Friday, July 17, 2009

Summer hiatus

I am taking some time off over the next month or so, enjoying the summer weather and gathering new ideas for the coming year. Therefore, posting will probably be hectic at best. Regular posting will resume in late August.

Thursday, July 16, 2009

PowerPoint them!

There is an excellent essay at Don Vandergriff's blog about a horrible cyber weapon - the PowerPoint slide. In the essay, T.X. Hammes analyzes how PowerPoint has weakened the [military] decision-making process, as well as the ability to reason and write coherently. The main argument is that previously, staff had to provide a short, concise decision paper for the leader to read, think, discuss and decide; now the leader gets a barrage of information, very little time to think and discuss, and finally has to shoot a decision from the hip. However, he also notes that PP can serve as a very useful teaching tool.

I think the essay makes a valid point.

Tuesday, July 14, 2009

On definitions

A big problem in the field of cyber is the lack of commonly agreed definitions. I think cyber war and cyber terrorism are the worst, each having numerous conflicting definitions. So, in order to clarify my own thoughts, here is my attempt to pin down the meaning of some popular phrases in the context of national security:
  • cyber attack - malicious use of information systems in order to influence the information, systems, processes, actions or decisions of the target without their consent,
  • cyber conflict - a confrontation between two or more parties, where at least one party uses cyber attacks against the other(s),
  • cyber war - a cyber conflict between state actors, where the critical information infrastructure is attacked,
  • cyber terrorism - a cyber conflict where one party is using cyber attacks to cause fear, physical damage, and/or death among the civilian population of the other party.
Note that information collection, an activity usually limited to espionage, intelligence gathering and crime, is not included in the cyber attack definition. [TO DO: better explanation of the concept]

I am sure these definitions will change as my understanding of the topic grows.

Thursday, July 9, 2009

ECIW 09 in Lisbon

I just got back from Lisbon and the 8th European Conference on Information Warfare and Security. This annual conference brings together 60-100 academics from across the world to present and discuss their research during the two-day event.

A paper that I wrote for the conference in the winter got published in the proceedings (see publications). The main idea of the paper is that there are three general ways to create an offensive capability in cyberspace:
  • establish a unit/agency for that mission ("conventional" own forces approach)
  • outsource the problem by hiring digital mercenaries, cyber criminals and the like
  • develop or hijack a volunteer force, or a cyber militia, to attack convenient targets with little or no attribution for the state.
In reality, a combination of two or three is potentially more powerful than any single approach.

While thinking about the last two approaches, I came to some interesting conclusions. First, if a government uses volunteers or mercenaries to conduct an "illegal", or at least unethical, campaign against its political enemies, then there will be a rise in (cyber) crime in the state. This happens because the government cannot alienate the "friendly" attackers by arresting them for non-political crimes (such as sending spam, stealing credit card information or DDoSing commercial sites for blackmail). This also explains why cyber criminals seem to flourish in some states that also seem to have an aggressive stance in cyberspace.

The second idea was that in the case of volunteer forces, the government would have to "exercise" these forces once or twice a year, in order to keep them "on mission". A volunteer offensive cyber militia will likely disband for more interesting pursuits if they are not called to arms for several years. This means that the state would have to provide a steady stream of external or internal "enemies" to keep the militia occupied.

Thursday, July 2, 2009

A time for a Cyber Service of the Military?

I stumbled on an article by COL Surdu and LTC Conti, which was published earlier this year in the IA Newsletter [Vol 12, No 1, 2009 - pdf]. In the article, they argue that the US needs a new military service that would handle the cyber warfare mission.

Currently, each service already has small elements dispersed in the structure, but they are not coordinated, nor are they integrated into the bigger picture. I think they bring out a good point that the US military (in fact, other militaries as well) is not fit to fight a cyber war, as its leadership, processes and culture are fundamentally incapable of understanding it.

The main problem is that the military does not place enough emphasis on technical expertise, or as they put it:
"Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare.
To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear—skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare.
Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments."
I wholeheartedly agree with their arguments, having come to a similar conclusion some time ago. Their proposal to deal with this issue is to create a new service that would be on equal status with the kinetic services. However, I am not so convinced that a transition so profound can be made in one step. Perhaps it would be better to use the USAF model and first create cyber commands (historical Army Air Corps) within the services, then integrate them, and then, maybe, raise them into a new service.

They are right, however, that the root of the problem lies with the personnel management in the military. One could say that a techie should stay in the service, become the top dog and change it from within, but that discounts the fact that techies do not get promoted to top dog. In fact, there are precious few positions near the top that have anything to do with technology. Therefore, a techie must either be a multi-talent or forget his tech aspirations and plod up the traditional leadership/management track. Meanwhile, people who have a talent for tech positions will not be promoted and more than likely get rotated to (technologically) meaningless positions... or they get out. Therefore, any step that will accommodate the requirements and skills of the tech-oriented service members, while not undermining the traditional services, is a step in the right direction.