Thursday, August 21, 2014

Air Force Leaders Should Read This Book

I just finished reading The Icarus Syndrome: The Role of Air Power Theory in the Evolution and Fate of the U.S. Air Force by Carl Builder. He published this book in 1994 and I wish I had read it 20 years ago as a new Air Force second lieutenant. Builder makes many interesting points in the book, but in this brief post I'd like to emphasize one of his concluding points: the importance of a mission statement.

Builder offers the following when critiquing the Air Force's mission statement, or lack thereof, around the time of his study:

[Previous] Air Force of Staff, General John P. McConnell, reportedly endorsed the now-familiar slogan

     The mission of the Air Force is to fly and fight. 

Sometime later, the next Chief, General John D. Ryan, took pains to put it more gruffly:

     The job of the Air Force is to fly and to fight, and don't you ever forget it. (p 266)

I remember hearing "Fly, Fight, Win" in the 1990s as well.

Builder correctly criticizes these mission statements on multiple grounds, none more compelling than this: how are non-flyers supposed to interpret this statement? It's simply a reminder and reinforcement of the second-class status of non-flyers in the Air Force. Furthermore, Builder more or less also notes that "fight" is often eclipsed but non-combat missions, such as airlift or humanitarian relief. Finally, Builder doesn't ask the question explicitly, but how does one define "winning"? Would wars in Iraq or Afghanistan be a "win"? That's a demoralizing way to think in my opinion.

Builder offers a wonkish, but conceptually more useful, mission statement on p 284:

The mission of the Air Force is the military control and exploitation of the aerospace continuum in support of the national interests.

The author immediately notes that one Air Force officer criticized Builder's mission statement as too "academic," but I think this particular policy wonk is on target.

Curious as to what the current Air Force mission statement says, I checked the Our Mission page and read at the top:

The mission of the United States Air Force is to fly, fight and win … in air, space and cyberspace.

Wow. That's even worse than before. Not only does it still insult non-flyers, but now the mission involves "flying" in "cyberspace."

I strongly suggest Air Force leaders read Builder's book. It's as relevant today as it was 20 years ago.

Sunday, June 01, 2014

On the Twenty Years Since My USAFA Graduation

Twenty years ago today, on 1 June 1994, 1024 of us graduated from the United States Air Force Academy, commissioned as brand new second lieutenants. As of September 2012, over 600 members of the class of 1994 were still in uniform. I expect that number is roughly the same today. Reaching the 20 year mark entitles my classmates still in uniform to retire with lifetime benefits, should they choose to do so. I expect some will, but based on patterns from earlier classes I do not expect a massive exodus. The economy is still in rough shape, and transitioning from the military to the private sector after a lifetime in uniform is a jarring experience.

I remember 1994 being a fairly optimistic year, but the personnel situation was precarious for those who wanted to fly. After graduation we found ourselves in the middle of a drawdown, with no undergraduate pilot training (UPT) slots available. One jody (marching song) of the time went as follows:

Oh there are no fighter pilots in the Air Force...(repeat)
Because there is no UPT for 94 or 93
Oh there are no fighter pilots in the Air Force...

I stayed in the Air Force until early 2001, at which point I brought my military intelligence and computer network defense skills to the private sector. I've stayed in the private world since then.

I do not regret my time in uniform, from 1990 to 2001, although I would not repeat the time I spent at the Air Force Academy. Many people are surprised to hear me say that. Upon reflection I believe those four years consisted of a mental, physical, and spiritual endurance test, and I wonder if I could have found a better match for my personality and interests elsewhere.

From an academic perspective, I made the most of my "free" education, graduating 3rd in my class with degrees in history and political science, and minors in French and German. From a leadership perspective I enjoyed my roles as an element leader during my junior year and as a flight commander my senior year. I also met some of the finest young people this nation could have produced, as well as some of the most dedicated professors I've ever known.

After 20 years of consideration, however, I've begun to realize that I endured that four year experience because I thought others expected it of me. I didn't do it for myself, and coincidentally the message the Air Force ingrained into me -- "Service Before Self" -- did nothing to balance my younger personality. In my 40s, I've managed to realize that it's ok to determine and pursue personal interests, but I wish I had figured that out in my late teens.

