Ask the Air Force Cyber Command General About War in Cyberspace

We ran an article about the new Air Force Cyber Command and its recruiting efforts on February 13, 2008. Now Major General William Lord, who is in charge of this effort, has agreed to answer Slashdot users' questions. If you're thinking about joining up -- or just curious -- this is a golden opportunity to learn how our military is changing its command structure and recruiting efforts to deal with "cyberspace as a warfighting domain." Usual Slashdot interview rules apply.

Already in, how can I help?

[whereizben]

General Lord, I am currently a member of the VT Air National Guard, and I have a bachelor's degree in computer science and work in IT for my civilian job - is there a good way that someone like me can be put to use in this effort without having to go onto active duty and relocate? Thanks - Ben

Remote work?

[Anonymous Coward]

Do you have telecommuting opportunities? Terrorists and criminals don't work out of a giant call center or office building, so I would hope that those fighting against them might not have to either.

War on blogs?

[KarMann]

So, what's up with that war on blogs [slashdot.org] we read about recently? You know, the one "so utterly stupid, it makes me want to scream." Not quite your area of responsibility directly, I believe, but certainly of interest to the crowd here.

Unplugging

[The AtomicPunk]

Why has the DoD not simply disconnected from the Internet in light of all the threats and (apparently somewhat successful) attacks from abroad?

Cyberwarfare Doctrine

[jlaprise1]

Dear Major General Lord, I'm an academic who has been theorizing and writing about military doctrine in in cyberspace. One problem that I have encountered is in theorizing about what conflict in cyberspace looks like, though Libicki does a fine job. How does your command develop war fighting doctrine in the absence of actual conflict for cyberspace?

Attacks on the US and its Allies by China

[Yahma]

There have been several recent news reports that China has and is engaging in a nationally funded effort to hack into and attack US government computer systems. The German government recently announced that they traced recent aggressive cyber-attacks back to the Chinese government. What, if anything, is being done against this type of cyber-terrorism against us and our allies? Why do we still confer most-favored nation trading status onto a Nation who is actively engaged in efforts to spy on and attack our government and corporate computer systems?

Difference In Culture

[Chabil Ha']

Major, it seems to me (and others at /.) that the cultures that most geeks espouse run counter to the perceptions of the military. This being, for example, showing up at a consistent designated hour, opposition to wearing a standard uniform, having an overly strict form of discipline, etc.

How do you propose to reconcile those conflicts and establish your organization with any semblance of 'geek cred' to get the real talent you sound interested in attracting? What sorts of 'carrots' will you wave to attract people?

relaxing rules

[i.r.id10t]

Is it possible that rules would be relaxed to allow the types of people that can do the job already but may not be "fit" or a "good fit" for/in military service, or is the plan to take airmen and train them to do what you want them to be able to do? Would a civilian with the proper skillset be able to act as a contractor without enlisting, etc?

Older recruits?

[rolfwind]

It seems that in the military traditionally it was always looking for people fresh out of highschool for EMs and if you wanted to get anywhere in the military you had to be either college educated or, to really have a high end military career, start really young in something like the Valley Forge Military Academy and work from there.

In a traditional branch of the army/navy/airforce that is probably as it should be.

But in this area people have to be trained for years, still not know as much as the older hands in the private industry, and before they really know enough their enlistment would be over. Also, it would be unacceptable for an older IT person to join but take a pay cut to a Private's level or perhaps even a Lieutenant's -- so I imagine this branch would have to be somewhat different.

Is the military going to do to reach out toward the older folks who have extensive experience and knowledge outside the military?

A question about requirements

[downix]

A great portion of the minds you would need in order to facilitate this are not of what is traditionally classified as "fit for service." Would those requirements be altered in order to cast a larger net for a talent pool?

Which acts of war should be illegal in cyberspace?

[cohomology]

War is never clean.

In conventional warfare, certain actions such as hiding among civilian populations are forbidden. These actions are considered war crimes because of the collateral damage they are likely to cause. What actions in cyberspace do you think should be outlawed? How about intentionally bringing down hospital IT systems, or destroying undersea cables without regard to the effects on civilian populations?

