US Cyber Command Wants Greater Attack Mentality

superglaze writes "Lieutenant General Robert J Elder, Jr, a senior figure in US Air Force Cyber Command (AFCYBER), has told ZDNet UK that communication issues are hampering the division's co-ordination. 'IT people set up traditional IT networks with the idea of making them secure to operate and defend,' said Elder. 'The traditional security approach is to put up barriers, like firewalls — it's a defense thing — but everyone in an operations network is also part of the [attack] force. We're trying to move away from clandestine operations. We're looking for real physics — a bigger bang resulting in collateral damage.'"

Fantastic

I think they should start out small by going after spammers all over the world. Just think of the positive publicity!

Re:Fantastic

With that "a bigger bang resulting in collateral damage" line, I thought this guy was a spammer.

Re:Fantastic

With that "a bigger bang resulting in collateral damage" line, I thought this guy was a spammer.

No, he'd just had one too many glasses of grain alcohol and rain water.

Re:Fantastic

Not spammers, bot nets (which often generate spam). Taking down malicious and devious programs like the Storm network would help remove an existing threat and would help them brush up on both offensive and defensive tactics.

Truth in Naming

An attack mentality from an organization called Cyber Defense Command can only mean bad things are about to happen

The organization is call Cyber Defense Command for a reason, because they know that they should be "defending". If they were honest in their naming then perhaps it would be call Cyber Attack Command. Hmmm, I wonder what other countries would think of that.... It's probably the same reason that our Department of Defense isn't call the Department of Preemptive Strikes. It was called The Department of War until 1947. I know some here will say "the best defense is a good offense", but when you have organizations with "an attack mentality" they will always find someone and some reason to attack. War without End.

Cyber??

This is exploiting cyber to achieve our objectives.

I'm sorry, what? All I can picture is a pimply teenager sitting in front a flickering screen, typing "Wanna cyber????" into his chat field. I have no idea how to exploit cybering to achieve military objectives. Maybe they want to paralyze the target's networks by getting all lonely teenagers to respond to mass cyber requests?

Re:Cyber??

All I can picture is a pimply teenager sitting in front a flickering screen, typing "Wanna cyber????"

You can only picture a teenager because for you, the implicit noun modified by cyber- is sex - arguably the default focus of a teen's attention. For the military, the implicit noun is war - that is the default focus of their attention. It is clear that cyber- is an adjective prefix that indicates computation. What it means when the noun is implied is in the mind of the beholder.

Just what we need

Could the US have any more of an "attack mentality" than it already does?

Re:Just what we need

"In the past 10 years the US has initiated 2 military actions against foreign powers."

Off the top of my head, I can think of 4:

1998: US launches cruise missiles at Sudan and Afghanistan
1999: US launches airstrikes against Yugoslavia to get it out of Kosovo
2001: US provides air support to forces in Afghanistan to overthrow the Taliban
2003: US invades Iraq

Re:Just what we need

NATO is not the US.

Re:

2? Just 2? We are actively nation building in 12 countries right now. Nation building is done by peacekeepers and peacekeeping is done by soldiers. Soldiers on the ground in another country with guns, getting shot at = ? ...

-ellie

Hello Citizen

Hello US Citizen,

Your ISP has identified you as subscribing to a connection with >1Mbs upload speed. A recent top-secret national security bill requires all citizens with such bandwidth to become part of the national defense infrastructure. Attached to this email you will find an application. Install it. It will self register with homeland defense and be available for defense of the homeland should the need arise.

Thank you for your cooperation.
ZZ

PS: you have 1 week to register or you will be added to the terrorism watch list and will be subject to extreme rendition if needed.
PPS: we can't show you the bill, this is top-secret national defense stuff.
PPPS: if you are thinking of decompiling or interfering with the operation of this software, see PS:
PPPPS: yes this is MS windows Vista only software. Don't have Vista, see PS:

Great...

This is just what we need. Perhaps if things had been properly defended in the first place there wouldn't be so much of a need for the "Cyber Command" in the first place. Or, here's another idea, perhaps critically important systems
shouldn't
be
connected
to
the
INTERNET!!!

perfect security is impossible, somehow "bringing the fight to the enemy" isn't a solution. Changing the way you think about the internet is.

I can't wait until it's "you're on our side of the internet or you're on their side!!"

Every time a government, or especially its military, does something stupid in regards to the internet, I feel the strong need to drink.

Re:Great...

For example, programs that are written in Java effectively cannot be hacked due to bugs.

Java has so many bugs in it that it can't be hacked?

Re:Great...

Java has so many bugs in it that it can't be hacked?

No, but your English parser does. There was a small defect in the input and instead of handling it gracefully it corrupted the discussion.

That's why you just got the uncontrollable urge to eat brains.

IT Attack mentality?

It's funny - usually the attack mentality gets shot down pretty quickly in the US. There was a thread a few years ago about using your IDS to go after people attacking your server...the consensus was it was a Bad Idea. It's pretty much illegal to do in the US anyway, but it also seen as bad karma.

OTOH, there's no technical reason not use snort + script kiddie tools to automatically detect intruders and try to whack them. You can identify botnet members pretty easily from the pattern of accesses (the probes tend to come in waves, as various parts of the swarm poke your boxes).

The US could just hide in that swarm of accesses, poking servers and doing slow scans to figure out what's where. It's pretty easy these days to do signature profiling on systems, and to just stash this info in a database somewhere. Update each entry every few weeks, and be able to update ranges on demand.

