We've been hearing for years now that the U.S. military's crop of slow-moving spy planes fielded for the wars in Iraq and Afghanistan -- ranging from MQ-9 Reaper drones to manned MC-12 Liberties -- will be totally useless in a fight against an adversary armed with sophisticated radars and anti-aircraft missiles (often labeled anti-access/area denial (A2/AD) weapons).

This, of course, is how the U.S.  Air Force and Navy are justifying the development of a host of stealthy strike and spy jets (manned and unmanned), missiles and electronic warfare weapons designed to fight countries equipped with sophisticated weapons designed to keep U.S. forces far from their borders.

However, the Air Force's spy arm -- officially called the Air Force Intelligence Surveillance and Reconnaissance (ISR) Agency -- is experimenting with flying low and slow prop-driven spy planes in skies where advanced air defenses are present. In late February, the agency sent several squadrons of Air Force intelligence assets to play in the service's legendary air combat exercise known as Red Flag over the Nevada desert.

"One of the things that we need to figure out is how much risk would we have to take to fly airborne ISR assets ... in a non-permissive environment," said Col. Mary O'Brien, commander of the Air Force's 70th ISR Wing during a speech late last week. "Initially, we had said, ‘well you could never fly them because there would be risk.' But one of the things that you can practice at Red Flag is you can build a package that includes defenses and then see."

The agency managed to successful fly a propeller-driven MC-12 Liberty -- based on Beechcraft's civilian King Air -- to collect intelligence in the face of a simulated advanced air defense network that featured Soviet-designed SA-6 surface-to-air missiles.

"It was not shot down but that's a case of one," said O'Brien. "It made us say, ‘this should be perhaps an exercise objective in a future Red Flag."

(While the MC-12 is a slow, twin turboprop of the type you'd see at your average small town airport, it might help that the SA-6 is a 1970s-vintage system used by dozens of countries that the United States has had decades to figure out how to defeat.)

She went on to say that while advanced enemy air defenses would pose a big threat to planes like the MC-12, U.S. forces may be able to provide such planes with protection for just long enough to collect some pieces of vital intelligence.

"How long do we need to operate in that environment?" asked O'Brien. "Maybe you don't need air supremacy and maybe you only need air superiority for this amount of time depending on what you want to do." 

The whole point of sending prop-driven ISR planes into the fight is  getting people to think about the notion that "hey, we don't need to sit everything on the ramp that we used in Iraq and Afghanistan.... Let's start thinking about" how these aircraft might play a role in a future fight.

She wouldn't say what type of protection the Liberty had as it flew its mission, it could have been anything from fighter escorts who were hunting down the enemy radar and missile sites to advanced electronic warfare gear that jammed enemy sensors or some combination of both.

Investigators sifting through the flood of cellphone, surveillance camera, and TV footage of Monday's bombings at the Boston Marathon are being aided by technology similar to the software that the military has used to collect intelligence about IED attacks in Iraq and Afghanistan.

"There's a different twist to it this time. The different twist is the increased degree of crowd-sourcing if you will, in terms of providing information. You have many, many more sensors in the context of people with video devices in their smartphones," said retired Lt. Gen. David Deptula, who was in charge of the Air Force's intelligence efforts from 2006 to 2010. "You had many, many more collectors than we had in the past."

The amount of video and photo documentation of the marathon attacks may be unprecedented, so how do you sift through all that data quickly to find clues? Software, naturally.

As ABC News reported, investigators from the FBI's Operational Technology Division are likely using a computer program that can do things like recognize faces in a crowd if they match those listed in a criminal database. This is similar to the software that the military has been developing for years in an effort to quickly glean information from UAV videos.  

As the U.S. military flocked to the skies of Iraq and Afghanistan with all manner of camera-equipped spy-planes, intelligence officials soon realized they were collecting far more footage -- thousands of hours a day -- than human beings could sort through in time to use the information it contained. The military turned to tech companies to produce software capable of quickly identifying certain things analysts were looking for -- say, a red Toyota pickup truck that had been seen at a bombing site.

"There are software programs that are out there that allow one to rapidly search through that information and key in on what the investigators may find of interest," said Deptula. "Exponential growth is not hyperbole when it comes to motion imagery, much less still imagery, because we've had an explosion in that kind of information. As the information [available] has grown, people have moved from human analytic teams to more automated means to sift through all that data."

"Let's say somebody reported that they saw somebody that was Caucasian, with a yellow sweatshirt, with powder burns on their hands running away before the explosion -- that's a hypothetical -- you could tell the software to look for a yellow sweatshirt, Caucasian running before a certain period of time," said Brian Cunningham, a former White House security official and now a senior advisor to the Chertoff Group who works with firms that develop this kind of software. New York City and London both have massive video surveillance systems that use similar software.

Still, another homeland security consultant who wished to remain anonymous tells Killer Apps that it might not be that easy. First of all, Boston doesn't have a massive, centralized video camera system the way New York does. Many of the images will come from people's phones and other private cameras, meaning that investigators will probably have to receive and review each photo and film clip individually.