In a matter of weeks the class of 2018 will report for basic training. Would I tell them to go home? Of course not. My hope is that they are there because they believe their personal goals match the needs of the service. I do not believe they should be there only because they expect their country needs them. The Air Force and the nation needs the best this country can provide, but they should not expect those who serve to do so at the expense of their souls.

This fall is my 20 year reunion, and I plan to attend the event with my family. I hope to see some of my former classmates there, likely with their families. My wife and I attended the 10 year reunion in 2004, and it was a powerful and memorable experience. Today though, I would like to thank all of the class of 1994, especially those still in uniform, for their service. I also extend my best wishes to the brave men and women of the inbound class of 2018. You can do it, but do it only if you really want to be there.

Fly, fight, win!

Wednesday, May 14, 2014

Video of Bejtlich at Cyber Crime Conference 2014

On Tuesday the 29th of April I delivered a keynote at the US Cyber Crime Conference in Leesburg, VA.

The video is online although getting to it is more complicated than clicking on a link to YouTube.

Here's what I did to access the video.

First, visit this link for a "SabreCity" account. Fill in your "information" and click Register.

You will then see a rude message saying "Registration for this conference is now closed."

That's no problem. From the same browser now visit this link to go to the SabreCity "lobby."

Click the "On Demand" button on the right side of the screen. Now you can access all of the videos from the conference.

Mine is called "State of the Hack: 2014 M-Trends - Beyond the Breach." Click the green arrow to the left of the title to start the video.

You may be interested in several of the other interesting speakers listed as well. Thank you to Jim Christy and his team for organizing the conference, inviting me to speak, and for providing these videos for free online.

Update: You might want to know what I discuss. For the first part of the talk I summarize three key findings from the 2014 M-Trends Report. In the second part I discuss strategic security using a Civil War example then turn to a network security monitoring example. In the final minutes I answer audience questions.

Saturday, May 03, 2014

Brainwashed by The Cult of the Quick

Faster is better! Those of us with military backgrounds learned that speed is a "weapon" unto itself, a factor which is "inherently decisive" in military conflict. The benefit of speed was so ingrained into my Air Force training that I didn't recognize I had been brainwashed by what Dr. Thomas Hughes rightly identified as The Cult of the Quick.

Dr. Hughes published his article of this title in the Winter 2001 issue of the Aerospace Power Journal. His main point is the following:

At a time when the American military has global commitments arrayed at variable threats, both real and potential, the Pentagon’s single-minded view of speed leaves the nation’s defenders poorly prepared for the range of military opposition and enemies they may face.

Although Dr. Hughes wrote his article in 2001, his prescription is as accurate as ever. I found his integration of Edward Luttwak's point very telling:

In the 1990s, the quest for swift war, replete with exit strategies and premature cease-fires, has led to less, not more, decisive war, as Edward Luttwak argues. For him, wars nowadays rarely “run their natural course” to “burn themselves out and establish the preconditions for a lasting settlement.” Instead, they “become endemic conflicts that never end because the transformative effects of both decisive victory and exhaustion are blocked.” The present struggle against terrorism may well prove an acid test for Luttwak’s point.

These points resonated with me because they reflected what I am learning about the US Civil War. Scott, Grant and Lincoln knew that a quick, early strike against Richmond, whereby the Union seized the capital of the Confederacy, would not decisively end the Civil War and bring the rebels back to the Union. Sad as it may seem, the rebels had to believe that there was no further point in fighting the war. If Richmond had fallen in 1861, only months after the attack on Fort Sumter, it's likely the Confederacy would have transferred their capital and kept fighting. Following the advice of the "cult of the quick" would have been a poor strategy during the Civil War. (That doesn't necessarily justify fighting a four year conflict, but I believe a strategy of quickly capturing Richmond to the exclusion of other objectives would have resulted in Civil War 2, and so on, similar to World War II.)