The only really hard part is getting your own botnet up and running. The US Government could, theoretically, tap into the search engines to do this for them, which would be pretty amusing. Nobody pays attention to web spiders, and well, if the spider does a slow port scan 'accidentally' who cares?

It'll be too hard for them to staff up

Too many of the people that they'd want who are freakishly good at networking probably have a criminal record long enough to deter them from ever holding a TS, let alone a TS/SCI.

I would hazard to guess that the reason that China is able to keep its black hats at bay is the ability of their government to make you disappear in the middle of the night and wake up the next day in a labor camp if they even suspect you of compromising government systems.

Good luck with that.

Sorry, but the U.S. military just isn't going to get the best hackers around. The biggest problem is that the entire U.S. educational system actively discourages this type of education, in a hostile manner. Big businesses also work with the educational system to discourage creating knowledgeable and skilled people.

Someone posted about a class of theirs on Security issues that got shut down by one big corporation, who threatened not to hire any of their departments' students if they insisted on teaching that class.

So, the bottom line is that our Education system isn't turning out the skilled people that the Military is looking to hire.

This is compounded by the fact that the ones who DO get this knowledge, and have the right attitude, are snapped up by the Bad Guys. Crime is increasingly playing a big part on the internet, and those folks WILL pay good money for the right talent which can deliver results.

I suppose the Military could consider subcontracting out to the Mafia. That's really their only option if they are serious. Otherwise, the best they can get will just be second-rate talent, and more likely third-rate talent.

Good luck attacking, or defending, with that. As a US citizen, I find this frightening, but I've been saying it for years. I'm glad someone is finally waking up to the matter. But I doubt anything serious will ever be done until it's too late.

Re:Good luck with that.

You're right that the military isn't going to get the best hackers. The NSA will. The educational system isn't the real problem. The best hackers have always been those who had a knack for it and lived and breathed the systems that they enjoyed playing with. Because for the best hackers, hacking is playing. It isn't a job, it isn't a career, it's a hobby that they enjoy. The education system could turn out "computer security professionals", but they will only be as effective as their last class. There simply aren't many people out there with the mental facilities required to be really good at hacking. All the guys I knew weren't wired right. They'd only sleep four hours a night, and had insanely accurate memories.. or they were seriously into drugs, everything from speed and coke to LSD and mushrooms. That's why the end up at the NSA. They can be compartmentalized and their idiosyncrocies can be overlooked. Those people would never make it in a military environment with a rigid chain of command.

Didn't know the Airforce was into this stuff

I put on my robe and wizard hat...

First strike & offense capablity.

I am waiting for them to call me and my buddies.

First they need older hackers, not script kiddies.
Black hats, or at least former black hats.

Lot's of Jolt Cola, Cold Pizza and some dark dungeon supplied with what ever mind altering substances needed and a steady supply of nerdy Asian girls to look after them.

Also the boxed set of all Stargate, Star Wars, Star Trek, Battlestar Galactica and.. Na on second thought, we'll just grab them off Bit Torrent. Same for the HDTV, UPS delivery off some stolen credit card, old habits die hard.

Maybe more useful would be legal immunity/amnesty, from all of the collateral damage from relaxing hobbies like taking down the RIAA or Microsoft in the process, (oops).

But seriously, a License to hack anything domestic and foreign with total immunity as long at it's primarily against the enemy would be totally cool, I think a lot of us who had to give up the black hat because we have kids and just can't afford to go to prison, would be all over this.

Why domestic, I almost don't want to say this publicly but the best way to get in is start in.
http://www.c-program.com/kt/reflections-on-trusting.html [c-program.com]

Anyhow you can't play by the rules, if they think you can launch and offensive attack without some pre-preparation your wrong.

Making an offensive toolkit is fantasy. By definition this is script kiddie and lame.

> where vulnerabilities are introduced into chipsets during manufacturing that an adversary can then exploit, and electronics vulnerabilities.

I have been told years ago that this is already being done at Taiwanese fabs to us.
Chips were designed to be resonant at some Ghz ranges and would be equivalent to an EMP when hit.
This is done at the fab without changes to the chip design but layer thicknesses that is something the fab has total control over.

These attacks should be in any OS, Router, or any other electronic devices that get sold and without the knowledge if it manufactures either. This would hackers the greatest flexibility to exploit them when needed. They key is to make sure it's not detectable or exploitable by other hackers.
An example would be to hack into Microsoft and muck with their distro before it goes out.

Of course with Microsoft and Apple, this would already seem to be unnecessary.

Someday in the Future...

Someday this guy will have a big component of his ships, missiles, and robot vehicles taken down by a friggin' virus spawned by two guys in a garage somewhere in Asia.

And he'll go "Oh my god! We were totally taken by surprise! Who could have ever imagined or prepared for something as astounding as this!", for about the 4,000th time in the history of this administration.

collateral damage

Isn't it some kind of war crime to intentionally TRY to inflict collateral damage?

I thought there was an obligation to try to minimize collateral damage?

Re:Translation

You misunderstand. "Collateral damage" means they want to kill your whole family too.

Re:IPS?

No problem, we will be sending you the bill shortly. The taxes on this work will be calculated at $1.8m per second. We look forward to receiving your payment in a timely manner. -- IRS