"There are some automated tools that exist for this type of thing, but for the most part it's just a very labor-intensive process to go through things and try to correlate and sequence things in time and look for suspicious activity and then try to build a profile for how somebody's moving around," said the former DHS official. "There are capabilities like in London and lower New York where they can follow a person who is of concern as they walk from camera to camera. When you're dealing with public-source information it's just a different process."

Cunningham agrees that while the Boston Police Department or the FBI has the software capable of identifying a particular person or bag as they appear in the mountains of video, investigators still face the challenge of uploading all that footage so the software can analyze it. "The biggest challenge will be: how do you upload that volume of video onto a single server or a couple of servers that can be searched against?" he said.

Investigators have identified two people they want to talk to in connection with suspects (see the video above) in the Boston bombing. But, Cunningham said, "It's not clear yet whether it was good old-fashioned shoe leather as much as analytic software."

He explained how the process could work: "You'd figure out where the devices were, and while you had street cops out interviewing people and collecting video of cellphones and you would go to fixed cameras in department stores or ATMs and pole cameras that are right around the area of the devices" and then upload the footage into the software, said Cunningham. "They also may have just had officers sitting there watching the footage. Let's say there were 15 cameras that were fixed, that had a good line of site of where the device was, then you could throw 100 officers at it; you probably wouldn't need software."

Cunningham also points out that investigators are working with cellphone companies to find cellphone records of the calls that were made close to the site of the explosions. Cellphones might allow them to find calls that were used to detonate the explosives. It's not clear if the explosives were triggered by timing devices or cellphones. Initial reports suggest that at least one of the suspects sought by investigators was actually talking with someone on the phone rather than triggering a bomb.

"Once they know what cellphone was his, that's the jackpot because they can find out where he was right before, and they can find out where he is today if he's dumb enough to be carrying that same cellphone," added Cunningham. Even if the phone the suspect used was a cheap, pay as you go phone, investigators would immediately begin to look for the store where that phone was sold.

Despite a climate of what defense officials love to describe as "fiscal uncertainty," the Pentagon's 2014 budget request includes $4.7 billion for increased "cyberspace operations," including dozens of cyber attack teams, the Defense Department announced today. To give you some sense of just how much cyber has increased in importance over the last year, the DOD’s 2013 budget overview mentions "cyber" 47 times while the 2014 overview mentions it 153 times. Last year's budget provided $3.9 billion for cyber according to DOD Comptroller Robert Hale. This money will be used to "increase defensive capabilities and develop the cyber Joint Force," according to the budget proposal.

What's that mean in English? The billions will support the Pentagon's previously announced plan to field dozens of cyber-combat teams that will protect the country from devastating cyber attack.

Thirteen of these teams -- called "defend the nation" teams -- are geared toward offensive operations aimed at deterring cyber attacks. Twenty-seven teams will support battlefield commanders around the globe by giving them cyber attack capabilities. The remainder will focus on defending DOD's networks from cyber attack.

These teams will be composed of a mix of civilian and uniformed personnel at locations across the country.

The increased funding "provides manpower, training and support costs for regional cyber mission teams to be located in Maryland, Texas, Georgia, and Hawaii as well as other Combatant Command and military service locations," the budget proposal says. "In addition, manpower at the National Security Agency continues to be funded to provide both cyber security and intelligence support to the USCYBERCOM teams."

Continued investment in cyber is listed as one of the "Key Priorities" in the budget, along with missile defense, space programs, science and technology efforts, personnel pay, and funding National Guard and reserve forces.

Here are the other cyber highlights of the 2014 budget as listed by DOD:

• Continues to support the construction of the Joint Operations Center for USCYBERCOM at Fort Meade, Maryland. Planned construction begins in FY 2014 with occupancy scheduled in FY 2017.

• Provides funding to develop tools to automate vulnerability detection on classified networks.

• Provides funding for commercial software for data monitoring of defense networks that will identify and isolate suspect files for analysis.

• Continues to robustly support cyberspace operations Science and Technology programs.

• Continues to support defensive cyberspace operations providing information assurance and cyber security to the Defense networks at all levels.

• Provide funding to enhance cyberspace range capabilities by increasing capacity, improving pre- and post- exercise analysis, and mainstreaming and sustaining capabilities of the National Cyber Range developed by the Defense Advanced Research Projects Agency under the oversight of the Department's Test Resource Management Center.

Killer Apps kicked off the week with a quote about the true cost of cyber crime being equivalent to a rounding error when compared to the size of the overall economy. We're going to end it with an interesting quote about what might quell China's campaign of cyber-espionage and trade-secret theft.

"The old trope was always, the Chinese will begin to respect our intellectual property when they have intellectual property of their own to defend," said James Mulvenon, VP of intelligence at Defense Group, a consulting firm, during a breakfast in Washington yesterday. "What we're starting to see on the Chinese side is the intra-company hacking between Chinese companies is having almost more effect on their attitude about a cybersecurity regime in China, than it is about responding to our demarches about their activity."

