Tag Archives: cybersecurity

Automated Cyber-Security Systems: DARPA

data

From the DARPA website:

DARPA’s Cyber Grand Challenge takes aim at an increasingly serious problem: the inadequacy of current network security systems, which require expert programmers to identify and repair system weaknesses—typically after attackers have taken advantage of those weaknesses to steal data or disrupt processes. Such disruptions pose greater risks than ever as more and more devices, including vehicles and homes, get networked in what has become known as “the Internet of things.

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere—a process that can take months from the time an attack is first launched,” said Mike Walker, DARPA program manager. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

To help accelerate this transition, DARPA launched the Cyber Grand Challenge, the first computer security tournament designed to test the wits of machines, not experts. The Challenge plans to follow a “capture the flag” competition format that experts have used for more than 20 years to test their cyber defense skills. That approach requires that competitors reverse engineer software created by challenge organizers and locate and heal its hidden weaknesses in a live network competition. The longest-running annual capture-the-flag challenge for experts is held at an annual conference known as DEF CON, and under the terms of a new agreement the Cyber Grand Challenge final competition is scheduled to co-locate with the DEF CON Conference in Las Vegas in 2016…

At the event, computers that have made it through a series of qualifying events over the next two years would compete head-to-head in a final tournament. Custom data visualization technology is under development to make it easy for spectators—both a live audience at the conference and anyone watching the event’s video stream worldwide—to follow the action.   Details about the Cyber Grand Challenge and some of the other registered teams can be found at www.cybergrandchallenge.com.

Hacking Back: controlling hackers from defense to offense

CrowdStrike is a vocal advocate of “active defence” technologies that are generating much buzz in the cyber-security world. Their proponents argue that those who think firewalls, antivirus programmes and other security software are enough to keep their networks safe are kidding themselves. Instead, companies should work on the assumption that their systems have been breached, and take the fight to the hackers. The methods they prescribe include planting false information on their systems to mislead data thieves, and creating “honeypot” servers, decoys that gather information about intruders.  There are worries that such talk of active defence may encourage companies to go further, and “hack back” at their tormentors, even though many countries have laws that forbid such activity. In a survey of 181 delegates at last year’s Black Hat event, just over a third said they had already engaged in some form of retaliation against hackers.

Concerns about cyber-vigilantism have not deterred financiers from investing in tech firms that see active defence as a money-spinning opportunity. Take the case of Endgame, a secretive outfit that is adapting technology developed for intelligence agencies for commercial use. In March it raised $23m in a second round of funding and added Kenneth Minihan, a former director of America’s National Security Agency, to its board. Endgame has reportedly developed a system called “Bonesaw” that detects which software is being used by devices connected to the web. This could be used defensively by companies to detect vulnerabilities on their own devices, but could also be used to spot them on someone else’s.

Like many other information-technology businesses, the active-defence firms are deploying cloud computing (the delivery of software and data storage over the internet) and big-data crunching. CrowdStrike has developed a cloud-based service that scoops in intelligence about online threats from across the web and merges them with analysis from its own research team. It charges its customers from $25,000 to hundreds of thousands of dollars a year for its services. At the Black Hat conference researchers from Endgame demonstrated a system dubbed “BinaryPig”, which crunches huge amounts of data swiftly to help identify and understand hackers by seeking patterns in the “malware” that they use to enter others’ systems.

Other companies are concentrating on technology to foil software that hackers use to enter websites to indulge in wholesale “scraping”, or extraction, of their content. CloudFlare, one such start-up, has developed a service called Maze, which it proudly describes as “a virtual labyrinth of gibberish and gobbledygook”. The service detects content-scrapers and diverts them from the site’s useful material into dummy web pages with useless content.

John Strand, an expert in active-defence techniques at SANS Institute, a computer-security training outfit, says the goal of all these technologies is to drive up the costs that hackers incur in the hope this will deter them in future. It is not to wreak havoc in enemy servers. “We deal in poison, not venom,” he says.

But some security boffins argue that companies should be given more legal latitude to probe those servers. Stewart Baker, a former Department of Homeland Security official who now works for Steptoe & Johnson, a law firm, thinks firms should be allowed to “investigate back” in certain carefully prescribed situations. “There’s a difference between being a vigilante and a private investigator,” he insists. He also suggests that governments should consider licensing specialist firms to conduct investigations according to strict guidelines, rather than relying solely on their own cyber-detectives.

Other voices in the industry give warning that letting private companies hack into others’ servers, even to protect their own property, could lead to trouble. “It’s a foolish strategy to up the ante when you don’t know who you are attacking,” says Jeffrey Carr of Taia Global, a security consultancy. Mr Carr notes that hackers who are provoked might strike back even harder, triggering an escalation of hostilities.  Even some of the techniques employed by firms such as CrowdStrike could land firms in trouble. For instance, it might seem cunning for a company to try to trick hackers into losing money, by planting dummy accounts somewhere on their system that made the company’s financial health seem much worse than it is. But if instead of just using the misinformation to make unwise trades, the hackers leaked the figures to the financial markets, the company could find itself in hot water with regulators.

