Tom Cruise would look a lot less sexy as a droid.  But that didn’t stop Walter Pincus of the Washington Post from writing this morning about an interesting phenomenon within the Air Force:

The Air Force will train more pilots to fly unmanned aerial systems from ground operations centers this year than pilots to fly fighter or bomber aircraft. …

What these aircraft bring “to the table is the ability to stay in position or maneuver over large areas for a long period of time, and that’s where a person in an aircraft becomes a limitation,” Deptula said. Without individuals in the aircraft “you can maintain your position for a long period of time with the opportunity to either watch or strike.” …

Another advantage over manned aircraft is that there is always a fresh crew on the ground, “which enables any sort of persistence,” said Col. Eric Mathewson, director of the Air Force UAS Task Force, at the July briefing.

This phenomenon appears to be more than just a one-time occurrence.  Back in January, Air Force Lt. Gen. Norman Seip said:

“Next year, the Air Force will procure more unmanned aircraft than manned aircraft. . . So I think that makes a very pointed statement about our commitment to the future of UAS [unmanned aerial systems] and what it brings to the fight in meeting the requirements of combatant commanders.”

And USAToday reported also in January that drones would be integrated with fighters, bombers, and tankers of the manned fleet.

However, we’re not moving into a cyborg military just yet.  The increase in UAS technology appears to be a sustaining transformation that maximizes the USAF’s contributions to the wars in Iraq and Af/PAK, keep in mind that drones fit only into these counter-insurgency/anti-terrorism missions.  Until we come up with unmanned systems that can complete the air superiority and transportation missions of the Air Force (and given the size and shape of those aircraft vis-a-vis the current drones, those planes are a long way off), we’ll have plenty of humanoid Mavericks to come.

Back in March 2008, a handful of State Department workers accessed the passport files of Barack Obama, Hillary Clinton and John McCain.  Gerald Lueders - the third guilty ex-State employee who was sentenced to one year probation and a $5000 fine - claimed that “idle curiosity” lead him to browse 50 or so politician and celebrity profiles, all of which contained extensive personal data.

Let’s face it - if you were a government pencil-pusher with 30 years under your belt, you might be a little bored at work too.  And checking out the next president’s blood type and home address might be one way to make the hours tick by until you start collecting Uncle Sam pension.

The Lueders case highlights the cyber security crux — the government collects a bunch of personal information that should only be seen by those who need it.  And while celebrity voyeurism are disturbing, it’s really the terrorism cases that cause the hair on the back of the civil liberties community to stand on end.  In today’s interconnected world, US government agencies looking for terrorists at home or abroad inadvertently vaccuum up mountains of information on US citizens - plane tickets, hotel reservations, or international phone calls - 99.999 percent of which has nothing to do with ongoing investigations.  However, it’s finding the needle in the haystack that could lead to a breakthrough.

That’s the balance - to make sure that the vast majority of information that has no link to nefarious activity is never seen by the government.

NPR reports this morning on a California company - Palantir - who claims to have solved the problem.

“Most people in America believe you can either fight terrorism — i.e., identify and get the terrorists — or you can protect our civil liberties — i.e., make sure the government isn’t looking at our personal information when they are not allowed to,” says Palantir Technologies CEO Alex Karp. “And that dichotomy used to be true. We’ve found a way to tag information so the only people who can see it are those who are allowed to see it, so it takes care of that problem.”

As you might imagine, the story doesn’t go into details about Palantir’s techniques or its success rates.  After all, this could be like the first attempts at missile defense were the system is “working” but a handful of live action tests tell a different story.

Nor does the story answer another key threshold question - should techology of this kind be backed by legislation to cement those privacy protections in place?

It’s a good start; watch this space.

Starting on July 4th and continuing into this week, there have been high-volume but relatively unsophisticated cyber attacks on key South Korean and American websites, including WhiteHouse.gov, the South Korean intelligence agency, DoD, the NYSE’s site, plus Nasdaq, and Yahoo.  The computer virus behind the offensive apparently works by hitting the effected sites with tons of traffic, essentially loading them down with so many hits that the sites slow to a snail’s pace.

Fingers have pointed squarely at North Korea.  This struck me as odd because I imagine that Pyongyang’s internet infrastructure looks a lot like two dudes talking on opposite ends of a Campbell’s and twine telephone system (Picture the instructional video:  “Dear Leader, you can’t “download” information unless you pull the Creamy Tomato tight up against your ear.”)

But the NYT addressed this question, saying:

Although most of the North Korean military’s hardware is decrepit, the South Korean authorities have recently expressed concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operated through the Chinese Internet network and tried to hack into American and South Korean military networks. United States computer security researchers who have examined the attacking software and watched network traffic played down the sophistication and extent of the attacks.

“I would call this a garden-variety attack,” said Jose Nazario, manager of security research at Arbor Networks, a network security firm that is based in Chelmsford, Mass. He said that the attackers were generating about 23 megabits of data a second, not enough to cause major disruptions of the Internet at most of the sites that were being attacked.

“The code is really pretty elementary in many respects,” he added. “I’m doubting that the author is a computer science graduate student.”

So what do we have here?  It sounds like a big headache, but not system-wide threat.

If you’re worried that these hackers might succeed accessing DoD’s critical online infrastructure, I think that’s as close to impossible as you could imagine.  DoD actually maintains about four separate, stand-alone internets, three of which have absolutely zero contact with the outside world.  First, there’s NIPRnet, which is DoD-speak for the open internet.  This is what the virus effected.  But to handle information classified SECRET, there’s SIPRnet, which is widely distributed throughout DoD installations worldwide.  Then, for your super-secret information, there’s JWICS.  That separate network handles all TOP SECRET/SCI information and is only present on the largest, most secure DoD installations across the globe.  Trust me, they’re safe.

