LAS VEGAS–The United States should decide on rules for attacking other nations’ networks in advance of an actual cyberwar, which could include an international agreement not to disable banks and electrical grids, the former head of the CIA and National Security Agency said Thursday.

Michael Hayden, who was the principal deputy director of national intelligence and retired last year, said the rules of engagement for electronic battlefields are still too murky, even after the Defense Department created the U.S. Cyber Command last spring. The new organization is charged with allowing the U.S. armed forces to conduct “full-spectrum military cyberspace operations in order to enable actions in all domains,” which includes destroying electronic infrastructure as thoroughly as a B-2 bomber would level a power plant.

Even a formal cyberwar may have rules different from those applying to traditional warfare, Hayden suggested. One option would be for the larger G8 or G20 nations to declare that “cyberpenetration of any (financial) grid is so harmful to the international financial system that this is like chemical weapons: none of us should use them,” he said at the Black Hat computer security conference here.

Another option would be for those nations to declare that “outside of actual physical attacks in declared conflicts, denial of service attacks are never allowed and are absolutely forbidden and never excused,” and a consensus would “stigmatize their use,” said Hayden, who’s now a principal at the Chertoff Group. Nations “do not do it and they do not allow it to happen from their sovereign space.”

In 2008, for instance, Georgia accused Russia of launching a coordinated denial-of-service attack against Georgian Web sites, which coincided with military operations in the breakaway region of South Ossetia.

One complication is that Internet intrusions and denial-of-service attacks are notoriously difficult to trace back to their actual source; is a successful break-in the work of a national government or a 14-year-old hacker in Shanghai or Moscow? The U.S. State Department has linked China to penetrations into Google employees’ computers, but China has officially denied it.

The United States’ current cyberwar policy remains vague. Earlier this year, a congressional committee asked Lt. Gen. Keith Alexander, now the head of the NSA and Cyber Command, when he would “fire back” without consulting the host government first, whether the use of offensive force would be “pre-authorized” below the level of the president, and whether there should be “classes” of networks operated by allies that should be off-limits to infusion.

In his written response (PDF), Alexander refused to answer any of those questions publicly, saying the information was classified.

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. “A power grid is, according to traditional military thought, a legitimate target under some circumstances,” he said. “Mark 82s are kind of definitive and it’s a one-way switch–that thing’s kind of gone.” (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid’s computers and controllers all the time, it’s probably not going to be stable. “There are some networks that are so sensitive that maybe we should just hold hands and hum “Kumbaya” and agree they’re off limits,” he said. “One is power grids…You can’t just have 23 different intelligence services hacking their way through the electrical grid.”

So far, the United States government has been cagey, even reticent, about discussing offensive possibilities in actual cyberwars. Hayden suggested that this should change, saying that one option proposed by the Council on Foreign Relations would provide an example for the rest of the world by saying that “no American service would penetrate any other nation’s power grid absent a presidential finding.”

Then there’s defending against foreign cyberattacks. For the last few years, it was a little unclear about which federal agency would win this important turf battle, which carries with it billions of dollars in cash and the opportunity for bureaucratic or political advancement.

Last year, a top DHS official quit in disgust, saying that the NSA’s attempted takeover of cybersecurity functions could threaten “our democratic processes.” Earlier this month, though, the White House published a memo saying that Homeland Security “will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity” for civilian agencies. (The military’s Cyber Command will handle the defense of other federal agencies.)

“I’m told that at the new Cyber Command, 90 percent of their thinking is about attack,” Hayden said, but at least 90 percent of their actual work is spent on defense.

Hayden used the opportunity to challenge attendees of Black Hat–thousands of programmers, analysts, and security researchers–to devise ways to reshape the Internet’s security architecture.

“You guys made the cyberworld look like the north German plain–and then you bitch and moan because you get invaded,” he said. “We made it flat. We gave all advantages to the offense. The inherent geography in this domain plays to the offense. There’s almost nothing inherent in the domain that plays to the defense.”

http://news.cnet.com/military-tech/8300-13639_3-42.html?keyword=Cyber+Command

If you attended today’s still-unfolding big cybersecurity confab in Washington, sponsored by the Armed Forces Communications & Electronics Association, you heard a parade of military officers and Obama administration officials say — well, not a whole lot.

It’s hard to defend against a cyberattack… Everyone — civilian and military, public and private sector — needs to work together and pool resources and information… Incentivize cooperation… The supply chain is vulnerable… U.S. Cyber Command is developing integrated planning and operational frameworks…

And then there was Bruce Held.

Held is the Department of Energy’s intelligence chief and he said he spoke from the perspective of a longtime intel hand. His answer to the cybersecurity problem: diplomacy.

Well, sort of. For Held, it’s a probability issue. “A static cyber defense can never win against an agile cyber offense,” he told a panel this morning discussing the prevention of catastrophic cyberattacks. “You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you.” If you want to protect the nation’s electricity grid, beefing up security for it — physical security, cybersecurity, etc. — quickly becomes prohibitively expensive. “You need a protection strategy,” he said, and that means you have to change the game.

