
Ask Lt. Col. John Bircher About Cyber Warfare Concepts

The Air Force is not the only U.S. military branch trying to come to grips with the electronic side of warfare, both current and future. The U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent (USACEWP), located at Fort Leavenworth, Kansas — home to the U.S. Army's Combined Arms Center — serves as the Army's hub for cyber-electronic concepts and capabilities. This is the organization responsible for developing doctrine, materiel and training to prepare the Army for cyber-electronic engagements. For example, USACEWP has developed training teams to ensure that U.S. commanders and soldiers around the world are fully informed of cyber-electronic capabilities at their disposal. Leading the Proponent's Futures branch is Lt. Col. John "Chip" Bircher; Bircher entered the Army in 1989 as an Infantry officer, then served in various command and staff positions, most recently Information Operations (IO). He was the IO Chief for the 25th Infantry Division (Light), Hawaii, and Director of IO for Combined Joint Task Force -76, Bagram, Afghanistan. If you want to know more about the realities and challenges that face an armed, global IT department in a time when electronic warfare is ever more important and dangerous, now's your chance to ask Lt. Col. Bircher some questions. We'll pass on the highest-moderated questions for Lt. Col. Bircher to answer. Usual Slashdot interview rules apply.
  • Technique? (Score:5, Interesting)

    by Manip ( 656104 ) on Thursday June 12, 2008 @01:25PM (#23766821)
    Does the US Army take advantage of traditional misconfiguration and social engineering techniques in order to compromise a network or is the US government developing a home grown list of exploits to gain access to foreign government systems?
  • Legal Ramifications (Score:5, Interesting)

    by muellerr1 ( 868578 ) on Thursday June 12, 2008 @01:27PM (#23766847) Homepage
    How does the military ensure that it is operating within the law regarding online military offensive activities? Are there any laws or oversight, as such? If so, how are those laws and/or oversight affected by a declaration of war?
  • I'm interested in why so many sensitive networks are even hooked up to the internet in the first place, or why trivial systems are so often bundled with sensitive ones under the same security frameworks.

    Why aren't there more isolated networks that would require physical contact or interception to get to in the first place? Do sensitive systems really need any connection at all to the conventional internet in the first place?

    I know that many places in the DoD do take this approach (people having one computer for safe email and browsing, and a completely different computer for sensitive intel), and certainly it's more expensive and less convenient. But when the internet is basically just a big pathway leading directly to your backdoor, why take any chance at all, ever?
  • What is that? (Score:5, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday June 12, 2008 @01:29PM (#23766877)
    What, specifically, would be a "cyber-electronic engagement"?

    Include examples.

    Compare/contrast with traditional forms of intelligence gathering (wiretaps, listening devices, etc) and their counter-measures.
  • Interview Question (Score:5, Interesting)

    by Anonymous Coward on Thursday June 12, 2008 @01:30PM (#23766905)
    With the political tilt as it is, a large part of the software development community is likely prejudiced against helping our country. With this in mind, how do you recruit the most creative and skilled people that this country has to offer?
  • Hacker war... (Score:5, Interesting)

    by Notquitecajun ( 1073646 ) on Thursday June 12, 2008 @01:31PM (#23766933)
    I doubt you could REALLY answer this, but is the US military playing any sort of role in the semi-underground "hacker war" that appears to be going on between China and the US?
  • by networkconsultant ( 1224452 ) on Thursday June 12, 2008 @01:32PM (#23766941)
    With an ever increasing amount of information on the battle field, how would you limit risk when Murphy's law is not functioning in your favour?
  • by El Cubano ( 631386 ) on Thursday June 12, 2008 @01:33PM (#23766961)

    Since the Air Force is the U.S. military branch claiming dominance in "cyberspace" (along with air and space), how do you view the Army's relationship with the Air Force in "cyberspace"? Will the Army seek to take over all of the "cyberspace warfare", carve out its own niche in cyberspace, or peacefully coexist with the Air Force?

    With respect to leadership in this area across the DoD, do you feel that the Air Force being denied the program executive role for all DoD UAV endeavors represents an opportunity for the Army to increase its role with respect to UAVs (as many people see cyberspace and UAVs to be inextricably linked)?