We've been bombarded with messages from cyber security firms to lawmakers about a massive Chinese cyber espionage campaign for years. U.S officials have been increasingly vocal in calling out China and the White House just released its new strategy aimed at combating the theft of trade secrets via law enforcement and increased diplomatic pressure on China. One of the criticisms that I've heard many times is, what can the U.S. do if China simply ignores its requests to stop stealing U.S. trade secrets? If Mulvenon is correct, maybe we all we have to do is wait.

We hear a lot about Chinese and Iranian hackers, but we don't usually hear much about North Korea. In the wake of this week's cyber attacks against South Korean banks and television stations, though, there have been several news reports claiming North Korea is one of the world's top cyber players. (The image above shows South Korean cyber investigators looking into this week's attacks) While there's no doubt that the North Korean military has growing cyber capabilities, most experts wouldn't put them at the top of the list in terms of ability or sophistication.

"Limited internet access, limited electricity, bad infrastructure means that North Korea isn't a place you'd look for a hacker culture," Jim Lewis of the Center for Strategic and International Studies told Killer Apps today. "The tendency is to overestimate their capabilities. When you look at their nuclear weapons or their missiles, yeah they have them, but they're pretty primitive. Hacking probably tracks with their other programs."

"Are they trying? Sure, they've been trying since 1995, 1996 when Korean diplomats in the UN began to take computer programming courses in New York," added Lewis. "But the idea that they have low capabilities in all these areas and high capabilities in this one area [cyber] is just a little bit hard to believe."  

Here's what the intelligence unit at cyber security firm Mandiant tells Killer Apps about the North Korean military's cyber endeavors:

While we are unable to determine the extent of North Korean cyber capabilities, we anticipate they may be capable of offensive cyber operations, cyber espionage, and surreptitious intelligence collection on individuals or organizations they perceive as threatening.

North Korea's Automation University graduates around 100 skilled cyber specialists each year and several academies and schools in North Korea now focus on training electronic warfare specialists that support at least two hacker brigades. The majority of North Korea's cyber activities, as reported in the open press, have focused on South Korea. However, we consider that North Korea could target U.S. commercial entities for military or dual use technologies it lacks due to ongoing trade sanctions. During times of heightened political tensions, targeting critical infrastructure or computer networks of either South Korea or the United States might appeal as a perceived lower-risk form of escalation.

We believe North Korea will become more active in the cyber domain as the regime struggles to maintain legitimacy as a military power amid international scrutiny surrounding its nuclear program. Computer network operations employed as a lever of influence, coercion or disruption might appeal to North Korean authorities constrained by the sanctions regime.

Army Gen. Keith Alexander, head of United States Cyber Command, dropped several interesting nuggets about the military's cyber forces during a Senate Armed Services Committee hearing today.

First off, the command is fielding 13 offensive cyber teams that are tasked with deterring destructive cyber attacks against the United States. While Alexander said these are offensive teams, he insisted their role is defensive: "Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace."

If you have trouble making sense of that, you're not alone. After the hearing, Alexander compared the teams to missile defenses. (Click here to read some of the Defense Science Board's recent suggestions for deterring destructive cyber attacks with some pretty offensive weaponry.)

"We are already developing the teams that we need, the tactics, techniques, and procedures and the doctrine for how these teams would be employed, with a focus on defending the nation in cyberspace," said Alexander in his opening statement.

In addition, the command is developing 27 teams that will provide assistance in planning offensive cyber operations to the regional combatant commands -- the military organizations around the globe that are tasked with actually fighting wars.

Finally, the command is organizing a number of teams, Alexander didn't say how many, aimed at defending the military's networks against cyber attacks.

"Those three sets of teams are the core construct for what we're working with the services to develop our cyber cadre," said Alexander. "The key here is training our folks to the highest standard possible."

One third of these teams will be stood up by September 2013, the second third in late 2014, and the final third will be in place a year after that, he told lawmakers. 

The Army four-star also said in his written statement that in addition to 917 troops and civilians at Cyber Command headquarters in Maryland (with a budget for FY13 of $191 million), there are more than 11,000 people from all four armed services working cyber issues for the command. (Click here for Killer Apps' recent look at the total expected number of cyber troops in the U.S. military. The numbers we saw were a lot higher than 11,000.)

Alexander's testimony comes as Defense Secretary Chuck Hagel is looking at whether or not to elevate Cyber Command to a full-unified command. Cyber Command currently reports to U.S. Strategic Command.

Later in the hearing Alexander said he agreed with Sen. Lindsey Graham's (R-SC) statement that a major cyber attack that devastated the U.S. power grid would do "as much or more damage" as the 9/11 terrorist attacks. On the other end of the spectrum, Alexander said that the denial of service attacks like the ones suffered by major U.S. banks last fall are best dealt with by Internet Service Providers, not the government. He went on to say that in addition to the Obama administration's recent cyber security executive order, legislation is needed to allow private businesses to share information about cyber attacks they are suffering in real time with the U.S. government.

