Cyberwar: Pentagon Takes on Cyber Enemies, Other Agencies


  • 7/31/2019 Cyberwar: Pentagon Takes on Cyber Enemies, Other Agencies


    Cyberwar: Pentagon Takes On Cyber Enemies, Other Agencies

    Nov 08, 2011 23:30 EST


    Taking on the Cyber Enemy

    DARPA's programs. (Nov 8/11)

    In response to the growing threats to US military and civilian networks, the Pentagon has unveiled its first formal cyber strategy.

    This follows a series of events over the last few years that have escalated cyber attacks against networks and infrastructure to warlike events. For example, an unidentified foreign national penetrated the internal networks of the Department of Defense (DoD) with an infected thumb drive in 2008. In 2009, a virus known as Stuxnet, suspected of being the product of Israeli-US government collaboration, shut down an Iranian nuclear power plant. And in 2011, defense contractor Lockheed Martin suffered a major cyber attack that was suspected of being carried out by the Chinese government.

    While the Pentagon has struggled to combat these threats, it has also had to fight some within its own ranks, as well as other agencies, for authority in cyberspace. This article focuses on the growing cyber threat to US military and civilian infrastructure and the efforts being made by the Pentagon to deal with these threats.

    Stuxnet and Beyond

    The China Connection

    The Best Defense is Offense

    Attribution: The Devil's in the Details

    Cyber Turf Wars

    Integration Efforts

    Future War

    Key Contacts

    Additional Reading


    Stuxnet and Beyond

    Stuxnet worm targeted Iranian nuclear facilities

    A major turning point in cyberwar came with the launch of the Stuxnet worm against an Iranian nuclear facility. Stuxnet was the first malware to specifically target control systems that operate industrial facilities, such as nuclear power plants.

    In late 2009, Iran decommissioned and replaced 1,000 IR-1 centrifuges at its nuclear fuel enrichment plant at Natanz. Iranian President Mahmoud Ahmadinejad later confirmed that the Stuxnet worm was the cause of the shutdown of the centrifuges.

    US security firm Symantec reverse engineered the worm's code and wrote a detailed white paper [PDF] on its operation. Symantec found traces of more than 30 programmers in the Stuxnet worm source code.

    The white paper said that Stuxnet targeted industrial control systems known as supervisory control and data acquisition (SCADA) systems. The ultimate goal of Stuxnet was to sabotage that Iranian facility by reprogramming the SCADA systems' programmable logic controllers (PLCs) to operate outside their specified boundaries.

    A report on the Stuxnet worm by the Institute for Science and International Security (ISIS) said that, "Although mechanical failures or operational problems have often been discussed as causing problems in the IR-1 centrifuges, the crashing of such a large number of centrifuges over a relatively short period of time could have resulted from an infection of the Stuxnet malware."

    A January 2011 report by the New York Times claimed that Stuxnet was an Israeli-US project developed at the highly secretive Israeli Dimona complex in the Negev desert. Citing US and European experts, the article judged that US and Israeli researchers developed the worm at the facility and tested it on nuclear centrifuges identical to centrifuges at Iran's Natanz nuclear facility.

    Although Stuxnet appears to have been developed to attack Iranian nuclear facilities, it has spread far beyond its intended target. The Stuxnet malware is able to be used against industrial facilities in Western countries, including the US, the Symantec researchers concluded.

    While Stuxnet is a targeted threat, the use of a variety of propagation techniques has meant that Stuxnet has spread beyond the initial target. These additional infections are likely to be collateral damage, unintentional side-effects of the promiscuous initial propagation methodology utilized by Stuxnet. While infection rates will likely drop as users patch their computers against the vulnerabilities used for propagation, worms of this nature typically continue to be able to propagate via unsecured and unpatched computers.

    What does the future hold for Stuxnet-like worms that attack critical infrastructure, particularly infrastructure run by SCADA systems?

    "Taking down a SCADA system only requires a network connection, a way to route packets to the PLC, and a way to bypass traffic filters," warned Avishai Wool, chief technology officer with AlgoSec.


    Wool said that most industrial control systems use antiquated protocols that were designed before the systems were hooked up to integrated communications networks. Should an attacker gain access to a vulnerable network, the attackers could use network links to manipulate the PLC and possibly destroy the infrastructure.

    While Stuxnet was sophisticated, its delivery mechanism, a USB drive, was old school, Wool noted. Cyber attacks using vulnerable networks, rather than worms planted in USB drives, could be the next stage of the war against critical infrastructure, he warned.

