The Best Defense?

We have all heard the mantra:

“Attackers only have to be right once; defenders have to be right every time.”

It is, of course, complete nonsense and something only people who don’t understand how compromising computers actually works. The more accurate statement is:

“Attackers have to be right every time, and in series.”

To draw a simple analogy, imagine you are about to enter a house that is not yours. You can see the outside of the house and the door into the house, but inside the house it is pitch black. You’ve been inside the same style of house before so you have a rough idea of where the walls and doors and stairways are, but you don’t know what furniture is where and what modifications to the actual house might have been made. To get from the foyer to a bedroom with a treasure chest in the closet involves you taking tiny steps and moving your hands around in front of you in the hopes that you don’t trip on a shoe or knock over a lamp — something that would let the owner of the house know you were there.

Extending the analogy a bit, you worry that the homeowners are not dead asleep. You worry that they have motion sensors installed around the house. That there are infra-red cameras watching you stumble around. That they own night vision goggles and are handy with a shotgun. These are all things that would bring your hunt for treasure to a quick halt and all things that could be deployed against you without your knowledge.

In the never-ending debate over the relative advantages of offense over defense, or vice versa, the trend recently has been to promote defender advantages. Attackers aren’t all that because this is your house! Nobody ****s with you in your house! 

The problem of course is that you might live in the metaphorical house, but you also might have no earthly idea how to use it to your advantage. If you’ve owned several houses in different parts of the country over the course of several decades, this is all old hat, but the new homeowner (so to speak) lacks a great deal of your knowledge and experience. 

Take recent events in Texas as an example. People who live in the northern part of the country know exactly what to do when the temperatures drop below a certain level in order to prevent their water pipes from freezing. If you’ve only ever lived in Texas and never experienced epic cold relative to the region, you’re going to have a bad day. The temperatures may be back to normal, but the cost, suffering, and inconvenience associated with those rare days lingers.

There is a growing chorus of defenders who are piling on the suffering and woe of other defenders (sometimes “defenders”) because the latter are not taking advantage of the benefits ‘home ownership’ affords. This is a special kind of arrogance considering:

  • You have no idea how complicated someone else’s network is.
  • You have no idea how skilled or knowledgeable another defender is.
  • You have no idea what resources that defender has (or doesn’t).
  • You have no idea what competing priorities that person has to contend with.

If you’re only responsible for defending yourself, or your home lab, or a relatively simple IT enterprise, or deal in research and theory, your opinion about what someone else woulda/coulda/shoulda done isn’t particularly useful. It is, in fact, divisive and detrimental. 

At some point in your career you were the person who was under the gun. Who was at a loss. Who didn’t know how they were going to get themselves out of the fix they were in. At that point in time you would have given anything for someone to extend you a hand and help shoulder the burden. There are times when the best thing one can do for cyber defense has nothing to do with technology and everything to do with empathy.

Or keep throwing drowning men bricks and see where that takes the community.

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?

A Brief History of Cybersecurity Advice

Efforts to secure, or in the vernacular of the time “audit” computers, existed before the Ware Report,[1] but it was the report that codified principles and practices that served as the building blocks of what would become the multi-billion-dollar cybersecurity industry. Books like Computer Capers[2] in the 1970s and The Cuckoo’s Egg[3] in the 1980s show just how slowly the field progressed in both the commercial and governmental spheres, and how varied and disconnected cyber defense and crime-fighting efforts were at the time.