How? For starters, don’t compartmentalize cybersecurity as a job for the military’s new U.S. Cyber Command or the guardians of civilian networks at the Department of Homeland Security. Treat cybersecurity as component of a broad national defense strategy, rather than a techie-driven deviation from it. Unleash the diplomats and prepare the economic sanctions packages, in other words, if you want to prevent your servers from getting fried.

To take it a step further: it’s about making an adversarial foreign power reconsider launching an attack. “If you wish to influence my behavior, you have to impose risks and consequences on me,” Held continued. “It does not have to be perfect. You just have to impact my behavior.” Someone’s been playing Diplomacy.

Can you spot the presumptions behind Held’s contention? Sure you can. One: we’ll be able to attribute attacks to specific state actors. Well, will we? You can launch a cyber attack from proxy servers in third countries to conceal your identity. Brigadier General John Davis, the director of current operations for Cyber Command, said forthrightly during the same panel discussion that his “number-one challenge” was developing “situational awareness” of the cyberthreats that the U.S. faces.

As an intel guy, Held said he thought the “cyber people tend to make it impossible” to figure out who’s going after your networks. “You don’t need the specific computer it’s coming from. You need to know what country it’s coming from.” But what about those third-country servers?

Two: big cyberattacks are instruments of state power. Bands of hackers and cybercrooks aren’t diplomatic problems. They’re law enforcement problems. So Held at least implicitly reserved his remarks for something like a hypothetical bot attack that took out tens of millions of cellphone subscribers and then followed up with a strike on part of the nation’s electricity grid. That’s a nightmare scenario dreamed up by the Bipartisan Policy Center, an inoffensive Washington think tank earlier this year, for a kind of breathless dramatization of the threat, called Cyber Shockwave.

Something like that is unlikely to be “just a hacker,” Held said. “It’s close to a very unfriendly act. Some might say an act of cyber war.”

General Davis indicated that Cyber Command is on a similar wavelength. One of the challenges for the new command is to “wipe some of the routine threats off the radar,” he said, thereby allowing “the intelligence community to focus on the sophisticated threats.” Whoa, say what? Does that mean that the new military command co-located within the National Security Agency is going to leave the most challenging cyber-defense — and offense – tasks to the spooks?

Davis later clarified to Danger Room that he meant that the command wanted to “put the basic cyber standards in place” across users of the military’s networks (you know, the sites ending in .mil) so the command wouldn’t waste time responding to phishing efforts. “Don’t click on unknown or malicious software,” Davis said. “Basic blocking and tackling.” CYBERCOM: your military tech support. Unfortunately, I wasn’t able to draw Davis out on what he meant by leaving the intel folks to focus on the “sophisticated threats.” Cybercom remains something of a military/intelligence cipher text.

Held, though, capped his point with an analogy. “We never secured New York City from a Soviet nuclear attack,” he observed, “but we protected it very well through the use of broader national deterrent powers.” In other words: Get ready for a Cyber Cold War.

http://www.wired.com/dangerroom/2010/07/how-to-stop-cyberattacks-diplomacy-well-maybe/

The federal government is launching an expansive program dubbed “Perfect Citizen” to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program.

The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said.

Defense contractor Raytheon Corp. recently won a classified contract for the initial phase of the surveillance effort valued at up to $100 million, said a person familiar with the project.

An NSA spokeswoman said the agency had no information to provide on the program. A Raytheon spokesman declined to comment.

Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide.

“The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security,” said one internal Raytheon email, the text of which was seen by The Wall Street Journal. “Perfect Citizen is Big Brother.”

Raytheon declined to comment on this email.

A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It’s a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program. “We don’t have a dedicated way to understand the problem.”

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector, officials said, serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

The U.S. government has for more than a decade claimed a national-security interest in privately owned critical infrastructure that, if attacked, could cause significant damage to the government or the economy. Initially, it established relationships with utility companies so it could, for instance, request that a power company seal a manhole that provides access to a key power line for a government agency.

With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.

The NSA years ago began a small-scale effort to address this problem code-named April Strawberry, the military official said. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.

That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.

The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said. With that infusion of money, the NSA is now seeking to map out intrusions into critical infrastructure across the country.

Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected. NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems, they said.

Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.

Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

Raytheon, which has built up a large cyber-security practice through acquisitions in recent years, is expected to subcontract out some of the work to smaller specialty companies, according to a person familiar with the project.

http://online.wsj.com/article/SB10001424052748704545004575352983850463108.html?mod=WSJ_article_MoreIn

The arrest of 11 people on charges of espionage for the Russian government was a case of old-fashioned spy craft straight from the annals of the Cold War: dead drops, moles and communicating in code, known as steganography. Yet Russia is not alone in trying to crack U.S. secrets. China is engaged in a massive espionage effort against the United States that exceeds Russian efforts on a crucial front: Cyber espionage.

The Chinese military — namely the People’s Liberation Army — is behind many of the cyber intrusions into U.S. government and corporate computer networks as part of a broad effort to steal technological, military and political secrets. This form of espionage costs the United States hundreds of billions of dollars per year and represents a dangerous threat to U.S. national security.