    The China Connection

    Chinese Cyber Events 1999-2009 (Source: USCC)

    While the US and Israel were cited as possible sources of the Stuxnet worm, China has been accused of being the source of many high-profile cyber attacks against major US and European companies and government networks.

    For example, China has been fingered as being behind the 2011 hack of RSA's SecurID database and the defense contractors that depend on the SecurID token for secure remote access by employees, according to security analysts.

    The RSA breach was carried out using an advanced persistent threat (APT), and China is known for using the APT attack method, Rich Mogull, chief executive of Securosis, told CNet. "APT is a euphemism for China. There is a massive espionage campaign being waged by [that] country. It's been going on for years, and it's going to continue," Mogull warned.

    RSA admitted that the security breach at Lockheed Martin was the result of information taken from the SecurID database. In addition, cyber attacks on L-3 Communications and Northrop Grumman appear to have been the result of the RSA breach.

    China had earlier been named as the source of the 2009 Operation Aurora attack that exploited a zero-day flaw in Internet Explorer to penetrate Google's networks. Google said that the attackers stole intellectual property from the company and also targeted 20 other US companies.

    China was also suspected of being behind the 2009 Night Dragon attacks on oil, gas, and energy companies. Chinese hackers stole sensitive intellectual property from these companies as well. A white paper by US security vendor McAfee found:

    "Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. We have identified the tools, techniques, and network activities used in these continuing attacks, which we have dubbed Night Dragon, as originating primarily in China."

    In a report on China cyberwar activities [PDF], the US-China Economic and Security Review Commission (USCC) concluded that the Chinese People's Liberation Army (PLA) is developing advanced cyber warfare capabilities.

    "Increasingly, Chinese military strategists have come to view information dominance as the precursor for overall success in a conflict. The growing importance of [information warfare] to China's People's Liberation Army (PLA) is also driving it to develop more comprehensive computer network exploitation (CNE) techniques to support strategic intelligence collection objectives and to lay the foundation for success in potential future conflicts."

    The PLA has created special computer network attack and exploitation units using civilian as well as military personnel, the report noted. These units are engaged in a long-term, sophisticated computer network exploitation campaign against Western targets.

    The US information targeted to date could potentially benefit a nation-state defense industry, space program, selected civilian high technology industries, foreign policymakers interested in US leadership thinking on key China issues, and foreign military planners building an intelligence picture of US defense networks, logistics, and related military capabilities that could be exploited during a crisis.

    In its 2010 report to Congress [PDF], the USCC charged that state-owned China Telecom diverted internet traffic from the US and other nations for about 18 minutes on April 8/10 by publishing incorrect routing information that diverted data through Chinese servers.

    The USCC said China Telecom actions caused other servers around the world to route all traffic to about 15% of the internet's destinations through servers in China.

    "This incident affected traffic to and from US government (.gov) and military (.mil) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others," the report said. It added that the commercial websites for Dell, Yahoo, Microsoft, and IBM were also affected.

    Richard Clarke, a national security official in three US administrations, warned in a June 15/11 Wall Street Journal op-ed that the US administration is ignoring the growing threat from Chinese cyber attacks.

    "Senior U.S. officials know well that the government of China is systematically attacking the computer networks of the U.S. government and American corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. In a global competition among knowledge-based economies, Chinese cyberoperations are eroding America's advantage."

    Clarke said that the administration is failing in its responsibility to protect US infrastructure from the daily cyberwar that China is conducting against the United States.


    The Best Defense is Offense

    Would you like a missile down your smokestacks?

    To counter these growing threats, the Pentagon has developed its first cyber strategy. The unclassified version of the cyber strategy, unveiled in July 2011, is a superficial discussion of the DoD's cyberspace strategy.

    In releasing the strategy, Deputy Defense Secretary William Lynn admitted that terabytes of data have been extracted by foreign intruders from corporate networks of defense companies. In a single intrusion this March, 24,000 files were taken.

    The stolen data range from specifications for small parts on tanks, airplanes and submarines to aircraft avionics, surveillance technologies, satellite communications systems and network security protocols, he added.

    The cyber strategy identified five initiatives that the Pentagon is taking to thwart attacks in cyberspace:

    treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace's potential;

    employ new defense operating concepts to protect DoD networks and systems;

    partner with other US government departments and agencies and with the private sector to enable a whole-of-government cybersecurity strategy;

    build relationships with US allies and international partners to strengthen collective cybersecurity; and

    leverage US expertise through promotion of a cyber workforce and technological innovation.

