Topic C: Implications of Commercial Dependence

Dependence on commercial technology, products and standards is fast becoming a way of life for the military. Use of commercial technology is promoted at the highest levels and this is especially true for the information technologies which are at the heart of information warfare. This topic is concerned about the broader implications of such increased dependence on the commercial sector.

----------- [Moderator] If everyone (including potential adversaries) has access to commercial information technologies useful in information warfare, then what will give the U.S. and allies an edge?

[Campen] It is not a question of access, it is a question of the timely and innovative exploitation of that technology.

[Cebrowski] The edge comes in the synergistic application of technology. For DoD, it's organizing all the IW elements as a system, then integrating it into the larger system of warfightingin a way that enhances ops tempo. Technology is only an enabler. The real power comes from organization and employment concepts. If we don't tackle this area soon, we will lose the lead!

[Cochrane] Access to commercial Information Technology does not of itself define an edge in Information Warfare. Advantage in warfare is not just the possession of weaponry, it is its effective use and the knowledge of how to survive in order to use it again in a combat situation. This edge can be gained during the development, trailing and training in Information Warfare techniques. The scale of investment and technological inertia in the commercial sector will only slightly reduce the scale of the advantage that military strategists would like to attain.

[Cohen] The non-COTS [Commercial Off-The-Shelf] part_the way we connect things together_the way we use things_the skill and training and education of the people using them. We may, in fact, not have an edge.

[Dunnigan] Yes. We have more experience and resources in NetLand and, all things being equal, should prevail (Napoleon: "Victory goes to the bigger battalions." Unless they're Austrian, of course)

[Garigue] The differential comes from the software. Let's not forget that it is the software that make the machine. There can be some substantial capability gains that come from the usage of COTS in Life Cycle Management areas such as costs, availability, acquisition, disposal etc.. but the real warfighting advantage will come from the "configuration" of these software machines and the resulting networks that are developed to support enlightened decision making. Multiplied by the net, one software program can be replicated in each machine and because of this flexibility thousands of more knowledgeable decisions can be made. The network can now distribute knowledge very rapidly. So it is the software (and the wetware) that confers new information warfare capabilities to the organization, COTS is simply the delivery method.

[Gust] Not everyone has access to all commercial info technologies. In addition, my PEO [Program Executive Officer] has recently had a requested FMS [Foreign Military Sales] sale of Night Vision goggles to an ally be disapproved by HQ, DA [Headquarters, Department of the Army]. There still has to be some area of exclusiveness for the U.S. forces to retain a technological edge.

[Hazlett] Innovative organizational concepts, accelerated and automated decision making, and more flexible and automated communications routing.

[King] The edge will belong to those who develop a strategic plan and are willing to make the investments necessary to always be ahead of the wave and not merely on it. The U.S. currently has an advantage in its knowledge and deployment of high-speed nets.

[Probst] Two short answers:

- articulate the new operational concepts so that we can have a Revolution in Military Affairs - exploit the U.S. edge in superior doctrine, superior machines, superior algorithms, and deployed effective Defensive Warfare

[Schwartau] We have to do a couple of things:

1. Make sure that the military still has an edge up on technology that does not reach the commercial sector. This is true with the nature of the DEW [Directed Energy Weapons] (HERF [High Energy Radio Frequency] style weapons) that the military develops. They are vastly more powerful and useful than the homebrew commercial versions. We must take similar approaches with related "weapons."

2. We have to build an organization that is capable of C4I style deployment and engagement to either avoid conventional conflict, or replace conventional conflict.

[Steele] The U.S. and allies can only have an "edge" if they stop lying to themselves and admit that the existing communications and computing industries are "out of control" and ignorant if not criminally negligent with respect to C4I security. The "missing link" in IW is a secure home front, and this requires a national program_understood by and supported by the people_to embed decent security in all U.S.A. produced cyber-products. This will, incidentally, give a boost, to U.S.A.-based producers, whose security "quality" will serve as a major market differentiator. Included in this new commitment to security (and all it implies in terms of data integrity, etc.) will be the ability to detect and eradicate foreign-produced viruses and backdoors_for instance, the industry today is compounding its traditional failure to document software code with the outsourcing of much major code production to Calcutta and Moscow. We have no idea what these people are putting "between the lines" and we should be very concerned.