Also today, the U.S. Intelligence Community released its annual World Wide Threat Assessment, featuring cyber at the top of the list, ahead of terrorism. However, U.S. Director of National Intelligence James Clapper told lawmakers today when unveiling the assessment that the risk of major destructive cyber attacks against the U.S. by a major cyber player like Russia or China "is remote." Remember, Russia and China are the two powers most frequently cited as being able to execute a catastrophic destructive attack against the U.S. Still, many would point out these countries have little interest in doing so.

Think you knew all there was to know about Stuxnet, the worm that was discovered in 2010 to have destroyed thousands of uranium enrichment centrifuges at Iran's Natanz nuclear facility? Think again. It appears that an early version of the worm was attacking Iran's nuclear program years before the version that made headlines in 2010 was unleashed, according to a new report by the IT Security firm Symantec.

Dubbed Stuxnet 0.5, the early version of the worm attacked Iran's nuclear program by closing valves that allowed uranium hexafloride gas (UF6) to flow into the centrifuges at Natanz, according to Symantec. Cutting off the flow of UF6 would, in theory, damage the centrifuges. (Click here for a primer on gas centrifuges.)

This apparently didn't work as well as Stuxnet's designers wanted it to and we saw later versions of the worm that famously caused the centrifuges to spin out of control -- thereby destroying them. Stuxnet 0.5 was under development as early as November 2005 and in the wild by November 2007 with orders to shut down by July 2009 -- the year that the version aimed at causing the centrifuges to spin out of control was developed, according to Symantec.

"The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now," reads a Symantec blog post accompanying the report.

Remember, Stuxnet was reportedly the work of a U.S.-led cyber campaign against Iran known as Operation Olympic Games. At the time of its discovery the worm was considered to be one of the most advanced cyber weapons ever fielded. The worm reportedly took an unprecedented amount of time, expertise, and money to create.

As a Symantec blog post says, "Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure."

The malware was designed to worm its way (See what I did there?) harmlessly around the globe until it found its precise target, the Siemens-made programmable logic control (PLC) computers that ran the centrifuges at Natanz. Once there, it attacked. You know the rest.

Some cybersecurity experts fear that cyberweapons like Stuxnet can be revers- engineered and used against their creators or sold on the ever-growing black market for cyber weapons.

"The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," said cyber security expert Eugene Kaspersky last September in Washington. "Cyber weapons are different" because the victims "can learn from" weapons used against them.

As another cyber security expert told Killer Apps last fall:

Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."

"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."

These new revelations are unlikely to assuage such fears.

The U.S. government has and will continue to confront senior Chinese government officials "at the highest levels" about the massive amounts of cyber theft and espionage being committed against the United States by Chinese hackers, a senior White House official said today.

"We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so," said the official in a statement emailed to Killer Apps Monday morning in reaction to cyber security firm Mandiant's new report detailing the exploits of a Chinese government cyber espionage unit.

"The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information," said the official, whose comments come a week after the White House introduced its cyber security executive order aimed at protecting critical infrastructure providers -- a relatively small group of banks, transport firms, energy companies, defense contractors and communications providers -- from crippling cyber attacks that would impact large numbers of Americans. The Pentagon is famously bolstering its offensive cyber capabilities in an effort to deter destructive cyber attacks against the United States.

The news of Mandiant's findings, first reported by the New York Times, also comes a week after Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called on the United States to confront China on its reportedly widespread cyber theft and espionage campaign against U.S. government and businesses. (Click here to read Killer Apps's recent interview with Mandiant's chief security officer on China's massive espionage campaign.)

"We need direct talks with China, and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps after a speech at the Center for Strategic and International Studies Wednesday. "This is a problem of epic proportions here and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date."

Rogers suggested that the United States begin implementing trade sanctions and "identifying individuals who participate in this, go after their visas, go after family travel -- all of the levers we have at the Department of State. The problem is that bad.

White House officials have repeatedly declined to discuss the specific steps they are considering taking to counter Chinese cyber aggression.

The United States is reportedly preparing a National Intelligence Estimate detailing Chinese cyber attacks against U.S. interests.Last year, Rogers's committee urged U.S. companies not to deal with Chinese telecommunications firms Huawei and ZTE, accusing the two of spying on U.S. businesses for the Chinese government. Also last year, U.S. Army Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency called cyber crime "the greatest transfer of wealth in history."

The White House official went on to call for the United States and China to "continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."

The effort to establish international rules of the road, or norms of behavior, in cyberspace based on the law of armed conflict is a tricky process that may take decades to flesh out, U.S. officials have repeatedly said. 

Rep. Mike Rogers said today that Iran may pose the highest risk of a destructive cyber attack on U.S. critical infrastructure because its leaders are irrational. Although Russia and China are conducting large-scale cyber espionage campaigns, he explained, Iran has fewer qualms about launching a destructive attack.

"You have nation-states like Iran who are developing this capability, and they're not a rational actor when it comes to trying to disrupt or cause a catastrophic attack to our U.S. economy," the chair of the House Permanent Select Committee on Intelligence said during a speech Wednesday reintroducing his Cyber Intelligence Sharing and Protection Act, better known as CISPA.

