Here are the answers to your questions for Major General William T. Lord, who runs the just-getting-off-the ground Air Force Cyber Command. Before you ask: yes, his answers were checked by both PR and security people. Also, please note that this interview is a "first," in that Generals don't typically take questions from random people on forums like Slashdot, and that it is being watched all the way up the chain of command into the Pentagon. Many big-wigs will read what you post here -- and a lot of them are interested in what you say and may even use your suggestions to help set future recruiting and operational policies. A special "thank you" goes to Maj. Gen. Lord for participating in this experiment, along with kudos to the (necessarily anonymous) people who helped us arrange this interview.
How do we prevent "mission creep" (Score:5, Insightful)
by Jeremiah Cornelius (137)
It appears that the military is increasingly involved in areas who's jurisdiction was once considered to be wholly in the civil domain. Use of jargon like "cyberspace" seems only to obfuscate and distract from the core issue. This appears an effort to recruit public opinion and defuse the deeper questions that strike at the heart of a free and civil society. I think that if we had a statement that "The private mails are a warfighting domain" would generate a fair amount of debate on the role of the military as opposed to the police, the function of constitutional protection of liberties, and the question of what actually constitutes a state of war.
What are the limits on this jurisdiction? Who enforces these limits, and how is the public informed of that status? How are efforts to extend being safeguarded from creating mission creep that threatens all civil discourse in the United States and abroad form targeting, suppression, propaganda and extra-legal surveillance?
A very good question. It's a complex issue, but bottom line is that we won't need new laws to be able to fly and fight in cyberspace. The DoD's role in protecting cyberspace is governed by domestic and international law to the same extent as its activities in other domains. Other U.S. agencies, such as the Department of Justice and the FBI, have important and, in many cases, leading roles to play.
Attacks on the US and its Allies by China (Score:5, Interesting)
by Yahma (1004476)
There have been several recent news reports that China has and is engaging in a nationally funded effort to hack into and attack US government computer systems. The German government recently announced that they traced recent aggressive cyber-attacks back to the Chinese government. What, if anything, is being done against this type of cyber-terrorism against us and our allies? Why do we still confer most-favored nation trading status onto a Nation who is actively engaged in efforts to spy on and attacak our government and corporate computer systems?
Yes, there are lots of news reports on that, but I'm sure you can appreciate the fact that there are other branches of the U.S. government that must answer your foreign policy questions. I can tell you that securing cyberspace is difficult and requires a coordinated and focused effort from our entire society - federal government, state and local governments, the private sector and the American people. The Air Force is working to improve our ability to respond to cyber attacks, reduce the potential damage from such events, and to reduce our vulnerability to such attacks.
Accept, Retain, Solicit good people? (Score:5, Interesting)
by Lally Singh (3427)
Some of the most talented people in computer security tend to have the sort of records that prevent them from getting clearance. Maybe nothing heavily criminal, but enough of a colored background that traditional security clearance mechanisms would throw them out of the room before they get started. Often the same types of minds that are really good at computer security are also the rebel types, who'll have some history. Will you work to get these people in, or are we looking at a bunch of off-the-shelf programmers/admins who've taken a few simple courses in computer security?
Also, how do you plan to attract/retain them? Again, rebel types are some of the best hackers, and they're not likely to go in without incentives. Not due to any lack of patriotism per se, but an unexplored understanding of it. More importantly, they're likely to be anti-establishment types who aren't comfortable in the strict traditional chain of command. Finally, usually the outside industry pays quite well for the good ones. Are you prepared to financially compete for the best?
Finally, will there be any connections back to the research/academic community? You may find academics more happy to help than usual, as cyber warfare can often be nonviolent. Also, will the existing (and immense) capability within the NSA be properly leveraged?
I believe even the most unlikely candidate, when working for a cause bigger than himself, turns out to be a most loyal ally. Young men and women come into the military for any number of reasons - education, health care, etc. - but end up staying because they believe what they're doing matters. We know money doesn't create loyalty--a sense of purpose does. We'll take what they have to offer, and in turn they might be surprised by what they get back. It's not just our military members either, it's all those who partner with us . . . academia and private industry, our civilians and contractors, too. In the cyber command, there is a purpose and sense of urgency to be ready. You can bet that we leverage all the expertise out there to help us do our job.
Older recruits? (Score:5, Interesting)
by rolfwind (528248)
It seems that in the military traditionally it was always looking for people fresh out of highschool for EMs and if you wanted to get anywhere in the military you had to be either college educated or, to really have a high end military career, start really young in something like the Valley Forge Military Academy and work from there.
In a traditional branch of the army/navy/airforce that is probably as it should be.