  • Attacks... (Score:5, Interesting)

    by Notquitecajun ( 1073646 ) on Thursday June 12, 2008 @01:33PM (#23766971)
    Without diving into details that compromise security, can you reveal anything about the types or quantities of attacks that the US military is able to fend off, and how often they are faced?
  • China (Score:5, Interesting)

    by je ne sais quoi ( 987177 ) on Thursday June 12, 2008 @01:44PM (#23767157)
    What is the U.S. Army doing to protect U.S. sensitive information from the frequent number of cyber-attacks originating from inside the People's Republic of China? Is it primarily defensive?
  • Recruitment (Score:5, Interesting)

    by caljorden ( 166413 ) on Thursday June 12, 2008 @01:47PM (#23767199)
    Does the US Air Force, or any branch of the armed services, currently recruit for cyber-related positions directly? Or is it a requirement that all members come out of the standard armed services personnel? If there is currently no system for recruiting the best and brightest CS/IT/Security personnel from the civilian population, would that ever be considered?
  • by Anonymous Coward on Thursday June 12, 2008 @01:48PM (#23767229)
    Conventional military is bound by the Geneva convention. To date, there is no international law governing military info-war. Are you therefore no longer bound not to attack civilian targets? Is scrambling hospital records to create civilian deaths by mistreatment considered a valid attack?
  • by Anonymous Coward on Thursday June 12, 2008 @01:51PM (#23767275)
    the world's most insecure operating system? Seriously, I just had to go through the Army accreditation process at work, and all the guidelines basically say that Windows is the most secure according to the Army. Several of the policies do nothing to increase security but are Windows-only features, a not so subtle hint that if you want to be "secure" you should be using Windows. The policies also state that since open source is "unsupported" you should use a commercial OS unless you can find "support" for the open source software. The scrutiny that the Linux/Unix machines are put through is MUCH more than Windows machines are. Windows machines are basically said to be "secure" if you apply all the patches and set a couple of settings. It's as if the Army considers Windows to be the most secure instead of the least secure. The whole security accreditation process seemed to be a giant push for us to move to Windows, which means that in my opinion the whole exercise was intellectually bankrupt. Why does the Army continue to push Windows despite its absolutely horrendous security track record?
  • Jurisdiction? (Score:5, Interesting)

    by Caerdwyn ( 829058 ) on Thursday June 12, 2008 @01:54PM (#23767333) Journal
    Given that the most likely targets for cyber warfare are civilian targets, and that the perpetrators will likely be either non-government organizations or non-military employees of foreign governments, how do you see the jurisdiction question playing out? In particular, at what point are there handoffs in investigation, arrest, and prosecution between the US military, the FBI, and local authorities of affected civilian targets?
  • by introspekt.i ( 1233118 ) on Thursday June 12, 2008 @01:56PM (#23767361)
    What steps is the Army taking to avoid overlap with the Air Force's "cyber warfare" program(s)? Is avoiding overlap considered necessary, or is redundancy considered a good thing? Are there plans to collaborate on large scale with the Air Force, or keep the programs isolated from one another?
  • Source Code (Score:3, Interesting)

    by g0bshiTe ( 596213 ) on Thursday June 12, 2008 @01:58PM (#23767391)
    In the event of a "Cyber Attack" (read we go after them) would the task force secure source code, to search for hidden vectors of attack?

    I realize this is based on the assumption that we know what OS and programs they are running, but Windows for instance, it's reasonable to assume that most computer users use some form of it either legally acquired or illegally.
  • And if and if ... (Score:5, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday June 12, 2008 @01:59PM (#23767409)
    And if there actually is a "Hacker War" between us ... and if our military is currently playing a role in such ... are there any civilian applications that will be released to help defend our non-military assets (corporations, education, etc)?

    Example: the NSA has worked on SELinux.
  • Timing and relevancy (Score:5, Interesting)

    by zappepcs ( 820751 ) on Thursday June 12, 2008 @01:59PM (#23767411) Journal
    It's common knowledge that what we call the Internet was suckled by the military. Black-hat and white-hat security conferences and practices have been an active part of Internet security for over a decade.

