When You Put The Military In Charge of 'Cyberdefense', Don't Be Surprised They Want To Go On The Offensive
from the uh,-we're-going-to-need-lots-of-bombs dept
A US Air Force officer says that America should build a military botnet and go on the offensive, so the system acts as a deterrent against future attacks. Who would be attacked? According to the BBC, “he argues that if a computer owner has failed to use anti-virus software and install the latest security patches, that machine may be a legitimate military target.” Wow. So not having anti-virus software makes it okay for the military to attack any computer? Why stop there? Why not just blow the thing up, if it is indeed a “legitimate military target”? If these are the sorts of strategies that the military sees for cybersecurity — which the officer has called “carpet bombing in cyberspace” — perhaps we’d be better off with somebody else heading up the efforts.
Filed Under: cyberdefense, hacking, military target, offense
Comments on “When You Put The Military In Charge of 'Cyberdefense', Don't Be Surprised They Want To Go On The Offensive”
Proving once again that the term “Military Intelligence” is an oxymoron. I mean look, I get it, the cyber battlefield is one we’re going to have to pay attention to, but why in God’s name do these idiots need to turn domestically? BTW, other than POSSIBLY the NSA, I can just about gurantee that no computer specialist w/i the AFIA, NIA, NCIS, etc., etc. is going to be able to compete w/the “hackers” in the public, so piss them off at your own risk, idiots.
Re: Re:
I have news for you. There are a lot of military personnel who are better than your average hacker. Mainly because a lot of them were civilian hackers. While on active duty I knew of at least a half dozen on any installation that could have made a ton of money on the outside working for major corporations. Don’t get me wrong, there are some seriously thick skulled, dim witted individuals in the military, but they aren’t all like that. In fact, most are highly intelligent. As an enlisted member, I had a college degree and so did a large number of others. I’ve known several that even had Master’s Degrees, not just an Associate’s. So don’t be too quick to think they couldn’t, because they could.
Re: Re: Re:
This has nothing to do with the intellignece of the soldiers. Just because those that may implement the policy might be highly intellignet, educated, and dedicated does not make the policy any “smarter”. Garbage in, garbage out…
Re: Re: Re: Re:
There does seem to be an unfortunate trend in the government of mishandling their implementation of software, especially antivirus software. They just always seem to be lost when they go it on their own. I think the government needs to realize that they, too, can use some help sometimes!
Re: Re: Re:
Respectfully, when I was on active duty, I did not have the same experience, although a majority of the techs I knew were either Naval Intelligence or NIS.
And again, from what I understand, the really good “hackers” work for the NSA.
Re: Re: Re:
The problem with this is the same ‘problem’ as with piracy. If we split it into two hard lines, the military (or in the case of piracy *IAA) and those against this form of action (or in the case of piracy…well the pirates), we see on one side a business or institution that is paying people to do a job. And that’s all it is to them. Now we can suppose that they love their job, and might be quite adept at, but on the other side we see a group of people that are doing something because a) they feel it is important, b) they feel they’ve been wronged, c) they love what they are doing, or numerous similar reasons. The latter group is the kind you don’t stop. They are the people that you hire to get a job done, because to them it isn’t just a paycheck, it’s the most important and interesting thing they’ve had put in front of them in their own lifetime.
Who would you bet on?
Re: Re: Re:
The problem with this is the same ‘problem’ as with piracy. If we split it into two hard lines, the military (or in the case of piracy *IAA) and those against this form of action (or in the case of piracy…well the pirates), we see on one side a business or institution that is paying people to do a job. And that’s all it is to them. Now we can suppose that they love their job, and might be quite adept at, but on the other side we see a group of people that are doing something because a) they feel it is important, b) they feel they’ve been wronged, c) they love what they are doing, or numerous similar reasons. The latter group is the kind you don’t stop. They are the people that you hire to get a job done, because to them it isn’t just a paycheck, it’s the most important and interesting thing they’ve had put in front of them in their own lifetime.
Who would you bet on?