    The unclassified version did not contain the more provocative provisions identified in a May 31/11 Wall Street Journal article, in which US military officials were cited as sources.

    According to the article, the Pentagon cyber strategy would classify a major cyber attack against US infrastructure as an act of war that could trigger a conventional military response. As one Pentagon official put it, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

    According to the WSJ sources, the Pentagon is developing the concept of equivalence to decide when a cyber attack would trigger a conventional response. If a cyber attack results in death, damage, or a high level of disruption that a conventional military attack would cause, then it could be grounds for a conventional response.

    To counter the impression that the cyber strategy was a provocative document, Lynn went so far as to say in releasing the document that attacks in cyberspace are hard to trace to the source, which makes retaliation an ineffective strategy. At the same time, he left the door open for an unspecified response to a major cyber attack. "The United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of its choosing."


    The cyber strategy includes details of how offensive cyber operations are being designed to protect DoD networks and systems. The Pentagon is working on an active cyber defense capability based on discovering, analyzing, and countering cyber threats and vulnerabilities by employing sensors, software, and network intelligence.

    While not discussed in the unclassified cyber strategy, the use of cyberwar capabilities in conducting military operations is part of the US Cyber Command's mission.

    Cyber Command has the mission to counter cyberspace threats and assure access to cyberspace as well as support the armed services' ability to confidently conduct high-tempo, effective operations as well as protect command and control systems, and the cyberspace infrastructure supporting weapons system platforms from disruptions, intrusions, and attacks.

    There has been some confusion over exactly what the Cyber Command's roles and responsibilities would be in cyber operations. In a May 2011 report, the Government Accountability Office (GAO) criticized the DoD for not being more specific about the Cyber Command's roles and responsibilities in conducting cyberwar operations, particularly the role of civilians in such operations; the command and control relationships with the military commanders; and the mission requirements and capabilities to organize, train, and equip a cyber force. GAO was particularly critical of the lack of specificity in the command's Concept of Operations released in November 2010.

    "[G]reater specificity is needed as to the categories of personnel that can conduct various types of cyberspace operations in order for the military services to organize, train, and equip cyberforces. Service officials indicated that DoD guidance was insufficient to determine precisely what civilian activities are permissible for certain cyber activities, that DoD is still reviewing the appropriate roles for government civilians in this domain, and that the military services may be constrained by limits on their total number of uniformed personnel, among other things. Without the specific guidance, the services may in the future have difficulty in meeting personnel needs for certain types of cyber forces."

    The services were also concerned about the lack of direction from Cyber Command about the command and control relationships between the command and regional military commanders, particularly if cyberwar operations are carried out on a global basis.

    Without a clear and specific command and control relationship model, however, the services are unclear as to how, to whom, and in what form they will be required to present forces for cyberspace operations. The military services do not know whether they will be required to present trained individuals or complete mission-capable units, and they do not know if those individuals or units will be presented to U.S. Cyber Command or to regional organizations under the control of the geographic combatant commands.

    To provide more direction to the Pentagon, President Obama signed in June 2011 executive orders that describe the rules of engagement for US military commanders in carrying out cyberattacks and other computer-based operations against other countries, according to a report by the Associated Press.

    The orders provide guidelines as to when military commanders must seek presidential approval for cyberattacks on enemies, the report noted, citing defense officials and cybersecurity experts.

    The new White House guidelines would allow the military to transmit computer code to another country's network to test the route and make sure connections work in preparation for an actual assault. The guidelines also provide conditions under which the US military can respond to a cyber attack by blocking cyber intrusions and taking down servers in other countries.


    Attribution: The Devil's in the Details

    The devil you know

    Even after the US military determines that an attack caused damage equivalent to a conventional attack, determining that a government was responsible for the attack may be problematic. For example, the Chinese government has denied involvement in any of the cyber attacks traced to China.

    Commenting on the Pentagon's strategy as reported by the WSJ, David Nicol, director of the Information Trust Institute at the University of Illinois at Urbana-Champaign, told Scientific American:

    "Right now, with the infrastructure that we have it's very difficult using purely technological means to trace the source of some kind of attack. You can't just look at the connection between one computer and another because cyberattackers use multiple levels of cutout servers that make it difficult to determine where data is being sent. These computers that do the cutoffs are in foreign countries so there's little recourse in terms of requesting log files from those computers."

