In case you haven't been following it, the Twitter traffic from today's Cyber Dialogue 2013 at the University of Toronto's Munk School of Global Affairs featured a great quote from a recently retired Canadian general.
Lt. Gen. Andrew Leslie (chief of the Canadian Army from 2006 to 2010, shown above in 2009) apparently made a comment that yours truly has heard plenty of times in Washington: a major, destructive cyber attack would likely prompt a knee-jerk reaction from governments that greatly expanded their control of the Internet. Killer Apps wasn't at the event to hear the quote directly, but here's what people who were at the event tweeted about it.
Taylor Owen, research director at Columbia University's Tow Center for Digital Journalism, tweeted that the general's comments sent "a chill over" the conference:
Scott Carpenter of Google Ideas called the Canadian general's comment "a weird threat":
Finally, Richard Bejtlich, chief security officer at cyber firm Mandiant, tweeted:
It's interesting to see cyber professionals from some of the foremost institutions in tech, business, and journalism express surprise over Leslie's comments. U.S. lawmakers have made similar comments throughout the last year in trying to pass cyber security legislation.
Reps. Mike Rogers and Dutch Ruppersburger -- co-sponsors of CISPA, the cyber security bill currently being worked on in the House -- have used this argument several times in an attempt to push lawmakers to adopt their bill, which civil liberties advocates say is harmful to individual privacy rights.
Last summer, James Lewis of the Center for Strategic and International Studies warned that a destructive cyber attack will likely result in Congress passing legislation that runs roughshod over privacy rights.
Bruce MacRae, Flickr
The U.S. Air Force is looking for someone to help the Royal Saudi Air Force keep its fleet of brand new F-15SA Strike Eagles safe from cyber attack.
Remember, the Saudis bought 84 Boeing-made Strike Eagles in December 2011 as part of a mammoth weapons buy. Deliveries of the new jets are slated to start in 2015. Like other 21st century fighter jets, the newest Strike Eagles are tied to computer networks that could be vulnerable to hacking.
To protect against this, the U.S. Air Force wants to hire someone to give the Saudis "initial Computer Network Defense (CND) capabilities, facilities, and manpower necessary to protect sensitive networks, systems, and data generated and utilized in support of F-15 flight, maintenance, supply, and operations activities," according to this March 11 notice. The U.S. Air Force estimates that this is a $110-$120 million business opportunity, pretty small when compared to the $29.4 billion contract for the 84 new jets.
This is just the start of the Saudi air force's effort to develop a "robust and survivable Computer Network Operations capability," according to the notice.
In addition to designing software and procedures necessary to protect the jets from hacking, the contractor will be expected to build the Saudi air force's new "Secure Communications Facility," which includes the service's primary data center, its new "Cyber Security Operations Center/Network Operations & Security Center," and a secure satellite communications facility.
The Saudi F-15s aren't the only new fighter jets being built with cyber security in mind. Lockheed Martin's F-35 Joint Strike Fighter program underwent a pretty big software overhaul after it was discovered that its computerized maintenance and flight planning systems -- called ALIS -- was vulnerable to hacking. This meant that enemy spies could discover all sorts of information about the maintenance status of the jets, pilot readiness levels, and potentially the plane's weaknesses. Until late in the last decade, fighter jets weren't necessarily designed with cyber security in mind.
If you want to get in on the effort, the Air Force is hosting industry days to talk to potential vendors on April 9, 10 and 11 at Hanscom Air Force Base, MA.
Well, here's another sign of China's rise: the Asian giant has replaced Britain as the world's fifth-largest weapons supplier, according to the Stockholm International Peace Research Institute.
As SIPRI notes, this is the first time that Britain hasn't made the top five since the institute started the rankings in 1950. The amount of weapons China exported increased by 162 percent between 2003-2007 and 2008-2012, bumping its share of the global arms trade from 2 percent to 5 percent.
What's behind this spike in Chinese weapons sales? Pakistan's efforts to modernize its arsenal. Pakistan has been buying everything from JF-17 Thunder fighter jets to F-22P frigates, both of which are being jointly developed by Pakistan and China and are loaded with Chinese weapons.
"China's rise has been driven primarily by large-scale arms acquisitions by Pakistan," said Paul Holtom, Director of the SIPRI Arms Transfers Program in a press release. "However, a number of recent deals indicate that China is establishing itself as a significant arms supplier to a growing number of important recipient states."