[Todd] Do not necessarily agree that all potential adversaries will have access to commercial information technologycertainly the possibility is there, but to what degree. Likewise, while other countries may "leap frog" us in more state of the art technologies (go from no telephone service to cellular phone service and bypassing telephone wires), the market place may dictate how and what is available. This disconnect between 2nd, 3rd, 4th generation telecommunication systems, networks, and processing capabilities will enable us to analyze the "seam" in their architecture and exploit them.

----------- [Moderator] Given the possibilities for "chipping" and software "backdoors," how do we ensure the integrity of domestic commercial manufacturing and software processes? How do we ensure the integrity of foreign commercial components and systems which we might use?

[Campen] You don't even try. We must presume this threat and concentrate on the means of extremely rapid detection, fault isolation, and corrective actions.

[Cebrowski] Demonstrate to naysayers that the issues can be managed within reasonable cost. The key is to establish a systemic, national-level process that includes: scope and standards for what should be protected and to what extent (a risk management process); responsive indications and warning/attack analysis; and a broad range of flexible response options. This process will not demonstrate a nation that is invulnerable, but rather one which is constantly vigilant, decisive and prepared to respond to any threat, foreign or domestic, with a full range of national security tools.

[Cochrane] Chipping and "backdoors" are as much a problem to commercial entities as they are to the military. An attack on a large banking institution may cause as much damage to a nation as an attack on a military installation. Existing examination of systems based on guides such as the Orange Book are of limited use. Experience has shown that these processes are difficult to "sell" to software developers. To complement this we need to develop penetrative testing in ways that simulate real attacks and study how systems will react.

[Cohen] With rare exceptions, we don't, and that's an important issue today.

[Dunnigan] You can never let up your guard on such things. Put it out of sight and you can expect the bad guys to come in through your back door.

[Garigue] There will never be any guarantee that software will be proven correct and have no "defects" because of the enormous difficulty of checking large complex programs. Networks are even more problematic. The analysis can only be limited to small portions of programs or objects. And even when programs can be proven correct, there still would exist the possibility for perfectly correct code becoming malicious (Jekyll and Hyde programs). Partitioning mission critical processes from other processes, and ensuring that some functions be performed via an agency of differently coded processes does enables a certain measure of redundancy, cross checking of results, and graceful degradation of performance.

[Gust] This is an area where integrity of use requires adherence to patent and license concerns. We should pay for software intellectual rights if we use it in our systems.

[Hazlett] Developing and instituting a "red team" concept for testing and evaluating software. Developing an "overlay" for domestic and foreign software and components, that detects and reports intrusions and alterations.

[King] There are processes and methods that can be put in place but there will always be the question of the cost of achieving a given level of assurance and the impossibility of that level being 100%. Thus, systems must detect and contain suspicious subsystems (not an easy problem).

[Probst] - legal requirements for due diligence with severe financial penalties - never trusting software you haven't (re)written yourself - spreading the "public health" approach to component integrity - eternal vigilance following adequate training (e.g., personal monitoring of personal audit trails_cf. Shimomura) - less practical: never trusting hardware you haven't designed yourself (testing and certification may be of some help here)

[Schwartau] Someone read my book! Thanks. That's the problem. We will have to develop new methods of process engineering, assurance mechanisms and automated reliance tools. Similarly, we will have to develop additional non-destructive testing methods for completed products as an inspection or QA [Quality Assurance] procedure.

[Steele] The Department of Commerce is simply not up to the challenges of the 21st Century (neither is much of the rest of the USG [U.S. Government], but at least DoD knows there is a 21st Century). The first step must be legislation which requires "due diligence" on the part of all manufacturers and vendors of communications and computational hardware, software, and related services. They must be required to assure their customers that it is safe to work and play in cyberspace, and must be held accountable, using new and solid international standards, to the highest levels of embedded security. The U.S. position on key escrow is ignorant and flies in the face of both history and cyber-power. Until we give up the idea of legislating back doors for law enforcement, we will not be able to provide common security to the whole.

