Wednesday, October 26, 2011

To Cyber Attack or Not to Cyber Attack?

It has been reported recently that the Obama Administration decided against using cyber warfare to suppress Libya's air defenses as the US sought to aid the rebels attempting to overthrow the Qaddafi regime. Why the reluctance to use a modern, bloodless attack mode?

Libya Before Qaddafi

I spent 5 weeks in Libya on a temporary duty (TDY) assignment in 1964. I was with the US Air Force stationed at Bitburg AFB in Germany. I was, at the tender age of 26, the Chief of Periodic Maintenance for our F-105 squadron. We deployed F-105s to Wheelus AFB, Libya, for pilot training in air-to-air, and air-to-ground combat. I headed up the maintenance squadron of over 100 enlisted men.

I remember my first tour of Wheelus. It was a vast base ideally located for flying off into the Libyan desert (90% of Libya is desert), dropping bombs on the sand dunes, and then returning for a dip in the Mediterranean and a cold beer at the O-Club. The down side of Wheelus was the heat (the highest naturally occurring temperature ever recorded on earth occurred in the Libyan desert). We regularly experienced day-time temperatures of over 45C (113F). One section of the base was reserved for the Libyan Air Force. It consisted of a couple of C-47 "Gooney Birds" and a like number of Cessna, T-37, "Tweet," twin engine trainer-attack aircraft.

Libya Before the Uprising

By 2010, Libya's air force was the largest in North Africa. It was headquartered at Okba Ben Nafi Air Base -- formerly Wheelus and Methega Air Bases -- located 7 miles due east of Tripoli. This was a relatively well-equipped air base that had been developed with Russian assistance to support and maintain over 200 combat aircraft. Another large air base was located at Benghazi and a third, Gamal Abdul Nasser Air Base, was situated a few miles southwest of Tobruk. Two other air bases were located near the Egyptian border -- at Al Kufrah Oasis and at Jabal al Uwaynat in the far south. Overall, the Libyan air force was believed to consist of over 500 combat aircraft, with some reports suggesting the number was as high as 700, including  MiG-23s, MiG-25s, Su-24, Fencer 'D's, Su-27s and Mirage F.1EDs. At least one squadron of Tu-22 bombers were known to be located at Okba Ben Nafi AB.

Libya deployed the SA-2, SA-3, and Crotale missiles. At least one battery of each of these types were spotted at each of Libya's three main air bases (Okba Ben Nafi, Benghazi and Gamal Abdul Nassar). One battery of Crotale sites had been detected at each of the two smaller bases in the southeast. The Libyan Army also operated three SA-5 batteries at undisclosed locations -- probably in storage.

NATO Aids the Uprising Against Qaddafi

The New York Times reports that according to military officials, American warplanes struck at Libyan air defenses about 60 times, and remotely operated drones have fired missiles at Libyan forces about 30 times, since the United States handed control of the air war in Libya to NATO in early April. Today, Aljezeera reports that Libya's air force "no longer exists as a fighting force" following the devastating air strikes by international coalition forces, a British military officer has claimed.

There are no reports on the casualties that Libyan regular forces may have suffered as a result of the air strikes that targeted Libya's air defenses. A U.S. Air Force F-15E Strike Eagle fighter jet crashed in Libya, but it was the result of a mechanical failure, not hostile fire, and its two crew members managed to eject to safety. It was the first coalition aircraft to have crashed in the three days of air strikes over Libya up to that time.

It's not necessary to detail the costs and risks of conventional air defense suppression methods to understand that a cyber attack would be cheaper, less risky, and, at least in the short term, equally effective. Only if the objective is to eliminate air defense capabilities in the long term, would conventional methods be the choice.

Why the US Didn't Use Cyber Warfare

According to reports, the Obama administration intensely debated whether to open the Libyan air campaign with a cyber attack to disrupt and disable the Qaddafi government’s air-defense system, which might have threatened allied warplanes (although this is unlikely). The objective would have been to break through the firewalls of the Libyan government’s computer networks to sever military communications links and prevent the early-warning radars from gathering information and relaying it to missile batteries aiming at NATO warplanes.

