Air Force Cyber Command General Answers Slashdot Questions

Here are the answers to your questions for Major General William T. Lord, who runs the just-getting-off-the ground Air Force Cyber Command. Before you ask: yes, his answers were checked by both PR and security people. Also, please note that this interview is a "first," in that Generals don't typically take questions from random people on forums like Slashdot, and that it is being watched all the way up the chain of command into the Pentagon. Many big-wigs will read what you post here -- and a lot of them are interested in what you say and may even use your suggestions to help set future recruiting and operational policies. A special "thank you" goes to Maj. Gen. Lord for participating in this experiment, along with kudos to the (necessarily anonymous) people who helped us arrange this interview.

How do we prevent "mission creep" (Score:5, Insightful)
by Jeremiah Cornelius (137)

It appears that the military is increasingly involved in areas who's jurisdiction was once considered to be wholly in the civil domain. Use of jargon like "cyberspace" seems only to obfuscate and distract from the core issue. This appears an effort to recruit public opinion and defuse the deeper questions that strike at the heart of a free and civil society. I think that if we had a statement that "The private mails are a warfighting domain" would generate a fair amount of debate on the role of the military as opposed to the police, the function of constitutional protection of liberties, and the question of what actually constitutes a state of war.

What are the limits on this jurisdiction? Who enforces these limits, and how is the public informed of that status? How are efforts to extend being safeguarded from creating mission creep that threatens all civil discourse in the United States and abroad form targeting, suppression, propaganda and extra-legal surveillance?

ANSWER:

A very good question. It's a complex issue, but bottom line is that we won't need new laws to be able to fly and fight in cyberspace. The DoD's role in protecting cyberspace is governed by domestic and international law to the same extent as its activities in other domains. Other U.S. agencies, such as the Department of Justice and the FBI, have important and, in many cases, leading roles to play.

Attacks on the US and its Allies by China (Score:5, Interesting)
by Yahma (1004476)

There have been several recent news reports that China has and is engaging in a nationally funded effort to hack into and attack US government computer systems. The German government recently announced that they traced recent aggressive cyber-attacks back to the Chinese government. What, if anything, is being done against this type of cyber-terrorism against us and our allies? Why do we still confer most-favored nation trading status onto a Nation who is actively engaged in efforts to spy on and attacak our government and corporate computer systems?

ANSWER:

Yes, there are lots of news reports on that, but I'm sure you can appreciate the fact that there are other branches of the U.S. government that must answer your foreign policy questions. I can tell you that securing cyberspace is difficult and requires a coordinated and focused effort from our entire society - federal government, state and local governments, the private sector and the American people. The Air Force is working to improve our ability to respond to cyber attacks, reduce the potential damage from such events, and to reduce our vulnerability to such attacks.

Accept, Retain, Solicit good people? (Score:5, Interesting)
by Lally Singh (3427)

General,

Some of the most talented people in computer security tend to have the sort of records that prevent them from getting clearance. Maybe nothing heavily criminal, but enough of a colored background that traditional security clearance mechanisms would throw them out of the room before they get started. Often the same types of minds that are really good at computer security are also the rebel types, who'll have some history. Will you work to get these people in, or are we looking at a bunch of off-the-shelf programmers/admins who've taken a few simple courses in computer security?

Also, how do you plan to attract/retain them? Again, rebel types are some of the best hackers, and they're not likely to go in without incentives. Not due to any lack of patriotism per se, but an unexplored understanding of it. More importantly, they're likely to be anti-establishment types who aren't comfortable in the strict traditional chain of command. Finally, usually the outside industry pays quite well for the good ones. Are you prepared to financially compete for the best?

Finally, will there be any connections back to the research/academic community? You may find academics more happy to help than usual, as cyber warfare can often be nonviolent. Also, will the existing (and immense) capability within the NSA be properly leveraged?