    As Robert Hahn, director of economics at Oxford University's Smith School, and Peter Passell, senior fellow at the Milken Institute in Santa Monica, commented in a June 4/11 op-ed in Forbes magazine:

    "The source of a nuclear weapon can be traced relatively easily from the radioactive signature of the fissile material. But sophisticated hackers have a good shot at completing attacks without leaving fingerprints. And if you don't know who did it, the threat of retaliation isn't much of a deterrent."

    As an example of the attribution problem, researchers at McAfee confessed that they had no direct evidence to name the originator of the Night Dragon attacks on US oil, gas, and energy infrastructure but rather relied on circumstantial evidence.

    "While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial [command and control] infrastructure to the attackers; this individual is based in Heze City, Shandong Province, China. Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.

    "Beyond the curious use of the zw.china password that unlocks the operation of the zwShell [command and control] Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were company men working on a regular job, rather than freelance or unprofessional hackers. In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums."

    So researchers from a leading US information security firm were only able to obtain circumstantial evidence that the attackers were Chinese company men working for an organization on a regular time schedule. This would hardly constitute sufficient evidence to support retaliation against the Chinese government, even if the damage done to the US energy infrastructure was severe. The problem of attribution would only be compounded if the perpetrators were non-state actors, such as Al-Qaeda.

    Cyber Turf Wars

    Proposed AFCYBER Logo

    The Pentagon has not been unchallenged in its efforts to assert its authority in cyberspace. It has faced push back within its own ranks, from the Air Force in particular, and from other federal agencies, most notably the Department of Homeland Security.

    The Air Force made an early grab to be the dominant force in cyberwarfare capability, asserting its authority over the cyberspace domain back in 2005. The Air Force then pushed to set up an 8,000-man strong cyber command to be called the Air Force Cyber Command (AFCYBER).

    However, after a shakeup in the top levels of the Air Force in 2008, in which both the Air Force secretary and chief of staff stepped down, the service decided to suspend its efforts to set up the command. An internal Air Force memo dated Aug 11/08 obtained by Nextgov said that transfers of manpower and resources, including activation and reassignment of units, shall be halted.

    The delay was ostensibly instituted to give the new chief of staff, Gen. Norton Schwartz, time to make a final decision on the scope and mission of the command. But service sources told Nextgov the decision was in response to fierce opposition from both the Army and the Navy, which were both developing expertise in cyber operations.

    In fact, the Air Force never did set up the Air Force Cyber Command. Instead, responsibilities for the cyberspace mission were transferred to the 24th Air Force, which was set up in 2009 [PDF] under the Air Force Space Command. Its designation was officially changed from Air Forces Strategic to Air Forces Cyber in 2010.

    The 24th Air Force is now the service's component of the US Cyber Command, along with the Army Forces Cyber Command, the Fleet Cyber Command, and the Marine Forces Cyber Command.

    In addition, DHS, which has cybersecurity authority over civilian federal government networks, has pushed back on the Pentagon's efforts to expand its cyberwarfare authority over US critical infrastructure, which is primarily privately owned.

    DHS Secretary Janet Napolitano made clear in a December 2010 speech that she considers defending US critical infrastructure to be her domain, not the market's or the military's:

    "Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it's the market or the war. Those are the two analogies that you hear. Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe."

    At the same time, DHS and the Pentagon have agreed to cooperate on the defense of critical

    Homeland Security, and 20 companies that operate DOD networks. When the pilot was first announced back in June, the Washington Post listed AT&T, Verizon and CenturyLink as the involved Internet Service Providers (ISPs), while Lockheed Martin, SAIC, CSC and Northrop Grumman are among the defense contractors.

    Threat signature information is shared by U.S. Cyber Command and NSA members with the participating companies, whose number is going to be increased. Lynn said the pilot is intended to demonstrate that we can utilize this public-private partnership to protect critical infrastructure networks with other government agencies in mind for possible replication of this dual model. USAF release.

    Future War

    Constant Vigilance

    So what does the future hold in cyberspace? It seems that the Pentagon is finally taking the threats of cyber attack seriously. Offensive cyber operations will be a part of the US arsenal, whether as a response to a cyber attack by an adversary or as a component of a military strategy to defeat an enemy in the physical and cyber realms.

    As noted above, worms like Stuxnet are likely to proliferate in the coming years, targeting critical infrastructure of industrialized economies. Countries like China can be counted on to develop sophisticated cyber attack methods in an effort to level the strategic playing field with the US.