If the “wake-up call” associated with both the sovereign-state and non-state-actor threats was not ringing with the events of The Cuckoo’s Egg, the pounding on the door by hotel security was Eligible Receiver 97 (ER97): a no-notice interoperability exercise that had both physical and cyberspace components to it. With regards to the latter, National Security Agency red teams used common hacker techniques and tools freely available online to successfully compromise dozens of military and civilian infrastructure systems.[4]

No sooner did the dust settle from ER97 than the events of Solar Sunrise kicked off: a series of compromises of Department of Defense systems everyone was sure was being perpetrated by Iraq, right up until it was proven it was the work of three teenagers. Solar Sunrise reiterated the point that not only was the ability to apply force online possible with disturbing ease, but that the types of potential threat actors we needed to be concerned about was larger than originally thought, and our ability to deal with them was inadequate.[5]

In the same timeframe the aforementioned events were taking place, a set of recommendations for dealing with such problems was promulgated through the President’s Commission on Critical Infrastructure Protection (PCCIP),[6] which called out the need for:

  • Better policies
  • Public-Private partnerships
  • Information sharing
  • Central coordination and control
  • New or improved organizations and mechanisms to deal with cyber threats and vulnerabilities
  • The need to adapt to this new environment and to be agile enough to respond to emerging threats
  • Legal reforms
  • Improved training, awareness, and education
  • More research and development

These same recommendations were made in the National Plan for Information Systems Protection in 2000,[7] the National Strategy to Secure Cyberspace in 2003,[8] the National Infrastructure Protection Plan in 2006,[9] the Securing Cyberspace for the 44th Presidency report of 2008,[10] and the Comprehensive National Cybersecurity Initiative, also in 2008.[11] For those keeping score, that is 11 years of the same advice, as hacks against commercial and governmental systems kept growing.

It is not until 2010, with the publication of the National Security Strategy (NSS),[12] that some new advice is proffered. The NSS was not exclusively focused on cybersecurity issues, but it continued to recommend partnerships and sharing, better capabilities to deal with threats, training and awareness, as well as R&D. It also highlighted the need for capacity building, as well as the establishment and promotion of “norms.” The DOD Strategy for Operating in Cyberspace (2011), the DOD Cyber Strategy (2018), the National Cyber Strategy (2018), the DHS Cybersecurity Strategy (2018), and the much-hyped Cyberspace Solarium Commission report (2020) all offer a mix of both old and new advice.[13] That’s another 10 years of telling people what ought to be done, while attacks continued apace and their negative impact grew (see Appendix Afor details).

Meanwhile Back at the Server Farm

What impact has all this good advice had on the state of cybersecurity? Well at the federal level the answer is a mixed bag. We have a history of going through “cyber czars” [14] and other senior executives responsible for cybersecurity like most people change underwear.[15] Efforts like Einstein[16] are highly touted, but its effectiveness is often called into question.[17] Every military service has to have its own “cyber command” – not counting the actual Cyber Command – and all sorts of efforts are underway to try and reinforce the ranks with information-age skills[18] in very much industrial-age institutions, with predictable effect.[19] It is hard to think about events like successful attacks against government systems during Allied Force,[20] the efforts of “patriotic hackers” after the EP3 force down,[21] the accidental bombing of the Chinese embassy in Belgrade,[22] the scope and scale of damage associated with the OPM hack,[23] and the loss of offensive tools from not only the CIA[24] but also the NSA[25] and not wonder about the value of this evergreen advice.  

At the state, local, and tribal level the situation is far worse. They have all the same functions of government to execute as their counterparts at the federal level, but none of the budget or human resources. Municipally focused ransomware attacks of the past few years are illustrative of the problem and how difficult it is to address.[26]

In the commercial sector the situation is not much better. The government has an obligation to look after the well-being of its citizens; private enterprise is driven by a profit motive and the interests of a tiny sub-set of the citizenry: shareholders. Time and time again we see ‘risk acceptance’ as the reason for failing to adhere to sound security practice, and why not? The amount of money that can be made before the inevitable compromise far exceeds the amount required to clean up the mess and compensate the victims. No one is in the cybersecurity business, not even cybersecurity companies, they are just in business.

What Might be Wrong?

21 years of asking people to do the “same old” and expecting a different result calls into question the sanity of those giving the advice, and the advice itself. The author lacks the medical qualifications to assess anyone’s mental health, but one can examine the advice given and formulate some reasonable theories to consider.