ANSWER:

I believe even the most unlikely candidate, when working for a cause bigger than himself, turns out to be a most loyal ally. Young men and women come into the military for any number of reasons - education, health care, etc. - but end up staying because they believe what they're doing matters. We know money doesn't create loyalty--a sense of purpose does. We'll take what they have to offer, and in turn they might be surprised by what they get back. It's not just our military members either, it's all those who partner with us . . . academia and private industry, our civilians and contractors, too. In the cyber command, there is a purpose and sense of urgency to be ready. You can bet that we leverage all the expertise out there to help us do our job.

Older recruits? (Score:5, Interesting)
by rolfwind (528248)

It seems that in the military traditionally it was always looking for people fresh out of highschool for EMs and if you wanted to get anywhere in the military you had to be either college educated or, to really have a high end military career, start really young in something like the Valley Forge Military Academy and work from there.

In a traditional branch of the army/navy/airforce that is probably as it should be.

But in this area people have to be trained for years, still not know as much as the older hands in the private industry, and before they really know enough their enlistment would be over. Also, it would be unacceptable for an older IT person to join but take a pay cut to a Private's level or perhaps even a Lieutenant's -- so I imagine this branch would have to be somewhat different.

Is the military going to do to reach out toward the older folks who have extensive experience and knowledge outside the military?

ANSWER:

As I work alongside today's Airmen, many with very specialized skill sets in great demand outside the Air Force, I find them to be incredibly well trained and up-to-speed on current technologies. We bring them in from a general practitioner level and take them to expert level in reasonable time ... and well before retirement age indeed! We train them with specific technical skills as well as overarching abilities required to lead in today's environment. You're right in that we couldn't compete in the cyber world without the experts in the civilian industries who give us the technology in the first place, provide the architectures we use, and even the software we need. People don't have to enlist or take a pay cut to help us out. Certain skill sets can also be brought on board as civilians or contractors, and in many cases we do offer compensation competitive with the commercial sector.

Which acts of war should be illegal in cyberspace? (Score:5, Interesting)
by cohomology (111648)

War is never clean.

In conventional warfare, certain actions such as hiding among civilian populations are forbidden. These actions are considered war crimes because of the collateral damage they are likely to cause. What actions in cyberspace do you think should be outlawed? How about intentionally bringing down hospital IT systems, or destroying undersea cables without regard to the effects on civilian populations?

ANSWER:

The U.S. military complies with all applicable domestic and international laws, and that will certainly apply equally within cyberspace. The Law of Armed Conflict, for example, arose from a desire among civilized nations to prevent unnecessary suffering and minimize unintended destruction while still waging an effective war. It would be possible, as you mentioned in your scenario, that some who ignore the laws of civilized nations could conduct operations in cyberspace that may have unlawful negative consequences on civilian populations. For us, abiding by these laws, being good at we what do and maintaining a technological advantage over our adversaries provides us a first line of defense. Those who commit unlawful acts would certainly face potential criminal liability for war crimes.

Physical Fitness (Score:5, Interesting)
by spacerog (692065)

General, You were recently quoted in Wired as having said "So if they can't run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in." Is this an accurate quote? As a former member of the US Army I must say that passing a PT test is not very difficult and the suggestion that some soldiers should be exempt from basic minimum requirements is rather upsetting. Are you actually advocating the relaxation of military physical fitness standards for 'cyber warriors'? Would this not create a double standard and animosity between the cyber command and other sections of the military? Surely there must be other recruitment incentives that can be applied to attract the talent you need.

ANSWER:

I don't disagree with you . . . and I am not advocating changing our PT test. What I am saying is that we, as a military culture, need to look beyond what we've traditionally recruited. The very nature of our military requires that we be able to work in combat conditions and be able to establish and protect our cyber/communications structures and networks in remote, even austere conditions. As anyone who has worked in these austere locations will tell you, being fit is critical to mission success, so I don't foresee or advocate for a relaxation of standards just to bring in this specific type of talent. But, as we know, some of what we do in cyber can be done at home station as well, so what will our force look like in the future? This is something we need to look at and evaluate as we progress in this area.

