage treatment plant was able to penetrate the network after 49 consecutive attempts that went unnoticed and release raw sewage. The government report on the incident says this produced an unbearable smell for several days. Residents were unhappy, but able to control their terror.

  Cyber terror was at first suspected in the 2003 Northeast blackout. The cause turned out to be incompetence and falling trees. The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.

  One lesson to draw from this is that large, modern economies are hard to defeat. Their vulnerability — to cyber attack or dirty bombs or the other exotic weapons — is routinely exaggerated.

  Yes, computer networks are vulnerable to attack, but nations are not equally vulnerable. Countries like the United States, with its abundance of services and equipment and the ability and experience in restoring critical functions, are well equipped to overcome an attack.

• What explains this discrepancy between risk and perception?

• When the cold war ended, the United States reassessed what kinds of threats it would face in the future. A series of influential commissions concluded that new kinds of opponents would use asymmetric attacks and unconventional weapons against the American homeland. They would attack vulnerable civilian targets, as no one could challenge the U.S. military and win.

  This assessment proved, unfortunately, to be correct, but its corollary — that the new opponents would use unconventional weapons like cyber or bio — missed the mark.

• There are important differences between experts and terrorists. Experts imagine exotic attack scenarios. Terrorists are conservative. They prefer guns and bombs.
• Attacks using exotic, untried weapons are more likely to be detected, more difficult to carry out and may not even work.

Defending a New Domain

Article in Foreign Affairs by William Lynn, Deputy SecDef.

tags: cyberwar cyberwar discourse event

Defending a New Domain

Article in Foreign Affairs by William Lynn, Deputy SecDef.

tags: cyberwar cyberwar discourse event

Audio: Military Strategy Forum: Robert O. Work, Undersecretary of the Navy (Main Speaker) | Center for Strategic and International Studies

tags: military theory future war ncw

Work: U.S. losing networked warfare monopoly

tags: military theory future war ncw

BlackBerrys and encryption: Spies, secrets and smart-phones

Spies, secrets and smart-phones

tags: cell phones surveillance privacy

Audio: Military Strategy Forum: Robert O. Work, Undersecretary of the Navy (Main Speaker) | Center for Strategic and International Studies

tags: military theory future war ncw

Work: U.S. losing networked warfare monopoly

tags: military theory future war ncw

BlackBerrys and encryption: Spies, secrets and smart-phones

Spies, secrets and smart-phones

tags: cell phones surveillance privacy

The shift to net-enabled warfare

tags: ncw military theory Network-Centric

The shift to net-enabled warfare

tags: ncw military theory Network-Centric