Re: Re: Re:
As a former member of the airforce and a member of the regular public I can firmly say that in the world of hacking degrees dont mean shit. they’re about as usefull as a piece of bacon in israel
Re: Re: Re: Re:
“they’re about as usefull as a piece of bacon in”
As a former member of the US Navy, this should read “screen door on submarine”
Re: Re:
“Military Intelligence” is not an oxymoron. You are just used to ‘intelligence’ being akin to “common sense”. In reality, ‘intelligence’ is a relative term.
See the problem is the military looks at everything in, well, a *military* manner. They’re supposed to. As such, they’ll handle things in line of that kind of thinking. It is all perfectly logical and right.
But that is the problem some people don’t realize, but the founding fathers of the US did. You do NOT want the military running things as they’ll look at everything in their own narrow way. This is why, in theory, the military is controlled by a civilian whom the people elect out of trust.
Please note I mean no disrespect to the military. I actually like the military. There is something to be said about practicality and they have it in bags. But once this kind of escalation starts it doesn’t stop until the system breaks down and the Internet is too powerful of a tool for humanity in general for us to let that happen.
We’ve created something very amazing that increases our survivability (as a species) exponentially. With it, I have faith that we’ll eventually be able to unite and expand our civilization both physically from this world, and well I suppose you could say spiritually though that’s not entirely what I mean.
The point I’m trying to make was put very well by Bruce Willis’ character in the Siege: The military is a broadsword. It has one purpose and it is not subtle about it. Don’t draw it without intending to use it, and don’t let it control you as it is YOUR tool, not the other way around. If the military wants to go on the offensive, they can wait until a FORMAL declaration of war has been made.
Re: Re: Re:
“Please note I mean no disrespect to the military. I actually like the military. There is something to be said about practicality and they have it in bags. But once this kind of escalation starts it doesn’t stop until the system breaks down and the Internet is too powerful of a tool for humanity in general for us to let that happen.“
Regardless of what happens–should a large portion of the internet be “destroyed” I believe the public reaction would be the much like what happens when water/electric/telephone services are disrupted. In short, we’d rebuild.
Volunteer Army
I don’t think it is a bad idea to have a military botnet. In fact, if they don’t already have one, I’d say that is a problem. Maybe they should enlist volunteers, like those SETI clients (are they still around?), give folks a client to install, and give them a little control over how much system and bandwidth resources it uses, and I’d be willing to bet that a lot of folks will install it. Imagine, a volunteer army of computers, I think that would be pretty cool.
Re: Volunteer Army
That would work well I think. Only problem is that in an emergency their net would probably take full control of your computer and lock you out. There would be a screen that pops up and says “thank you for giving your computer to the US government. Control will be restored to you at the conclusion of the crisis” except the ‘crisis’ would last for years.
Re: Re: Volunteer Army
I’m not really a malware expert, but how is any of this NOT a backdoor for the NSA/OHS domestic spy networks? I can just imagine the Fort Meade boys licking their lips…
Re: Volunteer Army
“Imagine, a volunteer army of computers”
I think what you are referring to is called China.
Re: Volunteer Army
Well, let’s set your thinking straight. Even a voluntary botnet would mean that client software would be pushed out to volunteers, which in turn could be easily compromised by enemies or just plain jerks to be used against us.
The idea that a botnet using DDOS attacks would even be beneficial is ass-backwards. The Col. seems well-intended but not well informed.
He says that we must abandon a fortress mentality, and then he proposes tactics based on a fortress mentality.
Just throw in some advanced AI and this sounds a lot like Skynet from T3.
Hardly surprising when the military is being trained to think of the internet as an enemy weapons system. They want to take control of it, is the real motive.
“Carpet bombing in cyberspace” is the worst idea I have heard yet; and I have heard some truely idiodic ideas over my carrer. At best it would be as ineffective as the physical approach with all or more of the same unintended collateral damage that entails.
My advice to the Millitary would be to scrap the idea and start innovating rather than trying to imitate the criminals…
Unreasonable Seizure?
Wouldn’t a bot-net taking surreptitious control of civilian computers risk violating 4th amendment protection from unreasonable search and seizure? Seems like that should require either a lot of warrants, or a judgment that seizure of an insufficiently protected computer is reasonable for the government even if it is not reasonable non-government entities. Or something like that; I’m not very fluent in legal-speak.
Re: Unreasonable Seizure?