In early 2010, news reports from Washington indicated that Google, along with other U.S.-based corporations, was being hacked by unnamed parties in China. A progressive political organization, Patriot Majority, asked me and a team of journalists and researchers to investigate the likeliest source of the attacks. After combing through government documents, military land technical literature we concluded the Chinese military was likely behind many cyber intrusions against the United States.

Why? In 1995, the U.S. Navy humiliated the PLA during the Taiwan Strait Crisis by a massive show of force, as not one but two aircraft carrier battle groups sailed unmolested between the mainland and Taiwan, quelling mainland threats of force. That episode underscored the PLA’s technological inferiority in case of an actual shooting war.

And it set off a rush within China’s huge but antiquated military to modernize. The military ramped up its spending to improve its technological quality in areas such as space and cyber warfare, as well as its traditional military’s precision-strike capabilities. The conception of this effort came in the form of a book in 1999 called “Unrestricted Warfare.” Written by two Chinese colonels and promoted as required reading for officers, it said, “The first rule of unrestricted warfare is that there are no rules, with nothing forbidden.”

As a result, and under orders from President Hu Jintao, the PLA reorganized to engage in cyber warfare in case of war — and to engage in cyber espionage during peace. In 2004, a PLA white paper stated that its primary goal in modernizing was “building an informationalized force and winning an informationalized war.” The military shed 200,000 troops while investing between $50 billion and $100 billion per year. The government has even conscripted entire civilian companies, in fact, and rolled them into the PLA as cyber warfare units.

One interesting focus of the PLA’s modernization efforts — and a potential source of the cyber intrusions against the United States — is a military complex on Hainan Island in the South China Sea. Hainan features a space launch complex, an underground submarine base and it is home to a large signals intelligence unit that seems to have been converted from eavesdropping on satellite transmissions to cyber missions.

Hainan has for years also been the scene of confrontations and collisions between U.S. efforts to gather intelligence and China’s efforts to safeguard its own secrets. In 2001, for instance, a U.S. Navy EP-3E Aries II spy plane collided with a Chinese fighter and landed there. And in 2009, Chinese trawlers intercepted and harassed the U.S. spy ship Impeccable approximately 75 miles from the island.

In addition, in 2009, Canadian researchers at The SecDev Group and The Munk Center concluded that a series of cyber intrusions against political and government targets around the world included many that emanated from an Internet protocol address on Hainan. “The attacker(s)’ IP addresses examined here trace back in at least several instances to Hainan Island,” researchers wrote. Later, Rafal Rhozinski, one of the report’s authors and chief executive of The SecDev Group, told the U.S-China Commission in testimony there was “a high degree of certainty that the attackers were located in Hainan Island, China.”

A commission member, Larry Wortzel, said that he has not seen confirmation of attacks originating in Hainan but there is no question about the involvement of the Chinese military in cyber espionage against the United States. “China has one of the most sophisticated and well-manned cyber operations around the world,” Wortzel said in response to questions. “And the effort is supported by what seems to be a well-thought through military doctrine consistent with China’s military structure and capabilities.”

“This is a reasonable and sensible conclusion based on decades of knowledge and work on the domestic politics of China and the workings of China’s government, the People’s Liberation Army, intelligence and security services and the Communist Party,” according to Wortzel, who recently wrote in the Federal Times that at least 43,785 reported incidents cyber intrusions were directed at the U.S. Defense Department alone in just the first half of 2009

China’s efforts to steal U.S. secrets, however, are not confined to the realm of computers. Cyber espionage is part of an unprecedented wave of espionage at large against the United States. Chinese intelligence agencies have begun to change tactics, including recruiting Americans, as well as sifting huge amounts of digital information. In the first three quarters of 2009, the U.S. Justice Department prosecuted 9 espionage cases involving spying for China and the Customs Department is investigating 540 cases of potentially illegal technology transfers to China.

Intelligence-gathering and military modernization is the normal business of governments around the world, particularly in peacetime. China’s military would not be doing its job if it wasn’t trying to steal secrets and train for conflict; the United States maintains a massive offensive cyber war capability as well and recently established a unified military command.

However, the price of China’s cyber-spying is high. By one estimate it costs at least $200 billion to the United States alone annually — a cost borne by both taxpayers and shareholders. Yet the national security cost is the highest price tag of all, particularly as the Chinese military focuses on attempting to cripple U.S. forces in case of an armed conflict.

There are plenty of warnings: The U.S.-China Commission provides a roadmap for both Congress and the administration to follow, in tracking the PLA’s cyber espionage and offensive warfare capabilities and dealing with them. Cyber espionage may not be as spell-binding as the Russian spy ring. But right now China’s cyber spying is far more damaging to U.S. national security.

http://www.vancouversun.com/technology/just+Russians+spying/3228905/story.html

The Economist has published a couple of good pieces that put the threat of Cyber war in context.

While the scope of the threat is disputed by many experts, there are enough credible examples of Internet attacks and sabotaged software to raise eyebrows.