On the cyber side, the article reminded me of an area where speed is often paramount: detection and response. However, I remembered that my guidance on "fast" containment has always integrated one exception, as I noted on page 199 of my newest book, The Practice of Network Security Monitoring:

The speed with which a CIRT and constituent take containment actions is the subject of hot debate in the security world. Some argue for fast containment in order to limit risk; others argue for slower containment, providing more time to learn about an adversary. The best answer is to contain incidents as quickly as possible, as long as the CIRT can scope the incident to the best of its capability.

Scoping the incident means understanding the intruder’s reach. Is he limited to interacting with only the one computer identified thus far? Does he control more computers, or even the entire network by virtue of exploitation of the Active Directory domain controllers?

The speed with which a CIRT can make the containment decision is one of the primary ways to measure its maturity. If the CIRT regularly learns of the presence of advanced (or even routine) threats via notification by external parties, then rapid containment is less likely to be effective. A CIRT that cannot find intrusions within its own environment is not likely to be able to rapidly scope an incident. “Pulling the plug” on the first identified victim will probably leave dozens, hundreds, or thousands of other victims online and available to the adversary.

On the other hand, if the CIRT develops its own threat intelligence, maintains pervasive visibility, and quickly finds intruders on its own, it is more likely to be able to scope an incident in a minimum amount of time. CIRTs with that sort of capability should establish the intruder’s reach as rapidly as possible, and then just as quickly contain the victim(s) to limit the adversary’s options. (emphasis added)

I highly recommend reading The Cult of the Quick. You may find you have also been brainwashed!

Gunfight picture credits: Popular Mechanics

Thursday, April 24, 2014

Five Thoughts on New China Article

I just read a thoughtful article by Michael O'Hanlon and James Steinberg, posted at Brookings and Foreign Policy titled Don't Be a Menace to South (China Sea).

It addresses thorny questions regarding China as President Obama visits South Korea, Japan, Malaysia, and the Philippines.

I wanted to share five quick thoughts on the article, fully appreciating I don't have all the answers to this complex strategic problem.

1. "Many in China see the U.S. rebalance as ill-disguised containment, while many in the United States see Chinese military modernization and territorial assertiveness as strong indications that Beijing seeks to undermine Washington's alliances and drive the United States from the Western Pacific."

I agree with these statements as being perceptions by both sides, but I also think they are closer to the truth than what the authors believe. I recommend Dr Ashley Tellis' monograph Balancing Without Containment: An American Strategy for Managing China as the best strategy I've seen for handling this aspect of the problem.

2. "Compounding this challenge, the long-term intentions of both sides are inherently unknowable. The inclination in the face of such uncertainty is to prepare for the worst -- which all too frequently becomes a self-fulfilling prophecy."

I disagree that long-term intentions are inherently unknowable. Building on the first point, the Chinese want to project regional power without US interference, and the US wants to maintain the ability to protect power globally. That means the two sides will be in conflict in the South China Sea and other regional Chinese waters.

3. "That does not mean Washington must immediately unsheathe the sword if tensions escalate over China's actions near the Senkakus or disputed islands in the South China Sea, but it must make clear that it is prepared to impose significant costs if red lines are crossed -- which is why the response to Russia's actions in Ukraine is so salient to the situation in East Asia."

I believe many commentators and policymakers cringe at the term "red lines" when applied to the current administration. The President's use of the term with respect to Syrian weapons of mass destruction has weakened his position. Perhaps more importantly, just what are the "red lines" in the South China Sea? The authors recommend meeting alliance commitments, but what does that mean?

4. "U.S. allies in Asia worry that China's ability to impose economic costs against the United States might deter Washington from acting -- a concern exacerbated by U.S. and European caution in imposing costs on Russia. The late March expansion of sanctions against Russia should help reassure U.S. allies of Washington's willingness to accept the risks of economic retaliation in order to impose costs on those who cross red lines."

There are few similarities between the US-Russia and US-China economic relationships. The risks of economic retaliation from Russia are far smaller than those that could be applied by China. US allies should worry about China's ability to impose economic costs against the US, but that is tempered somewhat by the effects those sanctions could have against China itself.

5. "The United States and its allies also have an interest in reassuring China that if Beijing acts responsibly, they will not seek to thwart its future prosperity and security... These might include "Open Skies" reconnaissance agreements, where both sides allow territorial overflights to reduce concerns about concealment...