Physical Fitness

[spacerog]

General, You were recently quoted in Wired as having said "So if they can't run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in." Is this an accurate quote? As a former member of the US Army I must say that passing a PT test is not very difficult and the suggestion that some soldiers should be exempt from basic minimum requirements is rather upsetting. Are you actually advocating the relaxation of military physical fitness standards for 'cyber warriors'? Would this not create a double standard and animosity between the cyber command and other sections of the military? Surely there must be other recruitment incentives that can be applied to attract the talent you need.

- Space Rogue

When the USA finally gets "IT"...

[PC and Sony Fanboy]

When the US military is run by people who are representative of their population, and understand the composition of their country, they may be successful in persuading the best and brightest minds to work for them. As an observer here in canada (and we're not THAT much better for this), the american system tends to use the stick, not the carrot, in order to persuade its citizens to do the right thing - which discourages experimentation! The US military is percieved as being much worse.

Preferred Skillset?

[katch22]

General Lord, I am currently a Computer Science student attending a U.S. university, and I am curious as to what skills you would like to see in potential recruits for the USAF Cyber Command. What areas of expertise are preferred over others?

Are you prepared for this?

[djcapelis]

Security professionals thrive in an environment where authority is questioned, basic assumptions are always challenged and diversity of thought is critical. Even the idea of uniforms is going to drive away the professionals you need to set up this type of institution. Do you believe that setting up this type of institution within the military is even a good idea? Do you think that perhaps there's a more appropriate environment for it? Are you entirely aware of what kinds of challenges you face in recruiting top-notch people for this type of thing? Would you even know a top-notch security professional if you saw one? They're not easy to identity unless you're another security professional. Are you? Do you really have what it takes to try and lead this type of organization?

If so, can you tell me why you chose ASP to run your website? Won't you have enough trouble recruiting as is without alienating some open-source loving folks right off the bat?

So far everything I've seen about this organization is riddled with basic mistakes. I wish you the best of luck but I'm just not convinced you have any idea what you're getting yourself into with this initiative.

Criminal vs Warlike Actions

[florescent_beige]

General Lord,

Does the AFCC have a mandate to pursue criminals that use information infrastructure to commit crimes, or is your group intended to defend against warlike attacks only?

If the latter is true, how would you distinguish between criminal activity and warlike activity in cyberspace?

Will the USAF Cyber Command be full of TPS reports

[Joe The Dragon]

Will the USAF Cyber Command be full of TPS reports and other crap like long wait times with lots of paper work to get small thing like adding ram, getter better systems, install new software and other things?

Will you be forced on to the standard USAF window base image with limited admin accounts like how the navy and marine systems that are a Big mess are setup?

Will you use mac and linux like how the army does?

Re:Benefits?

[WeeLad]

What are some of the differences between this and other parts of the military, in terms of application requirements, benefits, pay, etc?

... and possibly as a follow up ... Why specifically is the Air Force the branch of the U.S. military to pursue this? Is there something about the USAF that makes it a better fit than the Navy or Army?

Could a Cyber Attack Trigger a Real War?

[florescent_beige]

General Lord,

I'm curious to know if you have have any criteria that would enable you do decide when a cyber attack is an act of war. Would it be possible for some kind of action inside a network to lead to a shooting war without some kind of overt physical threat occurring first?

Former Army Research Lab SLAD/IO

[Anonymous Coward]

General Lord,

I spent some time in the Army Research Lab's SLAD/IO Division in New Mexico. When I joined I thought I would be doing exploit development, reverse engineering and so forth. But it never seemed like the direction of the organization was going in going in a way that seemed to take the mission seriously. There were smart people there but they weren't being driven in the right direction. I don't think it was management's fault, either. There just were no hackers there. I still sometimes wonder if I misunderstood during the interview.

So what is life going to be like at AFCC? I know there is work to be done but is it the kind of thing a hacker would want to do? Is it going to be more development, reverse engineering, etc? Also, is it going to *pay* like I would expect?

Re:As A Military Commander...