Rogers said that Iran had already displayed its willingness to wreak havoc abroad in the attacks last August against the Saudi Aramco oil company and the Qatari gas firm RasGas, which wiped the data from 30,000 computers and kept employees off email for more than a week.

The U.S. government has yet to name a culprit in those attacks, but Rogers said that, based on his conversations with private sector cyber security analysts, he is "99.9 percent sure" that Iran was behind them.

"That's a new level of capability," said Rogers. "They have obviously aggressively stepped up their campaign."

He then pointed to last fall's denial of service attacks against U.S. banks as also being the work of Iranian cyber operators, though he acknowledged those attacks were far less sophisticated and damaging.

"Most people believe that was a probing action, they're trying to find deficiencies in our systems to find a better way to come back and cause some catastrophic disruption," Rogers said. "You can imagine how devastating it would be, not just getting into that system but actually breaking that system, manipulating and changing data, and destroying data. Devastating. That could bankrupt a company."

Rogers said that Russia and China would be unlikely to attack the United States in peacetime, but that Iran is a different story.

"I think they're eager and ready to ramp up their actions against the United States," he said to reporters after his speech. "Here's a country that's feeling isolated. Sanctions are hurting badly. You saw them reach out and strike Aramco. This is the same country that tried to kill the Saudi ambassador here in Washington DC. This is not a country that's going to make a rational decision about attacks of this nature."

With the White House expected to release its cyber security executive order as early as tonight, Killer Apps spoke with some private sector cyber security experts on what they would like to see. Almost all agreed that the Obama administration -- and Congress -- need to do something to help protect the nation's banks, transport companies, energy firms, defense contractors, and other companies on which millions of people rely, from a crippling cyber attack.

"It's a public security and a public safety issue, and it needs some level of government oversight because you cannot let market forces completely go in areas where public safety is involved," said Ashar Aziz, chief technology officer of FireEye. While Aziz and other IT security executives Killer Apps spoke with recently agreed that the government needs to do something to ensure that critical infrastructure providers are adequately protected against cyber attacks, they caution that an executive order or legislation should not dictate technical security measures (such as specific pieces of software) that could quickly become obsolete.

"The regulations don't need to be specified in terms of technology, they need to be specified in terms of posture," said Aziz. "You need to look at where the [evolving] threats are, how the threats operate, and what is needed to counter such threats. . . . All we need to say is, the critical networks need to have safeguards to protect against unknown threats, independent of technology. Use whatever the best commercially available products on the market are."

Some suggest that the government could follow the model used by the credit card industry's security organization, Payment Card Industry Security Standards Council, whose members develop security standards and audit companies that process credit card payments. If a company fails an audit, the council has the power to ban that firm from processing credit cards.

"It specifies 12 different things that companies need to do in order to secure credit card data," such as encrypting credit card data and using firewalls. "An auditor will walk in and look and see how well you followed that 12-step criteria," said Rob Rachwald, manager of IT security strategy at Imperva. "If you're found out of compliance, different penalties could apply. They may be financial penalties. Worst case -- and this doesn't happen very often but it does happen -- your ability to transact credit cards is pulled.

Roger Thornton, chief technical officer at AlienVault, agrees with the approach.

"What you want to specify is, ‘the end result I [the government] want you to achieve. You're all smart and you'll all find different ways to achieve it'," said Thornton of what any cyber legislation should say. That end result would involve limiting how many break-ins each firm suffers or how many IT security vulnerabilities the firm has.

The execs also agreed that provisions allowing for rapid information sharing on cyber threats, and the best way to defend against them, between the government and private businesses needs to be in any executive order or legislation.

"We really need good threat intelligence sharing, these attack frequently come in campaigns and these campaigns target multiple organizations," said Aziz. "We need a real-time view of a threat landscape. I believe it's possible to provide that in a way that does not violate or compromise the consumer's or the public's information privacy."

The Cyber Security Act of 2012, which failed to pass the Senate last fall, contained provisions aimed at encouraging businesses to share information with the government about cyber attacks they had suffered by freeing them of liability for improperly sharing citizens' private information.

"We all recognize that cybersecurity is a [government] problem because a lot of these attacks are coming from overseas," said Rachwald. "What would happen for example, if the government ponied up a community resource center" aimed at sharing information about cyber attacks against U.S. firms and the best responses to those attacks.

Rachwald agreed that the government should order companies to constantly scan their networks for actual intrusions, not just potential vulnerabilities -- under the premise that all networks will be penetrated, no matter how good their security.

Richard Bejtlich, chief security officer with Mandiant told Killer Apps that simply ordering that firms adhere to certain standards won't work. Businesses need to be audited for actual intrusions.

"I would like to see some type of annual requirement, maybe starting with critical infrastructure, that says, at the very least on an annual basis, are you compromised?" he said. "You need to know, are the Russians inside your network, are the Chinese inside your network doing damage and have it be an annual test. All this vulnerability-based we've been doing for the last 10 or 15 years doesn't make any difference."

Companies would have to report publicly if they had been penetrated -- something that might prompt innovation in cyber defense since firms won't want to be known for having bad network security. "I see it as the same thing as a financial audit, are you a going concern, what kind of money are you making, what kind of money are you losing? As a shareholder, I want to know, is some of the intellectual property that drives this investment in someone else's hands."

