Did Chinese Spies Delay F-35?
Published February 6, 2012 | 
Defense Tech has an interesting article questioning if some of the delays associated with the F-35 program was due to rework necessary to recover from Chinese spying. If this is true, it represents a critical failure in information security within the DoD acquisition community and the Defense Industrial Complex. There have been many reports of government contractors’ networks being compromised but I don’t know if anyone is tallying up the bill.
If true, the bill here is Billions of dollars. Dollars spent on extending the lives of aircraft slated to be replaced by the F-35, dollars spent on the engineering rework to change the design of the F-35, and dollars spending on how to counter the possible improvements to Chinese systems due to their adoption of American technology. And for some reason, I doubt Lockheed, the Prime Contractor for the F-35 is opening up their checkbook to cover these costs.
I hope that this report is untrue and that the Chinese didn’t delay the F-35. If so, then we still have a lot of unanswered questions as to why the F-35 is so late and over budget. It was suppose to be a low-risk cheap jet, and it has mushroomed to be the DoD’s most expensive program… EVER. Not good, with or without Chinese help.
The Stupidity of Conventional SLBMs
Published January 29, 2012 | Wired had another well written article titled “Pentagon Confused by its Own ‘Subs vs. Terrorists’ Plan”. The basic idea is that the US wants to conduct conventional global strike from submarines. One of the many Holy Grails for the DoD is instanteous global strike; the ability to hit any target anywhere on the face of the earth in a moments notice.
The article does a good job of calling this what it is, a farse. There is no way that either China, Russia, or any other nuclear equipped nation will sit aside while a conventional warhead is sailing overhead to strike some target. The DoD is trying to make this new conventional warhead to fly a different trajectory, as to indicate to our allies and potential adversaries “Hey, trust us, it isn’t a nuke”. While it may be a conventional warhead, but how will anyone beside the DoD know? If you can make a worhead fly this unique trajectory, why can’t it be a nuclear warhead?
Being able to hit a target in a moments notice is a mixed blessing. I’m reminded of the discussion during Dr. Strangelove where they discuss the benefits of bombers over ICBM’s. The arguement was that bombers took longer, and that was a good thing. Time allows the US and Russia (in Dr. Strangelove) to open up diplomancy and to try to calm things down. This doesn’t happen if the immediate answer is and ICBM launch.
So, if we have this capability, what becomes the role of diplomancy. In addition, we’ll be tempted to use this on the terrorist in a mountain cave. Is that guy really worth it? To launch a conventional ICBM or SLBM will cost millions per launch. Is this guy really worth that price? Is this guy worth the possible nuclear response? I would seriously doubt it, but there may be specific cases where it is worth it.
If money was no object, if we had a sound foreign policy, strong diplomatic capabilities, and if everyone trusted us, then this could be a good idea. In reality, it isn’t. We don’t have enough money to keep being the World’s Policeman, so why do we want to go down this route. It is hard to imaging that this type of weapon would not only start, but end a conflict. This would be just the opening round to an extended conflict involving thousands of American soldiers. If it was possible to avoid war through the use of this weapon, I’d be a big fan… but I just don’t see it.
At best, this is going to be a huge work program for the Military Industrial Complex similar in scope and cost as SDI. At worse, this will get us into an accidental nuclear war and end our civilization. With those being two of many plausible outcomes, we should be wary of going down this path. Let’s hope that the budget hawks will stop it in its tracks before we waste millions of our precious dollars.
Sea Sheperd’s Drone
Published December 26, 2011 | Now, this is interesting. I just read a story about the Sea Shepherd activist organization has now deployed a drone to track Japanese whalers. If you aren’t familiar with Sea Shepherd, it is an anti-whaling organization that follows the Japanese whaling fleet and attempts to disrupt their operations. You can watch their activities on a reality show.
Well, they just got a donated drone, and are now using it to track the whaling fleet. This is pretty cool. This is also an interesting use of the technology that probably wasn’t thought of by the drone inventors. It makes me wonders where this technology may go in the future. What would happen if Occupy Wallstreet had a drone overhead constantly, alerting them as to what the police were doing? How would constant monitoring change police tactics? Does the police shoot down the drone before evicting the protestors?
In this case, Sea Shepherd and the Japanese whalers are in international waters so there is not police that will claim jurisdiction. I have to wonder how the Japanese will respond? Will they even try to shoot down the drone? I would doubt that they have anything on board the ship that will effectively shoot down a drone. Maybe they could get lucky with a harpoon, but I doubt it.
This is an interesting development in this multi-year conflict between Sea Shepherd and the Japanese whaling fleet. As the technology continues to develop it will continue to influence this battle. Just wait until someone decides to bring along torpedoes.
Virus Takes Down AF Drones…WTF
Published October 8, 2011 | Wired has an article on a computer virus that has infected the Predator and Reaper control stations at Creech AFB. Someone screwed up big here. First of off, why was infected media introduced to the classified system? Secondly, why wasn’t there a clean backup that they could use to restore to?
These systems operate on a classified network. So, either the bad guy has access to the classified network and introduced the malware there (not a happy thought), or someone broke the rules and transferred media from the internet to the classified network (another no-no). Now, there are always exceptions to the rules, but in those cases all media should have been scanned prior to connecting them to the classified network. So, what happened here? Someone screwed up. Someone didn’t follow the rules assuming that they didn’t apply to them, or that what they were doing at the moment was too critical to slow down and follow the rules. Maybe the system they use to scan media was broken, or perhaps it wasn’t loaded with the right virus signatures. Either way, something went wrong.
Secondly, why don’t that have a clean system to backup from? This is a weapon system, not a video game. In the article they go on about how they had to build the system from scratch again and again, always resulting in the same re-infection? Why? Doesn’t the system have a clean backup? With the advent of virtual machines, snapshots, backup tapes, replication, and so on… you’d think they should be able to backup without a problem. Now, the exception would be if the virus is hiding in some firmware and if that is the case, they are in more trouble that they realize.
I guess the real last question is why are they using Windows at all? Why is the military using a commercial grade operating system that is the largest target on the planet for viruses to run a critical weapon system? Shouldn’t this be on SELinux? I bet the decision was made in the name of convenience and cost savings… so, how convenient is it now? Saving money? We need to realize that if IT systems are weapon systems, then we need to treat them as such. This isn’t the same as my PC at home. People generally don’t die if my PC goes up in smoke at home, but what happens if someone through the virus learns how to insert commands to a Reaper. How does it look when the Reaper fires a missile at friendly troops… and we learn that it was the result of someone highjacking the system. If they can highjack people using their bank’s website, they could certainly do this… and learning the system through a keylogger is the first step in that direction.
The Predator program has been an insane success. It went from a science project to a major weapon system overnight. Had it gone through the traditional acquisition cycle, it would have likely failed. However, in its rush to be fielded, they took shortcuts such as their selection of operating systems. It might be time now to rethink this. If you are going to go with Windows, then you need to secure it correctly. If you are a critical system, then you need to be able to boot from a clean backup. Yes, this means more engineering and more costs, without any obvious operational value… but it also means that you can continue to operate through these type of issues. Mission availability and robustness should be a valued operational characteristic. I doubt that this incident will cause anything to be changed. I just hope that it won’t take one of our UAV’s to be highjacked and the death of friendly troops to finally make us change how the system is designed and used.
Airport Scanners Fail German Tests
Published August 6, 2011 | AFP has reported that the TSA used body scanners are a failure.
Body scanners being tested at Germany’s Hamburg airport have had a thumbs down from the police, who say they trigger an alarm unnecessarily in seven out of 10 cases, a newspaper said Saturday.
Not a surprise to anyone that has been through them, nor any high school graduate. I’m glad that at least Germany is testing them. I get the feeling that the TSA skipped that part, drank the kool-aid, and emptied the piggy bank. Just because a defense contractor tells you that it will work doesn’t make it so. These scanners make no sense in an airport. They simply do not make flying any safer, but they do increase the ability of the TSA to terrorize, embarrass, and intimidate innocent travelers.
This doesn’t mean that these scanners don’t have a place in the world. These could be useful in Iraq and Afghanistan at entry control points to detect suicide bombers. However, the first bomber than blows them self up along with the scanner wins. I doubt you could make a bomb proof scanner, but it would be worth the false positives to stop a suicide bomber. But for the rest of the world, it is time to put some common sense into security and to address the reality that we can’t afford to live in a continuous police state.
Religion and Nuclear Weapons Ethics Training
Published July 30, 2011 | Does Christianity and Christian beliefs have a role in the deployment of nuclear weapons? The Air Force has just pulled some Christian-themed ethics for the use of nuclear weapons. Apparently, they pulled it after truth-out.org published a report on the topic. While I don’t believe that it is proper to have one religious view dominate ethics training, it is a reasonable question to discuss whether or not any religion should be involved.
Religion can be very powerful within a society and can dominate its morals and ethics. Even atheism is a religion and influences society. A society that has many religions within itself is forced to deal with the differences and contradictions, while a society that is homogeneous in religion may adopt it as the basis of their society mores and laws. We’ve seen this in both Japan and Islamic nations. The fact that I wrote it as Islamic nations is an indicator of how the majority of Arab nations are seen.
The men and women that are responsible for the launch of nuclear weapons will bring their own religious view into their job. There is no way around that as long as humans are involved. But, should the Air Force teach nuclear weapon ethics based on religion. Yes and no. First of all, ethics are taught through religion as well as non-religious means. Even the same ethical teachings can be supported by both religious and non-religious thought.
The article cites the Just War Theory as one of the many religious topics in the ethics class. While religion can be used to support the Just War Theory, non-religious teaching could also be used. I do think it is important that people that control nuclear weapons understand the Just War Theory, since it may be used to justify the use of nuclear weapons. One of the fundamental questions here is whether or not officers responsible for nuclear weapons should blindly follow orders or if they should evaluate those orders through an ethical lens prior to destroying large portions of this planet. If they didn’t want humans in the loop, we would simply fully automate the systems and remove the humans, so the Air Force is expecting their nuclear weapons officers to not only follow orders, but also to use their brain in doing that.
I suspect that if our society is in a position that we are ready to launch nuclear weapons that those launch officers will have access to the news and have a sense of the rhetoric that is taking place. Politicians would be citing many justifications for the escalation of the war, and each officer will have to decide if they will follow launch orders for themselves.
The ethics class is followed by the signing of a legal document stating that the officer will not hesitate to launch nuclear weapons if legally ordered to do so. While in the time of a nuclear war, this paper is worth what it is printed on… it is reasonable that you want launch officers that do not have an ethical issue with launching nuclear weapons. I don’t know if we ever came to pulling the trigger if any of those officers will remember that class, signing that paper, or what. My bet is that they will be thinking (or perhaps praying) for their family, their loved ones, and hoping that this crisis will be over soon, and that unleashing nuclear weapons will somehow result in a better world.
I think that it is reasonable to have an ethics class based on a wide range of sources, including religious. I don’t think I’d stick to just Christianity, but also include other beliefs. Not only would the Just War Theory be relevant, but so would the Islamic concept of lessor Jihad (protecting your country from attack). I think most importantly is to have an honest discussion about the ethical dilemma every single launch officer will have when and if the time comes. How do you quickly resolve that and either do your job and launch the weapons, or decide to disobey.
In the end I’m glad that the Air Force is evaluating the ethics training, but I don’t see the Christian beliefs used to support ethical arguments as an indictment against the Air Force.
Excellent Stuxnet Article
Published July 11, 2011 | Wired has an excellent Stuxnet article. The times are a changing.
Should NATO be afraid of Anonymous?
Published June 11, 2011 | According to an article from CNET News, NATO published a report warning of the rise of hacktivism. In the report, they singled out Anonymous as a threat to government and military computer systems. In response to the report, Anonymous released a press release that informed NATO that they should not challenge Anonymous. Their argument is that they are not a threat to governments, just a threat to secrecy.
The broader question here is the role of secrecy in government, and whether or not the people have a right to have unrestricted access to the information that government often consider classified. Anonymous cites their HBGary attack as an example of the good work they have done to bring to light information that they believe the people should know. Today looking back, most Americans would agree that the release of the Pentagon Papers was a good thing. It brought to light the lies that the American administration was feeding the people regarding the Vietnam war. I bet those in the administration at that time weren’t pleased. So, Anonymous believes that such information should be free, and I suspect that in some cases the majority of Americans would agree, and in some, they would not agree.
But, should NATO single out Anonymous? Probably not. While Anonymous has demonstrated itself as a being very capable, its attacks are not military in nature. A threat is defined by both capability and intent. Anonymous, along with a wide range of hackers, has the capability to be a attack government and commercial networks. However, Anonymous has not shown any intent to attack NATO from a military point of view. They may attack specific governments in an effort to further their agenda of transparency, and it is possible for one of the NATO members to consider this a military attack. It would have been better for the NATO report to clearly specify that a wide range of groups including hacktivist have the capability to attack many networks, and if their intent was ever to attack NATO, it would be technically possible. NATO’s defenses should be focused on preventing these attacks from a broad range of capabilities and not focused on Anonymous.
Now that NATO has pointed the finger at Anonymous, and Anonymous has responded in kind, I don’t know what will happen next. I suspect that NATO’s “cyberwarriors” are worried, and rightfully so. If Anonymous decides to cross that line and go after NATO just to prove that it can, there are very few networks that are likely to survive. Computer networks (not just NATO’s) are complex with many inherent vulnerabilities that can be exploited. All it takes is someone that is willing to invest the time and effort to find the crack in the armor, and then to exploit that to their advantage. Anonymous has proven time and time again that its members are willing to take the time and effort to do just that.
So the bottom line is that NATO should be afraid, but not just of Anonymous, but of any capable hacker that is willing to take the time and effort to attack. They should be prepared for those attacks, and not be singling out one hacktivist group who doesn’t pose a direct threat. But I suspect that the either Anonymous will realize that pissing off multiple governments just to prove a point isn’t worth it, or we’ll soon hear about NATO’s networks going down. I do hope that they will back down and realize that if they are hunted by the military, it will impair their ability to accomplish their true goals.
Posted in Computers, Intelligence, Military, Technology | 
Anonymous, hacktivism, NATO | 
Leave a commentWho’s behind the Lockheed, L-3, and Northrup attacks?
Published June 4, 2011 | According to a variety of news reports, Lockheed, L-3, and Northrup have all be attacked recently. While only Lockheed has come out and admitted it, there are rumors about L-3 and Northrup. All of these attacks were made possible by the earlier compromise of RSA.
What has been missing in the coverage is any discussion on who is behind all of this. Either the person or group behind the RSA attack are going after key DoD military contractors, or have sold the bounty of their catch to someone going after DoD contractors.
While it may be fun to be the hacker that breaks into Lockheed’s computer networks, this isn’t the signature of traditional hackers. This attack is more consistent if another country’s intelligence services were going after US military technology and secrets. But, you aren’t hearing this in the discussion. Is it the Russians, the Chinese, the Iranians, or someone completely different. If so, what does this mean to the DoD and its ability to protect secrets while doing business with contractors.
I find it odd that at the same time that these attacks are going on, the US Government is beginning to state publically that if another national conducts a cyber attack on the US, then that may be considered an act of war. So, are we now in a state of war? If so, with whom? If not, why not?
Britain Acknowledges Building Cyberweapons
Published June 4, 2011 | According to an article in the Telegraph, Britain’s Armed Forces Minister, Nick Harvey acknowledged that Britain is building a toolbox of cyberweapons. While this really comes as no surprise, I was surprised by his statement that “would be governed by the same rules that apply to the deployment of other military assets."
That type of statement really highlights some serious ignorance on the nature of cyberwar. Unlike other “military assets”, cyberweapons are not easily containable. While I may be able to sell a tank to another nation, that is not the same as giving them the tank assembly line. However, you can make perfect copies of software. Also, unlike traditional military weapons, there are widely available commercial tools to reverse engineer cyberweapons (look at Symantec’s analysis of Stuxnet for example), that would allow anyone with access to the cyberweapon the ability to deconstruct it. This then gives them a blueprint on how the weapon works, and possibly allows them to “repurpose” the weapon for their own use. It is ignorant to equate cyberweapons to traditional weapons for these and other critial reasons.
It is nice that from a military doctrine point of view, you can equate cyberwar with its counterparts in the physical domain. That may help in the military planning, but one must also consider the non-traditional side effects of cyberweapons in the development of cyber warfare doctrine and planning.
A better analogy instead of traditional weapons is biological weapons (they call them computer viruses for a reason). While a very powerful weapon against your enemy, biological weapons are difficult to handle, deploy, and contain. That is why that the concept of using biological weapons is so scary, and something that no government could probably survive. Eventually a biological weapon will “burn itself out”, but the question is if there will be enough of the population left to have anything to rebuild after that. Cyber weapons are similar, although thankfully less deadly. We have seen that with Stuxnet. While targeted at Iran, copies of it have been found worldwide. Even with it’s internal self destruct date in place, copies of Stuxnet will be around forever (I can always change the network time).
What Stuxnet has proven is that if well crafted, and very narrowly focused, a cyberweapon can be effective while minimizing collateral damage. Will Britain’s cyberweapon developers be as careful? Will Iran’s? The bottom line is that cyberware brings some unique aspects that are significantly different than other “military assets”, and if Britain is building them, they must take those into consideration. Their first challenge will be educating their leadership on the differences between cyber warfare and traditional warfare, and then developing the doctrine to take those differences into account.