Monday, June 30, 2008

Attacking the internet

Uncle Sam's cyber force wants you

By William J Astore

Recently, while I was on a visit to, my computer screen momentarily went black. A glitch? A power surge? No, it was a pop-up ad for the US Air Force, warning me that an enemy cyber attack could come at any moment - with dire consequences for my ability to connect to the Internet. It was an Outer Limits moment. Remember that eerie sci-fi show from the early 1960s? The one that began in a blur with the message, "There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission ..." It felt a little like that.

And speaking of air force ads, there's one currently running on TV and on the Internet that starts with a bird's eye view of the Pentagon as a narrator intones, "This building will be attacked 3 million times today. Who's going to protect it?" Two army colleagues of mine nearly died on September 11, 2001, when the third hijacked plane crashed into the Pentagon, so I can't say I appreciated the none-too-subtle reminder of that day's carnage. Leaving that aside, it turns out that the ad is referring to cyber attacks and that the cyber protector it has in mind is a new breed of "air" warrior, part of an entirely new Cyber Command run by the air force.

Using the latest technology, our cyber elite will "shoot down" enemy hackers and saboteurs, both foreign and domestic, thereby dominating the realm of cyberspace, just as the air force is currently seeking to dominate the planet's air space - and then space itself "to the shining stars and beyond".

Part of the air force's new "above all" vision of full-spectrum dominance, America's emerging cyber force has control fantasies that would impress George Orwell. Working with the Defense Advanced Research Projects Agency, the Department of Homeland Security and other governmental agencies, the air force's stated goal is to gain access to, and control over, any and all networked computers, anywhere on Earth, at a proposed cost to you, the American taxpayer, of US$30 billion over the first five years.

Here, the air force is advancing the now familiar George W Bush-era idea that the only effective defense is a dominating offense. According to Lani Kass, previously the head of the air force's cyberspace task force and now a special assistant to the air force chief of staff, "If you're defending in cyber [space], you're already too late. Cyber delivers on the original promise of air power. If you don't dominate in cyber, you cannot dominate in other domains."

Such logic is commonplace in today's air force (as it has been for Bush administration foreign policy). A threat is identified, our vulnerability to it is trumpeted, and then our response is to spend tens of billions of dollars launching a quest for total domination.

Thus, on May 12, the Air Force Research Laboratory posted an official "request for proposal" seeking contractor bids to begin the push to achieve "dominant cyber offensive engagement". The desired capabilities constitute a disturbing militarization of cyberspace:

Of interest are any and all techniques to enable user and/or root access to both fixed (PC) or mobile computing platforms. Robust methodologies to enable access to any and all operating systems, patch levels, applications and hardware ... [T]echnology ... to maintain an active presence within the adversaries' information infrastructure completely undetected ... [A]ny and all techniques to enable stealth and persistence capabilities ... [C]apability to stealthily exfiltrate information from any remotely-located open or closed computer information systems ...

Stealthily infiltrating, stealing and exfiltrating: sounds like cyber-cat burglars, or perhaps invisible cyber-SEALS, as in that US Navy "empty beach at night" commercial. This is consistent with an air force-sponsored concept paper on "network-centric warfare", which posits the deployment of so-called "cyber-craft" in cyberspace to "disable terminals, nodes or the entire network as well as send commands to 'fry' their hard drives".

Somebody clever with acronyms came up with D5, an all-encompassing term that embraces the ability to deceive, deny, disrupt, degrade and destroy an enemy's computer information systems.

No one, it seems, is the least bit worried that a single-minded pursuit of cyber "destruction" - analogous to that "crush ... kill ... destroy" android on the 1960s TV series Lost in Space - could create a new arena for that old Cold War nuclear acronym MAD (mutually assured destruction), as America's enemies and rivals seek to D5 our terminals, nodes and networks.

Here's another less-than-comforting thought: America's new cyber force will most likely be widely distributed in basing terms. In fact, the air force prefers a "headquarters" spread across several bases in the US, thereby cleverly tapping the political support of more than a few members of the US Congress.

Finally, if, after all this talk of the need for "information dominance" and the five Ds, you still remain skeptical, the air force has prepared an online "What Do You Think?" survey and quiz (paid for, again, by you, the taxpayer, of course) to silence naysayers and cyberspace appeasers. It will disabuse you of the notion that the Internet is a somewhat benign realm where cooperation of all sorts, including the international sort, is possible. You'll learn, instead, that we face nothing but ceaseless hostility from cyber-thugs seeking to terrorize all of us everywhere all the time.

Ugly babies, icebergs and computers
Computers and their various networks are unquestionably vital to our national defense - indeed, to our very way of life - and we do need to be able to protect them from cyber attacks. In addition, striking at an enemy's ability to command and control its forces has always been part of warfare. But spending $6 billion a year for five years on a mini-Manhattan Project to atomize our opponents' computer networks is an escalatory boondoggle of the worst sort.