The Economist provides this sobering assessment:

Cyber-weapons are being developed secretly, without discussion of how and when they might be used. Nobody knows their true power, so countries must prepare for the worst. Anonymity adds to the risk that mistakes, misattribution and miscalculation will lead to military escalation—with conventional weapons or cyberarms.

President Obama has outlined a plan to deal with the possibility that foreign powers, terrorists or others with nefarious designs could penetrate sensitive computer systems in the U.S.

In May of last year, I wrote a small feature for NPR looking at how experts viewed the situation. Interestingly, the ones I spoke to dismissed North Korea’s capabilities just two months before Pyongyang was blamed for a massive cyber assault on arch-nemesis South Korea.

As another piece in The Economist points out, perhaps the earliest example of this kind of warfare resulted in a massive explosion at a Siberian oil pipeline in 1982 that was witnessed by U.S. surveillance satellites.

According to former Air Force Secretary Thomas Reed, the Soviets had stolen computer control software for the pipeline from Canada but were unaware that the CIA had encoded a “logic bomb” in the programming that “after a decent interval … reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds.” Ouch.

At the time (June 1982), Reed was serving in the National Security Council. In his memoir At the Abyss: An Insider’s History of the Cold War, he described the result as the “most monumental non-nuclear explosion and fire ever seen from space.”

Reed implies that the incident, which he says resulted in “significant damage to the Soviet economy” contributed to the fall of the USSR.

“In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”

http://www.npr.org/blogs/thetwo-way/2010/07/02/128264641/another-take-on-the-cyberwar-threat

OTTAWA, June 14, 2010 – U.S. and Canadian servicemembers are working side by side in defense of North America and fighting side by side in defense of freedom in Afghanistan. Now officials want to expand that cooperation to the cyberworld.

Deputy Defense Secretary William J. Lynn III is in the Canadian capital to discuss ways the two nations – already the closest of allies – can cooperate to defend critical computer networks and cyber infrastructure.

Lynn said the cyber threat to the United States and Canada is real and growing, and affects national and economic security.

“For most of our history, we have been shielded by geography – shielded by our oceans from attack,” he said. “Those natural geographic defenses are of no use when it comes to cyber attack. The Internet can transmit malicious code in the blink of an eye.”

And intrusions are growing more frequent. More than 100 foreign intelligence organizations are trying to hack into various aspects of the U.S. information technology infrastructure, Lynn said.

“Foreign militaries are developing offensive cyber capabilities, and some governments have the capacity to disrupt elements of the U.S. information grid,” he said.

Lynn stressed that cyber attacks are not just military threats, but threats to the critical infrastructure and economic well-being.

“A shared approach, an alliance approach to cybersecurity is critical,” he said.

The speed of attacks – measured in milliseconds – will require quick decisions and even quicker responses, the deputy secretary noted.

“To have the highest levels of protection, you want the widest set of allies so you understand and anticipate the broadest set of threats,” he said. “In the cyber arena, knowing who your adversary is, and what they’ve done, is a key part of mounting an effective response.”

Yet determining where an attack originates is tough. The U.S.-Canadian cooperation during the Cold War is a model for how to move forward, Lynn said.

“It is always best when searching for markers of intrusions and attacks to cast the widest net possible,” he said.“International cooperation is imperative for establishing the chain of events for an intrusion, and for quickly and decisively responding. The reality is that we cannot defend our networks by ourselves. We need a shared defense.”

And that defense must include moré than just military networks, Lynn noted. “We need to develop a shared cyber doctrine that allows us to work fluidly with each other and with our other allies,” he said.

The secretary also discussed challenges facing both nations in the 21st century during a speech to the Conference of Defence Associations Institute.

The U.S.-Canadian alliance has changed since the end of the Cold War, Lynn said. The alliance works together on maritime surveillance and infrastructure protection. The United States worked with Canada on security for the Vancouver Olympics and in providing relief to Haiti.

“Our enduring collaboration has risen to meet challenges that frankly our predecessors could not have foreseen,” he said.

The secretary particularly praised the role of Canadian servicemembers in Regional Command South in Afghanistan.

“Your soldiers are on the front lines in the south where we face some of the most severe threats,” he said. “They are in a campaign to restore governance to regions where the Taliban has long held sway.”

Canada has paid a high price, with 147 Canadian servicemembers killed in Afghanistan.

“I want to say on behalf of the president and the American people that we recognize and honor the sacrifice and commitment that the Canadian people and armed forces have made to the fight,” he said.

The deputy secretary said the last decade has led both Canada and the United States to a new understanding of what threats they face, and what must be done to combat them.

“Seen from a broader perspective, the conflict in Afghanistan reflects important changes that are under way in the nature of warfare,” he said. “These changes have important implications for our defense planning.”

The first and most prominent change in the nature of warfare has to do with lethality, Lynn said. In the past, the more sophisticated an adversary, the more lethal the threat. The Soviets had nuclear weapons and sophisticated conventional capabilities. Rogue states, terrorists and insurgents did not.

But this has changed. “Terrorist organizations and rogue states seek weapons of mass destruction,” he said. “Insurgents are armed with improvised explosive devices that are capable of penetrating even the most advanced armored vehicles. We even see criminal organizations that possess world-class cyber capabilities.”