    Can you explain what seems to be the US Military arriving at the game in the third inning?

    Having had TSEC and observed security processes and procedures, such as tempest precautions some time ago, I'm having trouble understanding why the 'cyber defenses' of the US Military only now seem to be actually realized.

    Is the delay due to funding? Priorities? or simply to underestimation of what the rest of the world was up to all this time?

    Please be as specific as you are able to be.

    Thank you.
  • by advocate_one ( 662832 ) on Thursday June 12, 2008 @02:01PM (#23767463)
    no text
  • Slashdotter (Score:2, Interesting)

    by slotdawg ( 1301999 ) on Thursday June 12, 2008 @02:02PM (#23767477)
    Do you frequent slashdot often to read news and breakthroughs in IT? How does the government disseminate whether threats of attack are legitimate or just hoaxes?
  • Threat Assessment (Score:5, Interesting)

    by mykepredko ( 40154 ) on Thursday June 12, 2008 @02:07PM (#23767545) Homepage
    As I understand it, every military in the world assesses the threat its opponents pose by their capabilities rather than perceived intents.

    How do you perform a threat assessment in the area of cyber-warfare where the physical weapons (as was pointed out in an earlier post) are the keyboard and mouse with much of technology being used as a threat being developed in the U.S.?

    Thanx,

    myke
  • by faloi ( 738831 ) on Thursday June 12, 2008 @02:10PM (#23767597)
    Do you foresee a high utilization of civilian contractors? Knowing that there are some restrictions on people that can be recruited into the Army for any number of reasons (asthma, medications, criminal records), do you see a need for either more lax recruiting guidelines for some of the "front line" troops in the cyber warfare field, or a higher use of civilian (or at least non-Army) personnel?
  • by Digital Ebola ( 29327 ) on Thursday June 12, 2008 @02:14PM (#23767649) Homepage
    Greetings,

    One issue to cyber warfare is linguistics. How does a military unit overcome this? Does the unit consist of people skilled at the various languages used in theater plus the technical concepts required to execute, or are you forced to cooperate with any other agency?

    Also, agency cooperation: are there good relationships between the cyberwarfare units and the intelligence community, and can you say whether or not there are SOPs in place that would utilize cyberwarfare units in conjunction with a physical offensive, i.e. disable Three Gorges Dam right before an op.

    Thanks for the time!
  • Computer Literacy (Score:5, Interesting)

    by AioKits ( 1235070 ) on Thursday June 12, 2008 @02:17PM (#23767717)
    What level of computer literacy do you feel the Commander-In-Chief and those reporting to them should have in order to comfortably and accurately convey the importance of a given situation/threat the USACEWP encounters?
  • Re:Recruitment (Score:2, Interesting)

    by BadIdea ( 1218060 ) <bbadidea@gmaERDOSil.com minus math_god> on Thursday June 12, 2008 @02:17PM (#23767723) Homepage
    This is a really important question going forward. A lot of military recruitment seems to still be somewhat centered around the sorts of "grunt"-based wars we were fighting decades ago. But there's no reason a fat out of shape guy who happens to be a brilliant programmer needs to go through boot camp and get shouted at by a drill instructor, or learn how to march, just to be part of a group devoted to fighting cyber-terrorism.

    Obviously quasi-military operations need lots more in the way of security clearance and chains of command, but it seems like civilian-structured government organizations are better suited to many of these tasks than the conventional military. The NSA, DOD, CIA, etc. are full of bright people, many of whom have never done a push-up.

