ARSTRAT IO Newsletter

Information Operations
Newsletter
Compiled by: Mr. Jeff Harley
US Army Space and Missile Defense Command
Army Forces Strategic Command
G39, Information Operations Division
The articles and information appearing herein are intended for educational and non-commercial purposes to promote discussion of research in
the public interest. The views, opinions, and/or findings and recommendations contained in this summary are those of the original authors and
should not be construed as an official position, policy, or decision of the United States Government, U.S. Department of the Army, or U.S.
Army Strategic Command.
Vol. 11, no. 02 (1-15 February 2011)
Table of Contents
1. Eighth Annual US Army Global Information Operations Conference
2. Air Force Embraces New Mindset for Cyber Warfare
3. China’s Active Defense Strategy and Its Regional Impact
4. China’s Active Defense Strategy and its Regional Impact
5. Chinese Use of Cyberwar as an Anti-Access Strategy - Two Scenarios
6. Social Media as a Tool for Protest
7. DOD Database Would Sift All Network Traffic for Signs of Attack
8. Speech and Communications as War
9. Google Declares War on the Egyptian Government
10. How Rumsfeld Abandoned the Peacemakers
11. Weapons Exist to Defeat Cyber Attacks, But Are Not Being Used
12. General Offers Details on Cyber Command Authorities, Organization
13. U.S. Has Secret Tools to Force Internet on Dictators
14. U.S. State Department starts Farsi Twitter feed
15. Freedom to Connect
16. Somalia's Al-Shabaab Launch TV Channel
17. Hackers Use Hidden Device to Manipulate News at Wi-Fi Hotspots
18. House Armed Services Subcommittee on Emerging Threats and Capabilities Hearing
19. What Should the Department of Defense’s Role in Cyber Be?
20. House Armed Services Committee; Subcommittee on Emerging Threats and Capabilities
21. Revising Information Operations Policy at the Department of Defense
22. Information as Power
Eighth Annual US Army Global Information Operations Conference
US Army Space and Missile Defense Command/Army Forces Strategic Command (USASMDC/ARSTRAT) will
host its annual Global Army IO Conference from 4-8 April 2011 in Colorado Springs. The purpose of the
conference is to bring the Army IO Community together to discuss and capture thoughts on how the Army can
operationally support Combatant Commands, and successfully plan and support information operations,
inform and influence activities, and military support information operations. The theme for this year’s
conference is “Information and Mission Command.” Registration is open on SIPRNET at
http://portal.smdc.army.smil.mil/C19/CVTI/default.aspx. Attendees must have a top secret clearance and be
currently SCI indoctrinated with SI and TK. For additional information please contact Mr. Scott Janzen,
719-554-6241 (scott.janzen@smdc-cs.army.smil.mil; scott.janzen@smdc-cs.army.mil) or Mr. Jose Carrington,
719-554-8880 (jose.carrington@smdc-cs.army.smil.mil; jose.carrington@smdc-cs.army.mil).
Air Force Embraces New Mindset for Cyber Warfare
By Henry Kenyon, Defense Systems, Feb 01, 2011
Cyberspace isn’t just a new frontier for military operations. It will also require a new mindset for the
warfighters responsible for defending the nation’s critical IT infrastructure. This new approach to thinking
about cyber warfare is important as the U.S. government establishes a new set of organizations responsible
for defending the Defense Department’s vast network architecture, said a key officer in charge of protecting
the Air Force’s computer networks.
One of the important aspects of this new mindset is that the network itself must be treated as a weapon
system, Brig. Gen. Charles Shugg, vice commander of the 24th Air Force or Air Force Cyber Command
(AFCYBER), said Jan. 25 at the Network Enabled Operations conference in Arlington, Va. This strategy must be
backed up with a deliberate, considered process to install new systems and capabilities. There cannot be any
ad-hoc, “drive-by” fielding of equipment, he said.
Shugg said that the Air Force is moving away from the old perimeter-based network defense strategy to one
of defense in depth. He noted that the service had used the perimeter strategy for more than two decades,
but added that a new strategy must drive operations planning. Network strategies must also be traceable to
operational imperatives, he said.
But despite this new emphasis, the general explained that all parts of the network are not equal.
Administrators must set priorities, with key areas set aside to be defended, he said.
All new fieldings and upgrades must also include components such as training, technical data, procedures and
a sustainment trail. However, Shugg noted that of all of these, training was key. He outlined the training
process for Air Force cyber specialists, which included initial and mission qualification training. And after they
are trained, personnel will require regularly upgraded skills certifications to maintain proficiency.
Shugg also discussed some of the aspects of AFCYBER’s mission. The command’s key requirement is to
support joint forces operations in cyberspace. For the near future, he said that there are several operational
assumptions that AFCYBER is working with. These are:
- That cyberspace will remain a contested environment.
- The intent of various cyber threats may be impossible to ascertain.
- Opponents will use cyberspace operations to support a larger strategy.
- The network is complex and cannot be completely secured.
While mission assurance is a key part of the command’s responsibilities, Shugg said that the Air Force’s
mindset is shifting away from the old view of network assurance, in which the network was key, to a mission-oriented view focused on end users. He maintained that warfighters cannot be disconnected from the network.
Providing a brief status update, Shugg reported that the 24th Air Force achieved full operational capability four
months ago. Among its various missions, he noted that the command helps “escort” drone missions by
ensuring the security of their satellite connections. He said command personnel monitor more than 180
circuits and routers for each mission.
The command is also involved in monitoring the launch and spaceflight process for Air Force space operations.
However, he added that the Air Force is only just beginning to provide greater mission assurance in
cyberspace.
China’s Active Defense Strategy and Its Regional Impact
By Dean Cheng, Heritage Foundation, February 1, 2011
Before the U.S.-China Economic and Security Review Commission - Delivered January 26, 2011
Mr. Chairman, Mr. Vice-Chairman, other Members of the Commission.
I’d like to express my appreciation for being invited to appear before you today to address the question of
“China’s Active Defense Strategy and Its Regional Impact.”
In considering the Chinese approach to what the West has termed anti-access/area denial strategies, it is
important to recognize that the Chinese People’s Liberation Army (PLA) has been a careful observer of
Western, and especially American, approaches to what they first termed Local Wars Under Modern, High-Tech
Conditions, and now term Local Wars Under Informationalized Conditions. These include the Falklands
conflict, Operation Desert Shield/Desert Storm, NATO’s campaigns in the Balkans, the toppling of the Taliban,
and the March 2003 march to Baghdad. Consequently, PLA defense planning is being shaped, in no small part,
by the lessons that they have derived from observing how potential opponents, but especially the United
States, have been waging their wars.
Under Mao Zedong, the PLA expected to fight “early wars, major wars, nuclear wars,” which would entail
protracted war fought on Chinese soil, with a heavy reliance on guerrilla warfare. Since the rise of Deng
Xiaoping, however, the expectation is for more localized, limited conflicts. PLA analyses of Local Wars Under
High-Tech Conditions, and subsequently of Local Wars Under Informationalized Conditions posit that future
wars:
- Will be shorter, perhaps lasting only one campaign;
- Will almost certainly not entail the occupation of China, although Chinese political, economic, and military centers are likely to be attacked;
- And will involve joint military operations across land, sea, air, cyberspace and outer space, and the application of advanced technology, especially information technology.
Chinese analyses of these wars have sought to derive actionable lessons for the PLA from these conflicts. The
evolution of the so-called new “three attacks, three defends,” for example, posits that the PLA should pay
special attention to attacking stealth aircraft, long-range cruise missiles, and attack helicopters, while
defending against precision strike, electronic warfare, and reconnaissance and surveillance. The two I’d like to
address in my testimony are:
- The ability of the United States to dictate the operational and tactical terms of the conflict, by conducting closely coordinated precision strike operations with joint forces through the use of space assets.
- The ability of the United States to dictate the strategic terms of the conflict, by influencing domestic opinion, opposition will, and third-party support.
The theme underlying these aspects is the creation of a defense-in-depth against the United States, not only
at the tactical and operational level through the creation of layered defenses, but also strategically, by
denying the U.S. the ability to set the strategic context of the conflict.
Chinese Concepts of Space Operations and Anti-Access/Area Denial Operations
In the tactical and operational realm, PLA observation of Western conflicts has led them to conclude that, in
order to conduct the high-tempo, dispersed operations typical of recent Local Wars, it is essential to have
access to space. Chinese analyses of the first Gulf War, the conflicts in the Balkans, and the march to Baghdad
are rife with statistics on the number of satellites employed, whether maintaining surveillance over opponents,
providing essential weather information, or guiding munitions and forces.
Thus, as one PLA analysis notes, in places like Afghanistan, when U.S. military forces have identified the
enemy, they have promptly exploited GPS to determine the enemy’s location and satellite communications to
transmit the target’s location to weapons operators, in order to attack targets promptly. Similarly, in Iraq, the
use of space was essential for the U.S. military’s intelligence gathering and battlefield command and
control.[1]
From their perspective, the ability to exploit space is essential for the ability to wage non-contact, non-linear,
non-symmetric warfare. This reliance is so extensive that another Chinese analysis posits that the U.S. could
not conduct the kind of warfare it prefers, but only high-level mechanized warfare, if it could not access space.
The implication is that an essential part of any Chinese anti-access/area denial effort will probably entail
operations against the U.S. space infrastructure, both in order to secure space dominance, zhitian quan, for
the PLA, as well as to deny it to the United States. Space dominance, in this case, is defined as the ability to
control the use of space, at times and places of one’s own choosing, while denying an opponent the same
ability.
It should be noted here, first, that there is still no indication of whether the PLA has developed a formal space
doctrine governing military operations in space. The available PLA literature does, however, have consistent
themes that emerge.
One of these themes derived from the available Chinese writings that discuss the establishment of space
dominance is that it does not necessarily require the destruction of satellites, such as in the 2007 anti-satellite
test or last year’s exo-atmospheric test. Rather, it involves a full range of measures, involving both hard- and
soft-kill, aimed at the satellites, the terrestrial infrastructure of launch sites; tracking, telemetry, and control
(TT&C) facilities; and the data links that bind the system together.
Indeed, PLA writings emphasize that the establishment of space dominance requires integrated operations,
involving the use of all available strength, all techniques, and all operational methods.
By integration of all available strength, this refers to two aspects. One is civil-military integration. The PLA, it
is worth recalling, manages China’s terrestrial space infrastructure, and plays a role in satellite design and
manufacturing. It also is presumed to have access to information derived from space-based systems,
consistent with the larger, long-standing Chinese theme of civil-military integration.
The other is integration of space capabilities with those of land, sea, and air forces, with the goal of generating
synergies that will lead to space dominance. Ground, naval, air, and missile forces, for example, can
suppress enemy terrestrial space facilities, such as TT&C centers, and interfere with data links. This can
prevent an opponent’s space forces from properly operating, as well as help defend one’s own space
capabilities. Meanwhile, space forces can enhance the operation of ground, air, and naval forces by providing
information support that will make them more effective.[2]
By integrated application of techniques, this refers to the combination of destructive and disruptive
techniques. In some cases, disrupting an opponent’s systems may be as effective, and more desirable, than
destroying them. Destruction of systems in orbit may generate diplomatic problems, especially among third
parties whose systems may be affected by debris. Attacking terrestrial targets in third countries may result in
horizontal escalation. Thus, in some cases, one may choose to rely on jamming, cyber warfare, and other less
physically destructive means to attack enemy space infrastructure.[3]
On the other hand, soft-kill systems often cannot permanently destroy physical facilities, and it may be
difficult to assess whether they have succeeded in disrupting normal space operations.[4] In order to inflict
long-lasting impact on enemy space capabilities, or to be assured of disruption of high-value targets, one may
prefer more kinetic, hard-kill options.
By integrated coordination of all activities, PLA analysts are discussing the importance of defensive as well as
offensive roles. It should be noted that “offensive” and “defensive” are not synonymous with “hard kill” and
“soft kill.” Rather, the objective is to reduce an opponent’s advantage in space.
The general tenor of PLA writings regarding space offensive measures suggests an interest in attacking the full
space infrastructure of an opponent, suggesting attacks against both terrestrial and orbital assets, as well as
the attendant data and communications systems that link them together. In particular, striking at mission
control facilities and launch sites has the advantage of not only disrupting ongoing space operations, but
retarding reconstitution efforts, and is compared with attacking command nodes in more traditional
warfare.[5]
At the same time, the PLA fully expects its own space capabilities to be targeted. In this regard, PLA writings
suggest that there is a role to play in both active and passive defensive measures. Active measures include
the provision of defenses around key terrestrial facilities, including launch sites and mission control centers.
Passive measures include efforts to limit the effectiveness of enemy efforts to detect and track one’s own
space systems and infrastructure. They include efforts at camouflage, concealment, and deception of both
terrestrial and orbital systems, as well as redundancy and mobility.[6] There is also reference to hardening of
both satellites and ground facilities.
All of these efforts suggest that, in the event of a Sino-American confrontation, the PLA would seek to engage
American space systems early in the crisis. This would deny American forces the ability to establish
information dominance (zhi xinxi quan), that all-aspect understanding of an opponent’s forces, deployments,
and capabilities. As important, it would also disrupt the coordination of American forces, including not only
widely dispersed combat forces, but also the essential combat support elements that would sustain U.S.
operations. PLA writings also suggest that there may be demonstrations of anti-space capabilities, the conduct
of space exercises, redeployment and reinforcement of space assets, and most worrisome, actual use of space
weapons, in order to deter and dissuade the United States from intervening. The very possession of an
effective space warfare capability, PLA writings note, allows China to effect space deterrence.
Two aspects of space deterrence should be especially noted. In the first place, such measures almost certainly
would not occur in isolation, but would be part of a larger pattern of activities, involving not only the full range
of the PLA but all the assets (economic, diplomatic, political, cyber) available to the Chinese Communist Party
(CCP). And many of these measures, especially ASAT tests and the conduct of space war games, may be
occurring months or even years in advance, so as to influence U.S. decision-making far in advance of any
actual outbreak of hostilities.
Chinese Concepts of the “Three Warfares” and Anti-Access/Area Denial Operations
The issue of space deterrence links space to “psychological warfare,” one of the “three warfares” that was
highlighted in this year’s DOD report. The “three warfares” were publicly set forth in the “Chinese People’s
Liberation Army Political Work Regulations (zhongguo renmin jiefangjun zhengzhi gongzuo tiaoli),” which were
promulgated in 2003. Among the tasks of political work, according to Chapter 2, Section 18 of the
Regulations, is conduct of the “three warfares” of psychological warfare, public opinion warfare, and legal
warfare.
The “three warfares” would seem to serve three purposes:
- To sap U.S. will and raise doubts about the justification of intervention, hopefully retarding U.S. responses;
- To attenuate U.S. alliances, thereby affecting access to vital ports and resupply facilities, as well as limiting foreign support for U.S. efforts;
- To reinforce domestic will and sustain the conflict, compelling the U.S. to confront the prospect of a longer war.
Psychological warfare (xinli zhan) can occur at the tactical, operational, or strategic level. But, according to
some PLA analyses, it is at the strategic level that psychological warfare may have the greatest impact, since
it may undermine the enemy’s entire will to resist. Psychological warfare at that level is aimed not only at an
opponent’s political and military leaders, but also at their broader population. It is also aimed at one’s own
population and leadership cohort, in order to strengthen the will to fight. Finally, it also targets third-party
leaders and populations, in order to encourage support for one’s own side, and discourage or dissuade them
from supporting an opponent.
PLA descriptions of how space deterrence can be effected are consistent with this definition of psychological
warfare. For example, Chinese analysts note that space systems are very expensive. It is possible, then, to
hold an opponent’s space infrastructure hostage by posing a question of cost-benefit analysis: is the focus of
deterrence (e.g., Taiwan) worth the likely cost of repairing or replacing a badly damaged or even destroyed
space infrastructure? Moreover, because space systems affect not only military but economic, political, and
diplomatic spheres, damage to space systems will have wide-ranging repercussions and second-order
effects.[7] Will those impacts also be worth it? Through such psychological pressures as space deterrence, as
opposed to actual attacks, it may be possible to persuade an opponent that they cannot attain victory at an
acceptable price.
In order to generate such effects, Chinese writings suggest that psychological warfare, including its
subordinate areas of public opinion and legal warfare, will often begin before the formal commencement of
open hostilities. Chinese analysts suggest that the record of recent wars shows that even before the war had
sounded, psychological warfare was already heated. This is based in part on the assessment that the purpose
of psychological warfare measures is to influence the audience’s emotions and assessment capacity, which will
eventually influence their actions. In order to do so, it needs to operate not only in the military and diplomatic
realms, but also the political, economic, cultural, and even religious arenas, which cannot easily be done on
short notice. The very fact that you are holding these hearings suggests that there has been some measure of
success, from the Chinese perspective.
Public opinion warfare (yulun zhan) refers to the use of various mass information channels, including the
Internet, television, radio, newspapers, movies, and other forms of media, to transmit selected news and
other materials to the intended audience. It seeks to guide public perceptions and opinion to a previously
established conclusion, so as to effect shifts in the overall balance of strength between oneself and one’s
opponent.[8] The goal is to generate public support both at home and abroad for one’s own position and
create opposition to one’s enemy.
According to PLA analyses, while there has long been interest in public opinion warfare, it could assume
strategic proportions only because of the advent of the Information Age. The media, including not only
traditional news organizations but the Internet, news services, social media, etc., has gained unprecedented
access to all sides, and has greatly advanced the ability to influence public opinion. Consequently, the media’s
role has advanced from being a strategic supplement, focusing on battlefield reports, to a type of “combat
multiplier” which can help affect and decide the outcomes of conflicts.[9] In this view, public opinion is now a
distinct, second battlefield, almost independent of the physical one.[10]
As with psychological warfare, public opinion warfare is expected to commence prior to the outbreak of actual
hostilities. The ability to shape the narrative, so to speak, including establishing moral ascendancy and
justification, requires long-term efforts. Notes one Chinese assessment, “Before the troops and horses move,
public opinion is already underway (bingma weidong, yulun xianxin).”[11] The long-standing global presence
of American news organizations such as CNN and Fox News is seen by Chinese analysts in this light. It is in
this context that we should consider the impact both of the creation of the Chinese 24-hour English language
news service, as well as the expansion of Chinese news bureaus around the world.
Legal warfare (falu zhan) is the use of domestic law, the laws of armed conflict, and international law in
arguing that one’s own side is obeying the law, the other side is violating the law, and making arguments for
one’s own side in cases where there are also violations of the law.[12] The essence of legal warfare, like
psychological and public opinion warfare, is to help one side to secure the initiative in wartime, and also to
gain greater support, both at home and abroad.
The Chinese have taken concrete steps towards implementing legal warfare. As one Chinese volume observed,
the Anti-Secession Law, passed on March 14, 2005, serves as a form of military deterrent/coercion (junshi
weishe), through the use of legal warfare. As the law’s preamble sets forth, the goal is to prevent secessionist
behavior and maintain national sovereignty and territorial integrity. Efforts by Taiwan to secede would
therefore violate this law, and would lead to punishing consequences.
Ultimately, the combination of the “three warfares” constitutes a form of defense-in-depth, but one that is
executed temporally (in order to delay an opponent) and politically (by fomenting public disagreement and
doubt), rather than physically. It is aimed not only at an opponent’s leadership and public support, but also
that of third parties; given the American reliance on foreign bases and facilities, obtaining allied support is
essential for sustaining U.S. operations. Similarly, given the heavy reliance on third-party space systems,
vitiating their support can be as effective as destroying American systems. The goal remains anti-access/area
denial; it is simply the means and the battlefields that have shifted.
References in this report
[1] Fan Xuejun, “Militarily Strong Nations Are Steadily Developing ‘Space Information Warfare,’” Liberation Army Daily, April
13, 2005.
[2] Zhang Jiali, Min Zengfu, “On Extending Regional War into the Air and Space,” China Military Science (#1, 2005), and
Chang Xianqi, Military Astronautics, 2nd ed. (Beijing, PRC: National Defense Industries Press, 2005), p. 276.
[3] Chang Xianqi, Military Astronautics, 2nd ed., pp. 290-291.
[4] Chang Xianqi, Military Astronautics, 2nd ed., p. 275.
[5] Hong Bin and Liang Xiaoqiu, “The Basics of Space Strategic Theory,” China Military Science (#1, 2002).
[6] Fan Xuejun, “Militarily Strong Nations Are Steadily Developing ‘Space Information Warfare,’” Liberation Army Daily, April
13, 2005.
[7] Li Jingjun and Dan Yuquan, “The Strategy of Space Deterrence,” China Military Science (#1, 2002).
[8] Liu Gaoping, Study Volume on Public Opinion Warfare (Beijing, PRC: NDU Press, 2005), pp. 16-17.
[9] Liu Gaoping, Study Volume on Public Opinion Warfare (Beijing, PRC: NDU Press, 2005), p. 68.
[10] Nanjing Political Academy Military News Department Study Group, “Study of the Journalistic Media Warfare in the Iraq
War,” China Military Science (#4, 2003), p. 28.
[11] Nanjing Political Academy Military News Department Study Group, “Study of the Journalistic Media Warfare in the Iraq
War,” China Military Science (#4, 2003), p. 28.
[12] Han Yanrong, “Legal Warfare: Military Legal Work’s High Ground: an Interview with Chinese Politics and Law University
Military Legal Research Center Special Researcher Xun Dandong,” Legal Daily (PRC), February 12, 2006, and Cheng Hui,
“China’s Military Begins Research and Training in Public Opinion Warfare, Psychological Warfare, and Legal Warfare,”
Xinhuanet, June 22, 2004.
China’s Active Defense Strategy and its Regional Impact
Hearing Statement of Lt General David A. Deptula, USAF (Ret), U.S.-China Economic & Security Review Commission, 27
January 2011
Thank you very much for the opportunity to testify before this hearing on China’s active defense strategy and
its regional impact. In my testimony I will address each of the questions you posed to me in your letter of
invitation as follows:
- Describe the regional security implications of the People’s Liberation Army’s capability to integrate military
operations in the western Pacific across all domains of war.
- Explain the role of space in what the United States calls China’s antiaccess strategy. How might China’s
space operations degrade, disrupt, deny or destroy U.S. military capabilities in the event of a conflict between
China and the United States?
- Explain the cyberspace-related aspects of China’s area control and antiaccess strategy. How might China’s
cyber operations degrade, disrupt, deny or destroy U.S. military capabilities in the western Pacific in the event
of a conflict between China and the United States?
- Discuss other non-traditional strategies that the PRC could use to affect U.S. operations in the western
Pacific, such as what the Chinese military calls “the Three Warfares” (that is, psychological operations,
influence operations, and legal arguments).
Regional Security Impacts of Integrated People’s Liberation Army (PLA) Operations
Question
Describe the regional security implications of the PLA’s capability to integrate military operations in the
Western pacific across all domains of war.
Introduction
Prior to the late 1970s, PLA operational doctrine was largely defensive, focused on using China’s strategic
depth to gradually wear down an opponent. PLA doctrine has since evolved into a principle called active
defense. Active defense is based on the capability to rapidly project force in response to external threats,
seizing the initiative at the outset of the conflict. The PLA has developed a framework for doctrine-driven
reform with the long-term goal of building a force capable of conducting “local wars under informatized
conditions.” The PLA relies on a body of principles and guidance known as the “National Military Strategic
Guidelines for the New Period” to plan and manage the development and use of its military. This document
most likely dates from 1993 with enhancements in 2002 and 2004. The operational, or “active defense”
component of the People’s Republic of China (PRC) strategy, posits a defensive military strategy in which China
does not initiate wars or fight wars of aggression, but engages in war only to defend national sovereignty and
territorial integrity. Once hostilities have begun, the essence of active defense is to take the initiative and to
annihilate the enemy. Strategically, the guidelines emphasize active defense; in military campaigns the
emphasis is placed on taking the initiative in active offense.
Implementing Active Defense
The PLA is developing and implementing supporting doctrine for “active defense” warfare and new operational
methods across the services. PLA modernization has been driven by a Taiwan contingency for most of the past
20 years but recently, modernization efforts have begun looking beyond Taiwan towards a regional power
projection capability.
PLA Air Force (PLAAF)
The PLAAF continues its conversion from a force for limited territorial defense to a
more flexible and agile force able to operate off-shore in both offensive and defensive roles. The PLAAF
focuses on improving their ability to conduct air strikes, air and missile defense operations, early warning and
reconnaissance as well as strategic mobility. The PLAAF also has a leading role in conducting a “Joint Anti-Air
Raid” campaign, the operational doctrine for much of China’s antiaccess and area-denial operations. The
anti-air raid campaign is strategically defensive in nature, but at the operational and tactical levels, it calls for
attacks against adversaries’ bases and naval forces.
China has one of the most sophisticated and dense integrated air defense systems (IADS) in the world.
Long-range SAMs include Russian SA-20/GARGOYLE and indigenously-produced HQ-9s. These systems are deployed
in overlapping layers around key population centers and strategic centers, to include full coverage of the
Taiwan Straits. China’s IADS also include numerous medium and short-range systems. The PLAAF also uses
Russian-built Su-27 and Su-30 fighters as well as the indigenously produced F-11B and F-10 multi-role
fighters. The recently unveiled fifth-generation J-20 low-observable fighter will give the PLAAF another air
superiority fighter. The PLAAF also has strike capability with their Su-30MKK fighters and long-range B-6
Bombers.
PLA Navy (PLAN)
The naval component of active defense is termed “Offshore Active Defense.” The 2008
PRC Defense White Paper describes the PLAN as a strategic service continuing to develop the capability to
operate in distant waters. Regionally, the PLAN is focused on the Yellow Sea, East China Sea, the Taiwan
Strait, and the South China Sea, following the contours of the “first island chain.” The PLAN is also developing
capabilities to operate in the “second island chain,” which reaches out to Guam. PLAN doctrine for maritime
operations focuses on six offensive and defensive campaigns: blockade, anti-sea lines of communication,
maritime-land attack, anti-ship, maritime transportation protection, and naval base defense.
The PLAN is focused on fielding modern destroyers, submarines, cruise missiles, and maritime strike aircraft to
deter or prevent an adversary from operating near China’s coast. China’s submarine force is a key component
of their sea denial strategy. KILO submarines have both land attack cruise missiles (LACM) and anti-ship
cruise missiles (ASCM). The new indigenously produced SHANG nuclear attack submarine gives the PLAN its
first global strike capability, capable of launching conventional LACMs. The PLAN likely will deploy its first
aircraft carrier when the refurbished Russian Kuznetsov-class carrier is deployed next year. The PLAN also has
maritime strike capability with its Su-30MKK force.
Second Artillery (Missile Force) Ballistic missiles play a key role in China’s force projection plans and
efforts to deny foreign military forces access to the region. China has the most active development program
and largest deployed conventional ballistic missile force in the world with a variety of ranges, payloads and
capabilities to strike aircraft carriers, airfields, command and control facilities, logistics nodes, ports, and
military bases. Over 1,000 short, medium and intermediate-range ballistic missiles are deployed opposite
Taiwan. Among the warheads believed to be either fielded or in development are runway penetrators, anti-radar seekers, variable delayed-fuse penetrators and other specialized warheads. China has also developed an
anti-ship ballistic missile, the CSS-5 mod 4 (range up to 1600 nm), that could
threaten US aircraft carriers, potentially forcing them to operate at a longer range from the Chinese coast.
Complementing ballistic missiles are long- and medium-range LACM that can be launched from aircraft, ships,
submarines and mobile ground-based platforms. China’s medium-range missiles such as the CSS-5 (range up
to 1350 nm) and the DH-10 LACM (range up to 1100 nm) put all US bases in South Korea and Japan at risk,
as well as alternate locations in the Philippines or Malaysia. The Chinese have also developed standoff LACMs
which give them the capability to conduct precision strikes from well outside the range of defensive systems.
These include the long-range air-launched YJ-100 (~1,000 nm) and the medium-range YJ-63 (135 nm).
Integrated Joint Operations
The Chinese term for integrated military operations is integrated joint operations (IJO). Recent efforts toward
more integrated operations are embodied in the January 2009 edition of the PLA Outline of Military Training
and Evaluation (OMTE). The PLA is focused on training, equipping and sustaining their force to conduct multiservice operations in an informatized environment. IJO specifically refers to multiservice campaigns controlled
by a joint headquarters with an integrated command and control architecture, but the services still conduct
separate operations. IJO are dependent on a well-developed C4 environment, integrated and effective
intelligence, surveillance and reconnaissance (ISR) coverage, interconnected weapons platforms as well as
coordinated logistics. As IJO matures over the next 5-10 years, the PLA will increasingly be able to bring to
bear its warfare capabilities across the five domains of war: land, sea, air, space, and cyberspace.
To rectify deficiencies in IJO, the PLA has launched enhanced training and professional military education,
cross-training rotational assignments to different services, war simulations, and multi-military region (MR)
exercises. In 2009, the PLA conducted at least three high-profile joint exercises through mid-September,
including a joint ground-air exercise involving cross-military region deployment of up to 50,000 troops, a joint
campaign exercise to train theater-level commanders in joint operations, and a joint anti-terrorism exercise
with Russia. This effort continued in 2010 with Mission Action, a multi-region air and ground exercise. Ground
forces were transported across military region boundaries and were supported by the PLAAF. The exercise
focused on the operational level of war with group army headquarters responsible for command and control,
overseen by the general staff department.
Regional Implications of IJO
The modernization of the PLA, coupled with an increasing capability to conduct IJO over all domains of war,
represents a growing threat to the US and other countries in the region. These augmented capabilities can be
used in coercive diplomacy and to contest territorial disputes by force, or threat of force. Increasingly, the PRC
is focusing on developing capabilities that project power throughout the region, enhancing China’s position in
Asia and the world military hierarchy. When the PLA is able to effectively conduct IJO, antiaccess operations
against the U.S. in the western Pacific will become more effective. U.S. air, missile and maritime operations
maritime, from mainland Japan, Okinawa, and the Philippines will be severely impacted. The PLA will likely be
able to degrade and/or deny US air- and space-based surveillance and reconnaissance capabilities in the
region. Command and control of deployed U.S. forces will likely be disrupted and it will be more difficult to
logistically support operations in the western Pacific. It is also likely that U.S. aircraft carriers will be forced to
operate at distances far from the PRC mainland. Lastly, as China continues to fund military modernization in
the smaller Asian countries and invest economically in the region, their control over the military and economic
actions of these countries will increase. This is likely to push the operating environment to one that is
increasingly unfavorable to the U.S.
Role of Space Operations in China’s Antiaccess Strategy
Question
Explain the role of space in what the United States calls China’s antiaccess strategy. How might China’s space
operations degrade, disrupt, deny or destroy U.S. military capabilities in the event of a conflict between China
and the United States?
Introduction
China recognizes the overwhelming advantage the US has in the space domain and its key role in our ability
to collect, analyze and rapidly share data. They understand how dependent U.S. warfighters have become
upon space products and services for commanding deployed troops, passing ISR data, and enabling precision
targeting and engagement. China views that reliance as a significant, exploitable vulnerability and has written
extensively about the subject in both open source journals and military doctrine. As a result, they are actively
pursuing a comprehensive array of space and counterspace programs intended to degrade, disrupt, deny or
destroy our ability to gain and maintain access to the region in the event of a conflict.
Space Weapons
China maintains a development and deployment program for space weapons, including direct-ascent
anti-satellite (ASAT) weapons, high energy lasers (HEL) and dazzlers, and GPS and other types of
jammers. The PRC is developing these weapons and technologies as a way to counter U.S. space superiority
and to deny the use of space. China understands the U.S. reliance on space for imagery, signals intelligence,
communication, tracking of friendly forces and navigation. As such, they are developing the capabilities to
deny the U.S. information at the time of their choosing. Additionally, the threat of space denial, such as
through the testing of ASAT weapons, is also an effective counterspace strategy.
ASAT Weapons China understands how the U.S. uses our large fleet of military and intelligence satellite
systems to find, fix, target and track Chinese military forces, then uses our array of communication satellites
(COMSATs) to pass that data to our deployed forces, and finishes with our GPS navigation satellites
(NAVSATs) to target and engage with precision. In January 2007, China successfully tested a direct ascent
(DA) ASAT missile against a Chinese weather satellite, demonstrating its ability to attack satellites operating
in low-Earth orbit (LEO). This test has been widely viewed as a direct challenge to U.S. space superiority. In
addition to ASAT, the PRC is researching methods of co-orbital interception to target our NAVSATs and
COMSATs. Co-orbital ASATs will provide China with a broad range of options beyond kinetic attack to counter
our space-enabled, information advantage. For example, in June 2010, China launched the Shijian-12 (SJ-12)
satellite from Jiuquan Satellite Launch Center in north-central China. According to the state media service
Xinhua, SJ-12’s mission is to carry out “scientific and technological experiments”. However, between June 20
and August 16, SJ-12 conducted a series of maneuvers to rendezvous with SJ-06F, an older Chinese satellite
launched in October 2008. SJ-12 made many close approaches with less than 984 feet between the two satellites.
China could conceivably want to experiment with close space maneuvers, given its plans to build a space
station that would require continuous resupply. However, the lack of official Chinese information about the
maneuvers has allowed room for speculation that China has now demonstrated a capability with potential
application to co-orbital ASAT capability.
Space Object Surveillance and Identification (SOSI) Implementation of these ASAT options requires not
only the weapons themselves, but also information about the physical characteristics and orbits of the
satellites to be targeted and attacked. China currently is developing a SOSI network to improve its space
situational awareness. This network will give it the ability to track and identify most satellites for offensive
actions while allowing for deconfliction with Chinese satellites. Beijing will continue to enhance its satellite
tracking and identification network, as it is the first step in establishing a credible ASAT capability.
Directed Energy Weapons (DEW) The PRC also plans to interfere with the flow of information by targeting
high-altitude GPS and communications systems using ground-based jammers. In this way they can degrade
GPS/communications reception or employ deception against our combat aircraft and precision-guided
munitions. Techniques such as radiofrequency jamming, laser attack, high-power microwave or
electromagnetic pulse detonation will allow China to deny us these data sources without generating debris that
might impact their own military use of space. PLA-affiliated publications assert that while China does not yet
possess the capability to destroy satellites with high-powered lasers, they are capable of damaging optical
reconnaissance satellites.
Role of Counterspace Operations in China’s Antiaccess Strategy
Publicly, China opposes the militarization of space, and seeks to prevent or slow the development of anti-satellite (ASAT) systems. Privately, however, China’s leaders probably view ASATs and offensive
counterspace systems as force multipliers. As one Chinese defense analyst noted: “For countries that can
never win a war with the United States by using the method of tanks and planes, attacking the US space
system may be an irresistible and most tempting choice”. Even a limited ASAT capability would be extremely
useful to the PLA in contingencies involving the Taiwan Strait.
Prior to hostilities, the Chinese would likely use directed-energy weapons (DEW) such as high energy lasers
(HEL) to dazzle or blind our imagery satellites. This technique would be intended to negatively impact our
ability to monitor Chinese military activities while maintaining a degree of deniability and reversibility for
Beijing since these are not permanent kill weapons. Once combat operations begin (or are imminent), the PRC
would likely turn to destructive means like direct-ascent (DA) ASAT missile systems in an attempt to destroy
our ISR satellites and permanently remove them from the fight.
In addition, PRC officials have publicly indicated their intent to acquire radiofrequency (RF) weapons as a
means of defeating technologically advanced military forces. Chinese writings have suggested that RF
weapons could be used against C4ISR, guided missiles, computer networks, electronically-fused mines,
aircraft carrier battle groups, and satellites in orbit. An ASAT mission is undoubtedly one of the most stressing
RF weapon applications. For a ground-based system beaming RF energy into space, very high power levels as
well as a large high-gain transmitting antenna would be required. In contrast, an RF weapon delivered via a
DA ASAT or deployed as an orbital system, would suffer severe constraints on system size and mass. Even if
the Chinese commit significant resources to an RF ASAT development program, they are unlikely to be able to
deploy such a weapon for at least fifteen years.
In conclusion, China has an aggressive space and counterspace program that is just one element of their
comprehensive antiaccess strategy to degrade, disrupt, deny or destroy our ability to exploit our asymmetric
advantage in information-enabled military operations. Continued Chinese investment in the design,
development, deployment and employment of space and counterspace systems will increasingly challenge our
traditional space dominance and could dramatically reduce our freedom of action in the event of a conflict in
the region.
Cyberspace and China’s Antiaccess Strategy
Question
Explain the cyberspace related aspects of China’s area control and antiaccess strategy. How might China’s
cyber operations degrade, disrupt, deny, or destroy U.S. military capabilities in the western Pacific in the
event of a conflict between China and the United States?
Introduction
The word antiaccess does not appear in PRC writings, but PRC authors often reference sets of strategies
designed to deny access to a physical space or information realm. Exploitation of the cyber realm can be used
as an antiaccess or area control tool when cyber attacks or computer network exploitation is used to deny
information to the enemy. Additionally, control and exploitation of the cyber realm is a key element of the
Chinese information superiority strategy, which is an integral part of their overall antiaccess strategy. A key
component of the PRC antiaccess strategy is denial of information to the enemy. Cyber capabilities can be
used to deny information, either by network attacks or planting false information.
Antiaccess Strategy
A Chinese antiaccess measure can be considered to be any action that has the effect of slowing the
deployment of friendly forces into a theater, preventing them from operating from certain locations within that
theater, or causing them to operate from distances farther from the area of conflict than they would normally
prefer. Chinese writings suggest that key elements of a comprehensive Chinese strategy for defeating a
military power like the U.S. would consist of actions designed to impede U.S. military access to the Asian
theater in the event of a U.S.-China conflict. Writings emphasize “gaining mastery by striking first,” possibly
through surprise attack or preemption. This suggests that Chinese leaders might consider preemptively
attacking U.S. forces as they are deploying to a region in what U.S. policymakers intend as an action to deter
a conflict. Attacks on C4ISR targets have an antiaccess effect by disrupting the deployment of U.S. military
forces to a region or by interfering with command, control, and communication or early warning capabilities to
the extent that a decision would be made to withdraw forward-deployed forces farther from the locus of
conflict. Attacks against C4ISR systems can involve operations against military and civilian targets in all five
dimensions—land, sea, air, space, and cyberspace—and can be undertaken during peacetime and wartime.
Cyber Warfare in an Antiaccess Arena
The Chinese have identified the U.S. military’s reliance on information systems as a significant vulnerability
that, if successfully exploited, could paralyze or degrade U.S. forces to such an extent that victory could be
achieved. According to RAND analysis, Chinese analysts believe that attacks against information systems can
delay the deployment of U.S. military forces by disrupting communications or denying the U.S. military access
to information on enemy whereabouts. Chinese analysts note that information warfare can employ either
“soft-kill” or “hard-kill” methods. Soft-kill methods include computer network attacks and electronic jamming,
while possible hard-kill methods include directed energy weapons, explosives, and kinetic energy attacks.
Cyber targets could include computer systems based in the U.S. or abroad, command and control nodes, and
space-based ISR and communications assets. Noting the great distances that U.S. forces would need to travel
in a conflict with China, attacks against logistics systems are also discussed. The goals of these attacks would
be to delay the deployment of additional U.S. forces to the region and to render existing forces in the region
less effective or more vulnerable by preventing timely supplies of the materiel needed for war-fighting.
The net result would be cyber warfare. Cyber warfare has the potential to terrorize, isolate, demoralize and
cast a country into disarray. US military networks are constantly under siege, and in some cases, intruders,
particularly China, have made off with militarily useful data, such as the terabytes of files stolen on the F-35
Joint Strike Fighter’s electronics systems and designs. Malicious software is likely lurking on
military networks, remaining hidden until the enemy chooses to act. Cyber attacks are not limited to the
military, however; civilian networks in the US and in countries which host our forward deployment bases can
be hacked as well. These networks—electrical grids, communications, water supplies, banks and more—
provide essential services to military installations and communities around the world and are critical to the
day-to-day lives of millions more. While their impact on the military may seem indirect, any cyber attack
which succeeds in creating widespread disruption on a national scale is certain to at least impede, if not
debilitate military operations and critical military support functions.
Non-Traditional Strategies and the ‘Three Warfares’
Question
Discuss other non-traditional strategies that the PRC could use to affect U.S. operations in the western Pacific,
such as what the Chinese military calls the Three Warfares (that is, psychological operations, influence
operations and legal arguments).
Introduction
The PRC concept of Three Warfares incorporates psychological, influence and legal arguments. These
concepts are widely discussed in PRC literature and the open source press. The Three Warfares concepts are
part of what the U.S. has termed China’s antiaccess strategy, a strategy to keep an enemy at bay through the
development of technology, advanced weapons and information operations designed to keep an enemy out of
certain areas, whether they be physical spaces or the information arena. Psychological, influence and legal
arguments are not new concepts for the PRC but first appeared as a unified grouping in 2003. The PRC is
currently conducting psychological operations, influence and legal operations in an effort to create a favorable
environment for current and future PRC actions. Each of these types of operations, and their relationship to
the concept of antiaccess, will be discussed below.
The “Three Warfares”
The Three Warfares concept first appeared in 2003 in Chinese doctrinal writings. Since 2003, discussion of the
Three Warfares has been ongoing throughout PRC military writings as well as international media. PRC
doctrine introduces the Three Warfares concepts, psychological, influence and legal, as a way to describe and
quantify military efforts to undermine a superior enemy’s military abilities as well as influencing the enemy
civilian leadership’s ‘will to fight’. Additionally, the Science of Military Strategy notes that “war is not only a
military struggle, but also a comprehensive contest on fronts of politics, economics, diplomacy, and law.” Each
of the Three Warfares concepts is separate but intertwined, and many actions that fall underneath these
operations are taking place now as the PRC prepares and influences the battlespace in which they will fight
future wars, whether kinetic or non-kinetic. Each of the Three Warfares concepts is further described
below:
Psychological Operations (PSYOPS): According to PLA doctrinal literature, psychological warfare attempts
to undermine military operations by conducting operations aimed at deterring and demoralizing military and
civilian populations. PSYOPS includes radio, TV, propaganda, leaflets, deception and coercion operations. In
the PRC, PSYOPS is also likely to be conducted against their own people (and most likely is already being
conducted) to assure the population of Chinese success and insulate them from foreign sources and opinions.
Psychological operations are also likely to be used in conjunction with other traditional means of warfare such
as missile attacks, to increase the effectiveness of these types of kinetic attacks. Psychological operations can
assist in seizing the initiative, conducting key point strikes, reducing the effectiveness of adversary strikes and
achieving information superiority by overwhelming information flow or discrediting the available information.
The 2010 Annual Report to Congress: Military and Security Developments Involving the People’s Republic of
China defined psychological operations as: seeking to undermine an enemy’s ability to conduct combat
operations through psychological operations aimed at deterring, shocking, and demoralizing enemy military
personnel and supporting civilian populations. The PRC can use psychological operations in conjunction with
cyber attacks, by planting propaganda, and in conjunction with other non-traditional means such as jamming
U.S. satellites. Psychological operations are also aimed at the civilian population in an effort to undermine
civilian support. If aimed at Taiwan, they would likely target Taiwan’s leadership and appeal to the
population, encouraging them to support reunification. Against the U.S., psychological operations would likely
appeal to U.S. sentiment about international law and encourage U.S. civilians to oppose war in general,
encouraging a diplomatic solution, thus delaying U.S. entry into the theater of operations. In the western
Pacific, the U.S. is most vulnerable to PRC psychological operations against U.S. partners including South
Korea, Japan and the Philippines. Should PRC psychological operations be successful, the U.S. risks losing
basing or access rights to these locations, hindering our ability to operate in the region and furthering Chinese
antiaccess goals.
Influence Operations: The 2010 Annual Report to Congress also defines influence operations, calling them:
operations aimed at influencing domestic and international public opinion to build public and international
support for China’s military actions and to dissuade an adversary from pursuing policies perceived to be
adverse to China’s interests. Influence operations have also been referred to as media operations, or public
opinion warfare. Although this concept sounds very similar to psychological operations, it differs fundamentally
in what the operation attempts to affect. Influence operations focus on both public and international opinion
to support Chinese military actions through the controlled release of information. The PRC is conducting
influence operations now through their censoring of the internet, monitoring of PRC bloggers and controlled
release of both military and civilian information to the international media. The recent information release of
the new Chinese J-20 fighter is a pertinent example of just such an operation.
In a conflict with the U.S. or another adversary, the PRC is likely to use the media to control information flow.
They will likely manipulate images to show only what they want seen and will actively block content from the
internet. Media warfare also focuses on influencing the country’s own population through management of
public opinion. Media warfare selectively targets audiences and differentiates between internal and external
audiences. The PRC conducts influence operations on a daily basis through media management, state owned
newspapers and television stations, censorship and self-promotion of Chinese ideals. Additionally, media
warfare is central to both psychological and legal arguments through reinforcing of opinions using the
international and domestic media.
Legal Arguments: The PRC uses legal arguments to manipulate international law to their advantage and to
legitimize Chinese actions. Legal warfare was defined in the most recent Annual Report to Congress as: using
international and domestic laws to gain international support and manage possible political repercussions of
China’s military actions. These arguments include using forums such as the United Nations to argue their
claims, claiming their own rights have been violated or insisting that all issues are domestic issues and
therefore not of concern to outsiders.
Additionally, the PRC is becoming very adept at using this tactic in the South China Sea, reiterating through
media operations China’s core interest and historic presence in the South China Sea. The PRC is also
focusing on desensitizing the international community to their presence in these areas by monitoring and
shadowing international sea traffic, aggressively managing the air space and consistently patrolling the seas,
especially the Chinese exclusive economic zone (EEZ). The Chinese response to the sinking of the
South Korean naval vessel, the Cheonan, and the resulting calls for a diplomatic solution indicate China’s use
and understanding of the international system. China is very adept at using the international forums to avoid
incidents. In the event of a conflict with Taiwan or any other adversary, the PRC will likely manipulate the
international legal system to their own advantage, claiming sovereignty, right of defense or interference by an
outside party as illegal. They will use the international arena to legitimize their actions, and will also use their
economic and diplomatic power (through ASEAN or the UN) to coerce other smaller Asian states or larger
trading partners to support, or maintain a neutral opinion, on their actions. Lastly, the PRC has watched and
learned from the U.S. experience with legal warfare within the international community and most
likely will attempt to do the same thing should they conduct kinetic or non-kinetic warfare. The actions they
are taking now support their current and future actions.
The “Three Warfares” and Antiaccess
Antiaccess and the concept of the Three Warfares are often used in conjunction but are actually separate
concepts. The Three Warfares is a unified concept falling under an information superiority campaign. The term
antiaccess is typically used to describe a set of PRC capabilities (military, economic and diplomatic) or a
linkage of concepts that can be used to deny access to a specific area or arena. The word antiaccess is not
used in PRC doctrinal writings, but PRC writers often reference sets of strategies designed to deny access to
an area, either a physical or information space. Documents often refer to strategic goals or assassin’s mace
technologies (specific advanced technologies with great deterrent capabilities such as anti-satellite or anti-ship
ballistic missile technologies) and make specific claims about capabilities that would allow the PRC to seize the
initiative in a conflict. The capabilities the PRC refers to in discussions include both traditional and non-traditional capabilities including ballistic missiles and fighter aircraft (traditional) and cyberspace, space
warfare and information operations (non-traditional) and under which the Three Warfares concepts can be
found.
The concept of antiaccess first emerged in U.S. strategic writings in the early 1990s, but is still not defined as
of the most recent update (December 2010) to the JP 1-02, DOD Dictionary of Military and Associated Terms.
RAND defines an antiaccess measure as: any action by an opponent that has the effect of slowing the
deployment of friendly forces into a theater, preventing them from operating from certain locations within that
theater, or causing them to operate from distances farther from the locus of a conflict than they would
normally prefer. This is a decent definition, although it refers mainly to capabilities and ignores the strategy
portion of antiaccess. Overall, an antiaccess strategy encompasses all the capabilities, both military and
civilian, that a government has at their disposal in order to deny an enemy access to a given space, or arena
(including economic, diplomatic, military, media or a land or sea mass) during a time and space of their
choosing. The Three Warfares concept put forth by the PRC is an element of their information superiority
campaign and antiaccess strategy.
“An essential element, if not a fundamental prerequisite, of China’s emerging antiaccess/area-denial regime is
the ability to control and dominate the information spectrum in all dimensions of the modern battlespace.”
- DOD Annual Report to Congress: Military and Security Developments Involving the People’s Republic of
China, 2010
In conclusion, the PRC Three Warfares concepts are a fundamental part of the overall information superiority
strategy. Information superiority is also a fundamental piece of the PRC’s antiaccess strategy. Psychological
operations, influence (media) operations and legal arguments are concepts well understood by PRC
leadership. The PRC is particularly adept at influence operations through the use of the internal and external
media and their ability to control information. They are also increasingly using and exploiting the legal arena.
Psychological operations are more subtle, and currently are primarily targeted at the island of Taiwan,
attempting to deceive and confuse Taiwan’s civilians and military alike through broadcasts, controlled
information leaks and even the positioning of weapons directly across from the island. The Three Warfares
incorporates many traditional and non-traditional methods of warfare, often combining subtle and obvious
signals for maximum effect. We can expect the PRC to mature capabilities in these concepts in the future,
supporting their overall campaign for information superiority and thus their antiaccess goals as well.
Chinese Use of Cyberwar as an Anti-Access Strategy - Two Scenarios
Martin C. Libicki, Testimony presented before the U.S. China Economic and Security Review Commission on January 27,
2011
Good afternoon, and thank you for inviting me here. I am Martin Libicki, from the RAND Corporation. I’ve
been thinking about how states might use cyberwar for strategic purposes for most of the last twenty years.
Based on that, what I would like to do is to illustrate some of the strategic choices facing China and the United
States in cyberwar by generating two scenarios and seeing where they lead.
In the first scenario, Taiwan shuffles towards independence. China concludes that it will have to take the
island. It believes the United States may come to Taiwan’s defense, but might be pressured into staying
home. So thinking, China launches a wide-scale strategic cyberattack on the U.S. power grid, throwing the
Midwest into the dark. Their message to us: do not delude yourself that the costs of intervention will occur
only on our side of the world. Your citizens will suffer directly. Stay home.
But would such a strike do what it was intended to do? A cyberattack would have a coercive effect only if we
could attribute the attack to China. Therefore, assume as much. Following the cyberattack, China then invades
Taiwan. Will the United States be inhibited from intervention? Based on our reaction after Pearl Harbor and
9/11, probably not. Moreover, the Chinese, who take history seriously, would likely believe as much also.
Worse from the Chinese perspective is the likelihood that such an attack would change the narrative of the
conflict in ways they would not like. Prior to the cyberattack, the Chinese could make the following case:
“Taiwan is part of China. Its separate status is an artifact of history. China is only rectifying the past to restore
the nation’s historic sovereignty. Taking Taiwan does not mean that China has designs on Japan, South Korea,
the Philippines, or Southeast Asia – which are clearly different countries.” But once the lights go out here, the
United States will be perceiving a different narrative being sent from China: “China is rising and the United
States is falling. The United States dare not intervene in China’s part of the Pacific because it fears being
hurt.” A cyberattack, therefore, changes any cross-Straits conflict from a local matter to a global matter. If
the United States does not step forward – particularly if it looks as though the cyberattack scared the United
States government – it will reinforce this second narrative and our fabric of mutual alliances in Asia will be
rent. So, the United States intervenes for strategic reasons.
If the Chinese understand as much – and they very well might – they will conclude that a strategic
cyberattack is a very poor coercive tool and its application may well backfire.
Now let us look at a seemingly similar – but far different scenario. Taiwan makes a move towards
independence. China decides it is time to take the island. In contrast to the previous scenario it concedes that
the United States will intervene on Taiwan’s side. So, China takes steps to complicate and hence delay the
U.S. transit of the Pacific, so that by the time the United States does arrive, the war will be over, or at least
the Chinese will have a secure lodgment on the island. So, they carry out a full-fledged operational
cyberattack on United States military information systems with the hopes of turning data into unusable
nonsense. My former colleague, James Mulvenon, testified before your Commission that the Chinese might
corrupt the time-phased force deployment data accessible through the United States Department of Defense
unclassified Internet. Although the Chinese may also have other targets, concentrating on that database
suffices for our purposes.
Would that make more sense from China’s perspective? Yes. Such an attack is directly relevant to how the
United States carries out military operations. To the extent that the United States uses force – which the
Chinese already assume will take place – a cyberattack on such a force is a legitimate use of power.
Furthermore, it is by no means clear that such a cyber-attack offers a narrative, as a public challenge of the
United States would. The workings of U.S. military logistics may not be secret but they are esoteric to almost
all of the U.S. public. It is entirely possible that such an attack never hits the news (at least not until after the
after-action analyses take place).
If such a cyberattack were to take place after Chinese forces had begun irrevocable moves towards Taiwan,
and if the fact of U.S. intervention was already determined, then the U.S. military would have little choice but
to deploy anyway and work around the disruption or corruption of its databases as best as it could.
However, under this second scenario now consider the possibility that the Chinese are holding back while
waiting to see how badly U.S. forces have been stymied by the cyberattack. If it received indications –
perhaps visible but more likely gathered from listening posts the People’s Liberation Army (PLA) may already
have within unclassified defense networks – that the hoped-for effect has taken place, then the PLA may
conclude that it has achieved a favorable correlation of forces and go ahead. If, however, the hoped-for
effects fail to materialize then perhaps the correlation of forces is not so good and they stand down and deal
with the fallout from the cyberattack later, perhaps by denying everything.
From the U.S. perspective, if it suffers just such a large scale operational cyberattack (and no war has
started), its first challenge has to be to answer the question “is there a war coming soon?” Why “soon”?
Because the effects of such a cyberattack are temporary (if no hardware has been broken); the window of
disability is relatively small, measured in days. If a war is to take advantage of the interim confusion, it will
likely start within such a time-window. Conversely, if some preparations for war have been discovered but no
war has started, the next challenge for the U.S. military is to project that its ability to operate has been
unaffected, the better to tilt China’s decision in favor of staying put. The third challenge is to actually get
better. Fourth and last is to worry about how to respond to the cyberattack itself – which, if a war does start,
would be quite low on the priority list since responding to their invasion will be primary.
Would a cyberattack on U.S. forces actually work to degrade mission effectiveness? I don’t know.
Unfortunately, it is not clear whether anyone else does, either. If the military knew the specific vulnerabilities
that such an attack would exploit, then one would think they would have been fixed by now. The Chinese,
alone, may know what they, themselves, are capable of. We, alone, may know where our weak spots are.
Neither of us is sharing information with the other on the topic.
But, determining whether such a cyberattack would work may be a secondary question. More critical is
whether the Chinese think that they can alter the correlation of forces with a cyberattack on the U.S. military.
If the answer is yes, and they find themselves debating whether to go to war, their confidence may impel
them towards going ahead (incidentally, a similar argument can be made for outer space). In such a case, if
they carry out a cyberattack and it turns out that the United States can fight its way through it with little
effect, then although U.S. forces will be in a better position to fight, war will have begun anyhow.
Therein rests the challenge for the U.S. military: first, to determine to what extent its ability to carry out its
missions is at risk from any cyberattack; second, to ensure that it has the resiliency to fight through
cyberattacks; and third, to make everyone else, not least of which is China, aware of how well it can
withstand attack. In January 2011, the Secretary of Defense said that “Chinese technological advances in
cyber- and anti-satellite warfare posed a potential challenge to the ability of our forces to operate and
communicate in this part of the Pacific.”3 That suggests that the third task has not yet been accomplished,
perhaps because the second task remains unfinished as well. Unfortunately, it is by no means clear that we
have undertaken the first – understanding what the risk to our mission effectiveness from cyberwar is.
These are not impossible tasks. The oft-stated aphorism that cyberspace is a man-made medium means that
the United States Department of Defense can make its networks into what it will – and do so in ways that
nullify temptations to mischief that our weaknesses would otherwise engender.
My conclusions are twofold. First, that the threat of strategic cyberwar is probably overblown. Second, that the
United States Department of Defense needs to take the prospect of operational cyberwar seriously enough to
understand imaginatively and in great detail how it would carry out its missions in the face of a full-fledged
attack.
Footnotes
1 The opinions and conclusions expressed in this testimony are the author’s alone and should not be interpreted as
representing those of RAND or any of the sponsors of its research. This product is part of the RAND Corporation testimony
series. RAND testimonies record testimony presented by RAND associates to federal, state, or local legislative committees;
government-appointed commissions and panels; and private review and oversight bodies. The RAND Corporation is a
nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the
public and private sectors around the world. RAND’s publications do not necessarily reflect the opinions of its research
clients and sponsors.
2 This testimony is available for free download at http://www.rand.org/pubs/testimonies/CT355/.
3 Pomfret, John. “Regional risks making U.S. - Japan ties even more key, Gates says” The Washington Post. Washington
D.C.: January 14, 2011. pg. A 10.
Social Media as a Tool for Protest
By Marko Papic and Sean Noonan, STRATFOR, February 3, 2011
Internet services were reportedly restored in Egypt on Feb. 2 after being completely shut down for two days.
Egyptian authorities unplugged the last Internet service provider (ISP) still operating Jan. 31 amidst ongoing
protests across the country. The other four providers in Egypt — Link Egypt, Vodafone/Raya, Telecom Egypt
and Etisalat Misr — were shut down as the crisis boiled over on Jan. 27. Commentators immediately assumed
this was a response to the organizational capabilities of social media websites that Cairo could not completely
block from public access.
The role of social media in protests and revolutions has garnered considerable media attention in recent years.
Current conventional wisdom has it that social networks have made regime change easier to organize and
execute. An underlying assumption is that social media is making it more difficult to sustain an authoritarian
regime — even for hardened autocracies like Iran and Myanmar — which could usher in a new wave of
democratization around the globe. In a Jan. 27 YouTube interview, U.S. President Barack Obama went as far
as to compare social networking to universal liberties such as freedom of speech.
Social media alone, however, do not instigate revolutions. They are no more responsible for the recent unrest
in Tunisia and Egypt than cassette-tape recordings of Ayatollah Ruholla Khomeini speeches were responsible
for the 1979 revolution in Iran. Social media are tools that allow revolutionary groups to lower the costs of
participation, organization, recruitment and training. But like any tool, social media have inherent weaknesses
and strengths, and their effectiveness depends on how effectively leaders use them and how accessible they
are to people who know how to use them.
How to Use Social Media
The situations in Tunisia and Egypt have both seen an increased use of social networking media such as
Facebook and Twitter to help organize, communicate and ultimately initiate civil-disobedience campaigns and
street actions. The Iranian “Green Revolution” in 2009 was closely followed by the Western media via YouTube
and Twitter, and the latter even gave Moldova’s 2009 revolution its moniker, the “Twitter Revolution.”
Foreign observers — and particularly the media — are mesmerized by the ability to track events and cover
diverse locations, perspectives and demographics in real time. But a revolution is far more than what we see
and hear on the Internet — it requires organization, funding and mass appeal. Social media no doubt offer
advantages in disseminating messages quickly and broadly, but they also are vulnerable to government
counter-protest tactics (more on these below). And while the effectiveness of the tool depends on the quality
of a movement’s leadership, a dependence on social media can actually prevent good leadership from
developing.
The key for any protest movement is to inspire and motivate individuals to go from the comfort of their homes
to the chaos of the streets and face off against the government. Social media allow organizers to involve
like-minded people in a movement at a very low cost, but they do not necessarily make these people move.
Instead of attending meetings, workshops and rallies, un-committed individuals can join a Facebook group or
follow a Twitter feed at home, which gives them some measure of anonymity (though authorities can easily
track IP addresses) but does not necessarily motivate them to physically hit the streets and provide fuel for a
revolution. At the end of the day, for a social media-driven protest movement to be successful, it has to
translate social media membership into street action.
The Internet allows a revolutionary core to widely spread not just its ideological message but also its training
program and operational plan. This can be done by e-mail, but social media broaden the exposure and
increase its speed, with networks of friends and associates sharing the information instantly.
YouTube videos explaining a movement’s core principles and tactics allow cadres to transmit important
information to dispersed followers without having to travel. (This is safer and more cost effective for a
movement struggling to find funding and stay under the radar, but the level of training it can provide is
limited. Some things are difficult to learn by video, which presents the same problems for protest organizers
as those confronted by grassroots jihadists, who must rely largely on the Internet for communication.) Social
media can also allow a movement to be far more nimble about choosing its day of action and, when that day
comes, to spread the action order like wildfire. Instead of organizing campaigns around fixed dates, protest
movements can reach hundreds of thousands of adherents with a single Facebook post or Twitter feed,
launching a massive call to action in seconds.
With lower organizational and communications costs, a movement can depend less on outside funding, which
also allows it to create the perception of being a purely indigenous movement (without foreign supporters)
and one with wide appeal. According to the event’s Facebook page, the April 6 Movement in Egypt had some
89,250 people claiming attendance at a Jan. 28 protest when, in fact, a much smaller number of protestors
were actually there according to STRATFOR’s estimates. The April 6 Movement is made up of the minority of
Egyptians who have Internet access, which the OpenNet Initiative estimated in August 2009 to be 15.4
percent of the population. While this is ahead of most African countries, it is behind most Middle Eastern
countries. Internet penetration rates in countries like Iran and Qatar are around 35 percent, still a minority of
the population. Eventually, a successful revolutionary movement has to appeal to the middle class, the
working class, retirees and rural segments of the population, groups that are unlikely to have Internet access
in most developing countries. Otherwise, a movement could quickly find itself unable to control the
revolutionary forces it unleashed or being accused by the regime of being an unrepresentative fringe
movement. This may have been the same problem that Iranian protestors experienced in 2009.
Not only must protest organizers expand their base beyond Internet users, they must also be able to work
around government disruption. Following the Internet shutdown in Egypt, protesters were able to distribute
hard-copy tactical pamphlets and use faxes and landline telephones for communications. Ingenuity and
leadership quickly become more important than social media when the government begins to use
counter-protest tactics, which are well developed even in the most closed countries.
Countering Social Media
Like any other tool, social media have their drawbacks. Lowering the costs of communication also diminishes
operational security. Facebook messages can be open for all to see, and even private messages can be viewed
by authorities through search warrants in more open countries or pressure on the Internet social media firms
in more closed ones. Indeed, social media can quickly turn into a valuable intelligence-collection tool. A
reliance on social media can also be exploited by a regime willing to cut the country off from Internet or
domestic text messaging networks altogether, as has been the case in Egypt.
The capability of governments to monitor and counteract social media developed alongside the capability of
their intelligence services. In order to obtain an operating license in any country, social networking websites
have to come to some sort of agreement with the government. In many countries, this involves getting access
to user data, locations and network information. Facebook profiles, for example, can be a boon for
government intelligence collectors, who can use updates and photos to pinpoint movement locations and
activities and identify connections among various individuals, some of whom may be suspect for various
activities. (Facebook has received funding from In-Q-Tel, the CIA’s venture capital firm, and many Western
intelligence services have start-up budgets to develop Internet technologies that will enable even deeper
mining of Internet-user data.)
In using social media, the tradeoff for protest leaders is that they must expose themselves to disseminate
their message to the masses (although there are ways to mask IP addresses and avoid government
monitoring, such as by using proxy servers). Keeping track of every individual who visits a protest
organization’s website page may be beyond the capabilities of many security services, depending on a site’s
popularity, but a medium designed to reach the masses is open to everyone. In Egypt, almost 40 leaders of
the April 6 Movement were arrested early on in the protests, and this may have been possible by identifying
and locating them through their Internet activities, particularly through their various Facebook pages.
Indeed, one of the first organizers of the April 6 Movement became known in Egypt as “Facebook Girl”
following her arrest in Cairo on April 6, 2008. The movement was originally organized to support a labor
protest that day in Mahalla, and organizer Esraa Abdel Fattah Ahmed Rashid found Facebook a convenient way
to organize demonstrations from the safety of her home. Her release from prison was an emotional event
broadcast on Egyptian TV, which depicted her and her mother crying and hugging. Rashid was then expelled
from the group and no longer knows the password for accessing the April 6 Facebook page. One fellow
organizer called her “chicken” for saying she would not have organized the protest if she had thought she
would be arrested. Rashid’s story is a good example of the challenges posed by using social media as a tool
for mobilizing a protest. It is easy to “like” something or someone on Facebook, but it is much harder to
organize a protest on the street where some participants will likely be arrested, injured or killed.
Beyond monitoring movement websites, governments can also shut them down. This has been common in
Iran and China during times of social unrest. But blocking access to a particular website cannot stop
tech-savvy Internet users employing virtual private networks or other technologies to access unbanned IP
addresses outside the country in order to access banned sites. In response to this problem, China shut down
Internet access to all of Xinjiang Autonomous Region, the location of ethnic Uighur riots in July 2009. More
recently, Egypt followed the same tactic for the entire country. Like many countries, Egypt has contracts with
Internet service providers that allow the government to turn the Internet off or, when service providers are
state-owned, to make life difficult for Internet-based organizers.
Regimes can also use social media for their own purposes. One counter-protest tactic is to spread
disinformation, whether it is to scare away protestors or lure them all to one location where anti-riot police lie
in wait. We have not yet witnessed such a government “ambush” tactic, but its use is inevitable in the age of
Internet anonymity. Government agents in many countries have become quite proficient at trolling the
Internet in search of pedophiles and wannabe terrorists. (Of course, such tactics can be used by both sides.
During the Iranian protests in 2009, many foreign-based Green Movement supporters spread disinformation
over Twitter to mislead foreign observers.)
The most effective way for the government to use social media is to monitor what protest organizers are
telling their adherents either directly over the Internet or by inserting an informant into the group,
counteracting the protestors wherever and whenever they assemble. Authorities monitoring protests at World
Trade Organization and G-8 meetings as well as the Republican and Democratic national conventions in the
United States have used this successfully. Over the past two years in Egypt, the April 6 Movement has found
the police ready and waiting at every protest location. Only in recent weeks has popular support grown to the
point where the movement has presented a serious challenge to the security services.
One of the biggest challenges for security services is to keep up with the rapidly changing Internet. In Iran,
the regime quickly shut down Facebook but not Twitter, not realizing the latter’s capabilities. If social media
are presenting a demonstrable threat to governments, it could become vital for security services to continually
refine and update plans for disrupting new Internet technology.
Quality of Leadership vs. Cost of Participation
There is no denying that social media represent an important tool for protest movements to effectively
mobilize their adherents and communicate their message. As noted above, however, the effectiveness of the
tool depends on its user, and an overreliance can become a serious detriment.
One way it can hurt a movement is in the evolution of its leadership. To lead a protest movement effectively,
an organization’s leadership has to venture outside of cyberspace. It has to learn what it means to face off
against a regime’s counterintelligence capabilities in more than just the virtual world. By holding workshops
and mingling among the populace, the core leadership of a movement learns the different strategies that work
best with different social strata and how to appeal to a broad audience. Essentially, leaders of a movement
that exploits the use of social media must take the same risks as those of groups that lack such networking
capability. The convenience and partial anonymity of social media can decrease the motivation of a leader to
get outside and make things happen.
Moreover, a leadership grounded in physical reality is one that constructs and sticks to a concerted plan of
action. The problem with social media is that they subvert the leadership of a movement while opening it to a
broader membership. This means that a call for action may spread like wildfire before a movement is
sufficiently prepared, which can put its survival in danger. In many ways, the Iranian Green Revolution is a
perfect example of this. The call for action brought a self-selected group of largely educated urban youth to
protest in the streets, where the regime cracked down harshly on a movement it believed was not broad
enough to constitute a real threat.
A leadership too reliant on social media can also become isolated from alternative political movements with
which it may share the common goal of regime change. This is especially the case when other movements are
not “youth movements” and therefore are not as tech savvy. This can create serious problems once the
revolution is successful and an interim government needs to be created. The Serbian Otpor (Resistance)
movement was successful in the 2000 Serbian democratic revolution precisely because it managed to bring
together a disparate opposition of pro-Western and nationalist forces. But to facilitate such coalition building,
leaders have to step away from computers and cell phones and into factories, rice paddies and watering holes
they normally would never want to enter. This is difficult to do during a revolution, when things are in flux and
public suspicion is high, especially of those who claim to be leading a revolution.
Even when a media-savvy leader has a clear plan, he or she may not be successful. For instance, Thaksin
Shinawatra, the former prime minister of Thailand and telecommunications magnate, has used his skills to
hold video conference calls with stadiums full of supporters, and launched two massive waves of protests
involving some 100,000 supporters against the Thai government in April 2009 and April and May 2010, yet he
still has not succeeded in taking power. He remains a disembodied voice, capable of rocking the boat but
incapable of taking its helm.
Simply a Convenience
Shutting down the Internet did not reduce the numbers of Egyptian protesters in the streets. In fact, the
protests only grew bigger as websites were shut down and the Internet was turned off. If the right conditions
exist a revolution can occur, and social media do not seem to change that. Just because an Internet-based
group exists does not make it popular or a threat. There are Facebook groups, YouTube videos and Twitter
posts about everything, but that does not make them popular. A neo-Nazi skinhead posting from his mother’s
basement in Illinois is not going to start a revolution in the United States, no matter how many Internet posts
he makes or what he says. The climate must be ripe for revolution, due to problems like inflation, deflation,
food shortages, corruption and oppression, and the population must be motivated to mobilize. Representing a
new medium with dangers as well as benefits, social media do not create protest movements; they only allow
members of such movements to communicate more easily.
Other technologies like short-wave radio, which can also be used to communicate and mobilize, have been
available to protestors and revolutionaries for a long time. In reality, so has the Internet, which is the
fundamental technological development that allows for quick and widespread communications. The popularity
of social media, one of many outgrowths of the Internet, may actually be isolated to international media
observation from afar. We can now watch protest developments in real time, instead of after all the reports
have been filed and printed in the next day’s newspaper or broadcast on the nightly news. Western
perceptions are often easily swayed by English-speaking, media-savvy protestors who may be only a small
fraction of a country’s population. This is further magnified in authoritarian countries where Western media
have no choice but to turn to Twitter and YouTube to report on the crisis, thus increasing the perceived
importance of social media.
In the Middle East, where Internet penetration is below 35 percent (with the exception of Israel), if a
movement grows large enough to effect change it will have been joined through word of mouth, not through
social networking. Still, the expansion of Internet connectivity does create new challenges for domestic
leaders who have proved more than capable of controlling older forms of communication. This is not an
insurmountable challenge, as China has shown, but even in China’s case there is growing anxiety about the
ability of Internet users to evade controls and spread forbidden information.
Social media represent only one tool among many for an opposition group to employ. Protest movements are
rarely successful if led from somebody’s basement in a virtual arena. Their leaders must have charisma and
street smarts, just like leaders of any organization. A revolutionary group cannot rely on its most tech-savvy
leaders to ultimately launch a successful revolution any more than a business can depend on the IT
department to sell its product. It is part of the overall strategy, but it cannot be the sole strategy.
This report is republished with permission of STRATFOR
DOD Database Would Sift All Network Traffic for Signs of Attack
By Henry Kenyon, Government Computer News, Feb 02, 2011
In its ongoing effort to keep and hold the high ground in cyberspace, the Defense Department is considering
developing a database to monitor government and private-sector network traffic. According to U.S. Cyber
Command officials, participating in the database is voluntary, but the collected information will provide the
government with a better view of cyber threats.
Speaking last week at a seminar on cybersecurity regulation hosted by the Potomac Institute, Marine Lt. Gen.
Robert E. Schmidle Jr., deputy commander of Cyber Command, said that the shared database will provide the
DOD with a common operational picture. The database will collect information from all of the services’
networks, the Homeland Security Department and other federal agencies.
But putting all of these various data feeds into a single coherent database “will be an ugly challenge,”
Schmidle said. Cooperating organizations that contribute data will have access to the database. This shared
approach is important because it allows the government to respond in a unified fashion during an incident, he
said.
However, Schmidle said that he did not expect the database to be set up immediately, as there are potential
policy and privacy issues to be ironed out first.
Those issues include concerns about how deeply the DOD should be involved in commercial and civilian
government networks. Nextgov reported that legislators and federal officials continue to debate the best
strategy to defend government networks and critical infrastructure while maintaining individual and corporate
privacy.
Schmidle contended that his organization only overlooks and defends sites in the .mil domain and only
conducts operations on the Internet when ordered to by civilian officials. But he noted that defensive
cyberspace operations cannot be effective without offensive operations on other networks.
Defense and industry experts have recently noted that while the DOD has established cyberspace commands
and missions, what is still lacking is an overarching strategy to coordinate activities and responses to attacks
at the national level.
Speech and Communications as War
By dptrombly, Blog, February 2, 2011
This post from Galrahn at the US Naval Institute’s blog is very interesting in its own right, but this response
from NewsHoggers’s Steve Hynd also raises some interesting questions. Galrahn contends that in providing an
instrument to distribute anti-regime propaganda to a global scale, Google is aiding in a campaign of
subversion against what is currently a major US strategic partner. Galrahn goes so far as to label this action a
form of unconventional warfare, because Google is essentially taking a side to implement a political decision in
a contest of force.
The notion that spreading information or journalism could be a form of warfare deeply worries Hynd, who
believes that defining such activity as warfare both endangers legal protections for journalists and strengthens
totalitarian regimes. Unlike the case of Wikileaks, where Manning’s release of classified documents (if not
necessarily Assange’s dissemination) clearly constitutes an illegal act, this case is, for the reasons Galrahn
points out, much more interesting. No US companies are violating, or conducting actions which violate, their
host nation’s laws, and because these are legitimate entities, they have a larger financial and technological
base for such programs. To Hynd, even speaking of journalism this way strengthens the case of
totalitarianism, and violates the sacred status of immigration and speech.
I think Hynd exaggerates the danger a blogger poses to free speech. Hosni Mubarak did not need external
justification to realize that as far as his interests were concerned, the internet and speech were weapons, and to
act accordingly. The US and other countries responded harshly to Mubarak’s communications clampdown, and,
in rhetoric at least, elevated internet access as a new universal right. Mubarak is in a political struggle for his
regime’s survival. When a new regime or constitutional order is at stake, everything does start to look like
war. As Juan Donoso Cortes put it:
… don’t tell me you don’t wish to fight; for the moment you tell me that, you are already fighting; nor
that you don’t know which side to join, for while you are saying that, you have already joined a side;
nor that you wish to remain neutral; for while you are thinking to be so, you are so no longer; nor that
you want to be indifferent; for I will laugh at you, because on pronouncing that word you have chosen
your party.
Cortes, a liberal turned reactionary writing in the wake of the 1848 revolutions, was referring to the struggle
between Catholicism and the ideologies of liberalism and socialism, and he, like the better known Joseph de
Maistre, was on the side of an authoritarian version of the former. Yet he captures the idea of a total political
struggle eloquently. In electing to treat communications as neutral in an ideological battle, states circumscribe
one form of power to enhance the other. Now, we may see this as perfectly legitimate or natural, and thus
exclude it from consideration in a discussion of war. This silence might be wise for policymakers, but it’s less
useful for those seeking an understanding of the complexities of political conflict, particularly when
communications technology has given states and other organizations enormous power to influence popular
thought. So, while in an ideal world, speech would not be war, and for a just world, we should endeavor not to
treat speech as such, we should still recognize the implications of speech as a form of warfare, because many
political agents see it that way.
The United States considered speech a weapon in World War I, and it did as well in World War II and the Cold
War. Galrahn is not stating anything revolutionary when he talks about communications technology as policy
by other means, except perhaps in claiming that it’s still a form of warfare when the elements of society,
rather than the state, are waging it. Because the modern legal order generally does not consider war, in the
Clausewitzean sense, a protected right even of states, we will endeavor to avoid labeling information
operations or coercion/pressure-through-communications war, at least until it is used against our values and
interests. We’ve essentially begun to see this with Wikileaks, and I suspect we will see it again. Although
liberalism neutralized political speech long ago, in part as a necessary method of constitutional self-preservation, with every perceived existential struggle it retreats into censorship.
The difference with any society which rules through coercion is that this period of perceived existential
struggle, of alignment against an enemy, is more permanent (even normal), and the neutrality of speech
becomes politically untenable. Sun Tzu famously said it is best to win without fighting. With the advent of
communications technology, and now that of non-state organizations such as Google capable of leveraging its
tremendous power independently of the government, Galrahn’s post reminds us of this important question:
will it be possible to wage a war not just without fighting, but without anyone realizing a war is being fought?
Google Declares War on the Egyptian Government
Posted by galrahn, U.S. Naval Institute Blog, 1 February 2011
The relative decline of the United States in the 21st century is a popular topic, but I would argue as long as
nerds from Google can do stuff like this over a weekend fueled by American products like Red Bull and candy
bars, perhaps the same American ingenuity that fueled the United States through World War II is still alive
and well today.
Like many people we’ve been glued to the news unfolding in Egypt and thinking of what we could do to help
people on the ground. Over the weekend we came up with the idea of a speak-to-tweet service—the ability for
anyone to tweet using just a voice connection.
We worked with a small team of engineers from Twitter, Google and SayNow, a company we acquired
last week, to make this idea a reality. It’s already live and anyone can tweet by simply leaving a
voicemail on one of these international phone numbers (+16504194196 or +390662207294 or
+97316199855) and the service will instantly tweet the message using the hashtag #egypt. No
Internet connection is required. People can listen to the messages by dialing the same phone numbers
or going to twitter.com/speak2tweet.
We hope that this will go some way to helping people in Egypt stay connected at this very difficult
time. Our thoughts are with everyone there.
Posted by Ujjwal Singh, CoFounder of SayNow and AbdelKarim Mardini, Product Manager, Middle East
& North Africa
We must think clearly about what we are seeing here, even if it is not popular to do so. Obviously America is a
techno-centric culture, so it is easy to see how this type of technology would immediately be appealing to
modern, young Americans and as it becomes more well known in Egypt – likely appealing to them as well. I
originally learned about this technology from an American sailor who was organizing volunteers on Twitter to
act as interpreters (and having success btw) for this service. Due primarily to the viral nature of social media
and by leveraging the global popularity of Google, it is only a matter of time until the youth in Egypt become
aware of the technology available.
How does it work? Well, someone inside Egypt calls one of the numbers listed, leaves a message, and the
message gets recorded and Tweeted to this Twitter feed where a recording of the voice mail is made available
to everyone to listen. The retweets by others in the feed are interpretations of the feed into English from a
specific voice recording. This is a very clever technology intended to directly circumvent the Egyptian
government policies that are attempting to reduce information access. Is there impact associated with the
technology? Surely not yet, but the tech itself is less than 24 hours old and most people likely do not realize what
they have. The options are many, and for me, I’ll admit the first time I listened to a few messages on
SayNow’s website I was immediately reminded of the BBC radio broadcasts to the Maquis in 1944 France…
If we are going to give serious analysis to what is happening here, we must examine the complicated issues
responsibly and ask the difficult questions.
What do we make of an American corporation (Google was ranked #102 by Fortune in 2010) basically
declaring war on the government policies of a strategic partner of the United States by inventing a new
technology and offering free services to the political opposition of the Egyptian government? Whether one
agrees or disagrees with what Google is doing – when you remove the morality element of Google’s action
that can easily impact one’s opinion – we are left with a few American corporations actively supporting a
revolution as a free service against the current government of a strategic partner of the United States.
Think about that for a second…
Google is waging war leveraging bandwidth as a weapon. Think about how silly our international treaties
governing broadcast communications look when a handful of companies like Google, SayNow, and Twitter can
turn a single node like a cell phone into a voice broadcast to the entire globe as a weekend project. Make no
mistake, bandwidth is most definitely a weapon, and the DoD needs to be thinking carefully about how this
weapon might be used against our enemies. For example, North Korea would likely see broad access to
bandwidth as a very dangerous weapon worth going kinetic over, meaning carefully considered rules of
engagement for bandwidth as a weapon are necessary when bandwidth is used as a weapon.
That thought should trouble those who give serious geopolitical strategic thought to the issue, because in
most cases a corporation like Google can use the bandwidth of the entire internet more effectively than an
organization like the DoD can use the bandwidth of their entire network, and yet, somehow I doubt
corporations carefully consider the rules of engagement when using bandwidth as a weapon.
At some level, one might describe this as the Wikileaks issue in reverse. Wikileaks leverages bandwidth and
cloud technology to ensure continuous access to information in support of broadcasting government
information to the entire world. Google and partners are leveraging cell phone technologies to ensure
continuous access to information in support of broadcasting anti-government information to the entire world.
The United States government has not, in my opinion, handled Wikileaks very well. When one considers the
geopolitical ramifications, not to mention the strategic ramifications, of American technology corporations like
Google and Twitter waging a private war on the government of Egypt – one might begin to ask what this box
looks like in 5 years that good ole’ Pandora is opening?
Is what Google, SayNow, and Twitter doing wrong or illegal? Is it the harmless stuff of weekend armchair
warriors? On one hand I readily admit to being very proud that a bunch of American nerds would come up
with a clever piece of technology to support a democratic movement against a dictatorship, and on the other
hand I know I am seeing modern methods of non-state cyber warfare applied towards a political purpose
against a state – leveraging the cyber medium where warfare is often difficult to identify or visualize until it is
far too late. Bandwidth is a powerful weapon, and while it is unclear how powerful Speak-to-Tweet is or will
ever be, it is important for us to note it here as a sort of genesis, or prototype capability in the development
of bandwidth technologies that can and almost certainly will be used in future 21st century state and non-state level information warfare.
How Rumsfeld Abandoned the Peacemakers
By Mark Benjamin and Barbara Slavin, Newsweek, February 06, 2011
Donald Rumsfeld vowed to fight a “different kind of war.” In the days following the 9/11 attacks, the secretary
of defense spoke about how America’s success in Afghanistan depended on the U.S. military being seen as
liberators, not infidel invaders. Drawing upon the ranks of reservists in the military’s Civil Affairs units—a vital
part of U.S. campaigns since the American Revolution—Rumsfeld would send citizen soldiers, with day jobs as
judges, lawyers, carpenters, and clerks, into the countryside to restore electricity, build roads, and spread
good will. “While we may engage militarily against foreign governments that sponsor terrorism, we may also
seek to make allies of the people those governments suppress,” Rumsfeld said in a speech on Sept. 27, 2001.
Days later, he proclaimed on Fox News that “we want to make sure that we can do everything we can to help
the misery of the Afghan people, which has been imposed on them by Al Qaeda and by the Taliban
leadership.”
And thus, a new battle for hearts and minds was begun. But as Rumsfeld’s new memoir, Known and Unknown,
makes clear, his own heart was never really in that fight. “I recognized the Yankee can-do attitude by which
American forces took on tasks that locals would be better off doing themselves,” he writes in the defiant 800-page tome. “I did not think resolving other countries’ internal political disputes, paving roads, erecting power
lines, policing streets, building stock markets, and organizing democratic governmental bodies were missions
for our men and women in uniform … The risk was that these nations could become wards of the United
States.”
Caught in the crossfire between the early high-flown rhetoric and the cold reality were the men and women of
Civil Affairs. First in Afghanistan and then again in Iraq, they were rushed to the front without adequate
training and equipment, as documents obtained by the Center for Public Integrity make plain. They were often
caught in combat situations for which they were ill prepared. And they paid the ultimate sacrifice—in
disproportionate numbers—for Washington’s failure to commit fully to their mission. Although Civil Affairs
specialists make up only about 5 percent of the Army’s Reserve forces, they account for 23 percent of the
combined fatalities among reservists in Iraq and Afghanistan, according to Maj. Gen. David Blackledge, the
commander of the U.S. Army Civil Affairs & Psychological Operations Command.
Lawrence Morrison, plucked from a job at the U.S. Postal Service unloading cargo on the docks in Yakima,
Wash., was one of the fatalities. The Army Reserve sergeant would have celebrated his 51st birthday in a few
weeks with his wife, Becky, but he died in 2005 after four months in Iraq, the victim of an IED that tore apart
his Humvee. “This was not the way I wanted my life with him to end,” his widow said.
Just before his unit was deployed, Becky Morrison recalls him telling her, the reservists were instructed to
grab gear from a hodgepodge spread out on a large table that included women’s bras and flak jackets. “They
had to go through and pick out what fit them best,” she said. He spent much of his early months based in
Taji, north of Baghdad, handing out candy to children, she said. But one day his unit was called away: “He
had never been in combat before.” He died near a water mill that “wasn’t even his mission.”
Joseph Collins, who served as deputy assistant secretary under Rumsfeld, describes Civil Affairs soldiers as
“some of the great unsung heroes” of the Afghan and Iraqi wars. But they suffered from bureaucratic
confusion and sporadic interest from Rumsfeld, the documents show—and Congress was misled.
Determined to impress Capitol Hill and satisfy Rumsfeld’s constant demands for progress reports, the Army
inflated the numbers of these troops available—creating on their books so-called ghost soldiers—and then
pushed even older and sometimes physically ailing personnel into harm’s way to make up for the shortfall
between their estimates and the number of actual bodies at hand. (The Army currently has only about 8,000
Civil Affairs troops, or less than 1 percent of its active and Reserve force. And the number of Civil Affairs
battalions has increased by only about a third since the late 1990s, despite two massive, ongoing
counterinsurgency operations.)
Restless with the command structure, Rumsfeld reorganized—pulling Civil Affairs out from under the military’s
elite Special Operations Command, which had overseen those efforts since the mid-1980s. Military
commanders say the reorganization backfired—leaving Civil Affairs units languishing without adequate
numbers, training, or equipment.
The Civil Affairs Command’s lack of resources and legacy of dysfunction is not just a matter for the history
books. It complicates U.S. efforts to withdraw from Afghanistan starting this summer—and calls into question
the ability of the military to fight future insurgencies or respond to humanitarian disasters, current and former
military officers say.
“It was too small of a force to begin with. We are scrambling right now to meet additional requirements for
Afghanistan,” General Blackledge said. “Our mission load is actually going up.”
The documents obtained by the Center for Public Integrity show the crisis was evident by 2004 at Fort Bragg,
N.C., the mobilization center for Civil Affairs troops. A Jan. 14, 2004, trip report by Sgt. Maj. John W. Young
Jr., the senior Army Reserve enlisted adviser monitoring Reserves at Special Operations, describes multiple
serious problems:
• One thousand or more Civil Affairs soldiers were “ghosts” who lacked the training or fitness to be
deployed.
• To get one unit filled out and ready to go, qualified Civil Affairs soldiers were cherry-picked from
disparate units, a violation of the military tenet that soldiers fight best alongside those they’ve trained
with—a “cross-leveling” practice still used in Afghanistan today.
• There was a lack of quarters for those who actually turned up, requiring some personnel to be
billeted on cots in the gymnasium.
• Reservists were mobilized with only two weeks’ notice.
• Soldiers were forced to sign statements that they were “volunteering” for what was “an involuntary
mobilization.”
• Soldiers were issued body armor without plates and bulky M-16s instead of smaller M-4 rifles more
suitable for traveling in cramped vehicles. In training, due to “a shortage of weapons and ammo, they
got to fire [only] one round.”
• The memo also describes a “critical shortage” of senior noncommissioned officers.
“This won’t do!” Gen. Bryan D. Brown, the commander then in charge of Special Operations, scribbled in a
handwritten notation on a 2004 memo. The memo warned that Civil Affairs & Psychological Operations was
short of critical supplies and had hundreds of “ghosts” on its books. A cover memo addressed to Lt. Gen. Philip
R. Kensinger Jr., one of Brown’s deputies, said, “Please take action not a very encouraging report.”
Young’s report upset the leadership of Special Operations responsible for Civil Affairs. He was accused of going
behind commanders’ backs and being “out of touch with reality,” according to emails. “They chewed my butt
out and then ignored me until I retired,” said Young, who left the military in 2005 and now lives in Tulsa,
Okla. “They were aware that the whole system was broke, and there wasn’t much they were going to do to
change things.”
Meanwhile, a number of top Army officials told Congress that Civil Affairs units were fully qualified. On March
11, 2004, two months after Young’s report, Brown told a House Armed Services subcommittee that Kensinger
and the Army had been working to “ensure that all of our Civil Affairs forces are trained to … standards. They
are fully qualified,” he said. “Each one of those units are about 115 percent or more manned,” Kensinger told
the subcommittee. “People come into Civil Affairs because there’s a great balance in what they do in the
civilian sector.”
The result of the shortages and mismatches was that soldiers died “needlessly,” said Timothy M. Haake, a
retired major general and former deputy commander for mobilization and Reserve affairs for Special
Operations, who elevated Young’s concerns to higher-ups. “These generals didn’t do their job,” Haake said.
(Neither Brown nor Kensinger could be reached for comment.)
Rumsfeld’s desire to shake up the command structure didn’t help. A trail of the defense secretary’s celebrated
“snowflake” memos shows he thought Civil Affairs ill matched to be run by Special Operations command,
whose predominant role is controlling 12-man Special Forces A-Teams for hunting down terrorists. On March
7, 2005, he wrote that Civil Affairs’ “skill sets are, at this stage, probably more of a distraction than a benefit
to the increasing Special Operations roles and missions.”
“Secretary Rumsfeld focused largely on the high-value target set,” said Thomas O’Connell, assistant secretary
of defense for Special Operations and low-intensity conflict from July 2003 to April 2007. “The Special
Operations Force components that operated at the lower end of the spectrum were less appreciated by many
civilian policymakers as to their potential effectiveness in the fight.”
In 2006, after a blizzard of Rumsfeld snowflakes, most Civil Affairs units were split away from Special
Operations and now report to the Army Reserve. (In an awkward compromise, however, four battalions of
active-duty Civil Affairs soldiers were assigned to Special Operations.) Many military experts consider this so-called divorce a mistake that has fractured Civil Affairs capabilities between two bosses. It’s akin to assigning
a child to one parent after a divorce but allowing the other parent to make most of the decisions about how
the child will be raised.
The split was “probably flawed in its conception, it certainly was flawed in its implementation,” a 2009 U.S.
Army War College report by Col. Hugh Van Roosen found. “Given the recent rise in the importance of stability
operations, relying significantly upon CA capabilities, this decision should be revisited by the current Secretary
of Defense.”
Maj. Gen. David Morris, who commanded U.S. Army Civil Affairs & Psychological Operations Command during
the reorganization, said he opposed the “divorce” and that it caused multiple problems. Among them: getting
money for replacement equipment when he suddenly lost access to regular Special Operations funds.
“We had to work our way through that with the Special Operations community, which we did,” he said. “But
we were in the middle of a fight, and it was one of those bureaucratic things that was like an anchor slowing
us down.”
President Obama may be exiting Iraq and trying to wind down the war in Afghanistan. But the need for more
effective Civil Affairs units remains vital today, said David Barno, a retired lieutenant general who commanded
U.S.-led forces in Afghanistan from late 2003 through mid-2005.
“They can get a power grid up and operating and look at how societies interact. These are the skills that are
typically outside the mainstream of the combat-centric military … but in the environments we’re in now,
they’re absolutely essential,” Barno explained. “They are the glue that binds the military effort to the civilian
population.”
In a March 2009 speech on Afghanistan, Obama emphasized “agricultural specialists and educators,
engineers, and lawyers” rather than foot soldiers. Likewise, now-retired Gen. Stanley McChrystal highlighted
the establishment of local judicial systems more than military action in his confidential assessment of the
Afghan war in 2009. “Our strategy cannot be focused on seizing terrain or destroying insurgent forces; our
objective must be the population,” he wrote in the report, which leaked to The Washington Post. “This is a
‘deeds-based’ information environment where perceptions derive from actions, such as how we interact with
the population and how quickly things improve.” He called for an “integrated civilian-military
counterinsurgency campaign that earns the support of the Afghan people and provides them with a secure
environment.”
Indeed, demand for citizen soldiers is so acute today that the Army routinely still resorts to cross-leveling to
get enough warm bodies into a Civil Affairs unit before it deploys.
The Pentagon tries to provide Reserve soldiers with four years of rest between yearlong deployments.
Blackledge, the current commander of Civil Affairs, said his units deploy every 20 months. But even that
number is misleading, and time at home—known as dwell time—was often reduced to less than two years,
meaning reservists were treated like active-duty soldiers and deployed multiple times. An individual Civil
Affairs soldier deploys much more frequently as he is cross-leveled from one unit to another. “The actual dwell
time is much less for any individual soldier,” Blackledge said. “And that is the best it has been since the war
started.”
Defense Secretary Robert Gates is mindful of the problems. He plans to increase Civil Affairs to 11,152 troops
by 2013 and “is exploring ways to better integrate Civil Affairs functions with complementary stability
operations” in Afghanistan, spokesman Geoff Morrell said.
But such promises come as cold comfort to Becky Morrison. She said her husband suffered from a bad knee, a
bum shoulder, and high blood pressure—and never should have been sent to Iraq in the first place,
given his physical ailments.
“My husband was killed, and we’re walking away from Iraq now,” she said. “I’m angry at the fact they’re
bringing them all home because they didn’t accomplish what they set out to accomplish.”
Weapons Exist to Defeat Cyber Attacks, But Are Not Being Used
By Sandra Erwin, National Defense Magazine (Blog/post), 31 Jan 2011
Most of the crime that is being perpetrated in cyberspace could be prevented if only organizations employed
the weapons they already have at hand, says an industry expert. Companies and government agencies, for
instance, have information systems that could identify and possibly avert unauthorized release of data, a la
Wikileaks.
The government worries about foreign nations trying to hack into Pentagon networks, but often is not paying
attention to the “insider threat,” says Charles Croom, retired Air Force lieutenant general and vice president of
cybersecurity solutions at Lockheed Martin Corp.
In breaches such as the Wikileaks cables, where allegedly it was an Army soldier who downloaded classified
documents, “Why didn’t we protect ourselves?” Croom asked. “Because we didn’t take it seriously … even
though the insider threat is significant.”
Croom spoke last week at the Institute for Defense and Government Advancement’s “Network Enabled
Operations” conference in Arlington, Va.
Recent studies by government experts and industry giants such as Verizon noted that most data thefts or
network attacks are avoidable if existing measures are applied, Croom said. “If we only implemented what we
know how to implement we could avoid 80 percent of breaches,” he said. “Why aren’t we doing it? Because
it’s damned hard implementing what we already know how to do.”
Major Internet service providers, known as ISPs, already have means to destroy botnets — malicious software
that runs autonomously. But they elect to not go after botnets because they worry about liability claims, said
Croom.
On the government side, agencies and Congress are still scrambling, without a “cohesive strategy” for how to
strengthen the nation’s cyber defenses, Croom said.
Senior Obama administration officials — such as White House cyber czar Howard Schmidt, Homeland Security
Secretary Janet Napolitano and U.S. Cyber Command Chief Gen. Keith Alexander — have spoken at various
forums about the need to boost cybersecurity, but each has expressed divergent viewpoints on “what the
threat is and what the way ahead is,” Croom said. “How do you come up with a cohesive government strategy
when you have a leadership as diverse as they are?” he asked. “That may be part of our problem: We can’t
really agree on the difficulty” of the cyber challenge, he added. Perhaps if they all got in a room together and
talked, they would come out with similar answers, Croom said.
The fragmented arrangement of U.S. cybersecurity responsibilities only will create more confusion about who
has the authority, for example, to unleash a network attack on an adversary, or who has the power to
determine if a target is legitimate. “What happens if we take down a country’s utility and the hospital’s power
goes out?” Croom asked. If U.S. critical infrastructure were struck by malware, it’s not clear whether that
would be considered a hostile terrorist-like act. “What is our threshold for war, and when do we respond
kinetically and say, ‘That’s enough.’”
Croom blames the military for not providing expert guidance to civilian authorities. “The military, in my view,
has totally avoided the strategy aspect,” he said. Instead, it has just thrown money at the problem. “In the
military, we do what we do best when we come to a hard issue: We create an organization.”
The Defense Department established the Cyber Command and, “as good military people do, we define roles
and responsibilities for the organization,” Croom said. After the bureaucracy is in place, maybe someone will
ask, “what the heck was our strategy anyway?” Croom said. “I’m not saying that’s bad, but it does seem
backwards.”
Cyber Command, in Croom’s opinion, prematurely declared itself “operational” last year, “without any
processes, without any talent.”
The private sector, meanwhile, is ambivalent about investing in cyberwarfare technology because, for many
companies, there is still no “business case,” Croom said. “Industry also is saying to the government, ‘Hey
you’ve got more information than I have, why don’t you start sharing it?’”
With the economy in the United States still struggling, it is going to be more difficult for corporations to justify
large expenditures in security against perils they don’t really understand or believe really exist.
There is an ongoing debate in the industry on why the nation has not yet seen a “Digital Pearl Harbor.” Some
insiders believe we’ve just been lucky, others maintain that U.S. information systems might be more resilient
than most people think they are. Or maybe nobody has yet bothered to seriously plan an attack.
Executive Branch agencies and the private sector will be closely watching congressional actions this year
regarding cybersecurity. The key question, said Croom, is whether Congress will call for more or less
regulation. Industry would like to see the government adopt contracting rules that reward “best practices” in
cybersecurity and long-term research investments. The private sector also would like some clarity on what
critical infrastructure the government intends to protect.
Mark Young, special counsel for defense intelligence at the House Permanent Select Committee on
Intelligence, said Congress continues to wrestle with these issues.
Speaking at the IDGA conference, Young pushed back on the conventional wisdom in Washington that
congressional committees are more interested in protecting their turf than in securing the nation’s networks.
“Unlike what you might see in some headlines, it’s not necessarily a turf battle,” Young said. “Staffers and
members are trying to figure out who should handle what.”
But he acknowledged that Congress is “just as confused sometimes as the Executive Branch is on who should
be doing what.” The specific duties of the intelligence community, the Defense Department or the Department
of Homeland Security haven’t been communicated to Congress, he said. The line between the National
Security Agency and U.S. Cyber Command also is blurry, he said. “The debate within the Executive Branch is
reflected on Capitol Hill.”
The issue of whether a cyberattack is an act of war seems a “little bit of a red herring,” Young said. “The fact
that we all spin our wheels trying to figure out if this is an act of war” is pointless, he said, because only the
president can make that call.
For Congress, it’s important to institutionalize public-private partnerships, he said. “Over 80 percent of the
infrastructure is owned by private sector.” Lawmakers also want to be included upfront in any major decisions,
he said. “The Executive Branch is going to be a lot happier if they cooperate with the Hill rather than bringing
us at the end, and surprising us after it’s fait accompli.”
General Offers Details on Cyber Command Authorities, Organization
By Amanda Palleschi, Inside Defense, 02 Feb 2011
In the event of a national cyber emergency, U.S. Cyber Command might take the lead defending the nation's
military networks as a "supported command" before "turning things over" to U.S. Northern Command,
according to a CYBERCOM official.
At a Reserve Officers Association conference this week, CYBERCOM Chief of Staff Maj. Gen. David Senty shed
light on how the command could operate in the event of a major cyber attack. But he also stressed such
issues are still being sorted out. CYBERCOM, which falls under U.S. Strategic Command, reached full
operational capability in November 2010.
"We're particularly deep in phase zero, so our Cyber Command responsibilities, where we could be a
supported command, is an evolving discussion," Senty said. "So, if you had a national emergency in the
United States, you may start with Cyber Command being supported in certain functions that are performed on
behalf of, or at the request of, the [Department of Homeland Security], and then we'd turn things over to
NORTHCOM, and make them be the supported command."
This is an evolution to the command's previous organizational structure within the Pentagon, Senty explained.
"We went from a command that was actually a parcel between the joint forces and global operations under
STRATCOM, and another component called network warfare, which was in a different location under a
separate commander," Senty said. Following Operation Buckshot Yankee, a counterattack to a 2008 attack on
classified military computer networks, "we moved very quickly to consolidate offense and defense into one
command," he said.
His remarks come as Congress is preparing to once again grapple with questions about which agencies would
claim authority and responsibility in the event of an attack on U.S. networks.
Defense Department and DHS officials have clarified that DOD has authority over the nation's military networks,
and DHS is responsible for other U.S. government networks in the event of a cyber attack. But the chain of
command within CYBERCOM has been an open question. The command has worked in conjunction with DHS
and the National Cybersecurity and Communications Integration Center to adjust a National Cyber Incident
Response Plan, tested in efforts such as the exercise Cyber Storm III.
That exercise had "major implications for efforts to define the Pentagon's role in guarding American networks
from malicious cyber attacks," according to Deputy Assistant Secretary of Defense for Cybersecurity and
Space Policy Robert Butler (Inside the Pentagon, Oct. 20, p2).
The significant compromise of classified DOD computer networks in 2008 that led to Operation Buckshot
Yankee began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle
East, according to Deputy Defense Secretary Bill Lynn.
"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto
a network run by the U.S. Central Command," Lynn wrote last fall in Foreign Affairs.
That major compromise of classified data "demonstrated that we have taken our eye off the ball with regard
to our culture, our conduct and capabilities to some extent . . . about how we use our systems, whether or not
we have adherence to the way we move data from one place to another," Senty said.
Looking ahead, he said shared situational awareness among the services and combatant commands, smart
data tagging and building the future cyber force are key priorities for CYBERCOM.
Currently, key cyber intelligence and information is not shared "the way it needs to be" among DOD agencies
with capabilities to defend networks, Senty said. Although cyberwarfare is not kinetic, face-to-face interaction
and tests are still required, he said.
"It's not, do we have all the data in our joint operations center, and we'll decide what changes to make on the
network and whether or not we're capable of something on or off line. That's not what we want to do," Senty
explained. "We want to have shared [situational awareness] so that someone who is forward understands that
we're going to reconfigure a network or change policies based on some need, so that they can be mindful of
that and aware of it in real time. That common operational picture is one of our big technological challenges
today."
Smart data tagging -- "where you have data integrity, because you tagged something without showing all
your bandwidth" -- is another technological priority in defending military networks, Senty said. Recruiting
"cyber talents" is the command's second overall priority after addressing cyberdefense, he added.
Currently, the command is not interested in having a separate service for the cyber realm, he said, noting
officials must instead develop cyber skill sets within the armed services, the Defense Information Systems
Agency, the National Security Agency and other organizations.
"People wondered years ago whether there was going to be a separate service for this particular domain,"
Senty told Inside the Pentagon. "But [CYBERCOM] is a COCOM, with capabilities within the services, which we
need, to have that integrated planning, integrated skills, because of the way the service components operate."
U.S. Has Secret Tools to Force Internet on Dictators
By Spencer Ackerman, Wired, February 7, 2011
When Hosni Mubarak shut down Egypt’s internet and cellphone communications, it seemed that all U.S.
officials could do was ask him politely to change his mind. But the American military does have a second set of
options, if it ever wants to force connectivity on a country against its ruler’s wishes.
There’s just one wrinkle. “It could be considered an act of war,” says John Arquilla, a leading military futurist.
The U.S. military has no shortage of devices — many of them classified — that could restore connectivity to a
restive populace cut off from the outside world by its rulers. It’s an attractive option for policymakers who
want an option for future Egypts, between doing nothing and sending in the Marines. And it might give teeth
to the Obama administration’s demand that foreign governments consider internet access an inviolable human
right.
Arquilla, a professor at the Naval Postgraduate School, spent years urging the military to logic-bomb
adversary websites, disrupt hostile online presences, and even cause communications blackouts to separate
warring factions before they go nuclear. What the military can turn off, he says, it can also turn on — or at
least fill dead airspace.
Consider the Commando Solo, the Air Force’s airborne broadcasting center. A revamped cargo plane, the
Commando Solo beams out psychological operations in AM and FM for radio, and UHF and VHF for TV. Arquilla
doesn’t want to go into detail how the classified plane could get a denied internet up and running again, but if
it flies over a bandwidth-denied area, suddenly your Wi-Fi bars will go back up to full strength.
“We have both satellite- and nonsatellite-based assets that can come in and provide access points to get
people back online,” Arquilla says. “Some of it is done from ships. You could have a cyber version of pirate
radio.”
Then there are cell towers in the sky. The military already uses its aircraft as communications relays in places
like Afghanistan. Some companies are figuring out upgrades: FastCom, an effort led by the defense firm
Textron, is a project that hooks up cellular pods to the belly of a drone, the better to keep cellular and data
connections in the air without pilot fatigue. Underneath the drones, a radius of a few kilometers on the ground
would have 3G coverage.
Sharon Corona, a spokeswoman for the project, says that there’s an obstacle to using a technology like
FastCom for an Egypt-like situation: The recipient devices need to be able to talk with the cell and data signal.
But compliant phones or netbooks — small and lightweight — could conceivably be smuggled into a denied
area.
Alternatively, operatives could smuggle small satellite dishes into a country. Small dishes were crucial to
getting the internet back running in Haiti after last year’s earthquake. It’s how cameramen in war zones
rapidly transmit high quality video from the middle of nowhere.
Of course, slow-flying drones or a broadcasting center in the sky have an inherent weakness: They’re sitting
ducks for any half-decent air defense system. (And did we mention that Hosni Mubarak became a national
hero for his air defense prowess in the 1973 war against Israel?)
That leads to another possibility: “Just give people Thuraya satellite phones,” says John Pike of
Globalsecurity.org. The cheapish phones hunt down signals from space hardware.
Even expanding access to the military’s own satellite communications networks is theoretically possible,
Arquilla says. But he won’t say more than that: “Let’s just say that’s an area decided at the level of the
commander-in-chief.”
In the absence of those options, there’s always the old-school methods of jamming a government’s
communication frequencies and broadcasting favorable messages. That’s the Commando Solo’s specialty.
“Jamming is something we think about in the context of shooting wars,” says Arquilla, but “it may have its
place in social revolutions as well.”
The trouble is, if a government follows Egypt’s lead and turns off the internet, it’s not going to be keen to see
a meddling foreign power turn it back on.
That act might not be as provocative as sending in ground troops or dropping bombs. But it’s still an act of
what you might call forced online entry — by definition, a hostile one.
In situations like Egypt, siding with an uprising against a longtime ally is a difficult choice, whether analog or
digital.
That might be why the military hasn’t done it. Asked about whether the Pentagon would consider deploying
mobile connectivity to restore internet access for a social uprising, all a senior official would say is that such a
situation was “hypothetical.”
And all that underscores how Egypt’s internet shutoff pushed the poorly defined limits of cyber hostilities.
Foreign actors don’t really have a blueprint for responding. The U.S. military “has a great deal of expertise on
rebuilding communications network, but that’s … very different when the government is interested in
resisting,” Arquilla says. “This is far less an engineering problem and far more a political one.”
U.S. State Department starts Farsi Twitter feed
By CNN Wire Staff, February 14, 2011
(CNN) -- The U.S. State Department launched a new Farsi-language Twitter feed Sunday in a bid to connect
with internet users in Iran.
"US State Dept recognizes historic role of social media among Iranians. We want to join in your
conversations," the department said in its first tweet.
The feed was launched just one day before opposition leaders and activists in Iran have called for a protest in
support of the Egyptian revolution, according to Saham News. The rally is planned to coincide with the 25th
day of Bahman, the 11th month of the Persian calendar.
Following the resignation Friday of Egyptian President Hosni Mubarak, the head of Iran's National Security
Council, among other Iranian authorities, lauded the leader's toppling, comparing "the Egyptian Revolution
with the victory of Iran's Islamic Revolution," according to Iran's state-run media.
But while publicly praising the Egyptian uprising, the government has rounded up activists after Iran's two
leading opposition figures called for Monday's rally.
Opposition leaders Mehdi Karroubi and Mir Hossein Moussavi asked that the rally take place in Tehran's Azadi
Square, the site of mass protests by Iran's opposition movement after the disputed 2009 presidential
elections.
"Iran has shown that the activities it praised Egyptians for it sees as illegal, illegitimate for its own people,"
the State Department said in its second tweet.
In its third tweet, the department called on Iran to allow people the same right to demonstrate as Egyptians
had in Cairo.
The Farsi-language feed had eight followers as of Sunday night. The State Department's Arabic-language
Twitter feed, launched last week, had more than 1,000 followers.
Freedom to Connect
By Jerry Edling, Mountain Runner blog, Posted: 14 Feb 2011
"You will not be able to stay home, brother.
You will not be able to plug in, turn on and cop out.
You will not be able to lose yourself on skag and skip,
Skip out for beer during commercials,
Because the revolution will not be televised." -- Gil Scott-Heron, from the album "Small Talk at 125th and Lenox" (1970)
"The revolution will not be televised...but it may be tweeted." -- Posted on weeseeyou.com, January 28, 2011
In some ways, Gil Scott-Heron's song "The Revolution Will Not Be Televised" was ahead of its time. The lyrics
were recited rather than sung, accompanied by congas and a bongo drum, making it either a vestige of beat
poetry or one of the first examples of rap. His point, which must be understood in the context of domestic
unrest in the late 1960s and early 1970s in the U.S., was that the revolution was not a pre-packaged bit of
pop culture, sanitized for your protection and brought to you with minimal commercial interruption by Xerox.
The revolution, in his opinion, was real; or, as the final line of the song reads,
"The revolution will be no re-run, brothers; The revolution will be live."
Little did he know that in the 21st century a revolution of a different sort would be live and it would be
televised. And yes, as the quip on weeseeyou.com vividly notes, it would be tweeted. As of this writing, the
Biblical land of Egypt is illuminated with cell phone lights and fireworks as mobs with no definable leaders spill
into the streets to celebrate the resignation of Hosni Mubarak as president after weeks of protest and unrest.
The revolution was televised, and the power to bring those images to the world was in the hands of the
revolutionaries themselves.
In a sense, two different revolutions are ongoing in Egypt. One is a struggle for power, which led to Mubarak's
resignation. The other, broader revolution is a transfer of power that puts media in the hands of the people
and allows individuals with nothing more than a cell phone to publish, broadcast and tweet to the world in real
time. It is a paradigm shift that also provided the underpinning of the Jasmine Revolution in Tunisia, which
sent the president into exile, and the demonstrations surrounding the election in Iran, which led to a
crackdown that was leaked electronically to the world.
"There's somethin' happenin' here/What it is ain't exactly clear..." -- Buffalo Springfield, "For What It's
Worth," 1967.
The communication revolution in the 21st century has often been compared with the invention of the printing
press. Both developments allowed the average person access to a quantum leap of information and furthered
the process of democratization. The invention of movable type put the Bible in the hands of the individual,
eroding the power of the Church hierarchy. Similarly, the Internet and the cell phone have put virtually
the entire wealth of human knowledge and the ability to share thoughts with the world in the hands of the
individual. The difference is that today, the ability to tap into that power depends on access to cyberspace.
Literally and figuratively, the switch must be on and the batteries must be charged for this extraordinary
ability to communicate with the planet to be enabled. So it is no wonder that when Egypt wanted to defuse
the political revolution, it simply pulled the plug on connectivity.
That's why a new freedom is needed. The events of 2011 demonstrate very clearly that the Universal
Declaration of Human Rights needs to be amended to include the freedom to connect. Secretary of State
Hillary Clinton alluded to the need for such a universal right in her speech at the Newseum in January of 2010.
She defined the freedom to connect as "the idea that governments should not prevent people from connecting
to the Internet, to websites or to each other." She continued, "The freedom to connect is like the freedom of
assembly, only in cyberspace. It allows individuals to get online, come together and hopefully cooperate." Like
the First Amendment to the United States Constitution, it recognizes that the freedom to exercise one's
political rights has at least two components: freedom of expression and freedom of association. Indeed, the
Universal Declaration of Human Rights links these two as well. According to Article 19, "[e]veryone has the
right to freedom of opinion and expression; this right includes freedom to hold opinions without interference
and to seek, receive and impart information and ideas through any media and regardless of frontiers."
According to Article 20, "[e]veryone has the right to freedom of peaceful assembly and association" and "[n]o
one may be compelled to belong to an association."
It could be argued that Articles 19 and 20 are enough. But when the Universal Declaration of Human Rights
was adopted by the United Nations General Assembly in 1948, no one knew that more than 60 years later,
there would be an entirely new medium that served as both a repository for all of human knowledge and a
megaphone to most of the planet. Cyberspace is unprecedented. It is both the Royal Library of Alexandria and
the village square. To be excluded from it is to be isolated from the human community.
Some may argue that any form of regulation, even the sort that guarantees freedom, is anathema to the spirit
of the Internet. That's a point well taken. Part of the attraction of the Internet is its Wild West quality. Indeed,
the Silicon Valley geniuses who created the cyberscape grew up in the turbulent era that inspired Gil Scott-Heron
and infused it with the same spirit of revolution and entrepreneurship. But there is a sort of Alice in
Wonderland logic to the argument that a global agreement guaranteeing information freedom would restrict
freedom. Using the same logic, Article 19 impedes a government's freedom to censor, and child labor laws
restrict corporations' freedom to hire the personnel they want and conduct business as they see fit. A codicil
to the Universal Declaration of Human Rights guaranteeing the freedom to connect certainly would not be the
beginning of a slippery slope to government regulation. On the contrary, it would help preserve the robust and
free-wheeling spirit of this community without borders by ensuring that the cyber-community is, in fact, the
entire human community.
The freedom to connect affects more than the freedoms of expression and association. It also has an
enormous impact on the freedom from want, one of the Four Freedoms coined by U.S. President Franklin
Roosevelt in his 1941 speech. In developing nations, the Internet and mobile phone technology have become
essential tools for survival. Mobile banking has become a real boon to people in developing nations. In 2008,
Informa Telecoms & Media predicted that revenues from mobile phone sales would grow at nearly seven
percent annually through 2013, with most of the growth driven by emerging markets in nations such as Brazil,
Russia, India and China. Mobile banking has exploded in some of the most impoverished nations, enabling
people to receive remittances from relatives in developed nations, pay bills without standing in long lines and
receive wages without dealing with potentially corrupt officials in manual pay systems. In 2010 the BBC World
Service Trust announced that the mobile phone service Janala had delivered one million English lessons in
Bangladesh. A mobile health project in South Africa uses cell phone text messages to encourage people in
remote parts of the country to get information and counseling on HIV/AIDS. Under an initiative launched by
the Department of State, text messages remind people in sub-Saharan Africa to take HIV medications, and
emails and text messages warn of attacking rebels. All of these potentially life-saving applications can be
foiled by governments that interfere with the ability to connect.
At the onset of Operation Desert Storm a CBS News military consultant, in describing the initial tactics of the
allied air assault, spoke of the need to "draw an electronic curtain around Iraq." His point was telling: the
most important priority at the onset of battle was to destroy the communications infrastructure that enabled
Iraq's armed forces to command and control. Twenty years later, an electronic curtain that frustrates the ability of
the peoples of the world to connect with information and connect with each other is potentially even more
destructive than the Iron Curtain of a previous generation. It takes away the peoples' ability to command and
control their lives.
Alec Ross, Clinton's Senior Adviser for Innovation, says, "If Paul Revere had been a modern day citizen, he
wouldn't have ridden down Main Street. He would have tweeted." Denying the people of the world the ability
to connect is akin to robbing Paul Revere of his horse and soundproofing the homes of the people he passed
on Main Street.
The village square has become a virtual meeting place. It is time for the world to recognize that all are
welcome to gather there.
Somalia's Al-Shabaab Launch TV Channel
AFP, February 5, 2011
Somalia's al-Qaeda-inspired al-Shabaab group has launched a terrestrial news channel in its latest effort to
expand its propaganda activities, the Site monitoring group said on Friday. Al-Kataib News Channel's pilot
showed the confessions of an alleged CIA spy who was executed on Sunday, said Site Intelligence Group,
which carried a translation of an al-Shabaab statement circulated on jihadi internet forums. "This broadcast
success represents an advanced media leap in the mujahedeen's [holy warriors] media in general and in
Somalia in particular," the statement said. Al-Shabaab, who have pledged allegiance to Osama bin Laden and
control most of southern and central Somalia, also boasted acquiring a terrestrial TV channel before Somalia's
Western-backed transitional federal government… Few Mogadishu residents have yet been able to watch the
al-Shabaab's channel due to the lack of adequate TV equipment. The insurgent group has banned Somalis
from watching football, Western films and any other programme it deems "un-Islamic."
Hackers Use Hidden Device to Manipulate News at Wi-Fi Hotspots
By Darlene Storm, ComputerWorld (blog), 14 Feb 2011
What if you are reading the news and some startling and almost unbelievable headline catches your eye, such
as "U.S. wants Assange as head of Defense Department"? That would surely be something worth sharing on
Facebook or tweeting about? But after you share it, people quickly reply to let you know the headline says no
such thing. Yet you can clearly see that it does, so what gives? If you happened to be reading the news at a
Wi-Fi hotspot, chances are that you've been had by Newstweek.
If a device called Newstweek is plugged in at a wireless hotspot, then people connected to that Wi-Fi can
have all media content modified, changed or otherwise edited by a hacker who is operating from a remote
location.
Tech savvy Berlin-based artists Julian Oliver and Danja Vasiliev came up with the Newstweek project to
address the potential of how "trustworthy" news can be manipulated and controlled by the "gatekeepers."
Newstweek is a fascinating yet terrifying reminder of how our trusted media content can easily be censored or
modified to manipulate public perception of what is happening in the world. The creators point out "Data from
Reporters Without Borders" as an illustration of "a world increasingly seen through a filter of government-issued data surveillance."
I found Newstweek to be so intriguing, I interviewed the creators, Julian Oliver and Danja Vasiliev.
Interview with Newstweek creators:
If Newstweek was conceptualized in December 2010 at the 27th Chaos Communication Congress held in
Berlin, Germany, when did you make it a real working device?
Julian & Danja: In the first week of January, 2011.
Can you change anything on a webpage, not just the title?
Julian & Danja: Indeed! For instance a URL to an image, encountered in the clear text of the HTML itself, can
easily be substituted for another URL to another image resource.
The entire concept is scary, but if a person was like OMG and tweeted it -- for example -- the person on the
other end would see the real headline or article, correct?
Julian & Danja: Correct. The manipulation is entirely local to the user associated with the hotspot under
attack.
I realize it is covered on Newstweek, but is Newstweek your site?
Julian & Danja: Yes. It's a spoof-website that demonstrates the ultimate power of Newstweek; we can
potentially take any website (like newsweek.com) and replace its contents entirely. It also served well to
brand the project and as such caught a lot of attention. It was somewhat telling just how many people took it
as a real site with real journalistic intent.
I also read about it here, so did security researchers from Critical Engineering describe and figure it out
correctly?
Julian & Danja: That was us, using a journalistic style to explain the underpinnings of the project. It worked!
That same text was cited all over the place, people simply taking what they read as a given.
Do you have future plans for the device?
Julian & Danja: A 'do it yourself' manual will be released soon, enabling anyone with a little patience to put
together a Newstweek device. The price for the parts comes to under 50 euro at the time of writing.
The same functionality can be easily reproduced on any PC running GNU/Linux, however the ability of a
Newstweek device to blend into its surroundings and remain engaged for a continuous period of time is
important. This is why we opted for a 'pass-through' electrical socket - it looks like part of the infrastructure.
Do you suppose anyone is using such a device to manipulate the news?
Julian & Danja: With the broad penetration of wireless networks we are sure there will be many cases where
news and other content has been manipulated for strategic and/or merely playful reasons.
This works only at Wi-Fi hotspots. Does it grab the password per computer in order for the device to be used
in changing the news?
Julian & Danja: The beauty of this attack is that it's entirely password free. In fact, there's no real 'break in' at
all.
With the exception of Solaris systems, all operating systems are vulnerable to this form of network attack due
to a basic flaw in the way modern networks are implemented. By design, all devices on a network respond to
Address Resolution Protocol requests by other members asking them to report their hardware (MAC) address
and their network (IP) address. By responding to these requests with false mapping, the ARP table on both
client and router can be re-written to position the attacking device as a virtual router on the network. The
center of all network traffic, it effectively owns the network.
Do you have any advice on how to best secure a computer against such an attack?
Julian & Danja: Using a Virtual Private Network for connecting to the Internet would eliminate the chance of
being 'newstweeked' entirely. Users can also (mostly) rely on SSL to protect their traffic from manipulation.
Naturally the server has to provide that SSL connection. To our knowledge no news sites do this.
If you're lucky enough to be served SSL (with a trusted certificate) vigilance is still important. Using
techniques such as SSL stripping, encrypted traffic can be 'proxied' through a standard HTTP connection
fooling less astute users they are receiving encrypted traffic as usual. Users should always be sure to watch
out for the absence of that little padlock and other visual cues provided by the application brokering the
supposed secure transaction. If they are not there it is likely their secure connection has been stripped and
they are vulnerable to manipulation, data theft, snooping and general nastiness.
On the network level itself, administrators can install utilities like arpwatch to keep a close eye on traffic going
over the router and signal when someone is manipulating the ARP table. This requires a relatively high level of
knowledge however, far more than the average cafe owner would have at their disposal.
If watchdogs against ARP spoofing are in place the attacker can still fall back on other strategies like DHCP
spoofing - handing out leases to clients that point all traffic back to the attacking device. The attacker can also
just simply install a rogue AP with exactly the same ESSID as the hotspot clients expect to connect to. With
the addition of an antenna amplifier, the device will appear as the best candidate for association; many clients
(smartphones, laptops) will then default to your rogue AP rather than the weaker off-the-shelf router normally
found at their cafe or library.
In short, there are many ways to exploit a wireless network and manipulate the data going over it.
Do you see this rogue device or one like it being able to hijack an entire news website?
Julian & Danja: For sure, in fact it would be possible just to perform a simple DNS spoof and redirect an
unwitting user to an entirely fabricated news site. Naturally however most news sites are very complex, with
plenty of javascript and server side code responsible for what the user actually reads on their computer. This
is not easy to duplicate at all and so 'tweeks' to individual bodies of content delivered by the actual server are
much easier to perform.
That article says it is causing havoc in hotspots throughout Europe - is that correct?
Julian & Danja: It is and it seems to be going global. Since publishing the project and outlining the hardware
and software used we have heard of multiple Newstweek interventions in Germany, the Netherlands and more
recently in Brazil. This is an unintended consequence of our research.
Is the point behind this to raise awareness or to mess with people or -- what is the point behind Newstweek?
Julian & Danja: News journalism has long been the target of manipulation by propagandists, lobbyists and
governments. Newstweek represents a fresh dimension to news manipulation in an era where such content is
increasingly distributed wirelessly; a tactic that is 'on the ground', civilian and without need of a lobbyist's
budget.
This form of attack could indeed be used to mass effect - in a location such as an airport, convention, hotel or
university library - by those wishing to 'fix back' news they believe is not correct and/or biased. If performed
with care and timing, those exposed to that modified news would literally leave that access point with altered
world views. It could be used to mass detriment, mass gain or just for 'fun'.
More broadly however we created this project to raise awareness as to the increasingly network-dependent
reality of modern times; that far too much trust is placed in all the hardware and minds that deliver the
content that eventuates in the browser. Even without devices like Newstweek there are a vast number of
people along the chain of delivery - from people working at ISPs, to those working at large infrastructural
switches and even at the origin of the data itself - that have a tremendous amount of power to manipulate the
browser-delivered reality widely accepted by readers.
Where WiFi itself is concerned, we also wish to expose a basic contradiction in the way people feel about
security relating to the technology. We generally accept that a part of public life is overhearing the
conversations of others; their audible emissions are easily read. Why then not for wireless communication? If
the air we breathe is considered public, why not that which passes through it?
802.11 devices like those in smartphones, tablets and laptops are, by definition, radio devices. Just as with
AM/FM, all one needs to do is tune in.
Any other information that you have, or would like the public to know about this, please let me know.
Julian & Danja: Newstweek is made entirely using free, open source software components and tools available
online. We tie it all together with shell scripts and build it into an embedded GNU/Linux distribution.
People were naturally disturbed by the idea of Newstweek, that such a thing as seamless content manipulation
on wireless networks is so feasible. For this reason we've had to work hard to make videos to prove it actually
works! Even now there are less educated naysayers out there that haven't studied our longer video in the
company of someone more knowledgeable and have decided it simply isn't possible.
Our HOWTO, coming in the next days, will change all that. "Stay tuned"!
--Now think again about the headline "U.S. wants Assange as head of Defense Department" and realize that it is
entirely possible for your trusted news site to be censored, manipulated and modified to report whatever the
"gatekeeper" wants you to believe is true. As Oliver and Vasiliev said, "A strictly media-informed reality is a
vulnerable reality."
House Armed Services Subcommittee on Emerging Threats and Capabilities Hearing
Statement of Gregory T. Nojeim, Senior Counsel and Director, Project on Freedom, Security & Technology Center for
Democracy & Technology Before the House Committee on Armed Services, Subcommittee on Emerging Threats and
Capabilities On The Role of the Department of Defense in Cybersecurity, 11 Feb 2011
Chairman Thornberry, Ranking Member Langevin, and Members of the Subcommittee: Thank you for the
opportunity to testify today on behalf of the Center for Democracy & Technology. n1 We applaud the
Subcommittee for examining the role of the Department of Defense in cybersecurity. Today, I will briefly
outline the cybersecurity threat and discuss how to avoid cybersecurity measures that would infringe on
privacy or innovation or unintentionally undermine security itself. I will emphasize that private network
operators, not the government, should monitor and secure private sector systems, while the Department of
Defense secures military systems and the Department of Homeland Security secures civilian government
systems. To the extent that DOD entities have information and expertise that would help private sector
operators and DHS with their cybersecurity activities, mechanisms must be developed to permit DOD to share
that information and expertise. I also will discuss some incremental changes in the law that may enhance
information sharing without eroding privacy. Finally, I will discuss the role that identity and authentication
measures, if properly designed and deployed, can play in enhancing security while also protecting privacy.
The Cybersecurity Threat
It is clear that the United States faces significant cybersecurity threats from state actors, from private actors
motivated by financial greed, and from terrorists. In 2009, the Wall Street Journal reported that computer
hackers had penetrated systems containing designs for a new Air Force fighter jet and had stolen massive
amounts of information. n2 Last year, Google revealed that it had been subjected to a major espionage attack
originating in China aimed at stealing personal information about human rights activists and Google's own
proprietary information. n3 DOD agencies, which have developed capabilities to launch cyber attacks on
adversaries' information systems, have sounded alarms about what a determined adversary could do to
critical information systems in the U.S. Both offensive and defensive aspects of the issue may have been
illustrated by the Stuxnet worm, which, allegedly designed with the involvement of the U.S. government,
penetrated the control systems of centrifuges Iran was using to refine uranium, causing hundreds of the
centrifuges to spin out of control and damage themselves. n4 It is also clear that the government's response
to this threat has been inadequate. The Department of Homeland Security has been repeatedly criticized n5
for failing to develop plans for securing key resources and critical infrastructure, as required in the Homeland
Security Act of 2002. n6 President Obama's national security and homeland security advisors completed a
cyberspace policy blueprint on April 17, 2009, but implementation of those measures was slowed by the
Administration's failure to appoint, in a timely manner, the cybersecurity official in the White House who could
drive policy development and coordinate implementation of a government-wide plan.
In the meantime, the Department of Defense has stood up its own cyber command to oversee the military's
efforts to protect its own 15,000 computer networks. n7 Commanded by General Keith Alexander - who also
heads the NSA - it is housed at Fort Meade alongside the NSA. It became operational on May 21, 2010, pulling
together information operations expertise from components of the Army, Navy and Air Force and launching a
program to recruit a cadre of cyberwarriors. In this environment - a plodding DHS and a slowed-down White
House, an emergent Cyber command with expertise, a complex threat environment with many actors and
networks that interconnect and that all need to be defended - it is tempting to ask Cyber command and the
NSA to do it all.
We urge you to resist that temptation and instead send a clear message in support of the statement Deputy
Secretary of Defense William Lynn, III made last November: "[Cyber command] is not intended to be the
militarization of cyberspace. It will be responsible for DOD's networks - the dot-mil world. Responsibility for
civilian networks - dot-gov - stays with the Department of Homeland Security, and that's exactly how it should
be." n8 In support of this effective allocation of responsibilities, this Subcommittee should encourage DOD
entities to share cybersecurity information that would be useful for private sector entities and to support, with
limitations, the work of the DHS in defending the civilian government domain. It should also watch out for
"mission creep" that would find Cyber command and the NSA conducting activities not in support of others
that go beyond defense of .mil networks.
A Careful and Nuanced Approach Is Required for Securing the Internet
In developing a national policy response to cybersecurity challenges, a nuanced approach is critical. It is
absolutely essential to draw appropriate distinctions between military government systems, civilian
government systems, and systems owned and operated by the private sector. Policy towards government
systems, both those in the military domain and those under .gov, can, of course, be much more "top down"
and much more prescriptive than policy towards private systems.
With respect to private systems, it is further necessary when developing policy responses to draw appropriate
distinctions between the elements of "critical infrastructure" that primarily support free speech and those that
do not. The characteristics that have made the Internet such a success - its open, decentralized and
user-controlled nature and its support for innovation, commerce, and free expression - may be put at risk if
heavy-handed cybersecurity policies are enacted that apply uniformly to all "critical infrastructure." While the
Internet is a "network of networks" encompassing at its edges everything from personal computers in the
home to servers controlling the operation of nuclear power plants, cybersecurity policy should not sweep all
entities that connect to the Internet into the same basket. For example, while it is appropriate to require
authentication of a user of an information system that controls a critical element of the electric power grid or
of a user of an information system containing classified information, it would not be appropriate to require
authentication of ordinary Americans surfing the Internet on their home computers.
In sum, CDT believes that cybersecurity legislation and policy should not treat all critical infrastructure
information systems the same. Instead, a sectoral approach is called for. Very careful distinctions - too often
lacking in cybersecurity discourse - are needed to ensure that the elements of the Internet critical to new
economic models, human development, and civic engagement are not regulated in ways that could stifle
innovation, chill free speech or violate privacy.
Network Providers - Not the Government - Should Monitor Privately-Owned Networks for Intrusions
When the White House released the Cyberspace Policy Review on May 29, 2009, President Obama said: "Our
pursuit of cybersecurity will not - I repeat, will not - include monitoring private sector networks or Internet
traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans." CDT
strongly agrees. No governmental entity - including any element of DOD and DHS - should be involved in
monitoring private communications networks as part of a cybersecurity initiative. This is the job of the private
sector communications service providers themselves, not of the government. Most critical infrastructure
computer networks are maintained by the private sector. Private sector operators already monitor those
systems on a routine basis to detect and respond to attacks as necessary to protect their networks, and it is in
their business interest to continue to ramp up these defenses. Indeed, providing reliable networks is essential
to maintaining their business.
Transparency and the Role of the NSA and Cyber command in Securing Unclassified Civilian Systems
Some have suggested that the National Security Agency and the Cyber command should lead or play a central
role in the government-wide cybersecurity program. They argue that the NSA has more expertise in
monitoring communications networks than any other agency of government and that Cyber command will be
better resourced than DHS to do this work. However, expertise in spying does not necessarily entail superior
expertise in all aspects of cybersecurity. The answer to insufficient resources at DHS should be augmentation
of those resources, not abdication of its mission. Moreover, there is serious concern that if a DOD entity were
to take the lead role in cybersecurity for civilian unclassified systems, it would almost certainly mean less
transparency, less trust, and less corporate and public participation, thereby increasing the likelihood of failure
and decreasing the effectiveness of the effort even in terms of security.
Over 85% of critical infrastructure information systems are owned and operated by the private sector, which
also provides much of the hardware and software on which government systems rely, including the
government's classified systems. The private sector has valuable information about vulnerabilities, exploits,
patches and responses. Private sector operators may hesitate to share this information if they do not know
how it will be used and whether it will be shared with competitors. Private sector cooperation with government
cybersecurity effort depends on trust. A lack of transparency undermines trust and has hampered
cybersecurity efforts to date.
For many reasons, openness is an essential aspect of any national cybersecurity strategy. Without
transparency, there is no assurance that cybersecurity measures adequately protect privacy and civil liberties
and adhere to Fair Information Practice and due process principles. Transparency is also essential if the public
is to hold the government accountable for the effectiveness of its cybersecurity measures and for any abuses
that occur.
NSA is committed, for otherwise legitimate reasons, to a culture of secrecy that is incompatible with the
information sharing necessary for the success of a cybersecurity program. For these reasons, among others,
NSA should not be given a leading role in monitoring the traffic on unclassified civilian government systems,
nor in making decisions about cybersecurity as it affects such systems; and its role in monitoring private
sector systems should be even smaller. Instead, procedures should be developed for ensuring that whatever
expertise and technology NSA has in discerning attacks is made available to a civilian agency.
Likewise, Cyber command, which will also operate largely in secret, should focus on securing the .mil domain.
Mission creep into the .gov domain and the private sector should be guarded against. The lead for
cybersecurity operations should stay with the Department of Homeland Security. Maintaining this division of
labor will benefit both security and liberty. It will require governmental entities and the private sector to share
cybersecurity information, and will require DOD entities to share human resources and expertise with DHS.
- Sharing human resources and expertise: the DOD/DHS Cybersecurity MOU
On September 27, 2010, DHS and DOD signed a Memorandum of Understanding setting forth the terms by
which they would provide personnel, equipment and facilities to increase inter-departmental collaboration and
support and synchronize each other's cybersecurity operations. n9 Under the agreement, DHS sends teams to
the NSA to plan and synchronize cyber-defense, learn about acquisition detection technologies and coordinate
on civil liberties protections. NSA sends a team of cryptologists and operations professionals to the DHS
network operations center to support DHS operations. NSA experts would work alongside DHS cybersecurity
teams to help bring those teams up to speed quickly.
As CDT said when the MOU was made public in October, this kind of arrangement, if of limited duration, might
represent the best way to leverage the NSA's defensive expertise domestically without the negatives
associated with it being secretive, operating without public oversight, and, when operating abroad, bending
and breaking local rules. n10 CDT has long advocated building up the civilian cybersecurity capability by
leveraging the expertise of the NSA precisely to reduce the need of DHS to rely directly on NSA. Once DHS
has built the necessary expertise, the existing MOU can expire. This Subcommittee could play an important
role in overseeing this arrangement to make sure that it is benefitting both security and liberty.
- Sharing information: Disclosures from the private sector to the government
Current law gives
providers of communications services substantial authority to monitor their own systems and to disclose to
military and civilian governmental entities, and to their peers, information about cyberattack incidents for the
purpose of protecting their own networks. In particular, the federal Wiretap Act provides that it is lawful for
any provider of electronic communications service to intercept, disclose or use communications passing over
its network while engaged in any activity that is a necessary incident to the protection of the rights and
property of the provider. 18 U.S.C. 2511(2)(a)(i). This includes the authority to disclose communications to
the government or to another private entity when doing so is necessary to protect the service provider's
network. Likewise, under the Electronic Communications Privacy Act (ECPA), a service provider, when
necessary to protect its system, can disclose stored communications (18 U.S.C. 2702(b)(3)) and customer
records (18 U.S.C. 2702(c)(5)) to any governmental or private entity. n11 Furthermore, the Wiretap Act
provides that it is lawful for a service provider to invite in the government to intercept the communications of
a "computer trespasser" n12 if the owner or operator of the computer authorizes the interception and there
are reasonable grounds to believe that the communication will be relevant to investigation of the trespass. 18
U.S.C. § 2511(2)(i).
These provisions do not, in our view, authorize ongoing or routine disclosure of traffic by the private sector to
any governmental entity, including DOD. To interpret them so broadly would destroy the promise of privacy in
the Wiretap Act and ECPA. The extent of service provider disclosures to DOD entities for self-defense purposes
is not known publicly. We urge the Subcommittee to consider imposing a requirement that the extent of such
information sharing be publicly reported, in de-identified form, both to assess the extent to which beneficial
information sharing is occurring, and to guard against ongoing or routine disclosure of Internet traffic to DOD
entities under the self-defense exception.
There is a widespread perception that cybersecurity information sharing as practiced is inadequate and there
is some concern that the provisions of the Wiretap Act and ECPA are impediments to information sharing. This
issue must be approached very cautiously, for exceptions intended to promote information sharing could end
up severely harming privacy.
First, it should be noted that there has not been sufficient analysis to determine what information should be
shared that is not shared currently. Improving information sharing should proceed incrementally. It should
start with an understanding of why existing structures, such as the U.S. Computer Emergency Readiness
Team ("U.S. CERT") n13 and the public-private partnerships represented by the Information Sharing and
Analysis Centers (ISACs) n14 are inadequate. The Government Accountability Office (GAO) has made a series
of suggestions for improving the performance of U.S. CERT. n15 The suggestions included giving U.S. CERT
analytical and technical resources to analyze multiple, simultaneous cyber incidents and to issue more timely
and actionable warnings; developing more trusted relationships to encourage information sharing; and
providing U.S. CERT sustained leadership within DHS that could make cyber analysis and warning a priority.
All of these suggestions merit attention.
Second, an assessment should be made of whether the newly-established National Cybersecurity and
Communications Integration Center (NCCIC) has addressed some of the information sharing issues that have
arisen. The NCCIC is a round-the-clock watch and warning center established at DHS. It combines U.S. CERT
and the National Coordinating Center for Communications and is designed to provide integrated incident
response to protect infrastructure and networks. n16 Industry is now represented at the NCCIC n17 and its
presence there should facilitate the sharing of cybersecurity information about incidents.
Third, industry self-interest, rather than government mandate, should be relied on to facilitate information
sharing from the private sector to governmental entities. Congress should explore whether additional
market-based incentives could be adopted to encourage the private sector to share threat and incident information
and solutions. Since such information could be shared with competitors and may be costly to produce,
altruism should not be expected, and compensation may be appropriate. Other options would be to provide
safe harbors, insurance benefits and/or liability caps to network operators that share information about
threats and attacks in cyberspace by terrorists and others.
CDT strongly disagrees with proposals to solve the information-sharing dilemma by simply expanding
government power to obtain privately held data. We urge the Congress to steer clear of proposals to give a
governmental entity wide-ranging authority to access private sector data that is relevant to cybersecurity
threats and vulnerabilities. n18 Such an approach would be dangerous to civil liberties and would undermine
the public-private partnership that needs to develop around cybersecurity. Collecting large quantities of
sensitive information into a common database can also undermine security because such a database could,
itself, become a target for hackers.
While, as noted above, current law authorizes providers to monitor their own systems and to disclose
voluntarily communications and records necessary to protect their own systems, we have heard concern that
the provisions do not authorize service providers to make disclosures to other service providers or to the
government to help protect the systems of those other service providers. Perhaps it should. Many types of
attacks could affect multiple providers, and disclosure by one entity about such an attack could be helpful to
others. Therefore, there might be a need for a very narrow exception to the Wiretap Act and ECPA that would
permit disclosures about specific attacks and malicious code on a voluntary basis, and that would immunize
companies against liability for these disclosures. The exception would have to be narrow so that routine
disclosure of Internet traffic to the government or other service providers remained clearly prohibited. Overall,
given the risks to privacy, we urge the Congress to take only incremental approaches to information sharing,
avoiding more radical approaches, such as permitting or mandating broad sharing of information that may be
personally identifiable. In addition, because the existing privacy protections in ECPA have been outpaced by
the development of technology, we also urge that any changes to ECPA to facilitate cybersecurity information
sharing are counterbalanced with enhanced privacy protections.
- Sharing information: Disclosures from the government to the private sector
DOD and DHS have legitimate roles, to the extent they have special expertise, in helping the private sector
develop effective monitoring systems to be operated by the private sector. Most of the federal government's
cybersecurity effort regarding private sector networks should focus on improving information sharing and
otherwise strengthening the ability of the private sector to protect private sector networks. This is particularly
true for DOD entities such as NSA, which have identified attack signatures that private sector entities may not
be aware of. Ways should be found for the NSA to share such information with private sector network
operators to help them identify attacks at an early stage, defend in real time against attacks, and secure their
networks against future attack. Ideally this sharing would happen through DHS and would help DHS develop
its own corresponding capacity.
Much has been said about the problem of sharing classified information with private sector owners and
operators of critical information systems. This Subcommittee could make a substantial contribution to
cybersecurity by taking steps to ensure that attack signatures are not unnecessarily classified and by working
to ensure that providers have personnel who are cleared to receive the attack signatures that must remain
classified.
The Government Should Monitor Its Own Networks for Intrusions, But Privacy Concerns Need to Be Addressed
Just as private sector network operators should, and do, monitor their systems for intrusions, the federal
government clearly has the responsibility to monitor and protect its own systems. At the same time, such
efforts must start with the understanding that exercise of the First Amendment rights of free speech and to
petition the government will be chilled if communications between Americans and their government are routinely
accessed and shared with law enforcement and intelligence agencies. While the Fourth Amendment may not
come into play because those communicating with governmental entities necessarily reveal their
communications - including content - to the government, the privacy and civil liberties inquiry does not stop
there. Protecting privacy in this context is absolutely critical to giving Americans the necessary comfort to
communicate with their government.
Another important consideration is the question of how likely it is that private-to-private information may be
accessed inadvertently through systems intended to detect intrusions against government computers. While
we do not quarrel with the notion that DOD should monitor its own systems for intrusions, the role of
intelligence and law enforcement agencies such as the NSA and the FBI in the intrusion detection enterprise
with respect to civilian government networks must be carefully considered. Generally, Fair Information
Practice principles should be applied to minimize the amount of personally identifiable information collected by
the government, to limit its use of this information, and to notify users of this information collection and
disposition. n19 Under current law, all federal departments and agencies must adhere to information security
best practices. Generally, these practices include the use of intrusion detection systems. n20 In an effort to
improve security, the government has developed and is deploying the Einstein intrusion detection and
prevention system. According to a May 19, 2008 Privacy Impact Assessment n21 and a January 9, 2009
opinion of the DOJ Office of Legal Counsel, n22 Einstein 2 is being deployed at participating federal agency
Internet Access Points. Einstein 2 assesses network traffic against a pre-defined database of signatures of
malicious code and alerts U.S. CERT to malicious computer code in network traffic. While the signatures are
not supposed to include personally identifiable information ("PII") as defined by DHS, they do include Internet
Protocol addresses, and the alerts that Einstein 2 generates for U.S. CERT may include PII. n23 In addition to
using attack signatures, Einstein 2 also detects anomalous network traffic on a particular system and alerts
U.S. CERT to those anomalies.
A successor, Einstein 3, is being tested with an undisclosed ISP and an undisclosed federal agency. It will have
the added capability of intercepting threatening Internet traffic before it reaches a government system.
According to the Privacy Impact Assessment DHS issued in connection with these tests, n24 Einstein 3 will use
intrusion detection technology developed by the NSA and will adapt threat signatures developed by NSA in the
course of its foreign intelligence work and by the DOD in connection with its information assurance mission. It
will also use commercially available threat signatures. A key feature of Einstein 3 is that it operates on the
network of an ISP providing service to the government instead of on the network of the federal agency that is
being protected. One critically important question is whether Einstein can reliably focus on communications
with the government to the exclusion of private-to-private communications passing over the ISP's network.
According to the Einstein 3 PIA, the participating federal agency will provide Internet Protocol addresses to the
ISP, which will use them to distinguish traffic to or from that agency from other traffic. This is a logical, but by
no means fool-proof method of identifying the targeted traffic. IP addresses can be re-allocated and become
outdated. If Einstein were to analyze private-to-private communications, it would likely be conducting an
unlawful interception under the electronic surveillance laws. The Intelligence Authorization Act for FY 2010
requires reports to Congress about the privacy impact of Einstein and any other similar cybersecurity
programs as well as information about the legal authorities for the programs and about any audits that have
been conducted or are planned for the programs. n25 The Subcommittee should consider whether it would be
appropriate for it to conduct oversight to determine the extent to which Einstein information flows back to
DOD entities and the uses to which this information is being put.
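The scoping problem described above (an ISP-side sensor that must inspect only agency-bound traffic, using a list of agency IP addresses that can go stale) can be made concrete in code. The following is an added illustration written for this newsletter, not DHS, NSA or Einstein code, and it makes no claim about how Einstein is actually built. It assumes a minimal flow record, a constructed signature table, and documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) standing in for agency and remote networks. It shows two defensive controls a practitioner would want: flows with no agency endpoint are dropped before any signature matching, so private-to-private traffic is never inspected, and alerts carry the remote address only as a keyed pseudonym so they can be reported in de-identified form. A second function compares the address list handed to the ISP with the agency's current holdings, which is the check that catches the re-allocation drift the testimony warns about.

```python
"""Scoping an ISP-side intrusion sensor to agency-bound traffic only.

Added example, not DHS/Einstein code. Names (Flow, Alert, ScopedSensor,
scope_drift) and all sample data are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IPv4/IPv6 address as text
    dst: str        # destination address as text
    payload: bytes  # bytes the sensor is allowed to match signatures against


@dataclass(frozen=True)
class Alert:
    agency_ip: str      # the agency-owned endpoint (kept in clear)
    remote_token: str   # keyed pseudonym of the non-agency endpoint
    signature: str      # name of the signature that matched


class ScopedSensor:
    """Only inspects flows that touch a declared agency prefix."""

    def __init__(self, agency_prefixes, signatures, report_key):
        self.scope = [ipaddress.ip_network(p) for p in agency_prefixes]
        self.signatures = signatures        # name -> byte pattern
        self.key = report_key               # secret used to pseudonymise remote IPs
        self.dropped_out_of_scope = 0       # private-to-private flows never inspected

    def _in_scope(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.scope)

    def _agency_side(self, flow):
        # Returns (agency_ip, remote_ip) or None when neither endpoint is agency-owned.
        if self._in_scope(flow.dst):
            return flow.dst, flow.src
        if self._in_scope(flow.src):
            return flow.src, flow.dst
        return None

    def _pseudonym(self, addr):
        # HMAC so the same remote host is linkable across alerts without exposing the address.
        return hmac.new(self.key, addr.encode(), hashlib.sha256).hexdigest()[:16]

    def inspect(self, flow):
        sides = self._agency_side(flow)
        if sides is None:
            # Scope check runs BEFORE any payload inspection.
            self.dropped_out_of_scope += 1
            return None
        agency_ip, remote_ip = sides
        for name, pattern in self.signatures.items():
            if pattern in flow.payload:
                return Alert(agency_ip, self._pseudonym(remote_ip), name)
        return None

    def run(self, flows):
        return [a for a in (self.inspect(f) for f in flows) if a is not None]


def scope_drift(declared_prefixes, current_prefixes):
    """Compare the list given to the ISP with what the agency holds now.

    Returns (stale, missing): stale prefixes mean the sensor may inspect
    someone else's traffic; missing prefixes mean agency traffic goes uninspected.
    """
    declared = {ipaddress.ip_network(p) for p in declared_prefixes}
    current = {ipaddress.ip_network(p) for p in current_prefixes}
    stale = sorted(str(n) for n in declared - current)
    missing = sorted(str(n) for n in current - declared)
    return stale, missing


# Constructed sample traffic: one agency-bound hit, one private-to-private flow that
# also contains the pattern (must be dropped unread), one benign agency flow.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", b"GET /login HTTP/1.1\r\n" + b"EVIL_PATTERN"),
    Flow("198.51.100.7", "198.51.100.9", b"EVIL_PATTERN"),
    Flow("203.0.113.10", "198.51.100.7", b"HTTP/1.1 200 OK\r\n"),
]
SAMPLE_SIGNATURES = {"constructed-sig-1": b"EVIL_PATTERN"}


def run_demo():
    """Run the sensor over the constructed flows; returns (alerts, dropped_count)."""
    sensor = ScopedSensor(["203.0.113.0/24"], SAMPLE_SIGNATURES, b"constructed-report-key")
    alerts = sensor.run(SAMPLE_FLOWS)
    return alerts, sensor.dropped_out_of_scope


if __name__ == "__main__":
    alerts, dropped = run_demo()
    for a in alerts:
        print(f"alert: {a.signature} agency={a.agency_ip} remote={a.remote_token}")
    print(f"private-to-private flows dropped unread: {dropped}")
    print("scope drift:", scope_drift(["203.0.113.0/24", "192.0.2.0/25"],
                                      ["203.0.113.0/24", "192.0.2.128/25"]))
```

The order of operations is the point: the scope test uses only the IP header and runs before any byte of payload is examined, so a matching pattern in private-to-private traffic never produces an alert or a log line. The `scope_drift` check is what an oversight body would ask the agency and ISP to run on a schedule, since a prefix the agency has released but not withdrawn from the ISP's list is exactly the over-collection case the testimony identifies.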
Other questions about the Einstein intrusion detection system include:
* What personally-identifiable information has Einstein collected so far?
* What have law enforcement and intelligence agencies done with Einstein information that is shared with
them, and more to the point, to what extent is the system being used to identify people who should be
prosecuted or people who are of intelligence interest, even if that is not its primary purpose?
* To what extent are private sector operators keeping information about communications that appear to
match attack signatures?
* How should users be notified that their visits to government websites and their email communications with
government employees are being scanned for security reasons? n26
The lack of transparency around Einstein highlights a broader concern about the federal government's
cybersecurity program: excessive secrecy undermines public trust and communications carrier participation,
both of which are essential to the success of the effort. The government needs to publicly disclose sufficient
details about Einstein and other programs to be able to assure both the public at large and private sector
communications service providers that the confidentiality of personal and proprietary communications will be
respected.
"Active Defense" and the First Amendment
Some DOD cybersecurity activities are expected to go beyond the
kind of monitoring envisioned in the Einstein program. We also urge you to tread carefully in the area of
"active defense" in the cybersecurity arena because of the First Amendment concerns raised by some active
defense activities. Most cybersecurity measures today involve taking defensive steps, such as using firewalls
and protecting sensitive information through authentication and authorization systems.
DOD officials and other experts speak of "active defense" and of offensive measures that would involve
reaching out beyond the boundaries of military networks that must be protected and into other networks to
hunt for malicious software. n27 For example, General Keith Alexander, head of Cyber command and of the
NSA, reportedly seeks authority to shut down parts of adversaries' computer networks to pre-empt a
cyberattack against U.S. targets. n28 The risk here is that attacking computers in one country can
unintentionally disrupt communications in another and disrupt the ability of people in the U.S. to legitimately
access information that may be housed abroad. Moreover, because attribution is difficult in cyberspace, there
is heightened risk that a defensive attack aimed at the source of malware will target another victim of the
attack, instead of the attacker itself.
For all of these reasons, we urge you to take great care when considering these measures, and that this
Subcommittee exercise its oversight authority over such measures keeping in mind the First Amendment
rights of Americans.
Presidential Authority in Cybersecurity Emergencies
Some have proposed that the President or the Department of Homeland Security ought to be given authority
to limit or shut down Internet traffic to a compromised critical infrastructure information system in an
emergency or to disconnect such systems from other networks for reasons of national security. n29 When the
government of Egypt cut off Internet services on January 27, 2011 to much of its population in order to stifle
dissent in an uprising, it magnified concerns about extending cybersecurity emergency authority to the U.S.
President. It illustrated the First Amendment concerns that would attend use of such authority in the U.S. The
authority to shut down or limit communications traffic should extend only to governmental systems
(presumably, the government already has the authority to disconnect its own systems from the Internet), but
should not extend to those maintained by private sector entities.
To our knowledge, no circumstance has yet arisen that could justify a governmental order to limit or cut off
Internet traffic to a particular privately-owned and controlled critical infrastructure system when the operators
of that system think it should not be limited or cut off. They already have control over their systems and
strong financial incentives to quarantine network elements that need such measures. They already limit or cut
off Internet traffic to particular systems when they need to do so. They know better than do government
officials whether their system needs to be shut down or isolated.
The list of potential unintended consequences to both the economy and to critical infrastructures themselves
from a shutdown of Internet traffic is long. It could interfere with the flow of billions of dollars necessary for
the daily functioning of the economy. It could deprive doctors of access to medical records. Users of those
systems, which may include government personnel, state and local emergency first responders and civilian
volunteers, could find themselves with crippled communications capability in a crisis. It could deprive
manufacturers of critical supply chain information. It could have worldwide effect because much of the world's
Internet traffic goes through the United States.
Even if such power over private networks were exercised only rarely, its mere existence would pose other
risks, enabling a President to coerce costly, questionable - even illegal - conduct by threatening to shut down
a system.
Finally, giving the government the power to shut down or limit Internet traffic would also create perverse
incentives. Private sector operators will be reluctant to share information if they know the government could
use that information to order them to shut down their systems. Conversely, when private operators do determine that
shutting down a system would be advisable, they might hesitate to do so without a government order and
could lose precious time waiting to be ordered by the government to shut down so that they would be less likely
to be held liable for the damage a shutdown could cause others.
We urge you to reject proposals to give the President or another governmental entity power to limit or shut
down Internet traffic to privately held critical infrastructure systems.
Building Privacy into Identity and Authentication Requirements Designed to Thwart or Discourage
Malicious Activity
One of the most talked-about approaches to preventing and tracing cyber attacks by terrorists and others is to
improve identity and authentication of those who would seek access to the system that must be protected. If
an attack cannot be attributed to a particular person because the person cannot be identified, it is difficult to
prosecute the perpetrator or deter the attack. However, while identification and authentication will likely play
a significant role in securing critical infrastructure, identity and authentication requirements should be applied
judiciously to specific high value targets and high-risk activities.
Some have argued for broad authentication mandates across the Internet -including calls for "Internet
passports." Mandating strong identity and authentication measures for routine Internet interactions could
seriously compromise user privacy, slow on-line interactions and transactions so much that their utility would
be impaired, and fundamentally limit the ways in which people use the Internet.
While identity and authentication measures are important elements of cybersecurity, they can either promote
privacy or threaten it, depending on how they are designed and implemented. For example, the fact that some
transactions or interactions are anonymous may enhance the privacy and security of those transactions.
Moreover, the right to speak anonymously enjoys constitutional protection. n30 On the other hand,
authentication can also enhance privacy. For example, authenticating a party to a transaction may advance a
privacy interest by preventing identity fraud. Depending on how the authentication system is designed,
disclosing personally identifiable information to facilitate authentication may put privacy at risk or it may
increase privacy. For example, it is possible to disclose data to establish trusted credentials that can be used
for many on-line transactions, thereby eliminating the need to provide such information for each transaction
and to many different entities. n31 Instead of submitting personal information to 10 websites in order to make
10 purchases, the information could be submitted once to a credentialing organization that would perform the
authentication necessary to the other transactions. At least for systems used by the private sector,
government officials are not well equipped to resolve the complex design and implementation issues that must
be addressed to ensure that such a system enhances privacy and security rather than undermining them.
Accordingly, policymakers should be hesitant to impose identity mandates on the private sector.
Identity and authentication requirements should adhere to the principles of proportionality and diversity. n32
Under the proportionality principle, if a transaction has high significance and sensitivity and an authentication
failure carries with it significant risk, it may be more appropriate to require authentication and the collection of
more sensitive information to authenticate. Conversely, certain transactions do not need high degrees of
authentication, or any at all. This principle applies in both the private and public sectors, but private sector
operators - who know their systems best - are in the best position to decide what level of identity and
authentication should be required for their own systems and transactions, depending on the degree of risk
posed and the degree of trust that is called for. Private sector operators, such as those in the financial sector,
already use various security measures related to online services such as banking and e-commerce. In
addition, in light of the federal government's poor historical track record on securing its own systems, it may
not be the best entity to put in charge of credentialing or other centralized online security activities.
Under the diversity principle for privacy in identity management schemes, it is better to have multiple
identification solutions, because use of a single identifier or credential creates a single target for privacy and
security abuses. A single identifier also allows for multiple transactions and interactions to be tied to that
identifier, permitting potentially invasive data surveillance. Instead, identification and enrollment options
should function like keys on a key ring, with different identities for different purposes. n33 One model that
holds great promise is the "user-centric" identity model, in which the user logs into a Web site through a third
party identity provider, who passes on information at the user's request to the Web site in order to
authenticate the user.
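The user-centric model and the diversity and proportionality principles described above, as an added illustration that is not part of the testimony: an identity provider issues a signed assertion only at the user's request and releases only the attributes the user consents to; each relying party receives a different pairwise identifier for the same user, so a shop and a bank cannot link their records; and a high-risk relying party refuses assertions below the level of assurance its risk calls for. The provider and site names, the HMAC-keyed assertion format, the numeric assurance levels and the user data are all constructed for this example; real deployments use SAML or OpenID Connect with asymmetric signatures.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Issues signed assertions about an enrolled user to a relying party (RP),
    but only for the attributes the user agrees to release."""

    def __init__(self, name):
        self.name = name
        self.pairwise_secret = secrets.token_bytes(32)  # never leaves the IdP
        self.rp_keys = {}   # rp_name -> HMAC key shared with that RP (assumed out-of-band setup)
        self.users = {}     # user_id -> {"attrs": {...}, "loa": level of assurance}

    def register_rp(self, rp_name):
        key = secrets.token_bytes(32)
        self.rp_keys[rp_name] = key
        return key

    def enroll(self, user_id, attrs, loa):
        self.users[user_id] = {"attrs": dict(attrs), "loa": loa}

    def pairwise_id(self, user_id, rp_name):
        # Diversity principle: a different opaque identifier per (user, RP) pair.
        # RPs cannot recover the user id or link identifiers without the IdP's secret.
        msg = f"{user_id}\0{rp_name}".encode()
        return hmac.new(self.pairwise_secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_assertion(self, user_id, rp_name, requested, consented, now):
        """Return (body, tag), or None if the RP is unknown or the user is not enrolled.
        Only attributes that the RP requested AND the user consented to are released."""
        if rp_name not in self.rp_keys or user_id not in self.users:
            return None
        user = self.users[user_id]
        released = {k: user["attrs"][k] for k in requested
                    if k in consented and k in user["attrs"]}
        claims = {
            "iss": self.name, "aud": rp_name,
            "sub": self.pairwise_id(user_id, rp_name),
            "loa": user["loa"], "iat": now, "exp": now + 300,
            "attrs": released,
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.rp_keys[rp_name], body, hashlib.sha256).hexdigest()
        return body, tag


class RelyingParty:
    """Accepts an IdP assertion only if it is authentic, addressed to this RP,
    unexpired, and at or above the assurance level this RP's risk calls for."""

    def __init__(self, name, idp_name, key, required_loa):
        self.name, self.idp_name, self.key, self.required_loa = name, idp_name, key, required_loa

    def verify(self, assertion, now):
        if assertion is None:
            return None
        body, tag = assertion
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                      # forged, altered, or signed for another RP
        claims = json.loads(body)
        if claims["iss"] != self.idp_name or claims["aud"] != self.name:
            return None                      # replayed to the wrong audience
        if not claims["iat"] <= now < claims["exp"]:
            return None                      # stale
        if claims["loa"] < self.required_loa:
            return None                      # proportionality: not assured enough for this RP
        return claims


def demo():
    """Constructed scenario: one IdP, a low-risk shop (LoA 1) and a high-risk bank (LoA 3)."""
    idp = IdentityProvider("idp.example")
    shop = RelyingParty("shop.example", "idp.example", idp.register_rp("shop.example"), required_loa=1)
    bank = RelyingParty("bank.example", "idp.example", idp.register_rp("bank.example"), required_loa=3)
    idp.enroll("alice", {"email": "alice@example.net", "age_over_18": True, "ssn": "***"}, loa=2)
    idp.enroll("bob", {"email": "bob@example.net", "age_over_18": True}, loa=3)
    now = 1_700_000_000

    # Alice logs into the shop; it asks for three attributes, she consents to two.
    a_shop = shop.verify(idp.issue_assertion("alice", "shop.example",
                         ["email", "age_over_18", "ssn"], {"email", "age_over_18"}, now), now)
    # Alice returns later: the shop sees the same pairwise subject as before.
    a_shop_again = shop.verify(idp.issue_assertion("alice", "shop.example",
                               ["email"], {"email"}, now + 60), now + 60)
    # Alice at the bank: LoA 2 < 3, so the bank rejects the assertion.
    a_bank = bank.verify(idp.issue_assertion("alice", "bank.example", ["email"], {"email"}, now), now)
    # Bob at the bank is accepted; his identifier there differs from his shop identifier.
    b_bank = bank.verify(idp.issue_assertion("bob", "bank.example", ["email"], {"email"}, now), now)
    b_shop = shop.verify(idp.issue_assertion("bob", "shop.example", ["email"], {"email"}, now), now)
    # A shop assertion replayed at the bank fails verification (wrong key and wrong audience).
    replay = bank.verify(idp.issue_assertion("bob", "shop.example", ["email"], {"email"}, now), now)
    return {"a_shop": a_shop, "a_shop_again": a_shop_again, "a_bank": a_bank,
            "b_bank": b_bank, "b_shop": b_shop, "replay": replay}
```

The pairwise identifier is what makes the "key ring" work: the shop and the bank each hold a stable handle for the same person, but neither handle reveals the enrolment identifier or matches the other's, so the IdP is the only party that could correlate them. The `required_loa` check is the proportionality principle applied by the operator who knows the system's risk, not by a central authority.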
The White House Cyberspace Policy Review embraced the diversity and proportionality principles by calling for
an array of interoperable identity management systems that would be used only for what it called "high value"
activities, like certain smart grid functions, and then only on an opt-in basis. It also called for the federal
government to build a security-based identity management vision and strategy for the nation, in collaboration
with industry and civil liberties groups.
Likewise, the draft National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions an identity ecosystem led by various private sector identity providers. It is not a "government ID for the Internet." If such an
ID were created, it would not be trusted and would be little used. Instead, NSTIC properly relies on private
sector entities to create identities that operate across many platforms. It also accounts for the need to have a
range of levels of assurance for interaction on the Internet, ranging from completely anonymous to highly
assured.
We urge the Congress to reject sweeping identity mandates and instead support identity initiatives that are
led by the private sector and based on the federated model, as recommended in the NSTIC.
Conclusion
Policy makers should distinguish among different types of critical infrastructure when developing cybersecurity
policy. One size does not fit all. Effective policies will preserve the open, decentralized, user-controlled, and
innovative nature of the Internet and will tailor solutions to the systems that need protection.
Private network operators should monitor their own networks for evidence of intrusion and malicious code.
Current law provides adequate authority for such monitoring, but may need to be clarified while ensuring that
"self protection" measures do not become backdoors for governmental monitoring of private networks.
The DOD should focus on securing the .mil domain and should provide information and human resources to
help DHS to monitor and secure the .gov domain. Intrusion detection and prevention activities should be
designed and implemented so as not to chill the right to free speech and the right to petition the government.
Intrusion detection/prevention programs such as Einstein should be made more transparent.
Privacy and security are not a zero sum game. Measures intended to increase the security of communications
and transactions - such as identity and authentication requirements - need not threaten privacy and indeed
may enhance it if properly deployed.
Notes
n1. The Center for Democracy & Technology is a non-profit, public interest organization dedicated to keeping the Internet
open, innovative and free. Among our priorities is preserving the balance between security and freedom. CDT coordinates
the Digital Privacy and Security Working Group (DPSWG), a forum for computer, communications and public interest
organizations, companies and trade associations interested in information privacy and security issues.
n2. Gorman, Siobhan, Computer Spies Breach Fighter-Jet Project, The Wall Street Journal,
http://online.wsj.com/article/SB124027491029837401.html, April 21, 2009.
n3. Nakashima, Ellen, Google To Enlist NSA To Help It Ward Off Cyberattacks, The Washington Post,
http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html, February 4, 2010.
Information from over 30 other technology, defense, energy and financial firms was also compromised in related attacks.
n4. Broad, William, et al., Israeli Test on Worm Called Crucial in Iran Nuclear Delay, New York Times,
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1, January 15, 2011.
n5. See, e.g., Government Accountability Office, Critical Infrastructure Protection: DHS Leadership Needed to Enhance
Cybersecurity http://www.gao.gov/new.items/d061087t.pdf, Testimony of GAO's David A. Powner, Director, Information
Technology Management Issues, before the Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity of the House Committee on Homeland Security, September 13, 2006. In 2008, GAO reported that the
Department of Homeland Security's U.S. Computer Emergency Readiness Team, which has significant responsibilities for
protecting private and governmental computer networks, was failing to establish a "truly national capability" to resist cyber
attacks. Government Accountability Office, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a
Comprehensive National Capability, http://www.gao.gov/products/GAO-08-588, July 2008. In 2009, GAO testified that DHS
had yet to comprehensively satisfy its cybersecurity responsibilities: Cybersecurity, Continued Federal Efforts Are Needed to
Protect Critical Systems and Information. Testimony of GAO's Gregory C. Wilshusen, Director, Information Security
Issues, before the Subcommittee on Technology and Innovation of the House Committee on Science and Technology, June
25, 2009. In 2010, GAO found continued shortcomings. Cyberspace Policy: Executive Branch Is Making Progress
Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed, GAO-11-24, October 6, 2010,
http://www.gao.gov/products/GAO-11-
n6. P.L. 107-296, Section 201(d)(5).
n7. The United States Cyber Command is subordinate to the U.S. Strategic Command and is headquartered in Fort Meade,
Maryland, where NSA is also headquartered. Its mission statement, from the U.S. Strategic Command Fact Sheet:
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of
specified Department of Defense information networks; and prepare to, and when directed, conduct full spectrum military
cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny
the same to our adversaries. http://www.stratcom.mil/factsheets/Cyber_Command/.
n8. Lynn, William J. III, Deputy Secretary of Defense, speech delivered November 12, 2009 at the Defense Information
Technology Acquisition Summit in Washington, D.C. http://www.defense.gov/speeches/speech.aspx?speechid=1399.
n9. Memorandum Agreement Between the Department of Homeland Security and the Department of Defense Regarding
Cybersecurity, effective September 27, 2010, http://www.dhs.gov/xlibrary/assets/20101013-dod-dhs-cyber-moa.pdf.
n10. Leslie Harris, President and CEO of the Center for Democracy & Technology in the Huffington Post, October 15, 2010,
http://www.huffingtonpost.com/leslie-harris/dhs-nsa-in-cybersecurity_b_764289.html.
n11. Another set of exceptions authorizes disclosure if "the provider, in good faith, believes that an emergency involving
danger of death or serious physical injury to any person requires disclosure without delay of communications [or
information] relating to the emergency." 18 U.S.C. 2702(b)(8) and (c)(4).
n12. A "computer trespasser" is someone who accesses a computer used in interstate commerce without authorization. 18
U.S.C. 2510(21).
n13. U.S. CERT is the operational arm of the Department of Homeland Security's National Cyber Security Division. It helps
federal agencies in the .gov space to defend against and respond to cyber attacks. It also supports information sharing and
collaboration on cybersecurity with the private sector operators of critical infrastructures and with state and local
governments.
n14. Each critical infrastructure industry sector defined in Presidential Decision Directive 63 has established Information
Sharing and Analysis Centers (ISACs) to facilitate communication among critical infrastructure industry representatives, a
corresponding government agency, and other ISACs about threats, vulnerabilities, and protective strategies. See
Memorandum from President Bill Clinton on Critical Infrastructure Protection (Presidential Decision Directive/NSC-63) (May
22, 1998), available at http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. The ISACs are linked through an ISAC Council, and
they can play an important role in critical infrastructure protection. See, THE ROLE OF INFORMATION SHARING AND
ANALYSIS CENTERS (ISACS) IN PRIVATE/PUBLIC SECTOR CRITICAL INFRASTRUCTURE PROTECTION 1 (Jan. 2009),
available at http://www.isaccouncil.org/whitepapers/files/ISAC_Role_in_CIP.pdf.
n15. See Government Accountability Office, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a
Comprehensive National Capability, http://www.gao.gov/products/GAO-08-588, July 2008.
n16. See DHS Press Release announcing opening of the NCCIC, http://www.dhs.gov/ynews/releases/pr_1256914923094.shtm.
n17. See DHS Press Release announcing that it has agreed with the Information Technology Information Sharing and
Analysis Center (IT-ISAC) to embed a full time IT-ISAC analyst at the NCCIC, November 18, 2010,
http://www.dhs.gov/ynews/releases/pr_1290115887831.shtm.
n18. For an example of such a proposal, see Section 14 of the Cybersecurity Act of 2009 as introduced in the 111th
Congress, S. 773.
n19. The Department of Homeland Security's Chief Privacy Officer issued a memorandum in late 2008 to describe how DHS
would apply FIPS. Privacy Policy Guidance Memorandum, issued December 29, 2008 by Hugo Teufel III, Chief Privacy
Officer, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf.
n20. Einstein 2 PIA, http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf (May 19, 2008), p. 2.
n21. http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf.
n22. Stephen. G. Bradbury, Principal Deputy Assistant Attorney General, Legal Issues Relating To the Testing, Use and
Deployment of an Intrusion-Detection System (Einstein 2.0) to Protect Unclassified Computer Networks in the Executive
Branch, January 9, 2009, http://www.justice.gov/olc/2009/e2-issues.pdf. The memo concludes that operation of Einstein 2
does not violate the Constitution or surveillance statutes, and an August 14, 2009 opinion from the Obama Justice
Department's Office of Legal Counsel affirms that conclusion. http://www.justice.gov/olc/2009/legality-of-e2.pdf.
n23. The PIA for Einstein 2 makes it clear that, for example, Einstein 2 will collect an email address when the source of
malicious code it detects is attached to an email address. Moreover any "flow record" (a specialized summary of a suspicious
communication) that Einstein routinely generates will generally include IP address and time stamp, which are widely
regarded as personally identifiable.
n24. Privacy Impact Assessment for the Initiative Three Exercise, March 18, 2010,
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nppd_initiative3exercise.pdf.
n25. Section 336 of the Intelligence Authorization Act for FY 2010, Pub. L. No. 111-259.
n26. For a fuller listing of open questions about the Einstein Intrusion Detection System, see Center for Democracy &
Technology, Einstein Intrusion Detection System: Questions That Should Be Addressed,
http://www.cdt.org/security/20090728_einstein_rpt.pdf.
n27. The line between "active defense" and "offensive" cyber operations is a blurry one, and we do not attempt here to
delineate what activities fall into each category.
n28. Nakashima, Ellen, Pentagon's Cyber Command Seeks Authority to Expand Its Battlefield, The Washington Post,
November 6, 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/11/05/AR2010110507304.
n29. In the 111th Congress, Section 18 of the Cybersecurity Act of 2009, S. 773 and Section 201 of the Protecting
Cyberspace as a National Asset Act, S. 3480 both included such provisions.
n30. McIntyre v. Ohio Elections Comm'n, 514 U.S. 334 (1995).
n31. Center for Strategic and International Studies, Report of the CSIS Commission on Cybersecurity for the 44th
Presidency, http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf, December 2008, p. 63. The CSIS
report advocates strong authentication of identity for the information and communications technology sector, and the
energy, finance and government services sectors. It also recognizes that authentication requirements should be proportional
to the risk they pose and that consumers should have choices about the authentication they use.
n32. CDT has outlined these and other Privacy Principles for Identity in the Digital Age. Version 1.4 of the principles,
released in December 2007, can be found here: http://www.cdt.org/security/identity/20080108idprinciples.pdf. The privacy
principles for identity that extend beyond proportionality and diversity are based on Fair Information Practice principles, and
include specifying the purpose for the system being used, limiting the use and the retention period of personal information
collected, giving individuals control and choice over identifiers needed to enroll in a system to the extent this is possible,
providing notice about collection and use of personally identifiable information, security against misuse of the information
provided, accountability, access and data quality.
n33. See, Center for Democracy & Technology, Privacy Principles for Identity in the Digital Age,
http://www.cdt.org/security/identity/20080108idprinciples.pdf, December 2007.
What Should the Department of Defense’s Role in Cyber Be?
Shari Lawrence Pfleeger Director of Research, Institute for Information Infrastructure Protection, Dartmouth College,
Hanover, New Hampshire; Testimony to House Armed Services Committee Subcommittee on Emerging Threats and
Capabilities, 11 February 2011
Many thanks to the Subcommittee for inviting me to address these important questions. I am the Director of
Research for the Institute for Information Infrastructure Protection, at Dartmouth College. The I3P is a
consortium of 27 American universities, national laboratories, and non-profits focused on tackling problems in
cyber security, dependability, safety and reliability. However, my opinions today are my own, not the I3P's,
Dartmouth College’s, nor my sponsors’.
I have organized my comments so that they address the three important questions posed by the
Subcommittee's invitation to me.
What are the significant challenges facing the private sector, federal government and Defense
Department in preparing for the defense of the nation’s cyber infrastructure?
Diverse and distributed ownership. Much of the nation's critical cyber infrastructure is privately owned, and
the federal government, including the Defense Department, requires its use in providing critical functions and
services to the American public. For this reason, private enterprise must recognize its responsibility in
providing secure and resilient infrastructure components. The government plays an essential role in
encouraging or requiring private enterprise to find solutions that permit the nation’s economic and social
engines to function. However, traditional approaches such as service level agreements, reliability standards,
and problem reporting are made more difficult by the diverse and distributed ownership of the cyber
infrastructure. Moreover, the cyber infrastructure is constructed of many parts that were not originally
designed to provide critical infrastructure capabilities; because many of the security-related parts are not the
primary money-makers for their providers, there is often little incentive for the providers to put security
concerns above functionality provision.
Appeal as a criminal tool. Many criminals use the cyber infrastructure as a tool to perpetrate their crimes.
This usage enables criminals to act more broadly, more quickly, and with more anonymity than with other
technologies. It is important to address the increase in cyber crime and cyber attack without restricting the
far-more-common legal uses of the cyber infrastructure.
Difficulty in quickly identifying and reacting to emergent behavior. Cyber problems are usually emergent
behaviors with high degrees of uncertainty about both cause and extent of effect. Consequently, the time
between recognizing an abnormality, understanding cause and effect, and selecting an appropriate reaction
can sometimes be quite long. And there are significant risks in acting with insufficient information. The large
service providers can often act quickly to spot and stop aberrant behavior, especially when a disruption in
service or function is temporary and non-critical. But when the aberrant behavior's cause is not certain and
involves possible responses with life-threatening or international diplomatic repercussions, decision-makers
must take far more care in reducing the uncertainty surrounding cause and effect.
What policy, legal, economic and technical challenges are critical?
Misaligned incentives. Economics and behavioral science provide numerous examples of misaligned cyber
security incentives. (See van Eeten and Bauer, 2008 for a summary.) For instance, an organization that
chooses not to act securely can nevertheless be protected by the secure actions of others. (This phenomenon
is called “herd immunity,” where someone is protected when enough others keep the level of “infection” down,
or “free riding,” where investments by others allow someone without investment to benefit, too.) Similarly,
many organizations underinvest in cyber security: they take no up-front preventive or mitigative measures,
preferring instead to deal with cyber attacks when they happen, and expending resources to clean up the
resulting mess. (Rowe and Gallaher 2006) Indeed, Kunreuther and Heal (2003) point out that when one
organization takes protective measures, those steps can actually discourage others from making security
investments. These misaligned incentives sometimes result in good business decisions that are at the same
time very bad security decisions. And the bad outcomes do not always affect the organization behaving badly,
or not for very long. For example, the Defense Department may experience a breach of personal information
about its soldiers, perhaps due to a cyber security failure. The impact is felt by the soldiers and their families;
the breach may not cost the Defense Department much to remedy, and the long-term impact to recruitment
and soldier effectiveness may be negligible. Similar examples of short-term effect to reputation and stock
price are documented in the cyber security economics literature.
The need for diversity. Many researchers and practitioners have argued that technological diversity leads to
more secure products and networks, (Geer et al. 2003) and several studies (for example, Danezis and
Anderson 2005) suggest that systems composed of diverse resources perform better than those whose nodes
have the same resource mix. However, for economic reasons (especially in terms of the cost of maintenance
and support), organizations often prefer technological uniformity. Anderson and Moore (2008) point out how
externalities such as market dominance and access to applications reduce diversity. Moreover, it is more
difficult to assure diversity than it would seem. Knight and Leveson (1986) demonstrated that attempts at
diverse design are often dashed because of commonality in the way we train our software engineers. Other
diversity failures can emerge by chance, when lack of knowledge, system complexity, and business
confidentiality lead to architectures with unintended dependencies and unexpected points of failure.
Perceived lack of security choices compatible with organizational culture and goals. Too often, decision-makers
view security as an inhibitor of creativity and productivity rather than as an enabler. For example, my
profile of a large, multi-national corporation under sustained cyber attack revealed that the corporate
president refused to remove administrative privileges from all corporate computers for fear that it would
inhibit employees’ computational flexibility. (Pfleeger 2010) Other studies show similar problems, with
practitioners disabling or avoiding security in order to “get their jobs done.” (See Sasse 2004 for a survey of
these problems.)
What should the government do to address these challenges?
Address cyber crime and cyber attacks the way other unwelcome behaviors are addressed. The government
should incentivize or require better breach, fraud and abuse reporting, much as the Federal Trade Commission
and the Food and Drug Administration track consumer problems and adverse consequences. Similarly, data
about the nature and number of cyber attacks should be reported consistently each year, so that sensible
trend data can form the basis for effective preventive and mitigative actions. Currently, almost all states
require breach reporting when personal information is revealed—a good first step at capturing much-needed
data. Other countries, such as Britain and France, have mandatory public reporting of bank fraud by crime
method; efforts could be instituted here in the U.S. by extending existing criminal statutes to include cyber
crimes. Our current reliance on convenience surveys for information about cyber attack trends can be
misleading; more careful sampling and more consistent solicitation of data are essential. Early attempts by
the Bureau of Justice Statistics at capturing cyber crime data on a large scale with a careful sampling scheme
(see Rantala, 2008) had significant drawbacks, as documented by Cook and Pfleeger (2010). It may be more
useful to capture data in various ways for various purposes, but doing so consistently over the years so that
trends can be analyzed; some of the common terminology, such as the CVE (common vulnerabilities and
exposures) list, can be useful in this regard. Good cyber economic models, informed by these representative,
consistent data, offer the opportunity to improve cyber security investments and our general understanding of
cyber risk relative to other kinds of risk. (Rue and Pfleeger, 2009)
technology—just like other technology providers—are forced to take responsibility for its failure. The situation
now in cyber is similar to that of automobiles in the 1960s. When a lack of car safety was made more visible,
the government responded by making automobile companies more liable for their unsafe practices and
products. And as with automobiles, a combination of manufacturer liability and economic constructs (such as
insurance) could encourage more secure cyber product design and implementation.
Insist on good systems engineering. The government is a significant buyer of cyber technology, and its
purchasing power can be put to use in two important ways. First, by keeping track of cyber-related failures
(security and otherwise), the government can refuse to continue to deal with system providers whose
products and services are demonstrably insecure, unsafe or undependable. The data gathered in this process
have another purpose: they can inform subsequent requirements selection, design decisions, and testing
strategies, so that errors made in earlier products are less likely to occur in later ones. Second, the
government can insist that critical systems, not just software, must be accompanied by solid, up-to-date
formal arguments describing why the systems are secure and dependable. Such arguments are used in other
domains, such as nuclear power plant safety, and can easily be extended to cyber systems. (Pfleeger, 2005)
Moreover, suppliers’ formal arguments can be woven into the system integrator’s security and dependability
arguments, to show that supply chain issues have been addressed with appropriate levels of care and
confidence.
Provide economic incentives to encourage “good hygiene” in individual organizations. Such incentives can
speed implementation of protocols (such as DNSSEC), applications and systems that are demonstrably more
secure. The incentives should also include rewards for speedy correction of security problems and
punishments for lax attention to such problems. There are both public and private precedents for such
incentives, such as tax incentives and insurance discounts. Previous attempts at self-regulation have been
distinctly unsuccessful; for instance, Edelman (2006) shows that less reputable companies are more likely to
buy trust certificates than reputable ones.
Encourage research in key multi-disciplinary areas that often get short shrift. Many security failures occur
not because a problem has no solution but because the solution has not been applied. From failure to apply
patches promptly to reluctance to thoroughly scrub a system for vulnerabilities, many system problems result
from system designers’ failure to acknowledge the user’s perspective and proclivities. Behavioral science
(including psychology and organizational behavior) and behavioral economics have significant potential to
improve the security and dependability of the nation’s cyber infrastructure. For example, we in the I3P are
managing three such projects. The first, on leveraging behavioral science to improve cyber security, is
performing a series of carefully-controlled experiments in actual business settings to determine the best ways
to improve security awareness and incentivize “good security hygiene.” The second, on privacy, is
investigating how organizational and national culture influence privacy perception and related behaviors. The
third seeks ways to incorporate the user’s perspective in the specification, design and testing of cyber security
products and services. In the short term, this type of research can improve adoption rates for security
technology, thereby reducing the “attack surface” at which malicious attackers take aim. In the longer term,
this research can lead to a more resilient cyber infrastructure that users are eager to use correctly and safely.
References
Anderson, Ross and Tyler Moore, “The Economics of Information Security,” Science (314:5799), October 2006, pp. 610-613.
Anderson, Ross and Tyler Moore, “Information Security Economics and Beyond,” Proceedings of the Information Security
Summit 2008, available at http://www.cl.cam.ac.uk/~rja14/Papers/econ_czech.pdf
Cook, Ian P. and Shari Lawrence Pfleeger, “Security Decision Support Challenges in Data Collection and Use,” IEEE Security
& Privacy 8(3), May 2010, pp. 28-35.
Danezis, George and Ross Anderson, “The Economics of Resisting Censorship,” IEEE Security & Privacy, 3(1), January 2005,
pp. 45-50.
Edelman, Benjamin, “Adverse Selection in Online „Trust’ Certifications,” Fifth Workshop on the Economics of Information
Security, 2006, available at http://www.benedelman.org/publications/advsel-trust.pdf
Geer, Daniel, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace and Peter Gutmann,
CyberInsecurity: The Cost of Monopoly, Computer & Communications Industry Association Report, September 24, 2003,
available at https://www.schneier.com/essay-318.html
Knight, John C. and Nancy G. Leveson, “An Experimental Evaluation of the Assumption of Independence in Multi-version
Programming,” IEEE Transactions on Software Engineering, SE-12(1), January 1986, pp. 96-109.
Page 45
Kunreuther, Howard and Geoffrey Heal, “Interdependent Security,” Journal of Risk and Uncertainty, 26(2-3), March-May
2003, pp. 231-249.
Pfleeger, Shari Lawrence, “Soup or Art? The Role of Evidential Force in Empirical Software Engineering” IEEE Software,
January/February 2005.
Pfleeger, Shari Lawrence, “Anatomy of an Intrusion,” IT Professional 12(4), July 2010, pp. 20-28.
Rantala, Ramona R., Cybercrime Against Businesses, 2005, Bureau of Justice Statistics Special Report NCJ 221943,
September 2008, available at http://bjs.ojp.usdoj.gov/content/pub/pdf/cb05.pdf.
Rowe, Brent and Michael Gallaher, “Private Sector Cyber Security Investment Strategies: An Empirical Analysis,” Workshop
on the Economics of Information Security, 2006, available at http://weis2006.econinfosec.org/docs/18.pdf
Rue, Rachel and Shari Lawrence Pfleeger, “Making the Best Use of Cybersecurity Economic Models,” IEEE Security & Privacy
7(4), July 2009, pp. 52-60.
Sasse, M. Angela, “Usability and Trust in Information Systems,” Cyber Trust and Crime Prevention Project, 2004, available
at
http://hornbeam.cs.ucl.ac.uk/hcs/publications/Sasse_Usability%20and%20trust%20in%20information%20systems_Cyber
%20Trust%20&%20Crime%20Prevention%20Project2004.pdf
van Eeten, Michel J.G. and Johannes M. Bauer, Economics of Malware: Security Decisions, Incentives and Externalities, STI
Working Paper JT03246705, OECD, 29 May 2008.
Table of Contents
House Armed Services Committee; Subcommittee on Emerging Threats and Capabilities
Remarks of Gerry Cauley, President and Chief Executive Officer, North American Electric Reliability Corporation, February 11, 2011
Good morning Chairman Thornberry, Ranking Member Langevin, Members of the Subcommittee and fellow
panelists. My name is Gerry Cauley and I am the President and CEO of the North American Electric Reliability
Corporation (NERC). I am a graduate of the U.S. Military Academy, a former officer in the U.S. Army Corps of
Engineers, and have over 30 years' experience in the bulk power system industry, including service as a lead
investigator of the August 2003 Northeast blackout and coordinator of the NERC Y2K program.
Background
NERC’s mission is to ensure the reliability of the bulk power systems of North America and promote reliability
excellence. NERC was founded in 1968 to develop voluntary standards for the owners and operators of the
bulk power system (BPS).1 In 2007, NERC was designated the Electric Reliability Organization (ERO) by FERC
in accordance with the Energy Policy Act of 2005 and our reliability standards became mandatory across the
BPS. These mandatory reliability standards include Critical Infrastructure Protection (CIP) Standards 002
through 009 which address the security of cyber assets essential to the reliable operation of the electric grid.
To date, these standards are the only mandatory cybersecurity standards in place across the critical
infrastructure sectors of North America. Subject to FERC oversight, NERC enforces these standards, which are
developed with substantial input from industry and approved by FERC, to accomplish our mission to ensure
the reliability of the electric grid. In its position between industry and government, NERC embodies the often-invoked goal of creating effective partnerships between the public sector and the private sector.
As a result of society’s evolutionary dependency on electricity, the electric grid is one of the nation’s most
critical infrastructures. The bulk power system in North America is one of the largest, most complex, and most
robust systems ever created by man. It provides electricity to over 334 million people, is capable of
generating over 830 gigawatts of power over 211,000 miles of high voltage transmission lines and represents
over $1 trillion in assets. The electricity being used in this room right now is being generated and transmitted
in real time over a complex series of lines and stations from possibly as far away as Ontario or Tennessee. As
complex as it is, few machines are as robust as the BPS. Decades of experience with hurricanes, ice storms,
and other natural disasters as well as mechanical breakdowns, vandalism and sabotage, have taught the electric
industry how to build strong and reliable networks. The knowledge that disturbances on the grid can impact
operations thousands of miles away has influenced the electric industry culture of planning, operating and
protecting the BPS.
The Cybersecurity Challenge for the Grid
Along with the rest of our economy, over the past few decades the electric industry has become increasingly
dependent on digital technology to reduce costs, increase efficiency and maintain the reliability of the BPS.
The networks and computer environments that make up this digital technology could be as vulnerable to
malicious attacks and misuse as any other technology infrastructure. Much like the defense of this country,
the defense of the BPS requires constant vigilance and expertise. An increasing amount of resources and skill
are required to mitigate vulnerabilities and maintain the integrity and availability of the BPS.
The assets that make up the BPS are varied and widespread. Consequently, the architecture within the
systems varies from operator to operator. However, the computer systems that monitor and control BPS
assets are based on relatively few elements of technology. Due to increasing efficiencies and globalization of
vendors, the universe of suppliers for industrial control systems is limited. This trend is leading toward a fairly
homogenous technological underpinning and, as older proprietary technology is replaced, the variation may
decrease further.
For example, the bulk power system could be as vulnerable to digital threats as IT systems, but with far more
critical implications, as the recent Stuxnet virus has shown. As proprietary industrial control systems continue
to integrate Commercial Off-The-Shelf (COTS) systems, these platforms could inherit the embedded
vulnerabilities of those systems. As illustrated by Stuxnet, industrial control system software can be changed
and data can be stolen without intrusions even being detected. These injection vectors serve as a blueprint for
future attackers who wish to access controllers, safety systems, and protection devices to insert malicious
code that could result in changes to set points and switches as well as the alteration or suppression of
measurements.
Establishment and continued refinement of enterprise risk-based programs, policies and processes to prepare
for, react to, and recover from cybersecurity vulnerabilities need to continue to be a high priority for the
industry. The bulk power system has not yet experienced widespread debilitating cyber-attacks; the most
significant contributing factor is the traditional physical separation between the industrial control system
environment and the business and administrative networks. The increased sharing of internet and computer
networking by control systems and business and administrative networks simply means that digital
infrastructures that were formerly physically separated are now becoming susceptible to common threats that
were previously unknown in control system environments.
The Role of NERC and Critical Infrastructure Protection Reliability Standards
The NERC CIP reliability standards create a useful baseline of security, but they should not be interpreted (or
expected) to render an entity invulnerable. Rather, the NERC CIP standards require electric sector entities to
develop a risk based security policy based upon their own specific assets, architecture and exposure. This
policy, if properly implemented, will provide insight into the entity’s systems and provide the opportunity to
mitigate potential threats and vulnerabilities before they are exploited. While the electric sector is the only
critical infrastructure sector to have mandatory cybersecurity standards, simple compliance with the NERC CIP
standards is only an initial element in properly securing the BPS. There is no single security asset, security
technique, security procedure or security standard that even if strictly followed or complied with will protect
an entity from all potential threats. The cybersecurity threat environment is constantly changing and our
defenses must keep pace. Security best practices call for additional processes, procedures and technologies
beyond those required by the CIP standards. Simple implementation of enforceable standards, while valuable
and a necessary first step, should not be seen as the security end-state. It’s important here to emphasize the
difficulty of addressing grid security through a traditional regulatory model that relies principally on mandatory
standards, regulations, and directives. The defensive security barriers mandated by CIP standards can be
effective in frustrating ordinary hackers or would-be copper thieves by increasing the costs and resources
necessary to harm the grid. They will not, however, stop the determined efforts of the intelligent, adaptable
adversaries supported by nation states or more sophisticated terrorist organizations. NERC is moving forward
with a number of actions to complement our mandatory CIP Standards and provide enhanced resilience for
the grid. As chair of the Electricity Sub-Sector Coordinating Council (ESCC), I work with industry CEOs and
our partners within the government to discuss and identify critical infrastructure protection concepts,
processes and resources as well as facilitate information sharing about cyber vulnerabilities and threats. This
type of public/private partnership is key to coordination and communication efforts on cybersecurity topics
and initiatives. NERC is also developing a North American cyber security exercise to prepare for and test a
national response plan for the electric sector.
The most effective approach for combating advanced adversaries is to apply resiliency principles, as outlined
in a set of nine recommendations the National Infrastructure Advisory Council delivered to the White House in
October 2010. I served on that Council along with a number of nuclear and electric industry CEOs. Resiliency
requires a more proactive readiness for whatever may come our way. Resiliency includes providing an
underlying robust system; the ability to respond in real-time to minimize consequences; the ability to restore
essential services; and the ability to adapt and learn. The industry is already resilient in many aspects, based
on system redundancy and the ability to respond to emergencies. To further enhance resiliency, examples of
the NIAC team’s recommendations include: 1) a national response plan that clarifies the roles and
responsibilities between industry and government; 2) improved information sharing by government regarding
actionable threats and vulnerabilities; 3) cost recovery for security investments driven by national policy or
interests; and 4) a national strategy on spare equipment with long lead times, such as transformers. At NERC,
we are working with stakeholders to develop programs that build upon the resiliency inherent in the grid to
better secure critical assets and ensure the continued reliability of the BPS.
Information Exchange is Critical
It is important to note that NERC and the electric industry can only develop risk based security policies that
deal with the risks they are aware of. It is impractical, inefficient and impossible to defend against all possible
risks, threats or vulnerabilities. Entities must prioritize their resources to ensure that they are protected
against those risks that pose the greatest harm to their assets, business and clients. The electric industry is in
the best position to understand the impact that a particular event or incident could have on the BPS, but they
do not have the same access to actionable intelligence and analysis that the Government does. This lack of
information leads the industry to be, at best, a step behind when it comes to protecting against potential
threats and unknown vulnerabilities. Too often we have heard from Government agencies that the threats are
real, but are given little or no additional information. This leads to frustration among the private sector leaders
who are unable to take fact-based responsive measures due to ill-defined and nebulous threat information.
Improving the amount and quality of actionable intelligence is a priority for NERC and it manifests itself in a
number of projects in which we are engaged with the Departments of Defense and Homeland Security. NERC
is currently working with both DoD and DHS to finalize memoranda of understanding regarding sharing of
bi-directional actionable intelligence. Under this agreement, NERC, as the Electric Sector Information Sharing
and Analysis Center (ES-ISAC), will act as a clearing house, disseminating actionable intelligence including
classified contextual information to appropriately cleared staff within the BPS community. NERC will also
provide anonymous situational awareness back to DoD and DHS analysts to supplement the information
received from the intelligence community. We see this effort as crucial to improving the level of threat
awareness within the industry.
NERC-DOD Collaboration
Few elements of our society are able to generate enough of their own electricity so as to be independent of
the electric grid and this includes the Department of Defense. The vast majority of our nation’s military
facilities purchase their electricity from private sector power companies, creating a symbiotic relationship that
has endured for over 100 years. Defense Department leadership recognizes that the BPS is vital to the
readiness and overall effectiveness of the Department’s mission and has reached out to NERC to collaborate
on ensuring the continued reliable supply of electricity to our defense facilities.
To that end, I recently traveled to Colorado Springs to meet with officials from U.S. NORTHCOM where we
discussed collaborating on various electric grid focused activities including participation in the 2011 SecureGrid
Exercise, providing electric sector situational awareness and collaborating on the Joint Capability Technology
Demonstration (JCTD) Smart Power Infrastructure Demonstration for Energy Reliability and Security
(SPIDERS). The latter project is being proposed to discover how specific facilities could develop small reliable
“micro-grids” on a short-term or emergency basis. Similarly, NERC is discussing a project with U.S.
NORTHCOM to develop case studies at critical military installations to further understand the requirements for
“flow of power” and the implications to military readiness.
NERC is engaged with other agencies and DOE National Laboratories to further the level of awareness and
expertise focused on cybersecurity, especially as it pertains to the BPS. We are working with Pacific Northwest
National Laboratory (PNNL) on developing certification guidelines for Smart Grid Cyber Operators and
discussing the creation of a technical method to verify compliance with Aurora vulnerability mitigation.
Similarly we are working with the Idaho National Laboratory (INL) to promote Cyber Security Evaluation Tools
(CSET) for use within the electric sector and partnering with the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) to share threat, vulnerability and security incident information. We are also
exploring collaboration with INL to expand benchmarking of vendor products and systems that improve
cybersecurity protection, especially within the BPS.
Additionally as announced last week, NERC is actively engaged with the Department of Energy and the
National Institute of Standards and Technology (NIST) in developing comprehensive cybersecurity risk
management process guidelines for the entire electric grid, including the BPS and distribution systems. We
believe this to be particularly important with the increasing availability of “smart grid” technologies. While the
majority of technology associated with the “smart grid” is found within the distribution system, without
appropriate safeguards and security processes and procedures in place, vulnerabilities realized within the
distribution system could potentially impact the BPS. It is incumbent upon everyone engaged in the smart grid
implementation that appropriate security applications and technologies be built into the system to prevent
additional threats and vulnerabilities.
The title of this hearing today is “What should be the Department of Defense’s role in cybersecurity?” Clearly,
the Department of Defense has important resources, invaluable expertise and critical mission needs when put
in context of the Advanced Persistent Threat (APT). At the same time, defining the Department’s role on this
issue is not easy when so many critical assets are privately owned. Increases in information sharing and
growing trusted relationships between government agencies and private sector organizations can go a long
way in improving the overall security posture of our critical infrastructure. Leadership is key. Without the
institutional courage to be first and the humility to receive constructive criticism we will never advance the
security conversation beyond just that of an exchange of positions. We must develop operational strategies
that are capable of adjusting and growing to match the evolving threat.
Conclusion
As our nation moves forward and continues to become more dependent upon electricity and information
systems, it is imperative that we come to grips with how we secure those systems that enable our way of life.
Government must provide leadership and appropriate support in addressing the question of how to integrate
security into society. Industry must be willing to use its expertise and resources to further the goals of our
nation to make it stronger as well as more prosperous. The cybersecurity challenges facing us are not
intractable - they are the result of our own great innovation and can be overcome through our own great
ingenuity.
Notes:
1 The Bulk Power System (BPS) is defined as generation and transmission of electricity greater than 100 kV, in contrast to
the distribution of electricity to homes and businesses at lower voltages.
Revising Information Operations Policy at the Department of Defense
By Michael A. Clauser, Mountain Runner post, February 15,
On January 25, 2011, Secretary Gates signed a memorandum (hereafter 1/25/11 memo) entitled "Strategic
Communication and Information Operations in the DoD." The memo signals that the Pentagon's "E Ring" is
finally emphasizing the need for reform of interagency strategic communication (SC) and military information
operations (IO). It's frustrating that after eight years of irregular warfare in southwest Asia, it took an Act of
Congress (literally) to sharpen the minds and pencils of the Pentagon to tackle the problems. And now,
Secretary Gates' memo claims credit when it shouldn't, takes for granted one of its most controversial
statements, plays up one minor bureaucratic re-organization while glossing over the disestablishment of a
vital SC and IO problem-solving office, and most concerning may be too late to effect meaningful change in
Afghanistan.
To understand the memo one must understand its genesis. The memo is the follow-on to the DoD's 2009
Strategic Communication Report mandated in Section 1055(b) of the Duncan Hunter National Defense
Authorization (NDAA) for fiscal year 2009 (P.L. 110-417). The section was inserted into the NDAA as the
culminating legislative work of the House Armed Services Subcommittee on Terrorism and Unconventional
Threats from 2007 and 2008. The Subcommittee's leadership was alerted to the issue because of the two
Defense Science Board reports published in 2004 and 2008.
That same section 1055 of the FY09 NDAA also required a report from the President, written by his National
Security Council (NSC), for "a comprehensive interagency strategy for public diplomacy and strategic
communication of the Federal Government." Congress received a very late and past due DoD Report and
"National Framework for Strategic Communication" (an earlier leaked copy was entitled "National Strategy for
Strategic Communication.") For a review of the President's "Framework" see Matt Armstrong's synopsis.
In many ways, the 1/25/11 memo contains what the DoD's "1055 Report" should have contained--concrete
decisions and a way forward. The 1/25/11 memo has ten substantive paragraphs with ten corresponding main
points. The memo:
1. Recognizes a new dynamic strategic environment and need to adapt "anachronistic programs and
policies" to it.
2. References Congressional "scrutiny and reporting requirements" but takes credit for initiating a policy
review rather than more candidly admitting the Department's utter inaction absent the Congressionally-mandated review.
3. Transfers the "Principal Staff Advisor" (PSA) function for IO to the Under Secretary of Defense for Policy
[USD(P)] from Under Secretary of Defense for Intelligence [USD(I)].
4. Reorganizes responsibilities between the Combatant Commands (COCOMs) and Joint Staff.
5. Eliminates the Joint Information Operation Warfare Center and realigns its functions.
6. Redefines IO resulting in new emphases.
7. Heralds a forthcoming DoD Directive and an Instruction in an effort led by the Assistant Secretary of
Defense for Public Affairs [ASD(PA)] and USD(P).
8. Reaffirms that the term "Psychological Operations" is to be replaced by the term "Military Information
Support Operations."
9. Assigns USD(P), the Under Secretary of Defense for Comptroller [USD(C)], and the Director for Cost
Assessment and Program Evaluation (CAPE) to develop standardized budget methodologies for SC & IO
related capabilities.
10. Evaluates and possibly redoes SC/IO training and education.
Paragraph One: The Strategic Environment
The memo's introductory sentence, that the U.S. is in a dynamic and fluid strategic environment, is a
tautology. On its face, the sentence following is equally as obvious:
"The erosion of traditional boundaries between foreign and domestic, civilian and combatant, state
and non-state actors, and war and peace is but one indication of this change."
While true, that sentence is not that simple--certainly not for how the U.S. government is organized for armed
conflict and Congressional oversight. The sentence poses serious questions about the military's role globally
absent a declaration of war or an authorization for the use of force, about the division of labor between the
DoD and the Department of State, and Congress's oversight role. The most concise and thorough discussion
can be found in Daniel Silverberg and Joseph Heimann's "An Ever Expanding War: Legal Aspects of Online
Communication." Some lawyers have not made prosecution of the Global War on Terror easier over the last
decade, but Silverberg and Heimann make a good point about mission creep and authorities creep.
Paragraph Two: "Why I Decided to Write This Memo"
The 1/25/11 memo's second paragraph sounds the call to modernize "anachronistic programs and policies."
Better late than never, right? While the Secretary tips his hat to "external and internal demand signals," he
takes credit for initiating a "Front-End Assessment" in 2010 of SC and military IO. With all due respect to
Secretary Gates, that would not have happened without Section 1055 of the FY09 NDAA. The Department
should be given credit for capitalizing on the opportunity to do a fundamental scrub of SC and IO rather than
blow off the reporting requirement (though they failed to meet its deadline by months). But he should not
take credit for its initiation.
Paragraph Three: From Intelligence to Policy (...to Special Operations?)
The third paragraph announces that the DoD's oversight of SC and IO has shifted from the USD(I) to the
USD(P)--[which really means the ASD for Special Operations and Low Intensity Conflict and Interdependent
Capabilities (SOLIC&IC)].
Moving SC and IO into the Pentagon's main policy shop puts these functions back into the "mainstream."
There will be more ability for interagency collaboration and transparency in this process: discussions will be
held in only one, not multiple, SCIFs. But perhaps most importantly, the day-to-day care and feeding of these
functions will be farmed down the policy chain to the ASD(SOLIC&IC), who is overseeing the day-to-day of the
global war on terror and is the Pentagon's resident expert on insurgency, counterinsurgency, radical Islamic
extremism, and terrorism. SOLIC is also directly tied in to Special Operations Command, one of the
"functional" unified Combatant Commands (COCOMs) that have global (as opposed to regional) missions,
capabilities, reach, and authorities. Farming SC/IO oversight to SOLIC taps into those global authorities.
The third paragraph also announces that the USD(P) will rewrite DoD Directives 3600.01 and 5111.1. DoD
Directive 3600.01 is entitled "Information Operations," while DoD Directive 5111.1 simply outlines the
authorities and responsibilities of the USD(P). Rewriting DoD Directive 3600.01 is overdue. What's not
mentioned is DoD Directive 3321.1, entitled "Overt Psychological Operations Conducted by the Military
Services in Peacetime and in Contingencies Short of Declared War." DoDD 3321.1 is in desperate need of an
overhaul--but not by the USD(P), by Congress. Congress must step up and do a better job of defining the
lines in the road between foreign and domestic, influence and inform, peacetime and wartime, for the Defense
Department. Frankly, I'm beginning to believe that DoD needs its own Smith-Mundt. But more on that in a
separate post.
Paragraph Four: Joint Staff and COCOM Reorganization
Paragraph four severs and reassigns the traditional "pillars" of IO between the Joint Staff in the Pentagon and
various COCOMs. The pillars are traditionally understood to be (1) electronic warfare (EW), (2) computer
network operations (CNO), (3) psychological operations, (4) military deception (MILDEC), and (5) operations
security (OPSEC). Prior to this 1/25/11 memo, U.S. Strategic Command (STRATCOM), specifically the Joint
Information Operations Warfare Center (JIOWC), was the touch point and budget proponent for IO. The
memo obliterates that arrangement. It names the Joint Staff to be the IO flak at Pentagon budget meetings.
Joint Staff also now "owns" the MILDEC and OPSEC pillars. PSYOPs (now called MISO) goes to SOCOM [where
it already is per 10 USC 167(j)(6) ...but more on that later]. CNO (more of a function of cyber warfare
anyway) stays with U.S. Cyber Command under STRATCOM.
Paragraph Five: Joint Information Operations Warfare Center (JIOWC)
I had the opportunity to travel to JIOWC in June 2009 as part of a joint Congressional Staff Delegation. A
Democrat counterpart and I represented the bipartisan Strategic Communication and Public Diplomacy Caucus
and two other staff represented the Electronic Warfare Working Group. We attended a daylong brief led by
Director Mark H. Johnson. We all walked away thinking JIOWC was a great operation--nimble, providing value
for taxpayer money. JIOWC acts as an internal IO troubleshooting service "for COCOMs; by COCOMs." The
Center is able to deploy staff to assist geographic or functional COCOMs write their IO planning appendices.
They assist and advise on the other pillars of IO as well.
While a valuable resource for the warfighters, the IO, SC, and MILDEC pieces were an awkward fit at the
command center of America's nuclear arsenal. The CNO and EW pieces fit, but the rest didn't. Before the
announcement of its disestablishment, most thought U.S. Joint Forces Command may have made a better
home. The 1/25/11 memo effectively disestablishes JIOWC. While the more technical IO pillars rightfully
belong co-aligned to places like Cyber Command, I feel strongly that JIOWC should be maintained with a
narrowed focus on IO and SC. Regretfully, according to this memo, that's not in the cards.
Paragraph Six: A New IO Definition
The sixth paragraph promises a policy and doctrine revision co-chaired by the USD(P) and the Chairman of the
Joint Chiefs of Staff. Secretary Gates frames their efforts by decreeing a new DoD definition of IO:
"The integrated employment, during military operations, of information-related capabilities in concert
with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries
and potential adversaries while protecting our own."
The old definition was clearly written with Pentagon bureaucratic boundaries in mind (or what the 1/25/11
memo calls "core capabilities"):
"the integrated employment of electronic warfare, computer network operations, psychological
operations, military deception, and operations security, in concert with specified supporting and
related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision
making while protecting our own."
Andrew Exum (aka @AbuMuqawama) with the Center for a New American Security has a pretty good critique
of that former definition here. The new definition of IO is better. The 1/25/11 memo is right to complain that
"the current definition lacks reference to the information environment and places too much emphasis
on core capabilities. This has led to excessive focus on the capabilities and confuses the distinction
between them and IO as an integrating staff function."
It wastes taxpayer dollars and official time, and does not make America safer, for Pentagon officials to sit around
arguing whether computer network attack (CNO) is less IO and more cybersecurity, who should get the
budget and who should write the policies. The sixth paragraph ends, "Capability integration does not
necessitate ownership." Agreed.
Paragraph Seven: Strategic Communication
"Whither Strategic Communication?" once asked RAND's Chris Paul. One could ask the same thing of SC
throughout the 1/25/11 memo. Because SC is largely ignored until the memo's seventh paragraph, it leaves
the reader wondering whether DoD really (really really) sees a functional difference between SC and IO.
Heaven knows enough mid-level officials casually use the two interchangeably. How often has one seen an
email signature block from a Public Affairs Officer from any given service branch casually listing:
VR/
Lt. Joe Dokes
Director of Strategic CommunicationS
U.S. Military Service Branch
But the military's official dictionary, Joint Publication 1-02, defines SC:
"focused USG (United States Government) processes and efforts to understand and engage key
audiences in order to create, strengthen, or preserve conditions favorable to advance national
interests and objectives through the use of coordinated information, themes, plans, programs and
actions synchronized with other elements of national power."
The DoD's 1055 Report stuck with the joint publication definition but admitted it had little connection to how it
was implemented or understood in the military. The President's response to the 1055 reporting requirement
went a different direction defining SC as:
"(a) the synchronization of words and deeds and how they will be perceived by selected audiences, as
well as (b) programs and activities deliberately aimed at communicating and engaging with intended
audiences, including those implemented by public affairs, public diplomacy, and information operations
professionals."
Most heartening, the seventh paragraph promises a fresh scrub of SC resulting in a new DoD Directive and
Instruction which will provide a new definition of SC and clarifying roles and execution. The new DoD
Directive and Instruction will be drafted jointly by the USD(P) and the ASD(PA) to better integrate the DoD's
policy and communication. The new directive will formalize the "Global Engagement Strategy Coordination
Committee," which post ipso facto will write the directive that establishes it.
Paragraph Eight: Goodbye "Psychological Operations." Hello "Military Information Support Operations."
The memo's eighth paragraph reaffirms the Secretary's December 2010 decision to no longer use the term
"Psychological Operations" and instead use "Military Information Support Operations." Frankly, I do not
believe he has the power to do that--at least not the way he did. "Psychological Operations" is a mission
assigned to U.S. Special Operations Command in 10 USC 167(j)(6). If he wants to change the term he must
submit an authorization request to Congress to amend Title 10 to have the name changed. The best
articulation of this argument is Alfred Paddock's Small Wars Journal article on the topic. Secretary Gates, if
you want to change the law, just ask Congress. That's what they're there for.
Paragraph Nine: Auditing IO
Secretary Gates calls on the Pentagon's budget and program gurus to "develop standardized budgeting
methodologies for SC and IO-related capabilities and activities." There is a consistent and reasonable need to
account to Congress and other audiences how money is spent across the DoD on particular inter-service
capabilities or inter-command missions. To date, I think the noblest attempt was by the Air Force to create a
virtual Major Force Program (vMFP) to account for funding across service branches relating to Outer Space.
Does the 1/25/11 memo mean Secretary Gates is calling for a vMFP for IO?
Paragraph Ten: Training, Education and IO
The memo's final paragraph (sans conclusion and imperator) calls on the CJCS to evaluate SC and IO training
and education to meet COCOM requirements through the joint education and training system. The concern
here is broader than IO: lumping "training and education" in together confuses the two (just like the memo's
lumping together IO and SC confuses the two). Why? The military service branches at the highest levels can't
bring themselves to separate out the two. As one friend and retired Marine O-6 told me (to paraphrase): "education
expands your mind to think new ways and ask 'what can be?' while training is rote repetition to perform a
function faster and more efficiently."
Conclusion
The memo concludes and so do I. Gates' 1/25/11 memo is important and "good" in many respects--but not
perfect. And many of its decisions are late--by at least a year--if not a decade, depending how you count.
The bottom line is that DoD has a lot of work ahead of it. Most importantly, it should stop churning on
questions frankly above their pay grade and ask Congress for specific Title 10 authorization to clarify
ambiguities in law, mission, organization, and budget.
Information as Power
Volume 5, An Anthology of Selected United States Army War College Student Papers, Information In Warfare Group, U.S.
Army War College
Information as Power is a refereed anthology of United States Army War College (USAWC) student papers
related to information as an element of national power. It provides a medium for the articulation of ideas
promulgated by independent student research in order to facilitate understanding of the information element
of power and to better address related national security issues. The anthology serves as a vehicle for
recognizing the analyses of Army War College students and provides a resource for USAWC graduates, senior
military officers, and interagency national security practitioners concerned with the information element of
national power. [Download here]