But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress.

Early in 2010, the US Deputy Defense Secretary warned of cyber warfare’s appeal to potential foes who are unable to match the U.S.'s conventional military might. An enemy could deploy hackers to take down U.S. financial systems, communications and infrastructure, he suggested, at a cost far below that of building a trillion-dollar fleet of fifth-generation jet fighters. "Some governments already have the capacity to disrupt elements of the U.S. information infrastructure." The nation's top intelligence official warned that cyber-enemies have already "severely threatened" U.S. computer systems, and said that, "Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication."

United States Cyber Command

But the US military has been working for years on developing its own sophisticated Information Operations (IO) capability and cyber warfare is the most technologically advanced and perhaps the most militarily important element of this IO capability.
  • The Air Force is developing the ability to infiltrate any computer system anywhere in the world completely undetected. It plans to slip computer code into a potential foe's computer and let it sit there for years, maintaining a low and slow gathering paradigm to thwart detection.
  • The Army is developing techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications.
  • And the Navy is developing a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions.

In fact, the US established the United States Cyber Command (USCYBERCOM) on May 21, 2010. USCYBERCOM “plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

USCYBERCOM coordinates the cyber activities of the various military departments. Service elements include Army Cyber Command (ARCYBER); 24 AF/ Air Force Cyber Command (AFCYBER); Fleet Cyber Command (FLTCYBERCOM); and Marine Forces Cyber Command (MARFORCYBER).

US Capabilities and Limitations

According to some IT experts, the US is one of the top three of nations in terms of cyber warfare capabilities; the other two are China and Russia. The US is concerned that if it is discovered using cyber war against an enemy, other countries would not hesitate to respond by using cyber war against our infrastructure and/or interests. In other words, the US views cyber war in the same way it views conventional war -- you bomb me, I'll bomb you. That premise is certainly debatable (does anyone really believe that North Korea hesitates to use cyber war to attack the US?), but what isn't debatable is that just as warfare in general has gone beyond the nation state boundary, cyber warfare has certainly done the same -- that is after all, the nature of the beast. Richard Clarke talked about this in a PBS interview.

In their book, Cyber War: The Next Threat to National Security and What to Do About It, Richard Clarke and Robert Knake state that, “Cyberspace includes the Internet plus lots of other networks of computers that are not supposed to be accessible from the Internet. Clarke and Knake point out that cyberspace includes transactional networks that do things like send data about money flows, stock market trades, and credit card transactions; and control systems that just allow machines to speak to other machines, like control panels talking to pumps, elevators, and generators. They go on to say that, “In the broadest terms, cyber warriors can get into these networks and control or crash them.” Certainly, the United States has or is quickly developing these capabilities.

A warning pops up on Iran's Bushehr's SCADA computer screen.
The plant was attacked by the Stuxnet malware.
Ironically, the US has rejected efforts by other nations to institute a cyber war "arms control" treaty. That rejection is probably reasonable, given the difficulty of verifying compliance. Nevertheless, discussion and debate domestically and in international fora is needed.

Unfortunately, the cyber arena, like so many other national issues, has become a partisan battleground, with Republicans forming their own cybersecurity task force as a response to President Barack Obama's May 2011 legislative proposal. Republicans appear to be concerned again with excessive government regulation regarding defensive measures that might be required of private companies who are part of America's critical infrastructure.

So, the Obama Administration's reluctance to undertake an offensive cyber attack against Libyan air defense systems reflects the administration's caution in setting a precedence in a still evolving arena of advanced warfare. One wonders whether the other 21 nations with such capabilities, and the non-nation players assembling cyber capabilities, will be as cautious.

Friday, October 14, 2011

Should You Get a PSA Test?

According to the Mayo Clinic, "Prostate cancer screening can help identify cancer early on, when treatment is most effective. And a normal PSA test, combined with a digital rectal exam, can help reassure you that it's unlikely you have prostate cancer."