It is good war is so terrible... (Score:5, Insightful)
by MozeeToby (1163751)

A wise man once said "It is good that war is so terrible, lest we grow too fond of it". If cyberwarfare ever becomes a reality, how do we respond to the fact that is isn't "terrible"?

The direct damage from such warfare would be primarily economic or data security related (rather than a cost in human lives) how do you feel we can prevent it from becoming a monthly, yearly, or daily occurance?

ANSWER:

The fact is we are dealing with this on a daily basis and it won't be going away anytime soon. Not for any of us. The way to shield ourselves from these attacks is to be at the forefront of technology, tactics and procedures relating to operating in cyberspace. We have systems and software that are protected by multiple layers of security and functional redundancy. We train our people to be on the cutting edge of this technology, and we find ways secure our information. We have to take this very seriously because we rely on our networks to conduct military operations all around the world. The person who hates war the most is the warrior who has to go to it ... we want to prevent that.

Criminal vs Warlike Actions (Score:5, Interesting)
by florescent_beige (608235)

General Lord,

Does the AFCC have a mandate to pursue criminals that use information infrastructure to commit crimes, or is your group intended to defend against warlike attacks only?

If the latter is true, how would you distinguish between criminal activity and warlike activity in cyberspace?

ANSWER:

The speed and anonymity of cyber attacks makes it very hard to distinguish what actions would be those of terrorists, criminals, nation states or just some lone prankster. Our command coordinates with government partners such as the DoD's Cyber Crime Center staff, who work with law enforcement officials to investigate and prosecute criminal acts if necessary. A "war-like activity" can also include presenting misleading information to our battlefield commanders. So, we've got to be spot on about authenticating the trusted source of that information in the first place. But, generally speaking, if something is a coordinated attack that would cause disruption or an attack that required a high level of technical sophistication to carry out, that would cause us to take a closer look and recommend a proper response.

Legal Hacking... (Score:5, Funny)
by JeanBaptiste (537955)

Just post a list of the stuff you want hacked and the more patriotic hackers will enjoy doing it for free.

Due to the nature of hacking and what many people do to acquire such skills, they may not want to 'join up' and all that.

But if you post a list of IP's that are okay to bring down, and networks you want information stolen from, with the understanding that the US will not condemn any attacks, and I'm sure more than enough people would do it for free.

Is there anything like this already in place? Cause I got nothing better to do this weekend. Or most any weekend.

ANSWER:

YGTBKM! LOL! I like your enthusiasm, but you know the Air Force neither encourages nor condones criminal activity.

Could a Cyber Attack Trigger a Real War? (Score:5, Interesting)
by florescent_beige (608235)

General Lord,

I'm curious to know if you have have any criteria that would enable you do decide when a cyber attack is an act of war. Would it be possible for some kind of action inside a network to lead to a shooting war without some kind of overt physical threat occurring first?

ANSWER:

Within the Department of Defense, we are careful not to speculate about what would be considered an act of war. Our nation's elected officials are the ones who will decide what threats to, or actions against our national security will constitute an act of war against the United States. These same leaders will likewise determine what an appropriate response would be, and that could be diplomatic, economic or involve the military to demonstrate the nation's resolve. That's why it's my responsibility to oversee the building of a command that will provide our leaders, through the appropriate chain of command, with many options with which to deter threats in the first place or respond when necessary.

Why was the Air Force tasked with this? (Score:5, Interesting)
by Isaac-Lew (623)

Why should the US Air Force be tasked with this, instead of DISA or NSA, neither of which is tied to a specific branch of the military?

ANSWER:

Don't confuse the fact that we are standing up the Air Force Cyber Command to mean we are the lead for the nation, or the primary command to respond to a particular incident. We are just one part of a combined effort. Our first priority is to work with DoD to defend AF military resources, but many of those resources rely on civilian entities, so we obviously have a keen interest in protecting those items as well. We thought it was the right thing to do to consolidate our efforts and to align all the Air Force cyber-related resources so we can have better command and control. This command will be able to respond better to the needs of our commanders and be the focal point within the Air Force for cyber security and defense missions, as well as respond to emergencies and natural disasters. Make no mistake, we are partners with the other sister services--the Army, Marines, Navy--as well as with DISA, NSA and Homeland Security to name a few. We're all in this together.