Just as important as formal agreements is the willingness of both sides to exercise restraint in defensive actions that might appear threatening; to enhance transparency to dispel misunderstandings; and to reciprocate positive actions to stimulate a virtuous circle of enhanced confidence. This might mean Chinese willingness to slow the rate of its military buildup rather than race for parity." (emphasis added)

What does "act responsibly" mean? In US eyes, it probably means the Chinese allow the US to project power globally, including in the South China Sea. As I mentioned above, the Chinese don't want this to be the case in the medium and long term.

"Open skies" agreements and "enhanced transparency" are non-starters for China, just as they were non-starters for the Soviet Union in the 1950s. Strategic theory explains why. China is militarily weaker than the United States. They fear that the more the US learns about Chinese capabilities, the more accurately and effectively the US will be able to target and neutralize those capabilities. The Chinese follow this approach with nuclear weapons and cyber weapons, as we saw with the latter recently (see Adam Segal's What Briefing Chinese Officials On Cyber Really Accomplishes.)

I see few situations where China would slow its military buildup, with the exception of nuclear weapons. With nuclear weapons, the important feature is a first-strike-survivable retaliation capability. The Chinese don't need to match the US warhead-for-warhead if the US knows we can't get away with a first strike against China. (To learn more about this dynamic, see Strategic Stability: Contending Interpretations.)

On the conventional side, the Chinese are more likely to try to outbuild the US, because they still lack a qualitative advantage compared to US forces. Given declining US budgets, the Chinese should be able to out-spend and out-build the US Navy and Air Force, the two most critical services for a future US-China conflict.

Overall, this is a very tough problem, but I recommend reading the piece by Dr Tellis for the best answer I've read concerning strategic approaches to the US-China issue in the South China Sea.

Thursday, March 20, 2014

Are Nation States Responsible for Evil Traffic Leaving Their Networks?

During recent talks to various audiences, I've mentioned discussions within the United Nations. One point from these discussions involved certain nation states agreeing to modes of behavior in cyber space. I found the document containing these recent statements: A/68/98, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (pdf). This document is hosted within the United Nations Office for Disarmament Affairs, in the developments in the field of information and telecommunications section.

Fifteen countries were involved in producing this document: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland and the United States of America.

Within the section titled "Recommendations on norms, rules and principles of responsible behaviour by States," I found the following noteworthy:

19. International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment...

23. States must meet their international obligations regarding internationally wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs.

The first statement is important because it "imports" a large body of external law and agreements into the cyber field, for good or ill.

The second statement is important because, if States obey these principles, it has interesting effects upon malicious activity leaving State networks. Collectively these sentences imply that States are responsible for their networks. States can't claim that they are only innocent intrusion victims, and that any malicious activity leaving their State isn't their fault or problem.

Whether States try to meet these obligations, and whether others call them out for not meeting them, is another matter.

Sunday, March 16, 2014

Five Thoughts from VADM Rogers Testimony

I had a chance to read Advance Questions for Vice Admiral Michael S. Rogers, USN (pdf) this weekend.

I wanted to share five thoughts based on excerpts from the VADM Rogers' answers to written questions posed by the Senate Armed Services Committee.

1. The Committee asked: Can deterrence be an effective strategy in the absence of reliable attribution?

VADM Rogers responded: Yes, I believe there can be effective levels of deterrence despite the challenges of attribution. Attribution has improved, but is still not timely in many circumstances...

Cyber presence, being forward deployed in cyberspace, and garnering the indications and warnings of our most likely adversaries can help (as we do with our forces dedicated to Defend the Nation). (emphasis added)

I wonder if "cyber presence" and "being forward deployed in cyberspace" means having access to adversary systems? There's little doubt as to the source of an attack if you are resident on the system launching the attack.

2. The Committee asked: Is it advisable to develop cyberspace officers as we do other combat arms or line officers? Why or why not?

VADM Rogers responded: ...We must find a way to simultaneously ensure combat arms and line officers are better prepared to contribute, and cyberspace officers are able to enjoy a long, meaningful career with upward mobility. A meaningful career should allow them to fully develop as specialized experts, mentor those around them, and truly influence how we ought to train and fight in this mission space. 