But according to a recent finding of the U.S. Preventive Services Task Force,"The vast majority of men who are treated do not have prostate cancer death prevented or lives extended from that treatment, but are subjected to significant harms." The American College of Preventive Medicine (ACPM) does not support the efficacy of PSA tests or the digital rectal exam (DRE) for prostate cancer screening.

PSA tests have been used for men over 50 since FDA approval in 1994. DREs have been done even longer.  When a PSA test turns up prostate cancer in a man with no outward symptoms, that early warning could help him beat a tumor that otherwise would have killed him. But there are two other possibilities: Either the tumor is so aggressive that the patient dies anyway, or it is so slow-growing that it wouldn't have been fatal, even if left untreated.

According to the task force, fully 95% of men whose prostate cancers are detected with PSA tests will be alive 12 years later even if they don't get treatment. And, the panel added, no study on prostate cancer screening has ever shown that screening reduces the number of deaths.

I started having the PSA test, in addition to a digital rectal exam (DRE), annually after age 55.  Over the years, my PSA gradually rose,eventually reaching double digits (no pun intended). My urologist recommended a biopsy. The first one he performed did not reveal any cancer, but my PSA continued to rise, and I had a second biopsy, which did show traces of cancer. Incidentally, although the biopsy is an unpleasant out-patient procedure, and has its own risks (infection, blood in urine and/or sperm), it is not one of your more involved or painful medical tests.

After considering my situation further and doing some research on the Internet, I opted for the "watch and wait" option, rather than having surgery immediately. My urologist was okay with this. While I "watched and waited," I researched treatment options, specialists, and medical centers. I talked with men who'd had various treatments. I documented my findings systematically, using an Excel spreadsheet. I was focused and meticulous. I knew the probable effectiveness and risk probabilities of each form of treatment, from doing nothing, to radical prostatectomy.

I waited a year. After another biopsy showed cancer, I asked to discuss the findings of the biopsy with the local pathologist (tissue samples had been sent to a pathologist in another city, as well as being examined by our local pathologist). The local pathologist was very willing to discuss the results with me and even sat me down in front of a dual microscope and showed me what he was identifying as cancerous tissue. This was a very interesting experience for me and demonstrated quite dramatically how important experience is in the examination of tissue samples, for what the pathologist saw, I would have definitely missed.

Prostate Tissue Sample

I decided that I wanted my prostate removed. For me the deciding factor was my life expectancy. I was 68. Both my parents had lived into their 100s. I opted for a procedure that attempted to preserve the nerves attached to the prostate. These nerves are crucial for a man's erectal function. Nerve-sparing prostatectomy requires very precise surgery, and therefore I chose retropubic prostatectomy; it is more invasive, but provides the surgeon the best clearance.

Once I decided on my treatment, I looked for the best surgeon to do the job. I found the man who pioneered the technique, Dr. Paul H. Lang. He was located at the University of Washington Medical Center in Seattle, a 4-hour drive from where I lived. My urologist did this type of surgery, but I talked to him about it and he agreed that Dr. Lang would likely be a better choice for the technique I'd chosen. It may also have been that given how much effort I'd put into deciding my course of action, he'd rather have someone else responsible for the result. Frankly, I didn't care about hurting his feelings -- it was my prostate, and my future.

I had my prostate surgery 5 years ago and I've been extremely happy with the result. For those pondering their options given the most recent findings regarding screening for prostate cancer, my advise, for what it's worth, is, be your own consultant and advocate. No single test, whether for that pain in your left knee, or your problems urinating, is going to be sufficient for making a decision on screening or treatment.

When it comes to early detection of prostate cancer, and what to do about it, you have to consider all the relevant factors, including your age, health, family history, and so on. The PSA test is simple and painless and can be done along with other blood work. I'd recommend doing it and the DRE annually for men over 55 who have concerns about their predisposition for prostate cancer. If your PSA is elevated, don't panic, take the next steps and gather all the information available to you -- you'll find there's a lot -- before deciding what your course of action will be. And when dealing with your doctor, remember, it's your future.