This may be the wrong advice. No one who has worked in this field for any length of time has much good to say about public-private partnerships, information sharing schemes, or the state of security awareness training. Big “R” research that has practical implications is rare, while little “r” research as presented in most conferences is lost in a wilderness of wheel-reinvention and stunt hacking.

The right advice, not always the right audiences. The number of organizations that can actually derive benefit from following such advice is actually quite small, though they themselves tend to be quite large. The security poverty line is a real thing,[27] and maybe expecting the largest segment of the economy (small and medium sized businesses) to carry on like they are JPMorgan Chase with its half-billion-dollar security budget is a bridge too far.[28]

Good advice, bad implementation. We are free with advice but parsimonious when it comes to things that would lead to adherence. With a few exceptions, everything is voluntary. We suggest, we do not mandate. We cajole we do not require. We encourage but we do not incent. Everyone is hesitant to use a stick, but we make no effort to offer carrots. Outside of the military and certain government circles, cybersecurity is something people are obliged to have, not anything they want. We appeal to people’s sense of patriotism or talk of “doing the right thing,” but the NSA is not here to save your private enterprise, and advice from people on high horses is hard to swallow.[29]

What Might Make Things Better?

If those in both policy and technology circles can agree that the recommended advice is sound, then we should be examining how we might do things differently, and how we can demonstrate success.

If it matters measure it. At a high level, asking for “better” does not make sense if you do not define what “better” means. Not hand-wavy abstractions, but hard metrics that can be measured, communicated, and evaluated.

The most important efforts must be mandatory. No one does anything voluntary for long. Such efforts start well, and everyone participating means well, but it quickly becomes number 11 on the top 10 list of things to do. Particularly with regards to government and critical infrastructure providers, no one should be able to lobby their way out of their responsibilities, which leads us to…  

Align everyone’s incentives. I am not aware of any meaningful metrics on the value of being a member of an ISAC, ISAO, or joining InfraGard (and the author has been on both sides of these relationships). In the political sphere telling someone to do something without providing resources has a name: unfunded mandate. Better security does not pay for itself. There are any number of incentives that might be offered that would drive compliance, but incentives are almost never an agenda item in panel or policy discussions.

Limited liability and full accountability. Those who provide data to help assess threats and gauge risk must be provided sufficient protection against adverse legal action (short of negligence or incompetence).[30] The lack of such data in sufficient volume makes it hard to understand the scope of the problems we face.[31] Likewise, we have to stop pretending that code, in the right context, is any different than concrete, steel, or silicon. You do not pick random people off the street to build a suspension bridge or pacemaker. This is not a call for a licensing scheme nor protectionism, but adherence to standards and imposing costs on those who willingly fail to do so.

More R&D only makes sense if you know the state of the art. There is no dedicated repository of cybersecurity knowledge that researchers at the academic, corporate, or independent levels can access to understand what prior art exists in any given security discipline. We cannot hope to level-up the science portion of the art-and-science that is cybersecurity without adhering to more scientific practices, of which a repository is a cornerstone.

Recognize the limitations of political approaches. No nation is giving up the advantages that operating in cyberspace affords them in a military or intelligence context. “Norms” are a double-edged sword; if you expect others to adhere to them, you are obliged to do the same. Now re-read the first sentence. What we may want to accomplish politically and what the Internet as-designed will allow are two different things. Aspiring Achesons and Kennans that improve their understanding of the technology that underpins cyberspace will develop approaches more likely to produce positive, achievable results.

The Next 10 Years

If history is any indication, we are a few short months away from the release of another set of policy recommendations that will encompass most of the ideas put forth previously. It will almost certainly contain nothing novel, but it will be received with a great deal of sound and fury, repeated over again annually, signifying nothing.