[nexuspal]

Sure he can "Look", but in most instances anyone in the military would be unable to say, direct macro policy. Money can be used as a weapon, yet he, and everybody else in the military do not have the skill, or desire, to get involved with addressing the threats of monetary warfare... So in that regard, there are times when they don't even have the standing to recognize what is going on, let alone address ways to handle the threats that come in a non-direct way.

CyberCommand Location

[Mz6]

General,

Can you explain some about the situation developing between Barksdale AFB and Offutt AFB as they try to fight over the eventual final location for CyberCommand? My thoughts are that finding and recruiting talent, and laying the foundation for such a large wired infrastructure in the Omaha, Nebraska area may be easier to accomplish than in and around Shreveport, LA. What types of things is the DoD looking for when they choose the final location for this new Command?

International Development and AFCC's Tool Set

[florescent_beige]

General Lord,

Some of the "hacker" types that I understand the AFCC is looking for probably will prefer to work with Linux and Linux applications.

Due to the international nature of software like Linux that has been developed through the "free" paradigm, would this be allowed? These tools will have been produced by nationals from many different countries, perhaps even those that the United States could find itself fighting a cyber war against.

SCADA Warfare

[StickyWidget]

General, during current war operations it is common procedure to target areas of enemy infrastructure (electricity, water, gas, transportation, communications) with the intent to disable or destroy. As the systems being used to control this infrastructure are becoming more and more interconnected, and increasingly use standard computers and interconnections (i.e. TCP/IP and Internet), this could potentially become another method of attacking enemy infrastructure.

Will there be a doctrine for cyber attacks on enemy critical infrastructure systems for the Air Force Cyber Command? If so, what efforts are currently in place/planned to support war fighter knowledge in the arena of SCADA and control system security, and the methods for causing damage to enemy infrastructure? What importance, if any, do you and Cyber Command place on the having the capability to destroy or disable the SCADA systems that control enemy infrastructure via CyberWarfare?

~Sticky

National Labs?

[nitroamos]

Why doesn't AFCYBER fit at one of the national labs (e.g. LANL, or LLNL) or NSA?

I thought those were the popular destinations for educated people who want to serve their country, they're already technically oriented, and they already have a lot of really smart people, so it would have seemed to me a good fit. When I'm looking at my employment possibilities, I need a way to differentiate you.

Accept, Retain, Solicit good people?

[Lally Singh]

General,

      Some of the most talented people in computer security tend to have the sort of records that prevent them from getting clearance. Maybe nothing heavily criminal, but enough of a colored background that traditional security clearance mechanisms would throw them out of the room before they get started. Often the same types of minds that are really good at computer security are also the rebel types, who'll have some history. Will you work to get these people in, or are we looking at a bunch of off-the-shelf programmers/admins who've taken a few simple courses in computer security?

      Also, how do you plan to attract/retain them? Again, rebel types are some of the best hackers, and they're not likely to go in without incentives. Not due to any lack of patriotism per se, but an unexplored understanding of it. More importantly, they're likely to be anti-establishment types who aren't comfortable in the strict traditional chain of command. Finally, usually the outside industry pays quite well for the good ones. Are you prepared to financially compete for the best?

      Finally, will there be any connections back to the research/academic community? You may find academics more happy to help than usual, as cyber warfare can often be nonviolent. Also, will the existing (and immense) capability within the NSA be properly leveraged?

      I'm glad to see our DoD taking our nation's networked security seriously. Right now it's just a bad, bad joke.

Best of Luck!

-Lally Singh

Why was the Air Force tasked with this?

[Isaac-Lew]

Why should the US Air Force be tasked with this, instead of DISA or NSA, neither of which is tied to a specific branch of the military?

Re:Unplugging

[Lavafish]

Major General Lord, Dear Sir, I am a Civilian Engineer currently working for the Army to implement EPACT05 requirements. The wired.com article discusses competition for the location of the Air Force's new Cyber Command. Given the "more connected, monitored, and controlled" direction of EPACT05 and DoD Energy Strategy, do you see value in a distributed Cyber Command? Do you feel that the deployment of Cyber Command at a single post may discourage job applications from potential Civilian employees and experts living in other areas?

What if this alternative existed for Mitnick?