As Noah Shachtman pointed out during our cyber panel a few weeks ago, the biggest worry we have about cyber attacks on DoD is the Pentagon’s overreaction.  All too often - as was the case during ThumbDriveGate08 - DOD uses a metaphorical ICBM where a set of tweezers would be more effective.  Hopefully the Pentagon won’t go overboard with this, either.

The silver lining of this headache is that it continues to raise the spectre of public debate about cyber security.  How do we balance free access with security?

I just walked back into the office after our cyber panel.  Here’s what we’ve learned:

1.  Rep. Clarke (D-NY) had some pretty weighty things to say about the topic.  Or, as Noah (I think) said, “who knew the Congresswoman from Flatbush actually knew her stuff. on cyber issues”  She supports the cyber coordinator as an assistant to the president, but doesn’t think it should be an “operational” figure.  The job should develop a strategy that is coordinated throughout the government and that can task the differing agencies to follow that strategy.  However, she doesn’t think that we need to realign the bureaucracy or control the various parts of government. She was asked by an audience member about the potential budget authority of the “cyber czar” but said she hadn’t studied how much ability the position should have to direct funds.

And in the comments I appreciated most, Rep. Clarke talked about the “invisible” threat posed by cyber security.  This is where I think the public misses the boat on the issue - it doesn’t impact you unless you’ve experienced it.  You can’t visualize a cyber attack the way you can look at the smouldering Twin Towers.  To gain public momentum, we need to conceptualize the issue in new ways.

2. Noah Shachtman basically called the new Cyber Command a bureaucratic nightmare that will do little more than what already exists to protect our critical defense infrastructure.  The individual services, plus the NSA, all have their dedicated cyber guys, and the new command will basically exaggerate budgetary infighting.

Noah also talked about the Pentagon’s propensity to overreact to cyber problems.  He used the example of thumb drives - those 512MB sticks that essentially every servicemember carries to store movies, gag videos, and who knows what else.  A few years ago, someone in the Pentagon determined that thumb drives were spreading viruses to DoD computers.  The solution?  BAN THEM ALL.  I was working with the Navy at the time and remember the ban well.  It killed morale, not to mention stifling the flow of legitimate information.  Noah compared the overreaction to if all of DC was shut down to all traffic after 9/11. Read the rest of this entry »

You can say what you want about me, but you’d be lying if you claim my sense of timing is off.

Just when we’re about to hold a forum tomorrow on cyber security (yes, you’re invited), SecDef Bob Gates issued an order to establish a… yes, you guessed it… cyber command.

The Pentagon initiative will reshape the military’s efforts to protect networks from attacks by hackers, especially those from China and Russia. It also consolidates the largest concentration of cyber warriors and investigators in the government under one military command, exacerbating concerns of some experts who worry about military control of civilian computer systems.

The new command will at least initially be part of the Pentagon’s Strategic Command, which is responsible for computer-network security and other missions. The command is meant to begin working by October and to be fully operating by October 2010.

In announcing its creation, defense officials took pains to stress it would focus solely on military networks.

The NSA wants to up its annuall cyber class of new computer geeks to 200 (but I’m not sure how many they’re graduating now).  This is in addition to the 100 cyber nerds at the Department of Homeland Security, which wants to get to 260.  And what about the rest of the non-governmental internet (ie, most of it!)?  Who protects them?

Come tomorrow and find out.

As if on cue, former Congresswoman Heather Wilson (R-NM) has an op-ed in today’s Washington Post advocating a dynamic response to cyber security:

First, we must abandon the notion that static defenses will help us against sophisticated threats….

Our cyber-defense capabilities must be inherently dynamic, with a close connection between system operators, intelligence analysts, and the researchers who can rapidly build and deploy tools to protect or restore vital capabilities.

Second, our intelligence on other countries’ cyber-capabilities must be strengthened. We have scores of trained experts who know the ins and outs of foreign radars and missile systems and almost none who are daily tracking cyberthreats in all their manifestations.

Third, while there are national security systems we certainly need to protect, our greatest vulnerability as a nation is outside the government. Our banking system, our telephone communications and our electricity grid are all owned and run by private companies and are interconnected to the global computer network. We must anticipate that an adversary determined to cause economic damage or enhance the fog of war will exploit these vulnerabilities.

A better approach is to align the interests of stockholders with the interests of national security by establishing a trusted safe harbor where private entities can confidentially share information and get help from cyberexperts in and out of government. Such an information clearinghouse could, without attribution, share information with other private entities so that everyone benefits.

The timeliness of Wilson’s piece fits nicely with PPI’s cyber security event on Thursday.  The good news is that there’s starting to be a ground-swell of bi-partisan support on the federal level for cyber security, but while op-ed’s in the Washington Post are a great start, the government has to do a better starting the dialogue with the public.  Think about climate change - fifteen years ago, it was an issue that a few fringe environmentalist groups cared about.  It was a long-term threat that the average American couldn’t physically grasp.  Then along came “An Inconvenient Truth” and $4 gas, and BOOM, everyone’s an environmentalist.  The key was that there were consequences for all - the left viewed climate change as a moral issue, the right viewed it as a national security issue (”energy independence”).  And the cross-over between the two was significant enough to galvanize the country.

Where’s that moment for cyber security?

Come on Thursday and hopefully we’ll find out.

Y’all are invited - next Thursday, 930AM in the Members Room of the Library of Congress.  I just went to check out the room, and it’s ridiculously cool.  So come on down - send RSVPs to rsvp@ppionline.org