Forward progress in cybersecurity is entirely dependent upon the will of political leadership. Understandably blood, not bytes, takes precedence in governmental affairs, but our willingness to be so casual about something we claim to be a priority suggests that cybersecurity is not the issue we in cybersecurity think it is. That is a fair point: stealing credit card numbers, social security numbers, medical files, even taking over one’s entire identity does not equate to death. 

But the fact of the matter is that, by and large, we only learn from death. Nothing is really a problem until the body count is high enough, at which point it comes a national imperative. One need only remember their last trip to the airport to realize that this is not hyperbole. Cybersecurity is one field where we have a rare opportunity to bring about meaningful change before we have to hold a memorial service for those we lost.

Better security is a three-legged stool: You need to identify the problem, you need to devise a solution, and you need to measure the effectiveness of that solution. What has impact stays, what does not goes back to the drawing board. For 21 years we have been reinforcing two of those legs and wondering why we are still falling over. Repeating the same mantra while continuing to plug random boxes into a global network is the cyberspace equivalent of “thoughts and prayers.”

This is not a call to declare a war on cyber insecurity, if for no other reason than the wars on drugs and poverty have not exactly produced ideal results. It is a declaration that if something is worth doing then we should do it properly or reprioritize accordingly. To the extent that cybersecurity practitioners have been crying “wolf” for the past few decades, mea culpa, but it is worth remembering that eventually the wolf shows up.


[1] https://en.wikipedia.org/wiki/Ware_report

[2] https://www.amazon.com/Computer-Capers-Thomas-Whiteside/dp/0451617533

[3] https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)

[4] https://en.wikipedia.org/wiki/Eligible_Receiver_97

[5] https://www.globalsecurity.org/military/ops/solar-sunrise.htm

[6] https://www.hsdl.org/?abstract&did=487492

[7] https://www.hsdl.org/?abstract&did=341

[8] https://us-cert.cisa.gov/sites/default/files/publications/cyberspace_strategy.pdf

[9] https://www.cisa.gov/national-infrastructure-protection-plan

[10] https://www.csis.org/analysis/securing-cyberspace-44th-presidency

[11] https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative

[12] https://obamawhitehouse.archives.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf

[13] https://www.solarium.gov/report

[14] https://www.nbcnews.com/id/wbna6151309

[15] https://www.cnn.com/2020/11/17/politics/chris-krebs-fired-by-trump/index.html

[16] https://www.cisa.gov/einstein

[17] https://www.business2community.com/cybersecurity/dhs-einstein-fail-01462281

[18] https://www.goarmy.com/army-cyber/cyber-direct-commissioning-program.html

[19] https://thehill.com/opinion/cybersecurity/391426-pentagon-faces-array-of-challenges-in-retaining-cybersecurity-personnel

[20] https://www.researchgate.net/publication/228605067_The_Cyberspace_Dimension_in_Armed _Conflict_Approaching_a_Complex_Issue_with_Assistance_of_the_Morphological_Method

[21] https://www.wired.com/2001/04/a-chinese-call-to-hack-u-s/

[22] https://www.wired.com/1999/09/china-fought-bombs-with-spam/

[23] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[24] https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html

[25] https://en.wikipedia.org/wiki/The_Shadow_Brokers

[26] https://www.nytimes.com/2020/02/09/technology/ransomware-attacks.html

[27] https://www.uscybersecurity.net/csmag/the-cybersecurity-poverty-line/

[28] https://www.forbes.com/sites/stevemorgan/2016/01/30/why-j-p-morgan-chase-co-is-spending-a-half-billion-dollars-on-cybersecurity/?sh=2e4f84062599

[29] https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/

[30] https://www.lexology.com/library/detail.aspx?g=91d7fce9-4f04-4376-b4ae-b80b141f9291

[31] We are, effectively, at the mercy of private security companies who choose to publish reports on the findings they extract from the cases they are called upon to support. While informative, such reports capture the details of a fraction of a percentage of the total number of cases worldwide.