Question about Existing Contractors (Score:5, Interesting)
by tachyon13 (963336)

General Lord, I currently work as the exact type of 'cyber warrior' you intend to recruit. But I already have a Top Secret clearance, already familiar with DoD systems, etc. The dynamic with what we call 'Information Assurance' is that of a constant struggle with our contractor management (stay within the contract, the budget, etc) and with our 'warfighter' higher ups (educating them on why they can't have full access from their home in the spirit of "operations are a priority, to hell with security"). So assuming you can get the type of expertise that are eligible for clearances, and that are willing to relocate to Offutt/etc, how are you going to address the core issue of security in the DoD: Operations/budget/schedule will always trump security. Or alternatively, security will always be back burner to 'hot' issues. Thank you for your time.

ANSWER:

Certainly the balance between having access to do our mission and having robust security is an issue where not everyone agrees on just how much to restrict or how much to allow. The Air Force takes the security of its computer networks very seriously and has taken several measures to educate our users and to provide secure means for them to operate. As with many other issues, the Air Force through its commanders, must assess the risks and make a decision. I don't agree or I maybe I just haven't seen where security is always a back burner item.

CyberCommand Location (Score:5, Interesting)
by Mz6 (741941)

General,

Can you explain some about the situation developing between Barksdale AFB and Offutt AFB as they try to fight over the eventual final location for CyberCommand? My thoughts are that finding and recruiting talent, and laying the foundation for such a large wired infrastructure in the Omaha, Nebraska area may be easier to accomplish than in and around Shreveport, LA. What types of things is the DoD looking for when they choose the final location for this new Command?

ANSWER:

The government actually has a regulation that covers the whole process for choosing a location for a command and it's a very defined, thorough process. The bases must meet certain criteria -- existing infrastructure would be just one aspect of many items along with communications or square footage requirements, but there are other considerations, such as the impact to the environment that the Pentagon will consider. I would hope that no matter where it was located, we would still be able to attract the talent needed to work in this exciting command and that all communities see the need to protect this domain.

The questions are interesting...

and the answers are content-free.

Oh, well. At least they tried.

Well what did you expect?

Q: Please g3ve u5 r00t to m133ile l3nche5!
A; No.

Q; You suxx0r!
A; I love my job! { must ... control ... fist .. of .. death ...]

Re:The questions are interesting...

and the answers are content-free.

Did anyone seriously expect anything else?

We live in an age where the press routinely goes over every single word spoken by celebrities, politicians, and public figures, and tries to make a scandal out of any off-hand comment that can be construed to embarrass the speaker.

Any officer who has not learned to cover his ass and keep his mouth shut will have a short career in today's military.

AGREED

But I think your second point is most important - they tried. Assuming (hoping?) they really are reading feedback we can hope they will adjust their filters accordingly. being vague on questions such as roles and responsibilities between government agencies will only create a general sense on unease in the general population.

Furthermore, we should remember as a group of large agencies, there's bound to be politicking and may not be the level or coordination desired. Of some of this vague area may reflect reality, they don't really know where lines actually exist...

Re:AGREED, but some caveats:

The general's answers were also interesting because they demonstrate the gap between what we're used to reading on blogs and in /. comments: unfiltered, highly opinionated pseudo-anonymous people who speak only for themselves. There are no or few repercussions for most people if they make a foolish statement or unfairly lay into someone or whatever. But public officials -- and a general is at the very least a semi-public official -- don't have that luxury. So what such a public official will say will be different in tone and content than what we're used to.