Asia and the Pacific Rim have become the new hot spots for purveyors of heavy weapons. While European nations have dramatically reduced their weapons buys in the last 20 years, countries from the Middle East to the South China Sea are beefing up their militaries alongside their growing economies.
"In the period 2008-12 Asia and Oceania accounted for almost half (47-percent) of global imports of major conventional weapons," reads SIPRI's announcement.
The top-five weapons importers from 2008 through 2009 were all in South Asia and the Far East.
"The top five importers of major conventional weapons worldwide -- India (12-percent of global imports), China (six-percent), Pakistan (five-percent), South Korea (five- percent), and Singapore (four-percent) -- were all in Asia."
As expected, the United States and Russia take the top two exporter spots, supplying 30 percent and 26 percent of global weapons, respectively. Next up is Germany, supplying 7 percent of global weapons, followed by France, with 6 percent.
Here are some more interesting facts about the global arms trade between 2008 and 2012. Notice how arms sales to North African nations are way, way up.
§ Russia accounted for 71-percent of exports of major weapons to Syria in 2008-12 and continued to deliver arms and ammunition in 2012.
§ The Arab states of the Gulf accounted for seven-percent of world arms imports in 2008-2012. Missile defense systems were an important element in their latest arms acquisitions, with orders placed in 2011-12 for Patriot PAC-3 and THAAD systems from the USA.
§ Deliveries of weapons system to Venezuela as part of its ongoing rearmament program continued in 2012. Russia accounted for 66-percent of transfers to Venezuela, followed by Spain (12-percent) and China (12-percent).
§ Imports by North African states increased by 350-percent between 2003-2007 and 2008-12, which was almost entirely responsible for a doubling (by 104-percent) in imports by Africa as a whole.
§ Sub-Saharan imports increased by just five-percent. Most countries in sub-Saharan Africa imported only small numbers of major weapons, but many of these have been used in internal conflicts or in interventions in conflicts in neighboring states, most recently in Mali.
§ Greece's arms imports fell by 61-percent between 2003-2007 and 2008-12, pushing it from the number four importer to number 15. In 2006-10 Greece was the top recipient of German arms exports and the third largest recipient of French arms exports.
The National Institute for Standards and Technology or NIST -- the government institute responsible for bringing together critical infrastructure providers to decide the minimum cyber security standards they should adhere to under President Obama's cyber security executive order -- had to take its list of cyber vulnerabilities offline after it was discovered to be infected with malware.
(That's a photo of NIST' advanced measurement Lab above.)
According numerous reports in the tech press, two of NIST's servers hosting the U.S. government's National Vulnerability Database were infected with malware that took advantage of security gaps in Adobe's ColdFusion software. The kicker: the site was infected for two months before the malware was noticed and NIST took it offline last Friday.
The National Vulnerability Database is supposed to be the government's resource to give the IT security community a running list of known cyber vulnerabilities.
"Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites," a NIST spokeswoman said in a March 14 statement posted to Google+ by Kim Halavakoski, chief security officer at Crosskey Banking Solutions, which noticed the database was offline while trying to research cyber vulnerabilities.
So yeah, it looks like the government agency charged with helping develop cyber security best practices didn't follow a key best practice; regularly updating its software.
When looking for a photo for this piece, Killer Apps noticed that NIST's photo gallery is also unavailable, let's hope it wasn't infected too.
We've got a phone call in to NIST, we'll let you know when we hear back.
UPDATE : A NIST spokeswoman just emailed Killer Apps to say that the database and several other NIST sites are back up and running.
Please note that the following web sites are now back up. There may be some associated web sites or aliases that are not yet up, however.
Army Gen. Keith Alexander, head of U.S. Cyber Command, yesterday said that civilian agencies should have the lead in responding to most cyber attacks on U.S. soil.
"From my perspective the domestic actor would be the FBI," said Alexander, responding to a question from Rep. Joe Heck about the command's role in responding to cyber attacks that originate in the United States. "We share our tools with the FBI. They work through the courts to have the authority to do what they need to do in domestic space to withstand an attack."
Cyber Command and FBI Director Robert Mueller have "come up with a way that he would do inside [the U.S.] and we would do outside," Alexander added, in testimony to a House Armed Services subcommittee.
