Cyber Responsibility: The Trickle-Down Effect

There was a time when cyber security was the sole responsibility of IT, but those days are long gone. Today’s executives know better than to presume themselves and their enterprises immune from a cyberattack, which is why staying safe online requires more than an old “do as I say” mentality. A pair of Cisco leaders, CEO John Chambers and SVP and Chief Security and Trust Officer John N. Stewart place the responsibility squarely on the leadership’s shoulders. “The CEO must make it clear that security is not just an IT problem—it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.” (CIO)

Toujours en Avant. I just made this very same argument recently to a room full of CxOs and board members, to varying levels of agreement. You’re never going to convince someone who has had the ‘lead from the front’ mantra drilled into his psyche that there is any other approach, but then in business circles not everyone at echelons-above feels the same way. Regardless of your leadership style, remember one thing: people will focus on whatever they are rated on or compensated for. If cyber security is not something that impacts their personal bottom line, they won’t do it regardless of what you say or do.

We Learn From Death

Why are we perpetually surprised (or not, depending on how you look at it) at the failure of so many at both the organizational and individual level to take cybersecurity seriously? I would argue that most people are placing cybersecurity exactly where it should be when it comes to the myriad risks in their lives, and that is unlikely to change until it is far too late for some.

On the radio the other day there was an interview with an airline crash investigator. Airline crashes are rare, and when one happens the investigation defines “comprehensive.” But contrary to what amateurs or outsiders may think, there is really only one reason why an investigation is conducted:

It’s not to let the families know what happened and it’s not to let the lawyers know what happened, it is to prevent this happening again in the future. That’s absolutely the reason for an air crash investigation.

Closure for the families? Don’t care. Assigning blame so lawyers can address issues of liability? Don’t care. I mean, investigators are human beings, they care on one level, but the true motivation for a crash investigation is singular: reducing the probability that what caused this crash ever happens again. I know you don’t pay attention, but airlines have safety briefings for a reason. They de-ice control surfaces for a reason. You can design and engineer and test all day long, but sometimes problems don’t surface until thousands of hours of flight time under real-world conditions have been logged. To that point:

Aviation has never been safer because we have essentially conquered most of the problems that emerged in the first century of commercial flight. But now we’re starting into the second century of commercial flight and there’s all sorts of new and different challenges.

She goes on to point out that one of those challenges is cybersecurity, but it is not necessarily the most pressing challenge. Why? The interview doesn’t get that in-depth, but it is worth noting that ransomware-for-cockpits is not a thing; aircrews not grokking how automation works is most assuredly a thing.

Stealing credit card numbers, bank account details, social security numbers, medical files, even taking over one’s entire identity doesn’t equate to death. The economics of cybercrime today are such that malicious actors can cause pain, but victims are readily made whole again. In such an environment why would we expect cybersecurity to get better? Why would we expect individuals to care? Why would we expect businesses to do anything more than is absolutely mandated? We don’t catch enough bad guys to provide closure. The industry has successfully fought off efforts to assign liability. The system is basically designed to ensure we will remain victims in perpetuity.

We don’t learn from incompetence, we don’t learn from inconvenience, we don’t even learn from pain: we learn from death. Cybersecurity will get better when people die in sufficiently large numbers. “Cyber” has certainly killed, but as callous and morbid as this sounds, it hasn’t killed enough. How much is enough? I suspect a lot more than have died due to pilot error.

Better Design, Better Security Participation?

A new study by NIST found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.” (Biometric Update)

Security products are developed by security nerds, for security nerds, who are an increasingly rare breed. Think about how you get a new app for your phone: search, click link to install, start using app. Now think about all the flaming hoops you had to jump through the last time you had a security problem, or tried to install some security mechanism. The less users have to think about making sound security decisions, and the easier it is for them to take action, the less likely they are to become victims. Hard core security wonks will laugh at the idea of cybersecurity UX, but there is a reason why the more elegant and efficient a tool, the more passionate its users.

Good Cyber Security is Not Glamorous

One of the more common reasons why most organizations push back on spending for cyber security is the lack of a “return on investment.” All that fancy, shiny cyber-y stuff costs a lot of money without providing a clear benefit that is commensurate with the expenditure. Firewalls are expensive. IDS/IPS are expensive. SIEMs are expensive. Talent to run it all (if you can even find it) is expensive.

Yet for all that expense the end result may still be a breach that costs millions of dollars, and the source of that breach is almost assuredly something that makes all that expense seem like a waste, not an investment. Advancing cyber security starts with promulgating the message that like most things in life: success is about the grind.