The FBI should be given funding ($500 million a year) for a new Electronic Security & Counterintelligence Division, and the Secret Service should be relieved of its dubious claims to the mission of handling crimes in cyberspace. National testing & certification laboratories should be established using existing capabilities (for instance, one of the Department of Energy laboratories), and all foreign hardware and software should be subjected to both preliminary and ongoing (random) testing. All hardware and software being introduced to government installations should be individually tested. Corporations should have liability incentives for doing the same thing. Ultimately we should eliminate portable disks and require that all data and software be sent from one infosec gate to another for scanning and air gap transfer under control.

[Todd] The ability to protect our systems needs to be the first priority in this emerging warfare area. Our first goal is to raise the our integrity of our systems to such a level that the "casual" hacker cannot get primary access to our network system. This can be done with an integrated approach of engineering fixes, highly trained system administrators, and highly aware users. This will have to be a continuing effort. But we will still need to understand that the top 5 percentile of professional hackers will still be able to penetrate our system. Now we need a system of both highly trained people and equipment that can identify such activity, bound its effect, recover systems that are damaged or corrupted, and work back to the origin of the attack for either criminal prosecution or counterintelligence activities.

----------- [Moderator] Given the decreasing financial leverage of the military in the commercial marketplace, how should the military positively engage firms to take military needs into account during the commercial product development process?

[Campen] First you take into account the remarkable similarities in "needs" between the private and military sector and identify short falls. The military then applies its talents and funds on those relatively few shortfalls.

[Cebrowski] This is achieved by answering and addressing two questions: What must be protected? Certainly not "everything." This is the policy issue on the scope of protection. What type and level of protection is appropriate, under a managed risk approach? This is the technical question of "standards." Those commercial organizations wishing to "do business" with the protected enclave must interoperate on its terms. Over time, the standards become universal_not by mandate, but by market forces.

[Cochrane] By locking companies into the development cycle as the military outsources everything. The military is still doing studies, still funding universities, still doing original stuff. Forming a partnership with companies on joint programmes where there is a synergy between the applications. What is the difference between secure banking, secure networking for industry, and the military_only degree!

[Cohen] Money.

[Dunnigan] Pay them money. That always works. Beyond that, the troops have little influence.

[Garigue] I believe that that is not required. The present capability of components and systems by far exceeds the present majority of our needs. The notions that competitive advantages will come from faster, smaller, more secure, robust, and functional information systems are already accepted goals and are driving every commercial innovation process. We need not emphasize these expectancies. However, we do need a more focused effort on the problem of how to use these capabilities to impose order or defuse conflict.

[Gust] We use a dialog process in the Army which includes Advance Planning Briefings to industry and discussions via an electronic bulletin board for draft RFPs [Request for Proposals]. We also speak to symposiums and industry forums. Finally, pre-solicitation conferences advertise the near-term release of the RFP to the interested bidders who responded to our CBD [Commerce Business Daily] announcement.

[Hazlett] Revise acquisition procedures so that government specs do not needlessly burden process. Revise "lowest bidder" rules so that government can purchase "best value."

[King] The military needs to be very clear and realistic about how its needs differ from commercial needs. There will continue to be companies that make mil spec versions of commercial products for those few cases where they are really needed.

[Probst] Build military applications on top of COTS hardware and software. If you really need something different, talk to them.

[Schwartau] Declassify the threat to the commercial sector. Put us all on the same team.

[Steele] Declassify the threat. Not only will the private sector not heal itself until it fully appreciates the problem (and stockholders know enough to hold management liable for being stupid about electronic security), but the military will never heal itself as long as C4I "deficiencies" are classified_the latter guarantees that only the people that created the problems in the first place will have the clearances to jerk around with possible solutions, oblivious as they are to the explosion of innovation in the private sector, far from all SCIFs [Sensitive Compartmented Information Facilities].