To combat this, the military force must become more agile, and more capable through the spectrum of conflict.

“We need to be as proficient at waging a counterinsurgency campaign as we are at waging high-end conventional campaigns,” the deputy secretary said.

The duration of conflicts also has changed. U.S. military planning has been based on fighting two near-simultaneous wars.

“Planners anticipated that these conflicts could be quite intense, but they also anticipated that they would be rather short,” he said. “This construct no longer fits our reality.”

In the two current wars, it was not the intensity of the initial combat phase that was most challenging, it’s the length of time the United States has been involved.

“These wars have now lasted longer than the United States’ participation in World War I and World War II combined,” Lynn said.

Repeated deployments exact a high cost on troops and their families. The United States has added numbers to the Army and Marine Corps and is halting reductions in the Navy and Air Force. And defense planners also are giving the possible duration of conflicts more attention, Lynn said.

The third change in the global security environment is the move toward foes using asymmetric warfare. The conventional dominance that NATO enjoys “has led potential adversaries to seek asymmetric tactics, to seek out vulnerabilities in our conventional forces rather than face those forces head-to-head,” he said.

They use IEDs and guerilla tactics, or they launch cyber attacks to disrupt global command and control, logistics and transport. Some countries also are investing in anti-access weapons such as surface-to-surface missiles, cyber capabilities and anti-satellite technologies to force the United States and its allies away from the battlefield.

“We have irrevocably entered an era of new threats,” the deputy secretary said. “But we have done so together, each committed to the collective defense, and each sure that whatever the future brings, we will face it standing shoulder-to-shoulder.”

http://www.defense.gov/News/NewsArticle.aspx?ID=59628

During last year’s election turmoil in Tehran, the Iranian regime’s biggest foe often seemed to be 21st-century technology. While the regime cracked down on supporters of opposition candidate Mir Hossein Mousavi — the so-called Green Movement — with decidedly pre-Web 2.0 tools like truncheons and tear gas, protesters used Twitter, YouTube, and other Web-based applications to publicize their cause, and the regime’s brutal response, to the rest of the world.

A year later, however, Iranian dissidents’ techno-euphoria is mostly a thing of the past. The regime’s Islamic Revolutionary Guard Corps (IRGC) declared victory over the opposition this February, after the Green Movement’s call for massive demonstrations to mark the 31st anniversary of the Islamic Revolution were effectively blocked by the regime’s nationwide shutdown of both Internet and cell-phone access. The Greens, deprived of communications in a society where mass media are under complete state control, suffered a lackluster turnout, prompting some Iran watchers in Washington to (prematurely) declare the movement dead.

That period of triumph, however, seems to be a distant memory for Iran’s hard-line leadership. Today, the IRGC and Supreme Leader Ali Khamenei are obsessed with a more formidable foe in cyberspace: the U.S. government. The United States, the regime avers, is engaging in a cyberwar to loosen its own hold on power. Nearly every day, the state-run newspapers warn of Washington’s well-planned strategy to overcome the Iranian regime’s control of the Internet. “The U.S. military enters the arena of cyber wars in an organized manner,” read a large headline carried by the Fars news agency on May 10. Kayhan newspaper, which distributes Khamenei’s views, has accused the U.S. government of using Iran’s Internet-savvy youth to launch a cyberspace “soft war” against the regime. “The target of this new American plan are the youth who use the Internet more frequently than older people and are easier to deceive,” the paper reported.

The attacks sometimes verge on the obsessive. On April 20, Kayhan devoted an entire column to condemning Haystack, a program that uses sophisticated mathematical algorithms to allow users to circumvent government Internet filters and cover the tracks of their online activities. The paper called the program “a CIA plan.” (Actually, it was these guys.) Kayhan also responded immediately to news of a conference in Washington convened by the Century Foundation (my employer) and the National Security Network on communications technology and dissent in Iran, declaring the event to be proof that the “CIA was stepping up its efforts for Internet freedom” in Iran and tarring its participants — including me — as American spies. Iranian authorities have warned that the “enemy” is gearing up in its Internet war to help protesters fight Iran’s security forces this Saturday; the Green Movement’s de facto leaders had suggested large protests that day, but released a statement today saying it was too dangerous to demonstrate on the the first anniversary of the disputed presidential election.

Why all the concern with an alleged U.S. government plot to overthrow the regime through cyberspace? Well, for one thing, the United States actually is mounting a number of efforts to liberate Iran’s virtual society, even if those efforts don’t quite amount to the fiendish plot of the regime’s imagination. Secretary of State Hillary Clinton gave a major policy speech on Jan. 21, announcing a new Internet freedom initiative, in which she singled out Iran and China as the countries of most concern to Washington. “[D]espite an intense campaign of government intimidation, brave citizen journalists in Iran continue using technology to show the world and their fellow citizens what is happening inside their country,” Clinton said. “And their courage is redefining how technology is used to spread truth and expose injustice.”