Still, Bejtlich admits that this approach is "fairly intrusive, so the likelihood of that happening is low, instead, we're likely to see more standards."

Jeffrey Carr, CEO of Taia Global, echoed Bejtlich's sentiment, arguing that the SEC's current recommendation that companies disclose cyber attacks, should be made mandatory. President Obama's executive order should "encourage the SEC to make their cyber security guidelines into requirements," said Carr in an email to Killer Apps. "At the very least, to require registrants to reveal their degree of cyber risk."

Bringing the PCI audit model and using it to find actual penetrations on networks instead of monitoring for vulnerabilities may be workable, according to another cyber security expert.

The "idea of continuous monitoring linked to mitigation, if you can fit that into the credit card model, then that makes sense," said James Lewis of the Center for Strategic and International Studies. "The idea of monitoring for weird behavior is a good one, if massive files are being transferred out of your network at 3:00 in the morning, you know something's up."

When asked by Killer Apps about the business lobby's claim that critical infrastructure providers are doing a good job at cyber security and that no government action is needed, Lewis said, "Why are the banks squealing for help from NSA?"

Below is the email that the Department of Energy sent to its employees notifying them that the personal information about several hundred DoE staff and contractors at the department's Washington headquarters (shown above) may have been accessed by hackers.

You'll notice that DoE mention who might have been responsible for the attack and it makes no mention of whether classified information regarding nuclear-anything was accessed.

(Several media accounts have said Chinese hackers were to blame and that the cyber attack didn't access nuclear-related information.) 

You can also see that DoE is in the early stages of figuring out the details and full extent of the attack.  From the early reports, it sounds like this could have been a spear phishing email attack. If that's the case, an employee at DoE likely got a professional sounding email with a special file attached that contained malware, once the staffer clicked on the file, the hackers were into the department's networks. What would hackers/spies want with staffers' and contractors' email and the info contained within? For one thing, they could use it to crack security safeguards to other networks that contain classified information.

Click here to read an article about DoE's Inspector General's report on the department's cyber security practices from last fall that points out a bunch of cyber vulnerabilities.

Here's the email:

Employee Notification

The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).

The Department is strongly committed to protecting the integrity of each employee's PII and takes any cyber incident very seriously. The Department's Cybersecurity Team, the Office of Health, Safety and Security and the Inspector General's office are working with federal law enforcement to promptly gather detailed information on the nature and scope of the incident and assess the potential impacts to DOE staff and contractors. Based on the findings of this investigation, no classified data was compromised.

We believe several hundred DOE employees' and contractors' PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.

Once the full nature and extent of this incident is known, the Department will implement a full remediation plan.  As more specific information is gathered regarding affected employees and contractors, the Department will make further notifications.

The Department is also leading an aggressive effort to reduce the likelihood of these events occurring again. These efforts include leveraging the combined expertise and capabilities of the Department's Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department's networks and deploying specialized defense tools to protect sensitive assets. 

Cybersecurity is a shared responsibility, and we all play an important role in maintaining the integrity and security of our networks. To help minimize impacts and reduce any potential risks, please keep the following best practices in mind:

Encrypt all files and emails containing PII or sensitive information, including files stored on hard drives or on the shared network.

Do not store or email non-government related PII on DOE network computers.

The cyber attacks by Chinese hackers against the New York Times and Wall Street Journal, and possibly Bloomberg, are just the latest episode in a long-term effort by China against the West, says one cyber security expert whose firm was hired to defend the Times networks from the attackers.

While the hacks against the Times and Journal are considered pretty low-key cyber crimes (since they didn't steal money, property, or destroy the newpapers' networks) in the United States, China may view them as part of an almost military-style campaign to secure its rise a major world power, according to Richard Bejtlich, chief security officer at Mandiant, the IT security company hired by the Times to respond to the attacks,.

"I tend to [view] war from the perspective of the East; war is an ongoing condition that involves social, political, economic [efforts], it's not strictly troops on a field," Bejtlich told Killer Apps.  "So from that perspective, [the hacks are] part of the global cyber war that the East is waging more or less against the West."

The attacks against the newspapers are the latest in a long list of cyber espionage attacks against U.S. targets -- ranging from defense contractors working on the F-35 Joint Strike Fighter program to the White House and even Washington think tanks.

"There's been no slowdown" in the onslaught of cyber attacks emanating from China, despite the ever increasing amount of attention Chinese hackers have been getting in the press, said Bejtlich.

The attacks are aimed at getting intelligence that may help Chinese leaders gain insight about their U.S. counterparts decision-making, learn military secrets, and steal intellectual property than can help Chinese businesses produce military and civilian technology that is on par with products made in the West.

"Almost universally, we don't see these type of actors seeking to do destructive activities," said Bejtlich. "Though with the level of access that they have, it wouldn't be a problem, it's just not one of their goals."

The spear phishing attacks against the newspapers were "not that sophisticated," he added. "This wasn't the best stuff we'd ever seen, for sure."