    Perhaps the most enduring question coming out of the Pentagon's new cyber strategy is: Will the US military use conventional military power to respond to a major cyber attack on US infrastructure? If a country or non-state group succeeds in crippling the US energy grid, for example, will the US military put a missile down the smokestacks of the perpetrator? Can the perpetrator even be identified with enough confidence to provide justification for an attack?

    These are questions that will need to be answered as the Pentagon refines its strategy. Two things are certain, however. First, cyber attacks against US military, government, and industrial targets will increase in number and severity. And second, the Pentagon will need robust cyberwar capabilities to defend the US in the 21st century.

    Selected Contacts as of June 2011

    Larry Burger, US Army's Future Warfare Center, tel: 256-955-3887, email larry.burger @smdc.army.mil

    Dan Kuehl, Information Resources Management College, National Defense University, tel: 202-685-2257, email: kuehld @ ndu.edu

    Lt Gen Robert E. Schmidle Jr., deputy commander, US Cyber Command, email robert.schmidle@ usmc.mil

    Col Robert J. Skinner, Commander, USAF 688th Information Operations Wing, tel: 210-925-4425.

    Col. Glenn Zimmerman, DoD Cyber Space Task Force, tel: 703-697-2807, email: Glenn.Zimmerman-02 @ pentagon.af.mil

    Additional Reading

    Reuters (November 7/11) U.S. says will boost its cyber arsenal

    DoD (July 14/11) Department of Defense Strategy for Operating in Cyberspace

    DID (June 2011) DoD Cybersecurity Spending: Where's the Beef?

    Associated Press (June 23/11) Obama signs rules of engagement for cyberattacks on enemies

    Wall Street Journal (June 15/11) China's Cyberassault on America (Op-ed by Richard Clarke)

    Scientific American (June 13/11) The Fog of Cyberwar: What Are the Rules of Engagement?

    Nature (June 8/11) Computer security: Is this the start of cyberwarfare?

    Bloomberg (June 8/11) FBI Will Increase Efforts to Battle Computer Hacking, Mueller Testifies

    Forbes (June 4/11) Cyberwar with China? More Likely, the Enemy Will Be Anonymous

    Center for a New American Security Conference (June 2/11) Cyber Security in the Information Age (C-SPAN video)

    C-SPAN/Washington Journal (June 1/11) US Response to Cyber Attacks Interview with Daniel Gallington of the Potomac Institute for Policy Studies

    The Guardian (June 1/11) Google phishing: Chinese Gmail attack raises cyberwar tensions

    Air Force Magazine (June 2011) Cyber Futures

    Wall Street Journal (May 31/11) Cyber Combat: An Act of War

    Bloomberg (May 29/11) U.S. Offers Lockheed Help After Tenacious Cyber Attack

    GAO (May 20/11) Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities

    Survival (February-March 2011) Stuxnet and the Future of Cyber War

    CSO (Feb 16/11) DoD: Military Must be Capable Within Cyber Domain

    The New York Times (Jan 15/11) Israeli Test on Worm Called Crucial in Iran Nuclear Delay

    Institute for Science and International Security (Dec 22/10) Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment

    Air Force (Dec 8/10) 24th Air Force Becomes AFCYBER

    The Atlantic (Nov 4/10) The Stuxnet Worm? More Than 30 People Built It

    House Armed Services Committee (Sept 23/10) Operating in the Digital Domain: Organizing the Military Departments for Cyber Operations (Testimony of Maj Gen Richard E. Webber, Commander of the 24th Air Force)

    Foreign Affairs (September/October 2010) Defending a New Domain: The Pentagon's Cyberstrategy (authored by William Lynn, US deputy secretary of defense)

    InformationWeek (Aug 25/10) Pentagon Confirms Flash Drive Breached Military Network

    The Sunday Times (March 8/10) Cyberwar declared as China hunts for the West's intelligence secrets

    Air & Space Power Journal (Fall 2009) Cyberspace Leadership: Towards New Culture, Conduct, and Capabilities

    Wired (Aug 18/09) Air Force Establishes Reduced Cyber-War Command

    Reuters (Aug 4/09) White House still seeking cybersecurity

    Air & Space Power Journal (Fall 2008) Redefining Air, Space, and Cyber Power

    Ars Technica (2008) Black Hat is the new Jarhead for cyber warfare

    Signal magazine (August 2007) Cyberspace Command Logs In

    Air & Space Power Journal (Spring 2007) Dominant Air, Space, and Cyberspace Operations

    Space War (Oct 9/06) US Air Force Prepares for Cyber Warfare