    Is it the military that's going to change how it trains and retains, or will it be civilian-based government agencies that start to take over more and more of the functions of technological-based warfare?
  • by gardyloo ( 512791 ) on Thursday June 12, 2008 @02:19PM (#23767741)
    Interesting, because at the DoE- (mainly) and DoD- (partly) funded lab at which I work, Linux and Unix (and things like OSX) users are given much *less* scrutiny than those using Windows.
  • Daemon? (Score:3, Interesting)

    by Viking Coder ( 102287 ) on Thursday June 12, 2008 @02:19PM (#23767743)
    Have you read the book "Daemon" [amazon.com] by Leinad Zeraus? Or how about "The Footprints of God" [amazon.com] by Greg Iles?
    Do you think The Singularity is approaching, and if so, do you think you're prepared for it?
  • Are We At War? (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Thursday June 12, 2008 @02:27PM (#23767895) Homepage Journal
    What is the "cyber command" doing to protect the US from current serious attacks on major Federal government sites, including the attacks on sensitive Congressional sites [slashdot.org] reported this week?

    Is there any traditional military precedent for tolerating these attacks to the extent we do? Is that hesitancy making us weaker, so our eventual delayed military (or "cyber-military") response will be compromised from winning the conflict to our satisfaction?

    At what point do these attacks constitute acts of war, does that need to be declared by Congress, and how does the "cyber command" change its response at that point?
  • by qbzzt ( 11136 ) on Thursday June 12, 2008 @02:27PM (#23767901)
    Why aren't there more isolated networks that would require physical contact or interception to get to in the first place?

    Maybe they have people who can go places and attach wireless / satellite access points to various networks. It's not a safe job, but the military has plenty of jobs that aren't safe.
  • You probably meant that as a joke, but that actually might be a good point: perhaps the internet's origins in the military have led to some overexposure in modern use that wouldn't have otherwise been the case if it had its roots elsewhere.
  • by UncleTogie ( 1004853 ) * on Thursday June 12, 2008 @02:37PM (#23768087) Homepage Journal

    In your work as Director of IO for Combined Joint Task Force -76, what were your greatest challenges in Afghanistan? What technology threats other than IEDs were your greatest concern?

  • It is often the case that the sensitive systems aren't directly connected to the Internet. Instead, the sensitive system gets inadvertently connected to another (less-sensitive) system that is connected to the Internet. The second system gets compromised, which gives the attacker a way to attack the first system.

    For example, as I understand it, a nuclear plant was taken offline by attackers. The control system was not connected to the Internet. However, the management system (payroll, timecards, etc.) was connected to the Internet so that managers could get work done via the Web. Based on some insider knowledge, the attackers subverted the management system, which was mistakenly connected to the control system (by the contractors responsible for the management system). Thus, the attackers were able to shut down the plant. So, the people responsible for the sensitive systems know to keep these systems off the Internet, but mistakes happen.

  • by Anonymous Coward on Thursday June 12, 2008 @02:38PM (#23768107)
    No, he's pretty much right. I gave up DARPA contracts and the opportunity to work in the Defense Industry recently because I felt like I had blood on my hands. It wasn't because I thought that the war was bad for America. It's because I didn't want to program guidance systems which lead to the direct death and maiming of civilians. It's because I didn't want to write simulators that teach our soldiers to kill without showing them ramifications of that killing. It's because I don't want to have a hand in collateral damage, no matter how small.
  • by Anonymous Coward on Thursday June 12, 2008 @02:49PM (#23768257)

    to fight. Will we have to go to basic training?

    If so, would basic training be to train us to stay up all night, living on pizza, soda, Skittles, and porn?

    If so, where do I sign up?!?

    Although the parent posted humorously it does lead into an interesting chain of thought:

    Where can one look to educate "him/her"self on information warfare. When recruiting; do you look for a specific mindset, skillset or qualities in candidates for this line of work?

    Are there sources of internet where one can start to learn about the subject?

  • Re:Attacks... (Score:3, Interesting)

    by legirons ( 809082 ) on Thursday June 12, 2008 @03:21PM (#23768797)


    Personally, I would have phrased it this way: "Please tell us everything you're up to. (It's ok. We're cool.)"

    Actually, that's probably a very good question to start the interview with...
  • by HasselhoffThePaladin ( 1191269 ) on Thursday June 12, 2008 @03:23PM (#23768837)
    What you're talking about is similar to the question of who "dominates" the strategic warfare front. Rather than one dominating, each service has its own forces for that mission area, but they all typically fall under the respective Unified Command.