In spite of such risks, which can be minimised through close co-ordination between companies’ IT and legal teams, security experts are predicting that the popularity of active-defence techniques will grow. One reason is that businesses are making increasing use of cloud computing and mobile devices such as smartphones, which make it harder to establish clear defensive perimeters around their IT systems. “If you don’t really know where your castle starts and ends, you can’t really build an effective wall and moat around it,” explains Nils Puhlmann, formerly chief security officer of Zynga, a social-gaming company, and a founder of the Cloud Security Alliance, an industry group.

Business and cyber-crime: Firewalls and firefights, Economist, Aug. 10, 2013, at 53

Cyberespionage in South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

The Illusion of Privacy: CISPA

medical records

When a coalition of internet activists and web companies scuppered the Hollywood-sponsored Stop Online Piracy Act (SOPA) last year, they warned Congress that future attempts to push through legislation that threatened digital freedoms would be met with a similar response. Now some of them are up in virtual arms again, this time against the Cyber Intelligence Sharing and Protection Act (CISPA)….

Its fans, which include companies such as IBM and Intel, say the bill’s provisions will help America defend itself against attempts by hackers to penetrate vital infrastructure and pinch companies’ intellectual property. CISPA’s critics, which include the Electronic Frontier Foundation, a digital-rights group, and Mozilla, the maker of the Firefox web browser, argue that it could achieve that goal without riding roughshod over privacy laws designed to prevent the government getting its hands on citizens’ private data without proper judicial oversight.

CISPA aims to encourage intelligence-sharing…  [CISPA requires of companies] to be more forthcoming by offering them an exemption from civil and criminal liability when gathering and sharing data about cyber-threats…[T]he bill is vague about what sort of information on cyber-threats can be shared. So in theory everything from e-mails to medical records could end up being shipped to intelligence agencies, even if it is not needed. Harvey Anderson of Mozilla says CISPA “creates a black hole” through which all kinds of data could be sucked in by the government.

The bill does forbid the use by officials of personal information from medical records, tax returns and a list of other documents. But its critics say it would be far better if companies had to excise such data before sharing what is left. They also note that the broad legal protection CISPA offers to firms could be abused by companies keen to cover up mishaps in their handling of customer data. A more carefully worded legal indemnity would stop that happening.

All this has exposed a rift in the internet world. Whereas Mozilla and other firms want CISPA to be overhauled or scrapped, some web firms that helped sink SOPA seem ambivalent. Google claims it has taken no formal position on the draft legislation and is “watching the process closely”. But TechNet, an industry group whose members include the web giant and Facebook, has written to the House Intelligence Committee expressing support for CISPA. If Google and other web companies do have doubts about some of the bill’s provisions, now would be the time for them to sound the alarm.

Cyber-Security, From SOPA to CISPA, Economist, Apr. 20, 2013, at 32

The Secret Bugs: Exploits

computer code

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.

The Pipeline Cyberwar

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyberinfiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations.

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines…. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

• Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

• Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

• There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

• TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated….

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. The incidents drew new attention to an Al Qaeda video obtained in 2011 by the Federal Bureau of Investigation (FBI) reportedly calling for “electronic jihad” against U.S. critical infrastructure.  These cybersecurity events coupled with serious consequences from recent pipeline accidents have heightened congressional concern about cybersecurity measures in the U.S. pipelines sector.

Excerpt, Paul W. Parfomak, Pipeline Cybersecurity: Federal Policy, CRS Report for Congress, Aug. 16, 2012

Digital Bombs: DARPA and the Digital Battlefield

The Pentagon is turning to the private sector, universities and even computer-game companies as part of an ambitious effort to develop technologies to improve its cyberwarfare capabilities, launch effective attacks and withstand the likely retaliation.  The previously unreported effort, which its authors have dubbed Plan X, marks a new phase in the nation’s fledgling military operations in cyberspace, which have focused more on protecting the Defense Department’s computer systems than on disrupting or destroying those of enemies.  Plan X is a project of the Defense Advanced Research Projects Agency, a Pentagon division that focuses on experimental efforts and has a key role in harnessing computing power to help the military wage war more effectively.  “If they can do it, it’s a really big deal,” said Herbert S. Lin, a cybersecurity expert with the National Research Council of the National Academies. “If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”

Cyberwarfare conjures images of smoking servers, downed electrical systems and exploding industrial plants, but military officials say cyberweapons are unlikely to be used on their own. Instead, they would support conventional attacks, by blinding an enemy to an impending airstrike, for example, or disabling a foe’s communications system during battle.  The five-year, $110 million research program will begin seeking proposals this summer. Among the goals will be the creation of an advanced map that details the entirety of cyberspace — a global domain that includestens of billions of computers and other devices — and updates itself continuously. Such a map would help commanders identify targets and disable them using computer code delivered through the Internet or other means.