But in this area people have to be trained for years, still not know as much as the older hands in the private industry, and before they really know enough their enlistment would be over. Also, it would be unacceptable for an older IT person to join but take a pay cut to a Private's level or perhaps even a Lieutenant's -- so I imagine this branch would have to be somewhat different.
Is the military going to do to reach out toward the older folks who have extensive experience and knowledge outside the military?
As I work alongside today's Airmen, many with very specialized skill sets in great demand outside the Air Force, I find them to be incredibly well trained and up-to-speed on current technologies. We bring them in from a general practitioner level and take them to expert level in reasonable time ... and well before retirement age indeed! We train them with specific technical skills as well as overarching abilities required to lead in today's environment. You're right in that we couldn't compete in the cyber world without the experts in the civilian industries who give us the technology in the first place, provide the architectures we use, and even the software we need. People don't have to enlist or take a pay cut to help us out. Certain skill sets can also be brought on board as civilians or contractors, and in many cases we do offer compensation competitive with the commercial sector.
Which acts of war should be illegal in cyberspace? (Score:5, Interesting)
by cohomology (111648)
War is never clean.
In conventional warfare, certain actions such as hiding among civilian populations are forbidden. These actions are considered war crimes because of the collateral damage they are likely to cause. What actions in cyberspace do you think should be outlawed? How about intentionally bringing down hospital IT systems, or destroying undersea cables without regard to the effects on civilian populations?
The U.S. military complies with all applicable domestic and international laws, and that will certainly apply equally within cyberspace. The Law of Armed Conflict, for example, arose from a desire among civilized nations to prevent unnecessary suffering and minimize unintended destruction while still waging an effective war. It would be possible, as you mentioned in your scenario, that some who ignore the laws of civilized nations could conduct operations in cyberspace that may have unlawful negative consequences on civilian populations. For us, abiding by these laws, being good at we what do and maintaining a technological advantage over our adversaries provides us a first line of defense. Those who commit unlawful acts would certainly face potential criminal liability for war crimes.
Physical Fitness (Score:5, Interesting)
by spacerog (692065)
General, You were recently quoted in Wired as having said "So if they can't run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in." Is this an accurate quote? As a former member of the US Army I must say that passing a PT test is not very difficult and the suggestion that some soldiers should be exempt from basic minimum requirements is rather upsetting. Are you actually advocating the relaxation of military physical fitness standards for 'cyber warriors'? Would this not create a double standard and animosity between the cyber command and other sections of the military? Surely there must be other recruitment incentives that can be applied to attract the talent you need.
I don't disagree with you . . . and I am not advocating changing our PT test. What I am saying is that we, as a military culture, need to look beyond what we've traditionally recruited. The very nature of our military requires that we be able to work in combat conditions and be able to establish and protect our cyber/communications structures and networks in remote, even austere conditions. As anyone who has worked in these austere locations will tell you, being fit is critical to mission success, so I don't foresee or advocate for a relaxation of standards just to bring in this specific type of talent. But, as we know, some of what we do in cyber can be done at home station as well, so what will our force look like in the future? This is something we need to look at and evaluate as we progress in this area.
It is good war is so terrible... (Score:5, Insightful)
by MozeeToby (1163751)
A wise man once said "It is good that war is so terrible, lest we grow too fond of it". If cyberwarfare ever becomes a reality, how do we respond to the fact that is isn't "terrible"?
The direct damage from such warfare would be primarily economic or data security related (rather than a cost in human lives) how do you feel we can prevent it from becoming a monthly, yearly, or daily occurance?
The fact is we are dealing with this on a daily basis and it won't be going away anytime soon. Not for any of us. The way to shield ourselves from these attacks is to be at the forefront of technology, tactics and procedures relating to operating in cyberspace. We have systems and software that are protected by multiple layers of security and functional redundancy. We train our people to be on the cutting edge of this technology, and we find ways secure our information. We have to take this very seriously because we rely on our networks to conduct military operations all around the world. The person who hates war the most is the warrior who has to go to it ... we want to prevent that.
Criminal vs Warlike Actions (Score:5, Interesting)
by florescent_beige (608235)
Does the AFCC have a mandate to pursue criminals that use information infrastructure to commit crimes, or is your group intended to defend against warlike attacks only?
If the latter is true, how would you distinguish between criminal activity and warlike activity in cyberspace?