    The US Strategic Command often, not always, has its commander come from either the Air Force or the Navy (with one exception, Marine General James Cartwright), as they have the preponderance of strategic nuclear weapons (AF with ICBMs and long-range strategic bombers and Navy with sea-launched ballistic missiles (SLBMs)--the triad).

    That all leads to my question: Do you foresee the eventual formation of another unified command like USSTRATCOM whose area of responsibility is that of maintaining US dominance of cyberspace--with each of the services providing their own forces to this unified command? How long until we have USCYBERCOM?
  • Re:China (Score:5, Interesting)

    by ndogg ( 158021 ) <the@rhorn.gmail@com> on Thursday June 12, 2008 @03:24PM (#23768861) Homepage Journal
    On top of that, do you buy it when China says it lacks the skill to hack our systems?
  • West Point (Score:1, Interesting)

    by Anonymous Coward on Thursday June 12, 2008 @03:39PM (#23769133)
    I'm a future Army officer candidate (I leave for Basic/OCS in Sept.).

    I'm ok with doing something related to combat arms, but I'd be really interested doing something related to IW or Signals. Is there anything that I could do during MOS selection to increase my chances of getting one of these MOS's? And what can I expect as an IW officer--will I be sitting in Kansas or deployed abroad? Lastly, what role does the Army play in IW that differs from what the Navy or Air Force are doing?
  • Re:John Bircher? (Score:3, Interesting)

    by Dahamma ( 304068 ) on Thursday June 12, 2008 @04:28PM (#23769813)
    I just looked at that wiki entry, and found this even weirder:

    "It was named after John Birch, a United States military intelligence officer"

  • by 0p7imu5_P2im3 ( 973979 ) on Thursday June 12, 2008 @06:37PM (#23771473) Journal

    Point taken; I stand corrected.

    Let me rephrase:
    Until SELinux, if you had root access on a Linux machine, they couldn't... yadda, yadda, yadda...

    I'd still argue that there is a general lack of knowledge in the DoD regarding SELinux since it has only recently been added to RHEL. And this further supports the misguided notion that Windows Domains offer more control because the network admins in the military consider them easier to configure due to that lack of knowledge.

    Just to satisfy my curiosity (and show my lack of knowledge): is there a way to configure SELinux remotely in real time? For instance, say I found out about a major vulnerability in Adobe Reader version blah.blah.blah. Could I disable versions equal to that and lower remotely the moment I found out, or would it not take effect until some amount of time until the next SELinux policy update (like a restart)?

  • Recruitment Methods? (Score:1, Interesting)

    by jaguth ( 1067484 ) on Thursday June 12, 2008 @07:36PM (#23772093)
    How does the military determine who to recruit for electronic warfare? Do they follow the traditional methods such as advertising at local high schools, walk-ins at recruitment offices, etc.?

    And how do they know the recruit is a good candidate? I mean, there's a big difference between a user and a programmer. I've met a fair number of people who, in my opinion, are borderline tech-illiterate, and yet the military recruiters found them to be good candidates and hired them.

    Last but not least, how many geniuses that haven't smoked pot more than just a couple times have been accepted? Come on, it's ridiculous to have a policy that says one is not eligible if they smoked pot more than 3 times in their life. People, smart successful people, experiment, even for a short period in their early 20's.

    I guess that also unleashes another horde of inequalities: what about the gays? Oh, I guess they aren't really people, so fuck-em, right?
  • by Xaositecte ( 897197 ) on Friday June 13, 2008 @03:14AM (#23775189) Journal
    In the military, there are legal assistants whose entire job is to ensure military actions are only carried out against legal targets. In theory, you would stand next to the commander and make the call when an important call has to be made. In conventional operations, this means making sure you know what's a hospital or orphanage, what is an acceptable target, what zones the politicians have declared off-limits for troops to go into, etc. Around 95% of the time, this actually works, and the military actually obeys the law!

    This is a terrible job to have that other 5% of the time, because it makes you the designated fall guy when something happens. Especially when an order comes down from on high to ignore the law, and just get something done.

    I imagine the same legal assistants will be present to inform commanders of whether a target is legal or not in regards to cyber warfare.