Alexander went on to point out that DOD, the FBI, and the Department of Homeland Security are hammering out ways to share information on cyber threats extremely quickly -- figuring out where the attack is coming from; determining whether it's a criminal, espionage, or destructive attack; and allowing the appropriate agency to take the lead while receiving support from the others.
"There may be points and times where you have, you know, significant attacks where we need to change parts of that [civilian-led response structure], but the key thing is to have him [Mueller and the FBI] do inside the country," said Alexander. "He would work with the courts as appropriate to do his portion of the mission. Outside the country, that's where we would operate." (Click here to read about the offensive cyber teams that DOD is standing up to conduct operations outside the United States.)
It's worth noting that some of the teams that Cyber Command is establishing to "operate and defend" networks will work closely with "DHS and FBI as required," said Alexander.
Still, as Alexander noted, "the Defense Department will do its part to defend the country. It's not going to just defend itself. Our job is to defend the country and the focus would be obviously on critical infrastructure, just as it would be in kinetic and other things."
He elaborated on the key questions that govern the debate as to when the military becomes deeply involved in responding to a cyber incident.
"The issue becomes, when does an exploit become an attack, and when does an attack become something that we respond to? Those are the policy decisions, and the red lines that go to those will be policy decisions" for the White House, said the four-star. "Our job would be to set up the options that the president and the secretary could to stop [destructive cyber attacks from an outside enemy]. And as you may recall, both the former president and the current president have both said that they would keep the options open in this area. I mean, I think that's reasonable, from using State Department to demarche, all the way over to kinetic options or cyber. So they have that whole range."
Around the same time millions of people around the world were waiting for the new pope to appear on the balcony of Saint Peter's Basilica today, U.S. President Barack Obama was talking cyber security with the CEOs of 13 major American corporations.
(It should be noted that most of the businesses are banks, energy firms, transportation companies, defense contractors and communication providers -- businesses that might be classified as critical infrastructure providers.)
The meeting came one day after the U.S. Intelligence Community (IC) released its annual World Wide Threat Assessment -- with cyber warfare at the top of the list, ahead of terrorism and weapons of mass destruction. It also comes a day after the head of U.S. Cyber Command, Army Gen. Keith Alexander unveiled more information about the military's offensive capabilities and warned that a major, destructive cyber attack could cause more damage than the 9/11 terrorist attacks. However, when unveiling the IC's threat assessment, Director of National Intelligence James Clapper played down the risk of a catastrophic cyber attack, calling it "remote."
Anyway, here's the White House's readout of the president's meeting to discuss cyber with CEOs. Enjoy.
This afternoon, a group of CEOs met in the Situation Room with senior White House and NSC officials to discuss cybersecurity and the threat it poses to our economy and our security. The President joined this meeting to demonstrate the importance he and his Administration place on the issue of cybersecurity. Today's meeting was part of the Administration's ongoing dialogue with the private sector on cybersecurity.
The President and the CEOs discussed the increasing cyber threats to our critical infrastructure and our economy. They discussed the efforts the U.S. Government is taking to address these threats, including diplomatic engagement and the President's recently signed Executive Order. The President and the CEOs discussed how the government and private sector can build on our cooperation to improve the nation's cybersecurity. And finally, they discussed the need for cybersecurity legislation to enable government and industry to more effectively address these cyber threats.
The following CEOs attended:
- Nicholas Akins, President and CEO, American Electric Power Company, Inc.
- Ursula Burns, Chairman and Chief Executive Officer, Xerox Corporation
- Wes Bush, Northrop Grumman Corporation
- Clarence Cazalot, Chairman, President and CEO, Marathon Oil Corporation
- David Cote, Chairman and CEO, Honeywell International, Inc.
- Scott Davis, Chairman and CEO, United Parcel Service, Inc.
- James Dimon, Chairman and CEO, JP Morgan Chase & Co.
- David Melcher, CEO and President, ITT Exelis
- Brian Moynihan, President and CEO, Bank of America Corporation
- Eric Spiegel, President and CEO, Siemens Corporation
- Randall Stephenson, Chairman and CEO, AT&T Inc.
- Rex Tillerson, Chairman and CEO, Exxon Mobil
- Maggie Wilderotter, Chairman and CEO, Frontier Communications
That's right, this is why we can't have nice things. Debris from the satellite China destroyed with an anti-satellite missile in January 2007 has finally done what everyone was afraid of: it hit another satellite, possibly causing serious damage.