In the case of the news outlets, Chinese officials appear to want to learn what stories are being written about them before they are published. This gives China's propaganda machine a head start in pushing out a pro-China narrative, according to Bejtlich. It's an approach that has backfired, in this case, making China look worse. "This was a bad day for them," said Bejtlich.

"This was reconnaissance, espionage -- this was not a disruption attempt," said Bejtlich. "They wanted to know what [the newspapers] were going to report and who their sources were."

In the Times' case, the hackers were looking for information that reporters gathered from public documents in China for a story on the wealth of China's premier, Wen Jiabao.

"The sources were very important. The Chinese were operating from a position of, ‘who is feeding you information about the Wen family so that we can handle those people,'" added Bejtlich. "They were basically leak obsessed."

The Times and Journal are not the only major media outlets that have been targeted by Chinese hackers, according to Bejtlich. He put the number at "not quite double digits but close."

Killer Apps found it interesting that cyber security featured prominently in last week's confirmation hearing of Sen. John Kerry, with the next secretary of state calling cyber threats the nuclear weapons of the 21^st century. He even went so far as to agree with Sen. Dick Durbin's (D-Ill.) labeling of cyber security as the world's "greatest threat."

My how things have changed. During Condoleezza's Rice's 2005 confirmation hearing there was nary a mention of cyber, hackers, or even the Internet. The trickle of cyber awareness at confirmation hearings for secretaries of state and defense began in 2006, when Robert Gates acknowledged that Chinese computer hacking was a threat -- but he admitted that he wasn't too well versed in it. Fair enough: the Iraq War was raging and COIN was the theme of the day. It wasn't until 2009, with Secretary of State Hillary Clinton's confirmation hearing, that the word "cyber" was brought up.

There is almost certain to be cyber talk at Chuck Hagel's confirmation hearing tomorrow. Hagelians in the Obama administration reached out to Killer Apps earlier this month to argue that the nominee gets cyber. Stay tuned: this afternoon we'll bring you a look at how Hagel answered advance questions on cyber that the Armed Services Committee sent him.

In the meantime, here's a look at what nominees have said over the last decade. Use it as a rough, unscientific measurement to the growing cyber awareness among the U.S. government's national security leaders.

Condoleezza Rice's testimony to the Senate Foreign Relations Committee, Jan. 18, 2005:

No mention of "cyber," "Internet," or "hacker."

Robert Gates' testimony to the Senate Armed Services Committee, Dec. 5, 2006:

While the term cyber wasn't specifically mentioned, Sen. James Inhofe (R-Okla.) asked Gates for his take on Chinese hackers breaking into the U.S military and defense contractor networks between 2003 and 2006 as part of the Titan Rain attacks. Gates, admitting to being under informed about Titan Rain's details (understandably), framed these attacks as more of an intelligence and counterintelligence perspective rather than as one element in an entirely new combat domain -- akin to sea, air, space and land. That would change by the end of his tenure:

Inhofe: "But I am concerned about China, and I'd like to hear what your thoughts are. Just in the last month the Chinese hackers, as you, I'm sure, have read, have shut down the e-mail and official computer work at the Naval War College. This is referred to by this commission as the Titan Rain..."

Gates: "Yes, sir. I have not read the reports. I would be more than willing to do so. I've been aware, just from reading in the newspapers, it's been a number of years since I received any classified intelligence on what the Chinese were up to.

But it's been my impression that they've had a very aggressive intelligence-gathering effort against the United States.

Some of these other things that you've mentioned, this is the first time I've heard about that. And clearly, if confirmed, this would be something that I would want to get well-informed on."

Hillary Clinton testimony to the Senate Foreign Relations Committee, Jan. 13, 2009:

Only two years later, things had radically changed. Then Sen. Clinton mentioned "cyber" in a list of weapons of mass destruction that posed "the gravest threat" to the United States should they fall into the hands of terrorists. And she said would reorganize the state department to handle "these new threats."

Clinton: "The gravest threat that America faces is the danger that weapons of mass destruction will fall into the hands of terrorists. We must curb the spread and use of these weapons -- nuclear, biological, chemical, or cyber -- and prevent the development and use of dangerous new weapons."

She went on to say:

"You add to [traditional WMD] the growing threat of cyber terrorism, which has the potential of disrupting the networks we rely on for all kinds of things, like traffic signals and electric grids and the like, which would be incredibly disruptive and dangerous -- I mean, this is the number one threat we face, there's no doubt in my mind. So we're going to start calling it such. We're going to reorganize the department to be better prepared to deal with nonproliferation, arms control and these new threats."

Leon Panetta's testimony to the Senate Armed Services Committee, June 9, 2011:

Finally, we get to Defense Secretary Leon Panetta's June 2011 confirmation hearing where cyber security featured prominently. This was the first such hearing where the both senators and the nominee, who was then director of the CIA, seemed to have a fairly strong grasp of cyber security. Panetta hints at his desire to expand DOD's cyber fighting capabilities and its role in defending U.S. critical infrastructure from cyber attack -- something that has been one of the hallmarks of his relatively brief tenure as defense secretary. You also get the sense that Panetta understands that cyber is much bigger than buying the best software and hackers -- that dealing successfully with cyber threats may mean establishing international codes of conduct dealing with cyber war, espionage and crime.