[Anonymous Meoward]

One of the storied stereotypes of the hacker domain is that of the nabbed "black hat" being impressed Into a "white hat" role. (Think Leonardo DiCaprio's role in "Catch Me If You Can".) However, the US armed forces no longer offer service as an alternative to prison (last I checked anyway), even though it offers a hacker in such a position the best deal he or she may ever get.

Would you seriously consider trying to exploit the talents of convicted hackers if you thought those talents could be a viable asset?

Question about Existing Contractors

[tachyon13]

General Lord, I currently work as the exact type of 'cyber warrior' you intend to recruit. But I already have a Top Secret clearance, already familiar with DoD systems, etc. The dynamic with what we call 'Information Assurance' is that of a constant struggle with our contractor management (stay within the contract, the budget, etc) and with our 'warfighter' higher ups (educating them on why they can't have full access from their home in the spirit of "operations are a priority, to hell with security"). So assuming you can get the type of expertise that are eligible for clearances, and that are willing to relocate to Offutt/etc, how are you going to address the core issue of security in the DoD: Operations/budget/schedule will always trump security. Or alternatively, security will always be back burner to 'hot' issues. Thank you for your time.

Cyberwarfare and the Law

[arik181]

During times of war, special laws come into effect. The killing of another human being, normally considered one of the most heinous of crimes, is a legitimate practice under combat conditions. My question is this: Does the law come into play at all during cyberwarfare, or is "code" the new law, as far as the USAF is concerned? Does cyberwarfare relate more closely to a covert operation? If there is a strict legal framework for cybercombat, what are its fundamental aspects?

How does it affect people outside the US?

[baboonlogic]

I am an Indian and what the US does have non-trivial effects on my day to day life. US military publicly and actively declaring meddling with the internet to be a part of their job can amongst other things motivate my political overlords into some kind of action.

Like everything else this has both good and bad effects for me. I don't think our establishments here have a very good idea of what freedom of speech means and they could easily do some wrong here. On the other hand it opens up business opportunities for people like me which is the part I would be interested in.

So, here are my questions. What kind of stuff does your division do? Do you outsource any of it to the private sector? Do you outsource any of it to India or other countries? :P

I suppose data mining the internet would be a key part of your operations. What kind of tools and cyber-technologies would you consider? Which are you already investing in? What kind of tools/techs could I work on that could benefit operations such as the ones you plan to undertake?

The military entering new domains has historically benefited the research and development in these sectors and I look forward to the new cool civilian tech this could bring along with it.

Supermilworms

[cybrpnk2]

General Lord-

Superworms [wormblog.com] such as Storm [wired.com] represent perhaps the greatest threat to the internet becasue their stealthy natures allows the organization of millions of computers into a covert zombie botnet before their true exploit is finally launched. Will Cyber Command launch offensive operations to hunt down and destroy superworms already imbedded in cyberspace civilian computers, or create supermilworms (new word for CC use if you wish, with zero Google hits) that covertly draft millions of civilian cyberspace computers as secret War Reserve resources available for future callup and deployment in a future cyberspace battle?

National Guard Role?

[BanjoBob]

Dear Gen Lord:

In major campaigns, the National Guard (and Air National Guard) play a significant role and are often the front line service. How do you see the individual state Guard units participating? In addition, what Civilian roles will be both a part of the Guard and contracted to the Guard?

I really hope this gets asked

[Nemilar]

This is something I really hope gets asked. A lot of the comments here seem to be of the "the people you need aren't going to fit in with the military structure" as well as, "are you sure you even know what you're getting into doing this?"

I think Internet Privateers, a sibling-comment suggests, would be perfectly legitimate - and as effective, if not more effective, than an organized USAF "cyber attack" on, e.g, the PRC. I don't doubt the need for a "cyber command" to protect American information infrastructure, but I strongly suspect that an distributed, head-less method of attack is a better offensive strategy than a monolithic one. And I think most people on Slashdot would agree (although I am eager to hear arguments against it).

So really - what is your response to what the parent suggests? In the case that an offensive is required against enemy information targets, would the USAF be willing to publish a list of IP addresses for private citizens to crack?