nother goal is the creation of a robust operating system capable of launching attacks and surviving counterattacks. Officials say this would be the cyberspace equivalent of an armored tank; they compare existing computer operating systems to sport-utility vehicles — well suited to peaceful highways but too vulnerable to work on battlefields.   The architects of Plan X also hope to develop systems that could give commanders the ability to carry out speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code — a process considered much too slow.  Officials compare this to flying an airplane on autopilot along predetermined routes.  It makes sense “to take this on right now,” said Richard M. George, a former National Security Agency cyberdefense official. “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

The shift in focus is significant, said officials from the Pentagon agency, known by the acronym DARPA. Cyber-operations are rooted in the shadowy world of intelligence-gathering and electronic-spying organizations such as the NSA.  Unlike espionage, military cyber­attacks would be aimed at achieving a physical effect — disrupting or shutting down a computer, for example — and probably would be carried out by the U.S. Cyber Command, the organization that was launched in 2010 next to the NSA at Fort Meade.  “Because the origins of cyberattack have been in the intelligence community, there’s a tendency to believe that simply doing more of what they’re doing will get us what we need,” said Kaigham J. Gabriel, acting director of DARPA. “That’s not the way we see it. There’s a different speed, scale and range of capabilities that you need. No matter how much red you buy, it’s not orange.”

Plan X is part of a larger DARPA effort begun several years ago to create breakthrough offensive and defensive cyber-­capabilities.  With a cyber budget of $1.54 billion from 2013 to 2017, the agency will focus increasingly on cyber-offense to meet military needs, officials say. DARPA’s research is designed to foster long-shot successes. In addition to helping create the Internet, the agency’s work gave rise to stealth jet technology and portable global-positioning devices.   “Even if 90 percent of their ideas don’t pan out,” said Martin Libicki, a cyberwar expert at Rand Corp., “the 10 percent that are worthwhile more than pay back the difference.”

A digital battlefield map, as DARPA envisions it, would plot nodes on the Internet, drawing from a variety of sources and changing as cyberspace changes.  “In a split microsecond you could have a completely different flow of information and set of nodes,” Gabriel said. “The challenge and the opportunity is to create a capability where you’re always getting a rapid, high-order look of what the Internet looks like — of what the cyberspace looks like at any one point in time.”  The ideal map would show network connections, analyze how much capacity a particular route has for carrying a cyberweapon and suggest alternative routes according to traffic flows, among other things.

The goal would be a visual representation of cyberspace that could help commanders make decisions on what to attack and how, while seeing any attacks coming from an enemy.  Achieving this will require an enormous amount of upfront intelligence work, experts say.  Michael V. Hayden, a former NSA director and a former CIA director, said he can imagine a map with red dots representing enemy computers and blue dots representing American ones.  When the enemy upgrades his operating system, the red dots would blink yellow, meaning the target is out of reach until cyber operators can determine what the new operating system is…

Plan X also envisions the development of technology that enables a commander to plan, launch and control cyberattacks.  A commander wanting to hit a computer that controls a target — a strategically important drawbridge in enemy territory, for example — should be able to predict and quantify battle damage while considering the timing or other constraints on a possible attack, said Dan Roelker, Plan X program manager.

Cyberwar experts worry about unintended consequences of attacks that might damage the flow of electricity to civilian homes or hospitals. A targeting system also should allow operators to stop a strike or reroute it before it damages systems that are not targeted — a fail-safe mechanism that experts say would be very difficult to engineer.  DARPA will not prescribe what should be represented on the digital map.  Some experts say they would expect to see power and transportation systems that support military objectives.

Daniel Kuehl, an information warfare professor at the National Defense University’s iCollege, said the Air Force built its history around attacks on infrastructure — in Korea, Vietnam, Serbia and Iraq.  “In all of those conflicts,” he said, “we went after the other side’s electricity with bombs.”  Today, he said, cyberweapons could be more humane than pulverizing power grids with bombs.

If a cyberwarrior can disrupt a computer system controlling an enemy’s electric power, the system theoretically can also be turned back on, minimizing the impact on civilians.  But retired Gen. James E. Cartwright, who as vice chairman of the Joint Chiefs of Staff until August pushed to develop military cyber-offense capabilities, said the military is focused less on power grids than on “tanks and planes and ships and anything that carries a weapon.”  “The goal is not the single beautiful target that ends the war in one shot. That doesn’t exist,” said Cartwright, who is now with the Center for Strategic and International Studies. “The military needs more of a brute-force approach that allows it to get at a thousand targets as quickly as possible.

Ellen Nakashima, With Plan X, Pentagon seeks to spread U.S. military might to cyberspace, Washington Post, May 30, 2012