Glurbie, the military has an ass-ton of computers, maybe they could use those. If they use a standard bot-net and start taking out anyone without antivirus software then they will be taking out their own bot-net in pretty short order since a lot of the computers in said bot-net probably don’t have a/v software installed.
Personally, I like the idea of a volunteer army of computers. They could even pay a few bucks a month for it. If they could get, say, 10,000,000 signed on that would be a heck of a botnet. If war ever broke out they could even do a “draft” and require everyone to put the software on at least one PC in their home.
Re: Re: Unreasonable Seizure?
Does no one else realize that a botnet of machines under assumed control is absolutely NOT under absolute control – i.e. they’re talking about building an extremely powerful tool that they would have limited control over, including limited protections against it being taken over by someone else. INTERESTING BRAINSTORM, BUT OVERALL BAD IDEA.
there won’t be an INTERNET when they are done!
Get your updates
What’s wrong with having the latest AV and updates? I fix problems from viruses all the time because someone didn’t have the time to update their computer…
Lazy bastards…
anyone ever heard of “skynet”
SCARRY!
I actually agree with some of what he says although I don’t think the military should play an active peacetime role. I do believe the Military should have the capability to go on the offensive during wartime in any theater, which includes cyberspace.
We don’t allow unsafe, poorly maintained cars on our roads nor do we allow unsafe planes to fly our skies. So why should we allow poorly maintained, vulnerable computers on our internet infrastructure? The internet is vital part of our infrastructure. We can no longer take a laize-faire approach to dealing with rogue software.
We have the capability of identifying infected and vulnerable hardware on our networks. We should be more proactive in blocking infected devices from public networks. Granted, the methods available aren’t 100% effective nor do they need to be. You only need to effective enough to make malware unprofitable and more risky.
Re: #17
OUR internet infrastructure? Last time I checked the internet was global, so you are effectively wanting to place one country’s military in charge of a global infrastructure? Nice. And they though Alexander the Great, Napoleon, and Hitler had ambitions.
No thanks.
In my view, it would only take one proxxied ip address, and the military takes control of some foreign national’s computer and you are talking an act of WAR.
On another note, You are talking about the military blocking systems that have malware. So teh military is going to clandestinely install software to restrict a machines access, because the machine has software already that is restricting access. So effectively, you are replacing one malware with a government sanctioned malware?
Once you start giving away your freedom, it will only stop when you have none.
Re: Re: #17
“OUR internet infrastructure? Last time I checked the internet was global…”
The Internet is global. The infrastructure is physical and exists where it is. So, by definition, infrastructure within the US is “our” infrastructure,” especially when it is taxpayer subsidized.
Not that I am agreeing with the plan proposed. A requirement of protecting your computer in order to have Internet access may be necessary in the near future. Having the military attack without warrant is not, however.
“…so you are effectively wanting to place one country’s military in charge of a global infrastructure?”
No, not really. In most cases, the IP address will tell you if a computer is within the US. If some dumbass overseas decides to spoof a US IP in this situation, that’s his problem.
“We don’t allow unsafe, poorly maintained cars on our roads nor do we allow unsafe planes to fly our skies. “
No, but the military does not blow up, or even confiscate, unsafe cars and planes (unless the planes violate military airspace). A court of law handles the situation and hands out a fine.
Re: Re: Re: #17
“No, but the military does not blow up, or even confiscate, unsafe cars and planes (unless the planes violate military airspace”
Depends on the country. I think you meant to say they don’t blow up unsafe cars/planes in the USA, though some theories on the 4th 9/11 plane might disagree w/you.
Re: Re: Re: #17
Yeah, but it doesn’t sound like he intends to limit the geographical scope of this botnet.
Re: Re:
We don’t allow unsafe, poorly maintained cars on our roads nor do we allow unsafe planes to fly our skies. So why should we allow poorly maintained, vulnerable computers on our internet infrastructure?
Because people don’t die when a PC* isn’t properly maintained.
* meaning something sitting on someone’s desk, no need to talk about nuclear control systems, hospital computers, aircraft control computers, etc.
Laughable
This guy is a moron. “The Latest Security updates” is the most broad, unspecific statement I have ever heard for the usurping of privacy and personal freedoms since the Patriot Act. Seriously, how will they determine what updates will qualify for this, and who should have them? Seeing as there are MANY “critical updates” that may apply to my computer but not to others.