Leaving aside the striking potential for the abuse of privacy, or the potentially destabilizing responses of rivals to such aggressive online plans, the air force's militarization of cyberspace is likely to yield uncertain technical benefits at inflated prices, if my experience working on two big air force computer projects counts for anything. Admittedly, that experience is a bit dated, but keep in mind that the wheels of procurement reform at the Department of Defense (DoD) do turn slowly, when they turn at all.

Two decades ago, while I was at the Space Surveillance Center in Cheyenne Mountain, the air force awarded a contract to update our computer system. The new system, known as SPADOC 4, was, as one air force tester put it, the "ugly baby". Years later, and no prettier, the baby finally came online, part of a Cheyenne Mountain upgrade that was hundreds of millions of dollars over budget. One air force captain described it in the following way:

The SPADOC system was ... designed very poorly in terms of its human machine interface ... [leading to] a lot of work-arounds that make learning the system difficult ... [Fortunately,] people are adaptable and they can learn to operate a poorly designed machine, like SPADOC, [but the result is] increased training time, increased stress for the operators, increased human errors under stress and unused machine capabilities.

My second experience came a decade ago, when I worked on the air force mission support system or AFMSS. The idea was to enable pilots to plan their missions using the latest tools of technology, rather than paper charts, rulers and calculators. A sound idea, but again botched in execution.

The air force tried to design a mission planner for every platform and mission, from tankers to bombers. To meet such disparate needs took time, money and massive computing power, so the air force went with Unix-based SPARC platforms, which occupied a small room. The software itself was difficult to learn, even counter-intuitive.

While the air force struggled, year after year, to get AFMSS to work, competitors came along with PC-based flight planners, which provided 80% of AFMSS's functionality at a fraction of the cost. Naturally, pilots began clamoring for the portable, easy-to-learn PC system.

Fundamentally, the whole DoD procurement cycle had gone wrong - and there lies a lesson for the present cyber-moment. The Pentagon is fairly good at producing decent ships, tanks and planes (never mind the typical cost overruns, the gold-plating and so on). After all, an advanced ship or tank, even deployed a few years late, is normally still an effective weapon. But a computer system a few years late? That's a paperweight or a doorstop. That's your basic disaster. Hence the push for the DoD to rely, whenever possible, on COTS, or commercial-off-the-shelf, software and hardware.

Don't get me wrong: I'm not saying it's only the Pentagon that has trouble designing, acquiring and fielding new computer systems. Think of it as a problem of large, by-the-book bureaucracies. Just look at the Federal Bureau of Investigation's computer debacle attempting (for years) to install new systems that failed disastrously, or for that matter the ever more imperial Microsoft's struggles with Vista.

Judging by my past experience with large-scale air force computer projects, that $30 billion will turn out to be just the tip of the cyber-war procurement iceberg and, while you're at it, call those "five years" of development 10. Shackled to a multi-year procurement cycle of great regulatory rigidity and complexity, the air force is likely to struggle but fail to keep up with the far more flexible and creative cyber world, which almost daily sees the fielding of new machines and applications.

Loving big 'cyber' brother
The US military is the ultimate centralized, bureaucratic, hierarchical organization. Its tolerance for errors and risky or "deviant" behavior is low. Its culture is designed to foster obedience, loyalty, regularity and predictability, all usually necessary in handling frantic life-or-death combat situations. It is difficult to imagine a culture more antithetical to the world of computer developers, programmers and hackers.

So expect a culture clash in militarized cyberspace - and more taxpayers' money wasted - as the Internet and the civilian computing world continue to outpace anything the DoD can muster. If, however, the air force should somehow manage to defy the odds and succeed, the future might be even scarier.

After all, do we really want the military to dominate cyberspace? Let's say we answer "yes" because we love our big "Above All" cyber brother. Now, imagine you're Chinese or Indian or Russian. Would you really cede total cyber dominance to the United States without a fight? Not likely. You would simply launch - or intensify - your own cyber-war efforts.

Interestingly, a few people have surmised that the air force's cyber war plans are so outlandish they must be bluster - a sort of warning shot to competitors not to dare risk a cyber attack on the US, because they'd then face cyber obliteration.

Yet it's more likely that the air force is quite sincere in promoting its $30 billion "mini-Manhattan" cyber-war project. It has its own private reasons for attempting to expand into a new realm (and so create new budget authority as well). After all, as a service, it's been somewhat marginalized in the "war on terror". Today's air force is in a flat spin, its new planes so expensive that relatively few can be purchased, its pilots increasingly diverted to "fly" Predators and Reapers - unmanned aerial vehicles - its top command eager to ward off the threat of future irrelevancy.

But even in cyberspace, irrelevancy may prove the name of the game. Judging by the results of previous US military-run computer projects, future air force "cyber-craft" may prove more than a day late and billions of dollars short.

William J Astore, a retired lieutenant colonel (USAF), has taught at the Air Force Academy and the Naval Postgraduate School. He currently teaches at the Pennsylvania College of Technology. He is the author of Hindenburg: Icon of German Militarism (Potomac, 2005). His email is

Original article posted here.

No comments: