Oct 17 2010

~~Ten~~ Six Things Every Airman Must Know About ~~Cyberspace~~ the Internet, part 1

Years go by ... yet USAF still can't get its cyber doctrine right

I quote myself from a previous column when I say there can be no true cyber-war “until someone takes on the role of Phillip Meilinger. This person will write the definitive booklet on ‘Ten Propositions Regarding Cyber Power.’ It has to be taken seriously, too — no crackpots allowed.”

U.S. Air Force commanding general Norton Schwartz attempted something pretty close to my notion in his new doctrine for cyberspace operations. He calls it “Ten Things Every Airman Must Know.”

The only problem is … it’s actually six things every Airman must know, plus four things they must do. Oh, and it focuses on the Internet rather than on cyberspace. Study it closely and you’ll realize USAF’s top general got hoodwinked by the groupthink that cripples his cyber mater. Let’s review his “Ten Things” list:

Can the Pentagon’s free antivirus software in item #10 detect the malicious printers they mention in item #2?

  1. The United States is vulnerable to cyberspace attacks by relentless adversaries attempting to infiltrate our networks at work and at home — millions of time a day, 24/7.
  2. Our enemies plant malicious code, worms, botnets, and hooks in common websites, software, and hardware such as thumbdrives, printers, etc.
  3. Once implanted, this code begins to distort, destroy, and manipulate information, or “phone” it home. Certain code allows our adversaries to obtain higher levels of credentials to access highly sensitive information.
  4. The enemy attacks your computers at work and at home knowing you communicate with the Air Force network by email, or transfer information from one system to another.
  5. As cyber wingmen, you have a critical role in defending your networks, your information, your security, your teammates, and your country.
  6. You significantly decrease our enemies’ access to our networks, critical USAF information, and even your personal identity by taking simple action:
    7. Do not open attachments or click on links unless the email is digitally signed, or you can directly verify the source — even if it appears to be from someone you know.
    8. Do not connect any hardware or download any software applications, music, or information onto our networks without approval
    9. Encrypt sensitive but unclassified and/or critical information. Ask your computer systems administrator (CSA) for more information
    10. Install the free Department of Defense anti-virus software on your home computer. Your CSA can provide you with your free copy.

(I made two trivial changes to Schwartz’s “Ten Things” list. I put a colon at the end of item #6, and I indented items #7-10. You’ll understand why in a moment.)

Look closely at the content & grammar in Schwartz’s “Ten Things” and you’ll realize a committee wrote it for him. Wrote it poorly, I dare say. Problems include:

If you place a colon at the end of item #6, the entire last half reads like a PowerPoint slide.

  • It switches between the first person and the second person. For example, item #2 says “our” whereas item #4 says “your.”
  • It switches between the singular and the plural. For example, item #4 says “the enemy” whereas item #6 says “our enemies.” Item #5 uses “you” in the plural whereas item #6 uses “you” in the singular.
  • Item #3 suffers from redundancy. “Distort” and “manipulate” mean the same thing in the first sentence, and one could argue the second sentence continues the point made in item #1.
  • It’s incorrect (and superfluous) to preface item #5 with “As cyber wingmen” because it’s “ten things every Airman must know.”
  • If you place a colon at the end of item #6 (like I did), the entire last half reads like a PowerPoint slide — complete with punctuation errors in items #8-9. Who wants to bet Major Mark D. Hedden wrote it?
  • Item #9 is not something “Every Airman Must Do.” The ~~professional~~ martial use of encryption demands arcane skills far beyond those of a CSA. The Pentagon centrally deploys & manages encryption with NSA guidance for this very reason.
    • A CSA who offers encryption advice almost certainly suffers from False Authority Syndrome.
    • The person who wrote item #9 doesn’t realize “the best encryption is transparent,” hence we can conclude (a) a non-expert wrote it and (b) these “Ten Things” didn’t go through a vetting process.
    • Worse: given the Wikileaks debacle, we must expect DoD officials will suspect treason if they discover a personally encrypted CD-ROM or a personally opened SSH tunnel.
  • Item #10 orders Airmen to load free antivirus software on their home computers. Believe it, folks: Air Force doctrine now directly impacts a dependent child’s laptop. (Read it again, folks. It’s a lawful order written in the imperative and published as doctrine with the Air Force Chief of Staff’s name on it.)

“Memorize any policy that serves a mandate and was written by a craftsman. Forget any policy that survived a consensus and was pencilwhipped by a committee.”

— the late Jay Gowens

It disturbs me that USAF continues to pump out grammatical errors in short documents with overarching policy, this time signed by a four-star general. And don’t even get me started on the use of acronyms like “CSA” for ~~Power~~bullet points that fit on less than one page…

“As cyber wingmen,” begins item #5. I can’t help but laugh at the notion of General Schwartz calling his troops “cyber wingmen.”

Believe it: General Schwartz called his troops “cyber wingmen.”

“Cyber wingmen” reminds me of a classic scene in “Flash Gordon!” where our savior of the universe rushes to the aid of a downed Hawkman. I call Flash Gordon a “cyber wingman” because Emperor Ming remotely hacked into our SCADA systems and Flash launched a counter-attack on a Hawkman rocket cycle. An air force attacked a cyber villain — folks, that movie was 30 years ahead of its time!

(“Your Flash Gordon joke isn’t as good as the ‘brown-tinged guesstimates,’ Rob.” Yeah, yeah, I hear you. Let me know what you think of my Jay-Z joke in part 2 of this column.)

Seriously, though: I’d love to bump into General Schwartz at the Andrews AFB commissary. I can already hear our conversation at the checkout line…

Hey, General, I see you’re buying Hormel Compleat meals. I can’t get enough of those.
I definitely like them, too. You look like a retiree. Do I know you from a previous tour?
Some years back, sir, but I don’t expect you to remember everyone under your command. So, uh, I read your “Ten Things Every Airman Must Know” and I’m wondering who your “cyber wingman” is.
“Cyber wingman”?
Yes, sir. Item #5 of your “Ten Things” says we’re all cyber wingmen. Who’s your cyber wingman?
Well, I guess that would be my A6?
Great guess. By the way, what encryption do you use?
I’m sorry?
Item #9 of your “Ten Things” tells all cyber wingmen to use encryption. I’m curious what encryption you use. If it’s good enough for you, it’s good enough for me!
Uh, is there a point to all this?
Actually, sir, I was about to ask you the very same question. But let me ask you this: can the free antivirus software you talked about in item #10 detect those malicious printers you talked about in item #2?

[Continued in part 2]