Air Force Cyber Panel

Last month I participated in a panel hosted by the US Air Force. One of my co-panelists, Jim Stogdill, summarized some of the event in his recent post Sharing vs. Protecting, Generativity on DoD Networks.

I'd like to add the following thoughts. Before the event most of the panelists met for breakfast. One of the subjects we discussed was the so-called "People's Army" China uses for conducting cyber operations. You can read about this phenomenon in the great book The Dark Visitor.

In the US, our DoD relies upon professional, uniformed military members, government civilians, and an immense contracting force to defend the nation and project its military power. In China, their PLA mixes uniformed military with ordinary civilians, some of whom act at the behest of the military and government, with others acting on their own for "patriotic means."

This latter model is almost unheard of in the US and completely outside any formalized mechanism offered by the DoD. Imagine a group of "patriotic" teenagers approaching the DoD, saying they had hacked into some uber-secret Chinese network! How would generals even wrap their heads around such a scenario? That's illegal! Those kids aren't cleared! Government officials cannot accept donations!

This creates an amazing scenario. In one corner, the military-industrial complex. In the other, the People's Army. Who will win?

During the panel the question of recruiting "cyber warriors" was raised. I responded that recruitment wasn't the real problem; retention is. I left the Air Force Information Warfare Center (along with 31 of my fellow 32 company grade officers) because there was no career path that could keep me "in front of a computer screen." (That reminds me of the problems pilots have "staying in the cockpit.") When I was told it was "time to move," I was given the choice of being a protocol officer, a logistics officer, or an executive officer. The Air Force calls this "career broadening." I decided to broaden my way right out of the service rather than accept any of those non-intelligence, non-cyber jobs. I am hopeful the new Cyber Command will give young officers a real future conducing computer operations.

We discussed open source software briefly. I told the audience that if Windows XP were open source, no one would really care if Microsoft ended support. If the OS were truly that important to the mission, and it was an open source product, the Air Force could fork it and maintain its own patches and development. I am constantly amazed that some people advocate Microsoft's commercial "support" for XP as a reason for shunning open source software, when those "customers" are being instructed by Microsoft to migrate to Vista as XP's support ends.

I still think the Air Force's decision to stick with Microsoft was stupid. Can you imagine it's been almost four years since the AF-Microsoft super deal was signed? Think of all the Microsoft-targeting client-side attacks that could have been avoided if the client had not been running applications on Microsoft Windows.

Yes, I know, other operating systems have problems, other applications have problems, client-side attacks aren't everything, blah blah. Shifting to something other than Windows would still have increased the intruder's cost of exploitation. Suddenly instead of focusing all their R&D on attacking Windows, the bad guy has to open a second exploit development shop, and be far more careful when attacking the Air Force. What did NSA spend all that effort on SELinux for anyway?

Overall, I really enjoyed the panel and even got to visit a few friends from way back in the Air Force CERT who also attended the conference. I met some cool people on the panel too. Please feel free to reunite us anytime!Copyright 2003-2008 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)