----------- [Moderator] Many commercial firms (for example, banking firms) share the same "information protection" concerns as the government. What can the military learn from how these companies conduct information warfare functions? How should we share this information?

[Cebrowski] This first step is to raise awareness of senior level management and encourage dialog in interagency fora. An understanding of the inherent vulnerabilities of information-based technologies will spawn focused efforts on security processes, procedures, and policy. If we can learn anything from the commercial sector, it's the extremely low tolerance for ignoring security policy. Before this can be done at the scale and levels required, government must put in place the policies and legal protections necessary to secure interests and equities.

[Cochrane] Such commercial enterprises have communications and systems that are often held by, or accessible by, "the enemy" and are open to attack on more than one front. Commerce probably has simulated and experienced a greater number of attack scenarios and now can respond to an attack faster than the military. Information technology is the life blood of a modern nation, if it is cut off then society crashes and stops. Sharing is only a problem for the military; they will just have to get used to the idea!

[Cohen] These firms do a poor job of it in military terms, but the military could, at a minimum, adopt the same minimum standards these firms use in addition to current DoD standards.

[Dunnigan] You mean, "how do you get them to share information with you." The banks are in real info-war mode at all times. These are the folks with the "combat experience" regarding what works and what does not. In the peace time, the military is playing games while the banks are battling the hordes of cybernasties.

[Garigue] Open societies as well as open systems are more robust because the spread of critical information and knowledge on security helps everyone. Continuing an open dialogue at all levels between the concerned groups such as between the banking, power, telecom, and military communities as well as with the security advocate groups within Internet will ensure that the weakest network functions will be identified and brought into line with acceptable security procedures. What benefits one community, benefits the net and benefits all communities.

[Gust] There is a formed chartered organization in the Army, supervised by the HQ, DA DISC4 [Director of Information Systems and C4] office responsible for the "C2 Protect" mission. I am not totally current on the details of their involvement with commercial businesses, but know that a process is in place.

[Hazlett] Government should fund a portion of the research so that it can benefit from the discoveries and be part owner in the product. Share in licensing the procedures and products.

[King] There is a lot to be learned but it will be a difficult process. There are signs such as the "Invitational Workshop on Computer Vulnerability Data Sharing" scheduled for June in Gaithersburg that this is recognized as a common problem that must be solved.


- Banks worry about information security and banking-systems security. Certainly one should talk to their security officers. I really doubt that banks crack other banks, so you won't find much help here.

- The ISAT [Information Science and Technology] Summer Study on Defensive Warfare and Information Survivability had a balanced mix of academic, commercial, and government representation.

- As the market develops, people will buy the security products they need (the government's role is primarily to watch over the infrastructure).

[Schwartau] The key lesson is that much of the commercial sector can move on a dime; unlike slowing down a carrier in 20 miles.

- Rapid Decision making - Iterative process changes - Adaption to market conditions - Policy must change as rapidly as do one's adversaries

[Steele] Most commercial firms do not understand electronic vulnerabilities, in part because most of their security and "infosec" officers don't really understand the insides of their systems, and in part because corporate management will continue to shoot the messenger until such time as they cross a major pain threshold, i.e., are held accountable or "see" the losses they are incurring. The real hard problem with electronic theft, as Toffler and others have noted, is that electronic property can be in two places at once_when proprietary information is stolen, the files are still "there," they have simply been duplicated.

Banking has nothing to teach us, despite the inflated claims of some self-serving commentators. The real experts (e.g., Eric Hughes of Cypherpunks) know how easy it is to penetrate both banks and trading houses, not only electronically but also through direct access to uncontrolled terminals on the trading floor. More simple denial of service attacks, and physical interruption of services, have long been described by Winn Schwartau. The single greatest danger to much of the U.S.A. is the chaos and anarchy as well as the financial loss that will be incurred because of the lack of hard-copy backup documentation for electronic wealth and property ownership. It will take years to sort it all out, and will probably require some emergency legislation freezing all claims.