Also, any retard who has even a few brain cells dedicated to computer smarts doesn’t get viruses, and only uses an anti-virus in the most extreme cases and when a problem is known. With the advent of internet-based virus scans that use a repository of multiple virus databases, there really isn’t a need for an anti-virus for personal use anymore in my opinion. Corporate networks should have them to protect against stupid employees who don’t know anything. But you should be allowed to install what you see fit on your own system. Going “carpet bombing” on the internet against private citizens is a ridiculous idea.
Sensationalize much?
Wow. Firstly, this man is not speaking for the US military in general, or even the USAF. He’s speaking personally – this is his opinion.
Secondly, the clarification that this summary doesn’t include is that the COL only discussed viewing a PC as a miltary target when that PC was actually “attacking” the DOD computer system. Basically, if the PC was either being actively used (read: someone sitting at the keyboard) to attack the DOD network or it was part of a botnet that was attacking the network.
That’s a lot different than, “any computer without AV and updates can be a military target.” Especially since this is just one COL’s opinion.
conficker anyone?
a friend of mine mentioned just last night how conficker has supposedly affected computers that number in the millions (the storm and kraken botnets numbered in the hundreds of thousands), yet it hasn’t done much but send some spam.
my theory is that it is a “for hire” botnet, and just hasn’t gotten much business yet.
he also noted how researchers have been impressed with it’s command and control system and it’s ability to propagate and evade detection in spite of the fact that MS has produced a fix for it.
his conspiracy theory is that conficker is the product of some US government/military thinktank for use as some sort of attack fleet. he suspects the NSA or DARPA.
it has all of the ingredients of your classic conspiracy theory (unanswered questions, blaming the usual suspects, etc.) but you have to wonder if there isn’t some truth to it.
"speaking in a personal capacity"
Note that this was merely one colonel specifically “speaking in a personal capacity”. He no more represents the DoD’s position than does some mid-level manager in MS get to determine their software strategy.
I’m working with the Navy on IT policy, and I can tell you that any time someone in a meeting edges up to something like trying to control the Internet (in whole or part), they get quickly swatted down.
big brother is watching !!
I always wanted
I always wanted to create a virus that would search out unprotected computers, infest it, infest all the other computers in the area it could find then install an anti-virus program like AVG. It doesn’t even have to be a complex virus since the ones it’s targeting don’t have anti-virus to begin with.
Maybe the US government trying to create it’s own malware would be reason enough for some white hat with actual programing skills to create this. You know, help prevent possible international incidents and help millions of people at the same time.
Re: I always wanted
and who gets to decide which AV company get’s the contract? Is said AV company authorized in “insert name of country here”? Does said AV company have multiple controls to make sure program installs in native language? Not counting the myriad of O.S.’s. Nothing like fueling the conspiracy theory fire that viruses are created by the anti-virus companies as a form of job security.
Just how much can you really do with cyberspace?
IF the US was under a cyber attack wouldent we do the most logical thing ever and pull the plug? Chinas million computer botnet is usless when the connection bettween china and the US is cut and the military has there own internal secure network to boot.
In fact, unless your own internal hardware is infected on a large scale just turning off the internet would do the most good. It happend way back when the RPC bug was going around (which shut down our internet for a week back in 2002ish).
The problem is china or korea or whoever else with physical access to the fiber could do the same thing, ONOOOS the US is attacking our Puters! get an axe!
Someone has been watching Hackerz a few to many times.
Its quite simple Private...
In order for us to BEAT the terrorists we have to BECOME the terrrorists!
Re: Its quite simple Private...
That’s Chief Petty Officer, to you…
The article
Is quoted out of context. The person interviewed specifically stated it would be used on other countries against other computers harming us. The legitimate military target means that someone attacking us, which isn’t fully protected, would make a good target for the botnet. And the scarecrow argument used by Carlo just drives up the rage even more.
Read the article fellas. He makes a proper argument that warfare nowadays could easily involve who can keep their information systems running more effeciently than the other guy.
I suppose this is the highly rumored Internet Police.
