

U.S. Cyber Command has no idea why it exists - cwan
http://reason.com/archives/2010/05/26/meet-your-new-commander-in-gee

======
tptacek
This article is awful. Instead of doing actual reporting, which would quickly
have unearthed the actual purpose of a "cyber" (gag) - command --- which is to
protect the integrity of critical information systems (particularly military
and utilities) and to develop mechanisms to deny those capabilities to
adversaries --- the writer of this piece contents himself with quips like
"commander in geek" and "glasses-wearing general" and "world's most powerful
IT guy".

I sympathize with Reason's philosophy in general (though I'm not a
libertarian), but isn't a strong military one of the very few things that even
libertarians agree we should be letting the government take care of?

~~~
yummyfajitas
_...but isn't a strong military one of the very few things that even
libertarians agree we should be letting the government take care of?_

A fact, which is often lost in modern political discussions: goals != results.
One can oppose a law or program because of poor implementation (or expected
poor implementation) even while agreeing with it's goals.

For instance, I favor some banking regulation to reduce leverage and the
possibility of contagion. However, I oppose the particular bill currently
likely to be passed, because it makes speculation (particularly shorts) more
difficult and codifies bailouts/government forced bankruptcy into law.
Similarly, I expect the author of this article favors national defense, but
opposes this program since it appears to be ineffective and potentially
harmful.

~~~
tptacek
If anything, the most painful complaint you can make about the modern
military's role in information security is their _lack_ of involvement. We're
far more likely to lose billions of dollars due to a concerted attack on our
utilities or financial markets than China is.

So, while I see what you're saying, I don't think it's a coherent response to
my comment or the article.

~~~
CWuestefeld
_the most painful complaint you can make about the modern military's role in
information security is their lack of involvement._

On the contrary. Given that the Internet is the creation of DARPA, indeed, was
once called "ARPAnet", they're already up to their eyeballs. And to their
credit, they've done an excellent job. I don't have citations handy, but I
recall reading over the past year about many supposed "cyber attacks", yet for
the most part, we all go about our business and surfing without even noticing
that anything was going on.

The folks that designed the protocols on which this network runs (everything
from ethernet through TCP/IP through DNS) did a phenomenal job. The network
just may be the most robust thing ever engineered by man.

So perhaps they've already done their job. The front-loaded engineering gave
us something that can withstand huge amounts of abuse, and so doesn't require
an army (literally) to babysit it.

~~~
tptacek
You and I aren't having the same conversation. I tend to agree with everything
you just said, but the issue isn't the government's role in _running_ the
Internet. It's the government's role in offensive and defensive computer
security. In other words: it's preventing China from paying 20 year olds to
shut down the power grid (note: plausible) and directing research that would
allow us to do that to China.

------
ErrantX
Yeh, this is not a new problem. In the 80's there was a lot of "discussion"
over who had exactly what jurisdiction on the internet.#

It's not really got much better since.

------
fintler
It just seems like the Cyber Command is taking over functions traditionally
reserved for the NSA. Consolidating efforts for reverse engineering malware
and other software seems to be the primary focus at the moment.

~~~
tptacek
Since NSA is going to keep doing all that stuff anyways, I doubt they mind too
much; it just means the oversight is getting shifted away from them.

------
bartl
It seems to me that somebody with not much of a clue has read some rather bad
sci-fi novels, and now wants to make it a reality -- with not much of a clue
as to what "it" really is.

~~~
tptacek
I can't tell whether you're talking about the author of the article, or the
federal government. If it's the author, I agree.

------
DanielBMarkham
Nerds. With guns.

All snarky humor aside, the purpose here is to have a military commander to
point the finger at if and when the nation has a crippling attack on internet
infrastructure. When that happens, he'll be the guy getting lots of money.

I agree that it is a bit of a power grab, but the Air Force has been looking
for more elbow room for a while. We don't need a lot of B-2 bombers to find
OBL. The real question is how to determine if they are doing a good job or
not? It's kind of an important thing to know. Especially if you spending a lot
of money.

So I support some kind of planning/organization, but I'm not sure an entire
command should have been created.

There are some very interesting things going on in the cyber warfare arena.
I've seen enough to know it is a risk. We need to pay somebody to keep an eye
on it and prepare for contingencies.