Sen. Jack Reed (D-RI.): "There is a whole a whole new dimension [of conflict, in addition to land, air, sea], cyber. I don't think we know enough yet to be fully prepared, fully conversant, but can you comment briefly on the strategy that you will try to develop?

Panetta: "There is no question that the whole arena of cyber attacks, developing technologies in the information area represent potential battlefronts for the future. I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.

This is a real possibility in today's world. And as a result, I think we have to aggressively be able to counter that. It is going to take both defensive measures as well as aggressive measures to deal with it. But most importantly, there has to be a comprehensive approach in Government to make sure that those attacks don't take place.

My goal would be to work very closely with [NSA] and with others to develop not only the capability, but also the law that I think we need to have in order to determine how we approach this challenge in the future."

And later:

Sen. Kirsten Gillibrand (D-NY): "Can you share with us any of your vision, design, goals with regard to how we create a greater platform for cyber security and cyber defense?"

Panetta: "This is an area of great concern for me because I think what I have witnessed at the CIA and elsewhere is that we are now the target of increasing attacks that go after our systems, and it is extremely important for us to do everything we can to confront that threat.

He went on to say: "What I would like to do is to develop an even more effective force to be able to confront cyber terrorism, and I would like to work with you on the effort to try to develop those kinds of relationship not only here, but abroad, so that other countries can work with us in this effort. We talk about nuclear. We talk about conventional warfare. We don't spend enough time talking about the threat of cyber war."

Dana Stuster contributed to this report.

Operation Red October -- the newly discovered cyber spying operation that has targeted a range of diplomatic facilities, defense companies, and energy firms around the globe -- may mark an evolution of the cyber black market.

U.S. government officials have been extremely worried about the rise of hackers for hire and the associated markets for cyber crime and espionage tools for, but Red October may be one of the most sophisticated cyber espionage operations conducted by a private group. Since 2007, Red October has been using a virus called Rocra to spy on computers and smartphones used by the employees of everything from diplomatic missions to research facilities -- gathering exactly the type of information that government spy agencies want.

Kaspersky Lab, the IT security firm that announced they had uncovered Red October earlier this week, says that its perpetrators appear to be Russian-speaking, but the lab can't provide evidence that this is an official Kremlin-backed operation. The lab also can't eliminate the possibility that private hackers are responsible. That's right, we may be seeing the rise of private spy agencies, think SPECTRE or whatever Raoul Silva, Javier Bardem's character in the latest 007 film, calls his organization.

"If this is a private cyber espionage network without close state sponsoring or funding -- which seems to be the driving thesis in the Kaspersky report -- than that says something about the new terrain for how actors are working in cyberspace," Laura Galante, an intelligence analyst at IT security firm Mandiant, told Killer Apps.

"We've moved on from kind of this hacker for hire" who simply perform disruptive, denial of service attacks "and now we're into what information can we sell that would be incredibly valuable to a government, and private individuals or groups are willing to take on that kind of endeavor which is definitely riskier and requires significant funding to do," said Galante. "It's almost digital spies for hire."

"I think the big takeaway for most people will be people; this was a sophisticated attack, that's the type of thing that makes people think, ‘do we now have private espionage networks that can provide really targeted information" about high level targets to a government, said the analyst.

Still, this may well be the work of government spies, notes Galante. She points out that Red October is a sophisticated operation that's been going on for five years, meaning that it likely had significant funding and its perpetrators were probably comfortable in knowing there's a low chance they'll be prosecuted.

"To be able to function and get the information that they've supposedly got, you have to be able to operate in an environment immune from imminent prosecution," said Galante. "For something that goes after this type of information, that's a five year long operation, it's really suspicious that a completely private group of entrepreneurial hackers would have the funding to do that and have the same kind of attention to go on that long."

It's also worth noting that Kaspersky researchers found Cold War era Russian espionage slang (who knew that was a thing?) written into Rocra's code. For example, one of Rocra's modules designed to spy on smartphones was named, zakladka, possibly after the Russian slang term for a microphone bug embedded in the wall of an embassy, according to Kaspersky.

If the Kremlin is behind Red October, the discovery would give Western analysts a relatively rare window into Russia's cyber capabilities.

"If the Russian government had close ties or some sort of ability to direct and provide tasking for something like the Red October campaign, that would be the newest point for an understanding of what Russia's capabilities are," said Galante. "It definitely raises suspicions for the U.S. government about the potential of Russia's capabilities; whether we believe they're highly capable or not is the question, but it definitely raises suspicions" about how advanced Russia's cyber capabilites are.

Still, Galante warned against freaking out about the Russians coming after everyone in cyberspace.

"We don't know how capable Russia is, we don't have a lot to point to, and we should look at threats accordingly, seeing demonstrated capabilty and seeing attributed events is something we should look at before we're too giddy to deem a certain country a major threat.