The Importance of Blocking and Tackling

A good, sound security capability can in fact be very pedestrian. Take some time to look at the SANS Top 25 (formerly 10) lists going back several years. Do the same thing for the OWASP Top 10. If you look closely you’ll notice that while names may change, the basic problems do not. Buffer overflows and cross-site scripting are not “advanced” or “sophisticated” but they work. All year, every year.

Addressing the most common security problems facing any enterprise does not require floor-to-ceiling displays showing maps of the world and stoplight charts and data flows from country to country. It doesn’t require a lot of software or hardware or subscriptions or licenses or feeds. The biggest problems are the most common ones that don’t necessarily require advanced skills or technology to resolve. You can harden your enterprise against the most likely and most dangerous problems without ever talking to a salesperson or worrying about how much you’re going to have to pay that guy with all the letters after his name.

Are You Ready For Some Football?

It wouldn’t be fall without a football analogy, so here is the first one of the season: If you knew who Odell Beckham Jr. was before Lena Dunham did, you know where I’m going with this. If you didn’t, go to YouTube and enter his name, I’ll wait…..

Amazing plays are not the result of practicing acrobatics in full pads. Wide Receivers don’t take contortionist classes. Training for football season at any level is about fundamentals. Everyone doing the same drills, or variations on a theme, that they’ve done since they first put on a helmet. Why? Because the bulk of success on the field is attributable to fundamentals. Blocking and tackling. Plays that make the highlight reels are the result of individual athleticism, instincts, and drive, but no receiver gets into position to make the highlight reel without mastering the basics first.

A team of journeymen who are well versed in the basics alone may not make the playoffs, much less the Super Bowl, but that’s not the point; you want to avoid being beaten by the second string of the local community college. If you want to know how well buying expensive “solutions” to your problems works, I invite you to check out the drama that has been the Washington Redskins since 1999.

It’s About Perspective

You can’t read an article on cybersecurity and not see the words “advanced” or “sophisticated” either in the text or the half-dozen ads around the story. Security companies cannot move product or get customers to renew subscriptions without promoting some level of fear, uncertainty and doubt. No product salesperson will bring up the fact that procuring the next-generation whatever they are selling is almost assuredly buying a castle that will be installed on a foundation of sand (to be fair: it’s not their job to revamp your security program).

This is not to say you ignore the truly advanced or dangerous, but you need to put it all into perspective. You don’t buy an alarm system for your house and then leave your doors and windows open. You do not spend more money on the car with the highest safety ratings and then roll out without wearing your seat belt. You don’t buy your kids bicycle helmets and then set them loose on the freeway. You do all the things that keep you and yours safe because to ignore the basics undermines the advanced. The same holds true in cyber security, and the sooner we put on our Carhartts and spend more sweat equity than we do cash, the sooner we are likely to see real improvements.

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes. In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war.

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free, it’s important to note that rules that would preclude the NSA from doing what it does merely handicap us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

The Airborne Shuffle in Cyberspace

I did my fair share supporting and helping develop its predecessor, but I have no special insights into what is going on at CYBERCOM today. I am loath to criticize when I don’t know all the details, but still I see reports like this and scratch my head and wonder: why is anyone surprised?

Focus. If you have to wake up early to do an hour of PT, get diverted afterwards to pee in a cup, finally get to work and develop a good head of steam, only to leave early to go to the arms room and spend an hour cleaning a rifle, you’re not going to develop a world-class capability in any meaningful time-frame. Not in this domain. Not to mention the fact that after about two years whatever talent you’ve managed to develop rotates out and you have to start all over again.

Speed. If you have to call a meeting to call a meeting, and the actual meeting can’t take place for two weeks because everyone who needs to be there is involved in some variation of the distractions noted above, or TDY, you have no chance. It also doesn’t help that when you manage to have the meeting you are forced to delay decisions because of some minutia. You’re not just behind the power curve, you’re running in the opposite direction.

Agility. If your business model is to train generalists and buy your technology…over the course of several years…you are going to have a hard time going up against people with deep expertise who can create their own capabilities in days. Do we need a reminder of how effective sub-peer adversaries can be against cutting edge military technology? You know what the people attacking SWIFT or major defense contractors aren’t doing? Standing up a PMO.

The procurement and use of tanks or aircraft carriers is limited to the military in meat-space, but in cyberspace anyone can develop or acquire weapons and project power. Globally. If you’re not taking this into consideration you’re basically the 18th Pomeranians. Absent radical changes no government hierarchy is going to out-perform or out-maneuver such adversaries, but it may be possible to close the gaps to some degree.

