"What's New" Newsletter (SecurityCritics.org and Vmyths.com)
Truth About Computer Security Hysteria
{12 February 2007}

IN THIS ISSUE:
The editor's notepad

-----------------------------------------------
Want to join or leave this mailing list? Visit
http://newsletter.SecurityCritics.org for instructions...
-----------------------------------------------

THE EDITOR'S NOTEPAD
Two very interesting news stories popped up on the radar screen.
Follow http://Vmyths.com/mm/url/7/4.htm for the first one. General
Ronald Keys, the commander of USAF's Air Combat Command, "said it
would probably take a cyber version of the 9/11 attacks to make the
U.S. realize that barriers to action in cyberspace should be re-
evaluated." He went on to bemoan how the Air Force cannot stop U.S.
antivirus firms that admit they armed China with offensive virus
technology that could cripple the Air Force.

Follow http://Vmyths.com/mm/url/7/5.htm for the second story. U.S.
military wonks met with civilian bureaucrats to discuss how they'll
respond if a foreign government launches a "cyber version of the 9/11
attacks." When that day comes, the president "would consider
launching a [digital] counterattack or [physical] bombing the source
of the cyberattack."

Okay, okay. Keys didn't actually say "I fear the U.S. antivirus
industry that gladly arms hostile nations for a war against the Air
Force." You need to read between the lines. Anyway...

When you put these two stories together, it raises an obvious
philosophical question. How can we drop bombs on another country if
USAF's antivirus "solution" fails so badly that they can't launch
aircraft?

But there's also a hidden issue here -- there are two deep flaws in
USAF's "cyber" mission. I've been pondering these flaws for a
loooooong time; the recent news stories give me the impetus to
discuss it.

If you go to the second story, you'll see a telltale quote by an Air
Force engineer named Jim Collins. "'The Air Force hasn't just been
standing by,' he said, noting that in November, the Air Force added
the mission to fight in cyberspace by creating a new Cyber
Command. 'We're standing up cyber-fighters to do network warfare,'
Collins said. 'Where we had pilots before, we'll have fighters in
cyberspace."

Granted: it sounds ridiculous to say a fighter jet will "fly" across
the Internet. But if you think about it, an army tank is really just
a horse-drawn cannon, and a fighter jet is really just a flying
tank. An airman surfing on a laptop is really just a soldier riding
in a digital Jeep.

Believe it or not, the Internet can apply traditional Air Force
doctrine for things like "counter-offensive air," "suppression of
enemy air defenses," and "close air support." When North Korea
disables USAF's antivirus software, that's "suppression of enemy
cyber defenses." When USAF shuts down North Korea's power grid,
that's "counter-offensive cyber." When North Korea swamps the Kunsan
Air Base telecom network while soldiers physically cross the DMZ,
that's "close cyber support."

So! What's the first flaw in USAF's "cyber" mission?

USAF has placed its new "cyber" mission under Air Combat Command,
which suffers from a die-hard "fighter pilot" mentality. They've
always seen "cyber" in a supporting role, not an operational role.
Worse: USAF's award-winning "Intercom" magazine perpetuates the
notion of "cyber" as a support function. No embedded reporter filed
a story in 2003 that said "the Air Force could have launched a
Hellfire missile, but they opted instead for a computer virus..."

Certainly, the LACK of "cyber attack" news was noticeable when
IraqWar v2.0 hit store shelves. Did we hear about computer
programmers fighting the Iraqis over the Internet? No! We only
heard about laser-guided bombs that snuck into buildings through the
smokers' lounge. The lack of "cyber attack" news means cyber must
have been just another word for "intelligence." Someone gazed at a
satellite photo and said "let's bomb the little circle on the north
side of this building. It's a satellite dish. Oh, and let's bomb
the little square on the west side of that building. It's a diesel
generator for their telecommunications closet."

The LACK of "cyber attack" news in the Iraq War tells us USAF doesn't
yet see "cyber" as a true mission. If you visit USAF's web site
these days, you'll see they're infatuated with F-16 fighter jets and
Purple Heart medals. Air Force officials want to sell cyberspace as
a "mission," but their own sales brochures make it sound like
a "force multiplier."

That's the first flaw. Now let's tackle the second flaw.

General Keys is a fighter pilot. There are also bomber pilots, cargo
pilots, and recon pilots. These four types of pilots can exist in
the cyber world, too. A cyber-fighter pilot would launch a computer
virus at an enemy network. A cyber-bomber pilot would blow up an
enemy database. A cyber-cargo pilot would haul massive amounts of
data to USAF bases around the world. A cyber-recon pilot would
intercept enemy emails. A forward cyber controller would direct
pilots to their targets...

Here's the second flaw -- USAF's "cyber" mission doesn't include
cargo pilots. Long-haul digital cargo is transported by the
Pentagon's Defense Information Systems Agency!

I filed various "Freedom of Information Act" requests over the last
half-year in an effort to study the Air Force cyber-cargo mission.
It's truly pathetic. Even USAF's doctrine for cyberspace
(their "AFDD 2-5" book) glosses over the role of cyber-cargo missions.

General Keys earned his wings in fighter jets like the F-4, the A-10,
and the F-15. He's not a cargo pilot! You talk to him about "cyber"
and he describes it as a SEAD mission flying over the Internet. I
hear NO visionary talk about a "Cyber Mobility Command." Where's
General Ronald Fogelman when you need him?

"This is amazing, Rob! Why did you do all this research?" Well,
there's this U.S. Navy two-star admiral who needs ammunition. He
uses it against Air Force bureaucrats who can't stop talking about
their newfangled "cyber" mission...

That's enough for this edition. My best to y'all. Please keep
fighting the "AFDD 2-5" hysteria.

Rob Rosenberger, editor
http://Vmyths.com
Rob@...

--------------- Useful links ------------------

A-Z list of computer virus hoaxes
http://Vmyths.com/hmul

How to spot a hoax computer virus alert
http://Vmyths.com/resource.cfm_id=19&page=1.htm

Reduce virus hoaxes inside your company
http://Vmyths.com/resource.cfm_id=20&page=1.htm

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm.htm

Hoaxes NOT related to computer security
http://Vmyths.com/hmul/11

Comedy vs. virus hysteria? Believe it!
http://www.HumorControl.org