This indicates something of a culture gap between the kind of hackers who the general presumably wants to recruit and the generals themselves. Paul Graham states it [paulgraham.com] well:

Most imaginative people seem to share a certain prickly independence, whenever and wherever they lived. You see it in Diogenes telling Alexander to get out of his light and two thousand years later in Feynman breaking into safes at Los Alamos. Imaginative people don't want to follow or lead. They're most productive when everyone gets to do what they want.

Such "prickly independence" is the opposite of the stereotype of the military that's lodged in my mind. Now, I know that stereotype is somewhat inaccurate, but nonetheless the rebel/renegade streak that runs through many -- though by no means all -- of the creative, intelligent people who often know technology well. I'm not sure I'd go as far as Paul Graham's "most," but I'm definitely going to use "many."

Finally, regarding the tone of the answers, remember too that it's easier for an individual speaking for himself (Neal Stephenson, anyone [slashdot.org]?) to answer candidly than it is for someone who represents millions, especially because the military sometimes has PR problems. If the general says anything forceful, it will be spun around the Internet, quoted -- perhaps out of context -- in newspapers, and generally leave the military open to the PR of others.

I'm not sure how to solve such cultural problems between hacker types who need direct unvarnished honesty ("Where is the mistake in this?") versus PR types in public ("How do I make sure my words won't be used against me?").

Re:The questions are interesting...

There is a whole science to reading speech that is attempting to balance many competing interests.

In this case I'd list some of the competing interests as:

Don't want to actually lie.
Don't want to say anything your worst enemy shouldn't know.
Don't want to be *perceived* to be doing either of the preceding.
Want to appear receptive to questions.
Want to remain politically neutral.

I'm sure there are many more.

I did manage to tease out one interesting tidbit from two questions of mine the General was kind enough to answer:

Question #9: When asked if a cyber-attack could lead to a shooting war, the General replies (to paraphrase) that the response to any given scenario is up to elected officials, not the DoD. Fair enough. But...

Question #7: When asked about the difference between criminal and military-like actions online, the General replies that, depending on the nature of the attack, his group would "recommend a proper response".

So, while the ultimate decision is always to be up to the CinC, the DoD isn't without an opinion as the answer to #9 might imply. The real answer would get into operational planning which, of course, can't be revealed.

Actually I find the answers interesting to parse, knowing that they must have been massaged by so many experts.

None of which is meant to belittle the fact that the General actually took time to go though this exercise. Very refreshing.

Re:The questions are interesting...

Although I didn't expect much from a military man.

That's ok - he'll still put his life on the line to protect your right to continue to whine.

Re:The questions are interesting...

no one comments yet on a General's usage of "YGTBKM! LOL!"?

Yes, most of the comments were relatively content free, but a few of them had some interesting tidbits. I mean, I didn't expect him to say "Well, here are our plans, and here are full in depth discussions on some rather sensitive topics". From the position he was coming from, I appreciate that amount he DID say. I think he took the questions seriously and provided those answers he could.

Re:The questions are interesting...

I learned:

- that they don't believe they need new laws to "fight" in cyberspace.
- "People don't have to enlist or take a pay cut to help us out."
- "Within the Department of Defense, we are careful not to speculate about what would be considered an act of war."

Obligatory

I, for one, welcome our William T. Lord overlord.

Right General?

YGTBKM! LOL! I like your enthusiasm, but you know the Air Force neither encourages nor condones criminal activity.

Are you sure this is a general and not some 14 year old girl?

Re:Right General?

Actually, my first response when I read that line was "His PR team are trying to look hip." Like when you see TV ads that try to use street jargon, and miss the mark. Of course, I'm probably being a bit harsh, the truth will be somewhere between the two.

Re:Right General?

Honestly, I kind of felt like the response was a subtle jab at how silly and stupid the question was.

Consider me impressed.

Some of those answers are obviously 'cleaned up' and somewhat evasive... but some are actually quite nice, and the man actually used 'text speak' in an answer... I'd say the questions and answers came across rather well, given that they had to be combed over. I'd love to hear more candid, off-the-cuff answers but I know that's not really an option when dealing with something of this nature.