I'm just not happy with the Air Force. Something about the match of that
agency with that mission doesn't sit well with me. I see lots of expensive
cyber warfare computer infrastructure in the near future. I'd rather see DoD
do some kind of SecDef skunkworks project sub rosa with some of the incredible
tech companies in the states than set up a command. This is time for maximum
impact, not structure. You guys have any idea what kind of BS goes with a
command? It's the wrong move with the wrong guys.

~~~
tptacek
Of the three major service agencies, the Air Force has always been closest to
internet security. They're a feeder for network security people in the
industry, and they've been in the middle of "cybercrime" investigations since
Operation Sun Devil in the early '90s.

So really, you need to start with the question of, "should the DoD be running
information security, or should intelligence"? If it's military, then it's
naturally going to be the Air Force.

Incidentally: this is _not_ an area where the government can simply
collaborate with private industry. Too much of what's required to be effective
(start with intensely sensitive information sharing) is off the table for
private companies.

~~~
DanielBMarkham
I agree with all of that.

Part of the question is whether cyber activities are domestic in nature or
foreign. While it might seem like a moot point to folks from other countries,
we make a distinction about which agencies can do what and where. There needs
to be some thinking about how an actual cyber war would happen. Would Air
Force personnel physically take out internet backbones located inside the
Continental U.S.? Would they serve search warrants? If not, would they direct
the FBI to do so? Can they detain or investigate people?

We focus on the logical structure of a cyber-attack: computers, code, vectors,
etc. But there a are a lot of physical components as well, and they can be
located anywhere.

I completely agree that the AF is best of all the services to do this. If
anything, the eventual solution should probably end up as an equal to DoD and
not as a subordinate -- this subject area is just a weird duck when it comes
to constitutional law. I just don't think taking the idea of a _command_ and
applying it here makes much sense. Sounds like the old "I have the solution,
what is your problem" scenario.

And I can't get into your second point without becoming uncomfortable. Yes,
we're not talking some kind of loose collaboration. But there's a long way
from simple collaboration with industry to having a GS-12 potentially decide
the fate of billions of dollars of e-commerce. The career track here does not
match at all with the other services.

Or to put this in a personal story, I knew a guy who worked with very
sensitive information for the Navy back in the day. He had a PhD from MIT and
never wore a Navy uniform. He showed up to work everyday in sandals and
Bermuda shorts. While he was incredibly effective for the Navy, he also did
not fit into the traditional roles at DoD whatsoever. They had an inspection
and he was supposed to have a uniform. He had no idea what a uniform looked
like or how to wear one, and it was quite an adventure making it all happen on
time. All of the paperwork and procedures the Navy required made absolutely no
sense to him -- so he had other people take care of it.

Now you can get away with this for a while in small isolated units where the
rest of the organization can "cover" for them, but it's another thing entirely
if 90% of the guys doing the work don't fit into the cookie-cutter mold they
are supposed to.

An organization structured to hone young people into super responsible war-
fighting roles, doing so in ways it has learned in wars since Sparta, is going
to have a lot of problems with the people, personalities, and experiences
necessary to fulfill this particular mission. In my opinion.

EDIT: Or to put this in terms of my original joke, which was meant to be
insightful, I'm not so sure that an organization dedicated to cyber warfare
needs to be part of the _armed_ forces.

~~~
tptacek
Your second graf is very sensible and raises many of the big questions here.
At the same time: the threat we're talking about is very real --- it may be
the most cost-effective way to hit the US today. We've done much dumber things
in the name of national security than anything the "Cyber Command" could
possibly execute on.

We're way behind the eight ball here --- at least in terms of the stuff we're
allowed to know about --- and I think it's probably best to reserve criticism
until we actually have something up and running to oversee.

~~~
DanielBMarkham
I like criticism, so I'll take issue there, but for the rest of your comment I
wish I could upvote you about a dozen times.

And that may be the first time that has happened :)

~~~
tptacek
The problem I have is that the notion of "cyber war" is so open-ended, and
runs from immediate practical reality to pure science fiction, that a
discussion of a "Cyber Command" is just going to waste a lot of time on BS
like the government's secret plan to take over civilian computing systems, or
to install spyware on everyone's computer.

Irony: the crazy-sounding stuff, like remote-destroying people's pacemakers or
turning off the power to a whole country --- _more plausible_ than the
government takeover of the Internet.