I am especially interested in the merit of how a visible commitment to valuing cyberspace officers in our ranks will affect recruitment and retention. I believe that many of today’s youth who are uniquely prepared to contribute (e.g. formally educated or self-developed technical expertise) do not feel there is a place for them in our uniformed services

We must find a way to strengthen the message of opportunity and I believe part of the answer is to do our part to ensure cyberspace officers are viewed as equals in the eyes of line and combat arms officers; not enablers, but equals. Equals with capabilities no less valued than those delivered by professional aviators, special operators, infantry, or surface warfare. (emphasis added)

In my opinion, the best way to meet these goals is to create a separate Cyber Force. Please read the article Time for a US Cyber Force by Admiral James Stavridis (ret) and David Weinstein.

3. The Committee asked: The Unified Command Plan (UCP) establishes U.S. Cyber Command as a subunified command reporting to U.S. Strategic Command. We understand that the Administration considered modifying the UCP to establish U.S. Cyber Command as a full combatant command.
What are the best arguments for and against taking such action now?

VADM Rogers responded: ...The argument for full Unified Command status is probably best stated in terms of the threat. Cyber attacks may occur with little warning, and more than likely will allow only minutes to seconds to mount a defensive action seeking to prevent or deflect potentially significant harm to U.S critical infrastructure. 

Existing department processes and procedures for seeking authorities to act in response to such emergency actions are limited to Unified Combatant Commanders. If confirmed, as the Commander of U.S. CYBERCOM, as a Sub-unified Combatant Commander I would be required to coordinate and communicate through Commander, U.S. Strategic Command to seek Secretary of Defense or even Presidential approval to defend the nation in cyberspace. 

In a response cycle of seconds to minutes, this could come with a severe cost and could even obviate any meaningful action. As required in the current Standing Rules of Engagement, as a Combatant Commander, I would have the requisite authorities to directly engage with SECDEF or POTUS as necessary to defend the nation. (emphasis added)

I'm dismayed but not surprised by this argument. I'm dismayed because it sounds like the most important reason to establish a unified cyber command is the perception that "cyber attacks...allow only minutes to seconds to mount a defensive action." This is just not true for any strategically significant attack.

If you only have "minutes to seconds" left for defense, you are way too far down the kill chain. You need to be intercepting the adversary in the reconnaissance phase, or at least no earlier than the stage whereby the threat explores the target searching for critical elements. I fear the "minutes to seconds" camp is a legacy of the bad old days of Internet worms from 10 years ago.

4. The Committee asked: How could the Internet be redesigned to provide greater inherent security?

VADM Rogers responded: Advancements in technology continually change the architecture of the Internet. Cloud computing, for instance, is a significant change in how industry and individuals use Internet services... 

Several major providers of Internet services are already implementing increased security in email and purchasing services by using encryption for all transmissions from the client to the server. It is possible that the service providers could be given more responsibility to protect end clients connected directly to their infrastructures. 

They are in a position to stop attacks targeted at consumers and recognize when consumer devices on their networks have been subverted. The inability of end users to verify the originator of an email and for hackers to forge email addresses have resulted in serious compromises of end user systems... (emphasis added)

So, we see reference to cloud computing, encrypting client-to-server communications, ISPs protecting end users, and email verification. Think of all the tactical and technology options that were not mentioned here. Also notice the lack of discussion of better operations/campaigns and strategies. Finally, notice the Committee asked about redesigning the Internet, an engineering-focused approach.

5.  I am glad to live in a country where a candidate to lead important military and intelligence agencies can be questioned in then open for public benefit. However, I am disappointed that the Unified Command Plan (UCP), referenced several times in the Q&A, remains a classified document.

The best we seem to have is The Unified Command Plan and Combatant Commands: Background and Issues for Congress, (pdf) a 2013 Congressional Research Service document hosted by FAS, and History of the Unified Command Plan (pdf), hosted by The 2012 CRS report is posted on a Web site. It would be helpful to read an unclassified version of the next UCP, which is due anytime it seems.

PHOTO CREDIT: Gary Cameron, Reuters.