Security clearence dodged... too bad

The security clearance question was dodged. That's too bad. I would love to work for such an organization, and might even have signed up with the Air Force if I thought I could make it into that group when I was younger. However, I know that for silly reasons that have to do more with red tape than any actual wrong-doing on my part, a security clearance is out of the question. If he'd given people some hope that the typical rules regarding security clearances would be relaxed in favor of a more "are you a potential threat" based analysis, he might have won some hearts and minds.

Re:Security clearence dodged... too bad

A security clearance of Secret is much easier to obtain than many expect. Top Secret can also be obtained somewhat easily, even given a set of questionable actions in the past, based on good interviews with people from your sphere of influence. Special allowance cases are made all the time for either. Many people assume (wrongly) that a past arrest or drug use immediately rule out either. The important parts here are complete honesty, showing a changed "nature" if needed and that your versions of past events match up with other witnesses.

Answer #5 about hacking sites

YGTBKM! LOL! I like your enthusiasm, but you know the Air Force neither encourages nor condones criminal activity.

p.s. and we know where you live.

p.p.s. and we told the FBI, DHS and your state and local PD where you live.

p.p.p.s. and we all have guns.

"Cyber Command"? What time is it on Disney?

"Cyber Command"? What time does that show air on the Disney channel?

Legal Hacking

This is actually quite a traditional thing; what we used to call Letters of Marque [wikipedia.org] were issued to pirates to 'legalize' their attacks on the enemy. While these were banned by the 1856 Declaration of Paris, the US is not a signatory to that treaty, and theoretically Congress could issues these permissions (it's a power specifically granted them in the Constitution).

Not prepared to back up financially

The General's answer to the third question ("Accept, Retain, Solicit good people?") clearly shows that his answer to "Usually the outside industry pays quite well for the good ones. Are you prepared to financially compete for the best?" is "No."

So, US Government, please let us know when you're ready to put your money where your mouth is, and we'll subsequently give you the best damn computer security on Planet Earth. Until then, you're just another employer trying to get more than he's paid for out of his staff.

Urgent Message

From: Joint Chiefs
To: General Lord
Encoding: S00per Seekrit COd3 #5

Ixnay on the LOL-ay, mkay?

Major General Lord?

My God, how many stars is that?

Re:Suggestions

Using people's suggestions is not the Air Force way. Though, in this instance, they can't rebut with the normal "Deal with it, you're in the military."

Actually, the Air Force, or "Chair Force" as we in the Army liked to call it, was the most "civilian" military branch.

We in the Army had Billets (dorm like rooms). Air Force personnel had what looked like apartments.

Our Billets were subject to inspection at any time, 24/7. Air Force living quarters were more of less off limits to their NCO's and officers.

We worked from 7:00am to whenever we were done, weekends were worked about 50% of the time. Air Force personnel worked from 9:00 to 5:00, with weekends off.

When we went to the field, we slept on our tanks. Air Forcer personnel stayed in air conditioned tents or hotels(!!!).

It seemed to me that those in the Chair Force had jobs. We were in the military.

Of course, this is all from my personal experience. There are some more lax army positions that the one I had and I'm sure that there are some hard-core Air Force jobs, but on average, the Air Force people had it so much better than we did.

Re:Suggestions

I just got out of the Air Force after six years. I'm not making things up -- that was the response to suggestions that there were no better arguments against. Perfect example: the hot water in the dorms was brown (not tinted -- BROWN) for years. "We had it tested. It's safe." Um.. IT'S FUCKING BROWN! I sat at a computer 8 hours a day. Sometimes 6 if no one was looking. I lived in an air conditioned tent for 4 months. I lived in a closet, where I had the ability arranged my furniture only because I had played Tetris and I ate garbage served by the laziest, dumbest people I've ever met in my life for 3 years. The Air Force sucks, and I'm sure you're right -- the Army was worse.

Re:As A Retired USAF Senior NCO All I Can Say Is

WTF?

Don't you mean, "Whiskey Tango Foxtrot"?