Modernizing Authentication — What It Takes to Transform Secure Access
Date: 12/14/2017 @ 1 p.m. ET
Last May, Lieutenant General Keith Alexander appeared before the Terrorism, Unconventional Threats and Capabilities Subcommittee of the House Armed Services Committee in his new role as Commander, Joint Functional Component Command for Network Warfare under US Strategic Command (USSTRATCOM).
Forget the rest of that lumpy mouthful. We zeroed in on these two words: Network Warfare. It has a nice ring. General Alexander, it would seem, is in charge of Americas network fighting machine.
We imagined a whole new branch of the armed services opening up: the eForce. Army, navy, air force, eForce. I Want You for eForce if youre a geek. Join the eForce and serve your country. Or how about tough-as-nails convicted hackers dragooned into a Dirty Dozen eBrigade?
We wanted to know more about the eForce. (For example, where do we join up?) So we tried to, um, liaise with the military, with perhaps predictably frustrating results.
Among many other things General Alexander told the House subcommittee last May, none of them terribly definite or explicit, was this: Maintaining freedom of action in cyberspace in the 21st Century is as inherent to U.S. interests as freedom of the seas was in the 19th Century, and access to air and space in the 20th Century.
The implications may be far from clear, but it does put the issue succinctly in perspective.
He also said, The rapid expansion and global dependence upon cyberspace required the Defense Department to evolve its warfighting doctrine to include cyberspace as a viable domain on par with the domains of the land, sea, air, and space. He referred to cyberspace as a warfighting domain.
Warfighting domain. Again, a nice ring. www.al-qaeda.war. And its all beginning to sound vaguely aggressive and threatening with the emphasis on vaguely.
Secret cyber mission
But what really piqued our curiosity was this statement. General Alexander said his responsibility was to plan, coordinate, and conduct offensive and defensive cyberspace operations. [Emphasis ours.] Executing this mission requires assembling and maintaining a force capable of adapting to, and operating in, a complex and continually evolving and expanding environment.
So there it is: the eForce. And its not just responsible for defending the militarys network infrastructure, it also apparently has a mandate to conduct offensive operations. What kind, we wondered? And under what provocations?
We first approached General Alexanders office and requested an interview with the general himself or some other officer. Eventually we were referred to LCDR Steve Curry, USN who is Chief, Media Operations in the U.S. Strategic Command Public Affairs Office in land-locked Omaha, Nebraska.
LCDR Curry, whom we addressed perhaps impoliticly as Steve (he always addressed us as Sir) is, at least in e-mails, as serious and formal man as befits his station. But hes not without a sense of humor. His first response to us began, Sir Greetings from frigid Omaha.
There followed a somewhat tedious round of nagging for action on our interview request. LCDR Curry eventually broke it to us that no person-to-person interview would be forthcoming, but we could forward questions by e-mail, which we did. And then waited, and waited.
When the answers eventually came, two weeks later, they were a masterpiece of opaqueness and evasion. What else did we expect, you might ask?
We first wanted to know if the eForce mandate included protecting U.S. cyberspace infrastructure, in general including civilian or just military. The answer there was fairly clear: just military.
Our anonymous STRATCOM spokesperson (LCDR Curry, we suspect) added, Responsibility for protecting federal civilian networks remains with the Department of Homeland Security, and responsibility for protecting private sector networks remains with the private sector.
So, no, Google cant call in the Marines, although as we know, it has asked for help from the Secret Service.
We then tried to probe the eForces posture. Was the mandate, as General Alexander seemed to say, offensive as well as defensive?
The e-mailed answer was partly a repetition of General Alexanders text but without the reference to offensive operations and ended with this observation: For obvious reasons of security, we do not discuss alleged or actual operations.
Successive questions probing different aspects what kinds of worst-case scenarios could be imagined? what offensive actions might be undertaken? in what circumstances? elicited the identical answer.
Going on the cyberattack?
A final question in this series, asking point-blank whether the military would initiate offensive actions against an adversary in cyberspace, did draw a longer, but still evasive, response.
As part of approved military operations, the U.S. maintains capabilities to use the cyberspace domain as a medium through which it can defend itself against threats to national or economic security. The United States is actively developing and implementing capabilities to deter or deny a potential adversary the ability to use its computer systems to conduct cyber operations against the U.S.
It concluded with the refrain, For reasons of security, however, we do not provide specific information regarding our intentions, plans, or capabilities.
A question about whether the military was currently involved in espionage-type activities against adversaries drew the same answer word-for-word as the previous one.
We finished by asking about the force that General Alexander told the House subcommittee he was assembling our eForce. What was its makeup? How big was it? And so on. More obfuscation:
It's not realistic to provide a finite number. Cyber security is everyone's responsibility, and the DoD's information systems includes approximately 15,000 networks and more than 7 million pieces of IT equipment. Every day we're training and expanding the staff needed to more effectively manage that enterprise.
Now it begins to sound like nothing more than a corporate data security department. How disappointing.
Finally, we asked if military personnel are currently being trained in cyber warfare? Here the answer appeared to be more contingent than deliberately evasive:
We are developing a doctrine that will address how we will protect DoD interests in cyberspace as a domain, how our forces will be designed, and how they will be trained to protect and defend our networks. The ongoing Quadrennial Defense Review is assessing our current capabilities and will make recommendations on doctrine for the future.
Its very easy, of course, to mock bureaucratic obfuscation of this kind. It verges on comical without any editorializing by a smart-assed columnist. But the underlying issues are serious.
What exactly is the U.S. military up to in cyberspace? We know more or less what its doing on land, sea, and in the air. Why cant we know at least a little more about what its doing in cyberspace?
The thing is, cyberspace is all connected: the military and the civilian, the entire world. Thats the root of the problem the military is addressing.
The worry is about possible collateral damage in the event of military action initiated in cyberspace against an adversary. Could General Alexanders eForce inadvertently precipitate a Dr. Strangelove-style e-Armageddon?
Gerry Blackwell is a veteran technology journalist based in Canada. His original column on cybersecurity appears here every month.