Iran is also aware of a little-known U.S. government fund established last year, called the Near East Regional Democracy Program (NERD), which is intended to fund technology initiatives to promote Internet freedom. President Barack Obama has requested $40 million from Congress for it, and the program enjoys broad bipartisan support. While the funds are not restricted to Iran, there is a movement in Congress to allocate the money specifically for the Islamic Republic. In Iran’s eyes, NERD is reminiscent of the notorious $75 million pot of money that former President George W. Bush earmarked for regime change in Iran.

The program is still far from getting off the ground, however — the U.S. government has yet to sort out how it would actually use the money if it received it, much less coordinate with the software companies that would be necessary partners in the endeavor. This delay matters: Anticipating a U.S.-led cyberspace attack, the IRGC is likely to deploy its most advanced technology to shut down Internet access, email, and cell-phone traffic ahead of the anniversary of the presidential election and the expected protests that will accompany it. So far, Washington has shown that it is acutely aware of the communications and other technological difficulties facing Iranian dissidents, but there is no sign that it has come up with a concrete response plan. If the opposition is waiting for U.S. help, it might be slow in coming.

http://www.foreignpolicy.com/articles/2010/06/10/tehrans_lost_connection

A new U.S. Senate bill would grant the president far-reaching emergency powers to seize control of or even shut down portions of the Internet.

The legislation announced Thursday says that companies such as broadband providers, search engines, or software firms that the government selects “shall immediately comply with any emergency measure or action developed” by the Department of Homeland Security. Anyone failing to comply would be fined.

That emergency authority would allow the federal government to “preserve those networks and assets and our country and protect our people,” Joe Lieberman, the primary sponsor of the measure and the chairman of the Homeland Security committee, told reporters on Thursday. Lieberman is an independent senator from Connecticut who caucuses with the Democrats.

Because there are few limits on the president’s emergency power, which can be renewed indefinitely, the densely worded 197-page bill (PDF) is likely to encounter stiff opposition.

TechAmerica, probably the largest U.S. technology lobby group, said it was concerned about “unintended consequences that would result from the legislation’s regulatory approach” and “the potential for absolute power.” And the Center for Democracy and Technology publicly worried that the Lieberman bill’s emergency powers “include authority to shut down or limit Internet traffic on private systems.”

The idea of an Internet “kill switch” that the president could flip is not new. A draft Senate proposal that CNET obtained in August allowed the White House to “declare a cybersecurity emergency,” and another from Sens. Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to “order the disconnection” of certain networks or Web sites.

On Thursday, both senators lauded Lieberman’s bill, which is formally titled the Protecting Cyberspace as a National Asset Act, or PCNAA. Rockefeller said “I commend” the drafters of the PCNAA. Collins went further, signing up at a co-sponsor and saying at a press conference that “we cannot afford to wait for a cyber 9/11 before our government realizes the importance of protecting our cyber resources.”

Under PCNAA, the federal government’s power to force private companies to comply with emergency decrees would become unusually broad. Any company on a list created by Homeland Security that also “relies on” the Internet, the telephone system, or any other component of the U.S. “information infrastructure” would be subject to command by a new National Center for Cybersecurity and Communications (NCCC) that would be created inside Homeland Security.

The only obvious limitation on the NCCC’s emergency power is one paragraph in the Lieberman bill that appears to have grown out of the Bush-era flap over warrantless wiretapping. That limitation says that the NCCC cannot order broadband providers or other companies to “conduct surveillance” of Americans unless it’s otherwise legally authorized.

Lieberman said Thursday that enactment of his bill needed to be a top congressional priority. “For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets,” he said. “Our economic security, national security and public safety are now all at risk from new kinds of enemies–cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”

A new cybersecurity bureaucracy

Lieberman’s proposal would form a powerful and extensive new Homeland Security bureaucracy around the NCCC, including “no less” than two deputy directors, and liaison officers to the Defense Department, Justice Department, Commerce Department, and the Director of National Intelligence. (How much the NCCC director’s duties would overlap with those of the existing assistant secretary for infrastructure protection is not clear.)

The NCCC also would be granted the power to monitor the “security status” of private sector Web sites, broadband providers, and other Internet components. Lieberman’s legislation requires the NCCC to provide “situational awareness of the security status” of the portions of the Internet that are inside the United States — and also those portions in other countries that, if disrupted, could cause significant harm.

Selected private companies would be required to participate in “information sharing” with the Feds. They must “certify in writing to the director” of the NCCC whether they have “developed and implemented” federally approved security measures, which could be anything from encryption to physical security mechanisms, or programming techniques that have been “approved by the director.” The NCCC director can “issue an order” in cases of noncompliance.

The prospect of a vast new cybersecurity bureaucracy with power to command the private sector worries some privacy advocates. “This is a plan for an auto-immune reaction,” says Jim Harper, director of information studies at the libertarian Cato Institute. “When something goes wrong, the government will attack our infrastructure and make society weaker.”

To sweeten the deal for industry groups, Lieberman has included a tantalizing offer absent from earlier drafts: immunity from civil lawsuits. If a software company’s programming error costs customers billions, or a broadband provider intentionally cuts off its customers in response to a federal command, neither would be liable.