I have an antivirus. It’s called “Unix.” I’m sick and tired of people telling me I need another one. I don’t need that bull that I can override the security with my password. You can override an antivirus without a password.
But now we pick on the military. We couldn’t pick on something like bankers or insurance companies. No, we have to pick on the military. Whatever, have your fun.
What if this botnet attacks someone in another country? Isn’t that highly… bad?
Think Local Act Global
So here’s the thing, we (humanity) haven’t figured out that the ‘net is global in nature. So when you say “another country” it’s not valid. The ‘net doesn’t stop at national borders (unless the country disconnects itself).
We take for granted the idea that someone driving on a road in our town will obey the local laws / have insurance / had formal training / etc. If someone borrows / steals the car without the owner’s permission, then the owner has some responsibility for damages that may be caused by the car – IF – it is shown that the owner was negligent in securing the car.
So, is running an unpatched system “negligent”. I’d say so. The fact that most PC owners aren’t trained is no-one’s ‘fault’ and I wish that some OS would have some kind of unobtrusive exam running and provide support based upon the user’s demonstrated skill set. And yes, install patches / AV / etc. ‘magically. If the user decides to over-ride the support, then they knowingly become liable for exploits that use the machine for malicious puprposes.
Since we’ve passed the point of requiring a ‘drivers license’ to operate tese dangerous devices, something else will have to be implemented,
I thought it was the WORLD wide web...
Building on what Nebetsu says – um – I’m not sure the United States military has proper jurisdiction to police the web – people been trying for years, and it’s not happening, partly because legality and rules are variable to nationality. I understand that IPAs would indicate originating computer, but don’t most even halfway decent hackers (including, in this case, the terrorists) spoof IPs and route through several – wouldn’t the military then have higher odds of “attacking” the wrong computer, even with a well-manned/programed botnet? And, if they managed to do that, would that then be an “Act of War” in the form of a pre-emptive strike?
Granted, I like my privacy WAAAAYYY too much to do anything but pull the plug if something like this really happens, but it’s still scary that someone with little to no computer savvy (like most of Congress has proven itself to be or most of the higher ranking military officials – they’re hell on a battlefield, but aren’t really known for their computer expertise)will probably pass something like this without realizing the ramifications!
George Orwell, you were right – just a little off with the date.
Lady Grey
Read The Article
I urge every US Citizen in this group to read the Armed Forces Journal article.
I makes some very valid points.
I find it very interesting that it was written by a USAF JAG Officer.
RTFA
In the actual article it is very explicit that an unpatched computer that is attacking should be considered a threat. Who in the hell has a problem with this? If a botnet operator is attacking my company and your computer is part of that botnet because your too much of an imbecile to keep up your patches and protection then I will fight back with everything I have.
Huh...
Attacking attackers is wasteful. You think an army fighting on two fronts is strapped for resources? Try fighting on a million.
No thank you, sir. This is one officer’s opinion. The military’s network defense strategy will remain exactly that.
As always, I’m amazed at the number of people here who don’t even think about a) the validity of the source and b) Techdirt’s shameless slant and bias before letting loose with the textual diarrhea.
Anyone seen this before?
Remember, big brother is doing this because he loves you!
re: military in charge of cyberdefense?
The military began the Internet with a DARPA program, then people used it to learn and collaborate, then over time a subset of creeps began using it for evil garbage and to hurt as many people as possible. Then we came to depend on it for too much since it is by design inherently insecure. OTOH, it is a good way to ferret out those who are clearly outside the norm and in need of help or a serious attitude change. Argue all you wish but there are limits and responsibilities with true freedom. If you don’t believe that is truth thing a little deeper and stop parroting others lame thoughts; you know, the ones who are not thinking for themselves. Is it a fine line between sanity and madness? Perhaps a finer line when there is too much garbage clogging our minds… Any way the military in our nation is controlled by the non-military heads of government as one check and balance. Why would we be calling the military in (meaning our heads of state arranged this, not the military self-assuming the role) if we were not already losing the cyberwar. If you doubt there is a cyberwar read some more in places that are legitimate sources of truth and higher intelligence. Of course you won’t do that if you are reading this because you like others giving you what to think? Am i right?
Re: re: military in charge of cyberdefense?