The speed and anonymity of cyber attacks makes it very hard to distinguish what actions would be those of terrorists, criminals, nation states or just some lone prankster. Our command coordinates with government partners such as the DoD's Cyber Crime Center staff, who work with law enforcement officials to investigate and prosecute criminal acts if necessary. A "war-like activity" can also include presenting misleading information to our battlefield commanders. So, we've got to be spot on about authenticating the trusted source of that information in the first place. But, generally speaking, if something is a coordinated attack that would cause disruption or an attack that required a high level of technical sophistication to carry out, that would cause us to take a closer look and recommend a proper response.
Legal Hacking... (Score:5, Funny)
by JeanBaptiste (537955)
Just post a list of the stuff you want hacked and the more patriotic hackers will enjoy doing it for free.
Due to the nature of hacking and what many people do to acquire such skills, they may not want to 'join up' and all that.
But if you post a list of IP's that are okay to bring down, and networks you want information stolen from, with the understanding that the US will not condemn any attacks, and I'm sure more than enough people would do it for free.
Is there anything like this already in place? Cause I got nothing better to do this weekend. Or most any weekend.
YGTBKM! LOL! I like your enthusiasm, but you know the Air Force neither encourages nor condones criminal activity.
Could a Cyber Attack Trigger a Real War? (Score:5, Interesting)
by florescent_beige (608235)
I'm curious to know if you have have any criteria that would enable you do decide when a cyber attack is an act of war. Would it be possible for some kind of action inside a network to lead to a shooting war without some kind of overt physical threat occurring first?
Within the Department of Defense, we are careful not to speculate about what would be considered an act of war. Our nation's elected officials are the ones who will decide what threats to, or actions against our national security will constitute an act of war against the United States. These same leaders will likewise determine what an appropriate response would be, and that could be diplomatic, economic or involve the military to demonstrate the nation's resolve. That's why it's my responsibility to oversee the building of a command that will provide our leaders, through the appropriate chain of command, with many options with which to deter threats in the first place or respond when necessary.
Why was the Air Force tasked with this? (Score:5, Interesting)
by Isaac-Lew (623)
Why should the US Air Force be tasked with this, instead of DISA or NSA, neither of which is tied to a specific branch of the military?
Don't confuse the fact that we are standing up the Air Force Cyber Command to mean we are the lead for the nation, or the primary command to respond to a particular incident. We are just one part of a combined effort. Our first priority is to work with DoD to defend AF military resources, but many of those resources rely on civilian entities, so we obviously have a keen interest in protecting those items as well. We thought it was the right thing to do to consolidate our efforts and to align all the Air Force cyber-related resources so we can have better command and control. This command will be able to respond better to the needs of our commanders and be the focal point within the Air Force for cyber security and defense missions, as well as respond to emergencies and natural disasters. Make no mistake, we are partners with the other sister services--the Army, Marines, Navy--as well as with DISA, NSA and Homeland Security to name a few. We're all in this together.
Question about Existing Contractors (Score:5, Interesting)
by tachyon13 (963336)
General Lord, I currently work as the exact type of 'cyber warrior' you intend to recruit. But I already have a Top Secret clearance, already familiar with DoD systems, etc. The dynamic with what we call 'Information Assurance' is that of a constant struggle with our contractor management (stay within the contract, the budget, etc) and with our 'warfighter' higher ups (educating them on why they can't have full access from their home in the spirit of "operations are a priority, to hell with security"). So assuming you can get the type of expertise that are eligible for clearances, and that are willing to relocate to Offutt/etc, how are you going to address the core issue of security in the DoD: Operations/budget/schedule will always trump security. Or alternatively, security will always be back burner to 'hot' issues. Thank you for your time.
Certainly the balance between having access to do our mission and having robust security is an issue where not everyone agrees on just how much to restrict or how much to allow. The Air Force takes the security of its computer networks very seriously and has taken several measures to educate our users and to provide secure means for them to operate. As with many other issues, the Air Force through its commanders, must assess the risks and make a decision. I don't agree or I maybe I just haven't seen where security is always a back burner item.
CyberCommand Location (Score:5, Interesting)
by Mz6 (741941)
Can you explain some about the situation developing between Barksdale AFB and Offutt AFB as they try to fight over the eventual final location for CyberCommand? My thoughts are that finding and recruiting talent, and laying the foundation for such a large wired infrastructure in the Omaha, Nebraska area may be easier to accomplish than in and around Shreveport, LA. What types of things is the DoD looking for when they choose the final location for this new Command?
The government actually has a regulation that covers the whole process for choosing a location for a command and it's a very defined, thorough process. The bases must meet certain criteria -- existing infrastructure would be just one aspect of many items along with communications or square footage requirements, but there are other considerations, such as the impact to the environment that the Pentagon will consider. I would hope that no matter where it was located, we would still be able to attract the talent needed to work in this exciting command and that all communities see the need to protect this domain.