28 March 2013
Cyber Nuclear Hokum
A sends:
http://cryptome.org/2013/03/cyber-nuclear-hokum.pdf
(146 pages, 4.0MB)
Defense Science Board Task Force Report
Resilient Military Systems and the Advanced Cyber Threat
January 2013
[Excerpt]
Executive Summary
The United States cannot be confident that our critical Information Technology
(IT) systems will work under attack from a sophisticated and well-resourced
opponent utilizing cyber capabilities in combination with all of their military
and intelligence capabilities (a "full spectrum" adversary). While this is
also true for others (e.g. Allies, rivals, and public/private networks),
this Task Force strongly believes the DoD needs to take the lead and build
an effective response to measurably increase confidence in the IT systems
we depend on (public and private) and at the same time decrease a would-be
attacker's confidence in the effectiveness of their capabilities to compromise
DoD systems. We have recommended an approach to do so, and we need to start
now!
While DoD takes great care to secure the use and operation of the
"hardware" of its weapon systems, these security practices
have not kept up with the cyber adversary tactics and capabilities. Further,
the same level of resource and attention is not spent on the complex network
of information technology (IT) systems that are used to support and operate
those weapons or critical cyber capabilities embedded within them. This Task
Force was asked to review and make recommendations to improve the resilience
of DoD systems to cyber attacks and to develop a set of metrics that the
Department could use to track progress and shape investment priorities.
Over the past 18 months, the Task Force received more than 50 briefings from
practitioners and senior officials throughout the DoD, Intelligence Community
(IC), commercial practitioners, academia, national laboratories, and
policymakers. As a result of its deliberations, the Task Force concludes
that:
- The cyber threat is serious, with potential consequences similar in some
  ways to the nuclear threat of the Cold War
- The cyber threat is also insidious, enabling adversaries to access vast new
  channels of intelligence about critical U.S. enablers (operational and technical;
  military and industrial) that can threaten our national and economic
  security
- Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared
  to defend against this threat
- DoD red teams, using cyber attack tools which can be downloaded from the
  Internet, are very successful at defeating our systems
- U.S. networks are built on inherently insecure architectures with increasing
  use of foreign-built components
- U.S. intelligence against peer threats targeting DoD systems is inadequate
- With present capabilities and technology it is not possible to defend with
  confidence against the most sophisticated cyber attacks
- It will take years for the Department to build an effective response to the
  cyber threat to include elements of deterrence, mission assurance and offensive
  cyber capabilities.
Report Terminology
To discuss the cyber threat and potential responses in more detail, it is
important to establish some common language. For purpose of this report,
Cyber is broadly used to address the components and systems that provide
all digital information, including weapons/battle management systems, IT
systems, hardware, processors, and software operating systems and applications,
both standalone and embedded. Resilience is defined as the ability to provide
acceptable operations despite disruption: natural or man-made, inadvertent
or deliberate. Existential Cyber Attack is defined as an attack that is capable
of causing sufficient wide scale damage for the government potentially to
lose control of the country, including loss or damage to significant portions
of military and critical infrastructure: power generation, communications,
fuel and transportation, emergency services, financial services, etc.
The Task Force developed a threat hierarchy to describe capabilities of potential
attackers, organized by level of skills and breadth of available resources
(See Figure ES.1).
- Tiers I and II attackers primarily exploit known vulnerabilities
- Tiers III and IV attackers are better funded and have a level of expertise
  and sophistication sufficient to discover new vulnerabilities in systems
  and to exploit them
- Tiers V and VI attackers can invest large amounts of money (billions) and
  time (years) to actually create vulnerabilities in systems, including systems
  that are otherwise strongly protected.
Higher-tier competitors will use all capabilities available to them to attack
a system but will usually try lower-tier exploits first before exposing their
most advanced capabilities. Tier V and VI level capabilities are today limited
to just a few countries such as the United States, China [1,2] and
Russia. [3]
[1] Office of the National Intelligence Executive; "Foreign Spies Stealing
US Economic Secrets in Cyber Space: Report to Congress on Foreign Economic
Collection and Industrial Espionage," 2011
[2] Gen Keith Alexander; testimony to US Senate Armed Services Committee on
US Strategic Command and US Cyber Command in Review of the Defense Authorization
Request for Fiscal Year 2013; Tuesday, March 27, 2012
[3] Maneki, Sharon; "Learning from the Enemy: The Gunman Project," Center for
Cryptologic History, National Security Agency; 2009