Oh yeah, the military invented the internet under the direction of Al Gore, I imagine.
Does anyone doubt that we as the United States have enemies who hate us enough to blow us up, to poison us, to cause as much loss of American life as possible? If so, where have you been over the last 100 or so years? Get your head out will ya? Lots of people are planning our demise and they don’t seem to care about the rules we love to live by. We have war planning documents from the military officers of other countries that show plans for asymetric warfare — attacking our infrastructures i.e. things that cause massive loss of lives when they fail… get it? So stopping their abiltiy to execute such plans seems like a reasonable response. Of course as ususal some people will want the military to do such unpopular work, underpay them to do it, and then persecute, marginalize, belittle, lambast, denegrate, the ones that survice the conflict. The real and most difficult enemy sometimes is often us, we destroy each other at times in the name of fairness to people who seek to destroy us and then it is a cakewalk for them to do it. Freedom; is it really just another word for – nothing else to lose? One way to find out is to actually leave the USA and go to another country. If you like it better there. Stay. My guess is (1) you won’t go and (2) if you do you will become eager to return real soon. USA and our military are not perfect but you better believe they are better than the rest. That is one reason we are being targeted for asymetric warfare, the enemy can’t compete with our defense or offense any other way. Oh, you don’t like defending ourselves against sick evil killers who would kill and mutilate you and yours, then sit on your cold dead body and eat a ham sandwich? Shoulda guessed from the comments. You don’t want to be defended and you don’t want to defend. Interesting delima that will resolve itself in time, meaning you will change your mind if and when people you care about are hurt by the ones you pretend we don’t need to stop.
Re: Re:
You twit, you haven’t read a single response here. This isn’t anti-military – far from. We just don’t want some idiot’s badly informed, extremely vulnerable, tactically ill-conceived opinion to become policy.
Oh, and they don’t eat ham, stupid.
Re: Re: Re:
best final line ever.
Re: Re:
“Does anyone doubt that we as the United States have enemies who hate us enough to blow us up, to poison us, to cause as much loss of American life as possible? If so, where have you been over the last 100 or so years? Get your head out will ya?”
Uh, doubter here. 100 years and we’ve been attacked on our soil twice…I’m going to call that a win, particularly since they’re are questions in both instances (Pearl Harbor and 9/11) about WHO was attacking, and who ALLOWED the attacking. So yes, there are those of us that just don’t see the threat.
“Lots of people are planning our demise and they don’t seem to care about the rules we love to live by. We have war planning documents from the military officers of other countries that show plans for asymetric warfare — attacking our infrastructures i.e. things that cause massive loss of lives when they fail… get it? So stopping their abiltiy to execute such plans seems like a reasonable response.”
Lots of people? Who? And where are these documents describing planned attacks on our soil? Why haven’t we seen them, if we truly have them? And don’t give me that “you can’t see them because of nat’l security” crap. You have them, then show them, or else you don’t get to claim you have them.
“Oh, you don’t like defending ourselves against sick evil killers who would kill and mutilate you and yours, then sit on your cold dead body and eat a ham sandwich? Shoulda guessed from the comments. You don’t want to be defended and you don’t want to defend. Interesting delima that will resolve itself in time, meaning you will change your mind if and when people you care about are hurt by the ones you pretend we don’t need to stop”
I certainly can’t speak for others, but a quick question: did you ever serve? I did, and nothing pissed me off more than people saying they loved what we did in Iraq and supported us. If you wanted to support us, you should have done something to get us the fuck back home (which, to their credit, the American people eventually did). So I DID defend, and it was a pointless endeavor, because we didn’t FIX THE PROBLEM. All of this BS is going to continued until the Israel problem is solved one way or the other, end of story. Two state solution, letting them fight it out, holding Israel’s feet to the fire about the humanitarian crises in Gaza, bitch slapping Syria/Egypt for their repeated bullshit…I don’t know, but THAT’S the problem, not the scary boogie man created by the military industrial complex.
One Small Problem
Hackers can’t access data stored on computers without an Internet connection.
Not quite...
Actually, your quote is a little bit out of context. He actually said (not exact quote, sorry) “any computer being used by another botnet to attack the US government, possible only because the owner didn’t keep his computer secure, is a legitimate target”