If there’s an “incident related to a cyber vulnerability” after the president has declared an emergency and the affected company has followed federal standards, plaintiffs’ lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear, but the U.S. Treasury will even pick up the private company’s tab.

Another sweetener: A new White House office would be charged with forcing federal agencies to take cybersecurity more seriously, with the power to jeopardize their budgets if they fail to comply. The likely effect would be to increase government agencies’ demand for security products.

Tom Gann, McAfee’s vice president for government relations, stopped short of criticizing the Lieberman bill, calling it a “very important piece of legislation.”

McAfee is paying attention to “a number of provisions of the bill that could use work,” Gann said, and “we’ve certainly put some focus on the emergency provisions.”

Last updated at 9:14 p.m. PT.

http://news.cnet.com/8301-13578_3-20007418-38.html

Security experts said this week that they were cheered by calls from General Keith Alexander, head of the new U.S. Cyber Command, for global rules of engagement for cyber-war, and for increased engagement with nations that are major sources of cyber crime and espionage, including Russia and China.

Following through on these calls will be crucial to securing cyberspace, says Ronald Deibert, who directs the Citizen Lab Internet think-tank at the University of Toronto. “There is a major imperative for governments to negotiate the ‘rules of the road’ for engagement in this domain, or risk increasing chaos and mutual insecurity,” he says.

Alexander, director of the National Security Agency, was confirmed to his additional post on May 7. The command merges existing military cyber operations, and would defend against–and potentially launch–cyber attacks in times of war. “Their primary function is military, and he made it sound mainly defensive: it’s to give the combatant commanders an edge in cyberspace,” says James Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS) who directs its technology and public policy program.

But the role will be more expansive than that, as Alexander made clear in his June 3 talk at CSIS, his first public appearance since his confirmation. The Cyber Command will also support military and counterterrorism missions, work with the Department of Homeland Security to help protect government and private networks and–if his speech was any indication–serve as a means to advance global cyber accords. (Highlights and a full transcript can be found here.)

Alexander called for global agreements to crack down on espionage such as the China-based attacks that hit Google earlier this year. “It’s going to take all take all of the countries together to fix that,” Alexander said, referring to the lack of incentives for nations and corporations to refrain from cyber espionage. “And when all countries can come up and agree: ‘This is going to be the way we’re going to operate and the way we’re going to defend and the way we’re going to do this,’ and we all agree to it, that will go a long way.”

He also suggested that the U.S. might follow up with Russia’s proposal for a cyber arms control treaty–an idea Russia advanced after declining to join a global cyber-crime accord sought by the United States and many European nations. “I do think that we have to establish the rules and I think what Russia’s put forward is, perhaps, the starting point for international debate–not at my level, but at levels above me.”

In 2007, when Estonia was hit by extensive cyber attacks directed largely from Russia, the Russian government blamed “patriotic Russians” and denied involvement. Lewis says that the U.S., if it were to join any such agreement, would want Russia and other countries to take responsibility for attacks launched from their soil. “If pirate ships were to set sail from Leningrad, we wouldn’t let them get away with that,” he said.

He also suggested that the U.S. might follow up with Russia’s proposal for a cyber arms control treaty–an idea Russia advanced after declining to join a global cyber-crime accord sought by the United States and many European nations. “I do think that we have to establish the rules and I think what Russia’s put forward is, perhaps, the starting point for international debate–not at my level, but at levels above me.”

In 2007, when Estonia was hit by extensive cyber attacks directed largely from Russia, the Russian government blamed “patriotic Russians” and denied involvement. Lewis says that the U.S., if it were to join any such agreement, would want Russia and other countries to take responsibility for attacks launched from their soil. “If pirate ships were to set sail from Leningrad, we wouldn’t let them get away with that,” he said.

He also suggested that the U.S. might follow up with Russia’s proposal for a cyber arms control treaty–an idea Russia advanced after declining to join a global cyber-crime accord sought by the United States and many European nations. “I do think that we have to establish the rules and I think what Russia’s put forward is, perhaps, the starting point for international debate–not at my level, but at levels above me.”

In 2007, when Estonia was hit by extensive cyber attacks directed largely from Russia, the Russian government blamed “patriotic Russians” and denied involvement. Lewis says that the U.S., if it were to join any such agreement, would want Russia and other countries to take responsibility for attacks launched from their soil. “If pirate ships were to set sail from Leningrad, we wouldn’t let them get away with that,” he said.

Leningrad, of course, is now known as St. Petersburg, a city that is a major center of cyber crime. Lewis adds that the U.S. is accelerating its shift away from Bush-era unilateralism. “For a long time the U.S. focused on unilateral action and no engagement and cooperation, and we appear to have realized that doesn’t work in a global network.”

Last month, a leading Russian cyber official, Vladimir Sherstyuk, who directs the Institute of Information Security Issues at Moscow State University and sits on the nation’s National Security Council, told Technology Review that Russia was willing to work with the United States. Efforts to reach Sherstyuk this week were unsuccessful.