According to Space.com, the debris from China's 1,600-pound FY-1C weather satellite collided with Russia's tiny "Ball Lens In The Space (BLITS) retroreflector satellite" (we have no idea what that means, either) on January 22.
Like we said, the international community has been worrying about this for a long time. Almost immediately after China shot down its relatively new satellite just to show that it could, it was condemned by the U.S. government for introducing a massive cloud of dangerous debris into the very crowded orbital highways. (The image above shows the debris stream roughly one month after the test, the lone white track represents the orbit of the International Space Station.)
China is believed to have used a modified version of its DF-21 ballistic missile (the same missile on which its DF-21D carrier-killer is based) to smash the satellite orbiting 537-miles above Earth into 2,841 pieces of "high-velocity" debris. That debris has twice passed close to the International Space Station.
To be fair, the United States destroyed an orbiting satellite for similar reasons -- to prove it could -- using a missile lobbed into space by an F-15 Eagle fighter in 1985. That test was reportedly rushed before Congress banned such activities due to the dangers posed by space debris and a desire to avoid militarizing space.
Anyway, the ever growing cloud of space debris and trash is a huge driver behind the U.S. military's push to improve its so-called Space Situational Awareness. Basically, it wants to know what's going on in the vicinity of all of its satellites so that it can steer them clear of a potential collision. Right now, the U.S. and other nations mostly rely on catalogues listing the orbits and last known locations of debris and satellites instead of real-time monitoring.
Army Gen. Keith Alexander, head of United States Cyber Command, dropped several interesting nuggets about the military's cyber forces during a Senate Armed Services Committee hearing today.
First off, the command is fielding 13 offensive cyber teams that are tasked with deterring destructive cyber attacks against the United States. While Alexander said these are offensive teams, he insisted their role is defensive: "Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace."
If you have trouble making sense of that, you're not alone. After the hearing, Alexander compared the teams to missile defenses. (Click here to read some of the Defense Science Board's recent suggestions for deterring destructive cyber attacks with some pretty offensive weaponry.)
"We are already developing the teams that we need, the tactics, techniques, and procedures and the doctrine for how these teams would be employed, with a focus on defending the nation in cyberspace," said Alexander in his opening statement.
In addition, the command is developing 27 teams that will provide assistance in planning offensive cyber operations to the regional combatant commands -- the military organizations around the globe that are tasked with actually fighting wars.
Finally, the command is organizing a number of teams, Alexander didn't say how many, aimed at defending the military's networks against cyber attacks.
"Those three sets of teams are the core construct for what we're working with the services to develop our cyber cadre," said Alexander. "The key here is training our folks to the highest standard possible."
One third of these teams will be stood up by September 2013, the second third in late 2014, and the final third will be in place a year after that, he told lawmakers.
The Army four-star also said in his written statement that in addition to 917 troops and civilians at Cyber Command headquarters in Maryland (with a budget for FY13 of $191 million), there are more than 11,000 people from all four armed services working cyber issues for the command. (Click here for Killer Apps' recent look at the total expected number of cyber troops in the U.S. military. The numbers we saw were a lot higher than 11,000.)
Alexander's testimony comes as Defense Secretary Chuck Hagel is looking at whether or not to elevate Cyber Command to a full-unified command. Cyber Command currently reports to U.S. Strategic Command.
Later in the hearing Alexander said he agreed with Sen. Lindsey Graham's (R-SC) statement that a major cyber attack that devastated the U.S. power grid would do "as much or more damage" as the 9/11 terrorist attacks. On the other end of the spectrum, Alexander said that the denial of service attacks like the ones suffered by major U.S. banks last fall are best dealt with by Internet Service Providers, not the government. He went on to say that in addition to the Obama administration's recent cyber security executive order, legislation is needed to allow private businesses to share information about cyber attacks they are suffering in real time with the U.S. government.
Also today, the U.S. Intelligence Community released its annual World Wide Threat Assessment, featuring cyber at the top of the list, ahead of terrorism. However, U.S. Director of National Intelligence James Clapper told lawmakers today when unveiling the assessment that the risk of major destructive cyber attacks against the U.S. by a major cyber player like Russia or China "is remote." Remember, Russia and China are the two powers most frequently cited as being able to execute a catastrophic destructive attack against the U.S. Still, many would point out these countries have little interest in doing so.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.