Alexander also outlined the extreme difficulty of gaining “situational awareness” in cyberspace, especially with regard to espionage. “There are many takeaways [from Alexander's talk] but a major one is that they have insufficient ability to understand what is transpiring on networks quickly,” said John Mallery, a researcher at MIT’s Computer Science and Artificial Intelligence Lab. “Advanced cyber threats, like those posed by the Russians or Chinese, are hard to detect. Their exploits are professional and supported by large skilled intelligence bureaucracies.” Defending against such threats may require more access to private networks to detect subtle and sophisticated attack patterns, he added.

Deibert says one major question now is how to preserve privacy amid such efforts. “The key questions, as always, will concern the substance of those negotiations: will we see a charter for global cyberspace that protects and preserves this domain as an open, global commons of information? Or will we see the further imposition of digital controls, nationalized communications spaces, and widespread surveillance?”

In April, Alexander reassured Congress that he would work to protect civil liberties even as he sought to gain a clearer picture of cyberspace. Elaborating, on June 3, he explained that the new command will operate under the same umbrella as the NSA, meaning it would consult with Congress, the Department of Justice, and would seek approval from the Foreign Intelligence Surveillance Court–which oversees surveillance on foreign agents inside the United States–to ensure the constitutionality of its actions.

In terms of waging actual cyber warfare, Alexander also said the new command is reviewing how it will handle different situations–such as a direct attack on the United States, one passing through a third country, or a case of espionage that resembles an attack. In general, Alexander said, he is reviewing the complex nuances of the rules of engagement. “Do those comport with the laws, the responsibilities that we have? Can we clearly articulate those so that people know and expect what will happen? And I think we have to look at it in two different venues, what we’re doing here in peacetime and what we need to do in wartime to support those units that are in combat,” he explained.

http://www.technologyreview.com/web/25526/page2/

The chief of the Pentagon’s new cyber-security command on Thursday endorsed talks with Russia over a proposal to limit military attacks in cyberspace, representing a significant shift in U.S. policy.

The U.S. has for years objected to Russian proposals to establish a kind of arms-control treaty for cyber weapons, arguing that international cooperation should first focus on reducing cyber crime. Russia has been working to marshal support for a United Nations treaty to limit the use of cyber weapons, such as software code that could destroy an enemy’s computer systems.

“What Russia’s put forward is, perhaps, the starting point for international debate,” Gen. Keith Alexander said Thursday at the Center for Strategic and International Studies, a Washington think tank. “It’s something that we should, and probably will, carefully consider.”

In the past, the U.S. has also frowned on Russian proposals because a treaty wouldn’t necessarily prohibit countries from using third parties to conduct cyber warfare. Cyber-security specialists say Russia and China rely on proxy groups to conduct attacks on enemies, as Russia allegedly did in 2008 against Georgia. China and Russia deny such accusations.

The Obama administration has begun to reconsider its position on the issue as it emphasizes engagement with U.S. adversaries across a range of national-security issues.

Administration officials have made low-level overtures to Russian officials in the last couple of months, according to people familiar with the matter. Russian officials also visited the U.S. late last year to meet with State Department, Homeland Security and law-enforcement officials to discuss cyber-security matters.

Gen. Alexander’s remarks were the first public comments from a U.S. official indicating a new openness to negotiations. “We do have to establish the lanes of the road” for what governments can and can’t do in cyberspace, he said. The administration should take the Russian proposal and use it to develop a counterproposal, he added.

“It shows a major shift in administration thinking and could be interpreted as an overture” to the Russians, said James Lewis, who directed an influential cyber-security report for CSIS.

Gen. Alexander’s comments could help tamp down concerns many foreign governments have privately expressed regarding the intentions of the Pentagon’s new Cyber Command, Mr. Lewis said. Some fear it will be a mechanism for the U.S. to dominate cyberspace. The U.S. has said the Cyber Command is primarily focused on protecting military networks and conducting military operations in cyberspace.

Gen. Alexander, who also serves as director of the National Security Agency, sought to allay similar concerns about the Cyber Command’s impact on domestic privacy.

Cyber Command, if asked, would provide “support” to the Department of Homeland Security to protect networks running the government or key infrastructure, he said. The military also has a strong interest in ensuring the security of some private networks, such as power, because 90% of the military’s power is provided by the private sector, he said.

Privacy concerns “are valid,” he said, but the public shouldn’t be worried about NSA working closely with Cyber Command because NSA officials are trained to follow “robust and rigorous procedures” to protect Americans’ privacy.

He acknowledged the need to earn public confidence, noting that he has four daughters who are heavy Internet users, and he wants to protect their privacy, too. “The real key to the issue is: How do we build the confidence that we’re doing it right with the American people, Congress and everyone else?” he said. “That’s going to be the hard part.”

The government too has to work hard to protect its cyber secrets. The government was spurred to improve protections for its military networks, Gen. Alexander said, after a series of breaches of classified systems in 2008. In comments after his speech, he also acknowledged for the first time publicly, that the military’s Joint Strike Fighter weapons program had been infiltrated and data had been stolen. The Wall Street Journal reported that breach last year.

http://online.wsj.com/article/SB10001424052748703340904575284964215965730.html?mod=WSJ_Tech_LEFTTopNews