Focus. You should not lower standards for general purpose military skills, but in a CONUS, office environment you can exercise more control over how that training is performed and scheduled. Every Marine a rifleman, I get it, but shooting wars are relatively rare; the digital conflict has been engaged for decades (and if your cyber troops are hearing shots fired in anger, you’ve probably already lost).

Speed. Hackers don’t hold meetings, they open chat sessions. Their communication with their peers and partners is more or less constant. If you’re used to calling a formation to deliver your messages orally, you’re going to have to get used to not doing that. Uncomfortable with being glued to a screen – desktop or handheld? You’re probably ill-suited to operate in this domain.

Agility. You are never going to replicate ‘silicon valley’ in the DOD without completely disrupting DOD culture. The latter is a zero-defect environment, whereas the former considers failures to be a necessary part of producing excellence. You cannot hold company-level command for 15 years because it’s the job you’re best suited to; you can be one of the world’s best reverse engineers for as long as you want to be. What is “normal” should mean nothing inside an outfit like CYBERCOM.

Additional factors to consider…

Homestead. If you get assigned to CYBERCOM you’re there for at least 10 years. That’s about 20 dog years from the perspective of the domain and related technology experience, and it will be invaluable if you are serious about effective performance on the battlefield.

Lower Rank/Greater Impact. Cyberspace is where the ‘strategic corporal’ is going to play an out-sized role. At any given moment the commander – once their intent is made clear – is the least important person in the room.

Bias for Action. In meat-space if you pull the trigger you cannot call back the bullet. If your aim is true your target dies. In cyberspace your bullets don’t have to be fatal. The effect need only be temporary. We can and should be doing far more than we apparently are, because I guarantee our adversaries are.

How Do You Get Good at Incident Response?

The Verizon Data Breach Report has been saying it for years. The Forrester/Veracode report Planning for Failure reiterates the same points. It is only a matter of time before your company is breached. Odds are you won’t know about the breach for months, someone other than your security team is going to tell you about it, and the response to the breach is going to be expensive, disruptive, time-consuming and…less than optimal.

If you’ve been breached before, or if you’re an enterprise of any size, it’s not like you don’t have an incident response plan, but as Mike Tyson famously said: “Everyone has a plan till they get hit in the mouth.” When is the last time you tested that plan? Is your plan 500 pages in a 3” three-ring dust-covered binder sitting on a shelf in the SOC? That’s not a plan, that’s praying.

Your ability to respond to breaches needs to be put into practice by sparring against partners who are peers or near-peers to the kinds of threat actors you face on a daily basis. How do you do that? By testing with realism:

Over long(er)-terms. Someone who wants what you have is not going to stop after a few days or even a few weeks. Adversaries whose efforts will accelerate by years because of stolen intellectual property don’t mind waiting months; adversaries who strategize over centuries don’t mind waiting years.

Goal-oriented. Serious threat actors attack you for a reason: they are going to get paid for your data. Efforts that don’t help them accomplish their goals are time and resources wasted. The vulnerability-of-the-month may do nothing to advance their agenda; they’re going to find a way in that no one on your staff even knows exists.

In the context of your environment. The best security training in the world is still contrived. Even the most sophisticated training lab is nothing like the systems your security team has to work with every day.

Contrast the above to your average pen-test, which is short, “noisy,” and limited in scope. Pen-tests need to be done, but recognize that for the most part pen-testing has become commoditized and increasingly vendors are competing on speed and price. Is that how you’re going to identify and assess potential risks? Lowest bidder?

If we’re breached I’ll call in outside experts.

As well you should, but what are you going to do while you wait for them to show up?

Even if you have a dedicated security team in your company, odds are that team is trained to “man the battlements” so-to-speak. They’re looking for known indicators of activity along known vectors; they’re not trained to fight off an enemy who has come in through a hole of their own making. It doesn’t make sense to keep a staff of IR specialists on the team; that’s an expensive prospect for even the most security-conscious organization. But it does make sense to train your people in basic techniques, just enough to prevent wholesale pillaging. More importantly, they need to practice those techniques so that they can do them on a moment’s notice, under fire.

Your enterprise is not a castle. There is no wall that you can build that will be high enough or thick enough to repel all attackers. If your definition of defensive success is “keep bad guys out” you are setting yourself and your people up for failure. The true measure of defensive success is the speed at which you detect, eject and mitigate the actions of your attackers. If you don’t have a corresponding plan to do that yourself – or to hold out long enough for the cavalry to come – and that plan is not regularly and realistically tested, you’re planning for victim-hood.

Cyber Security Through the Lens of Theranos

[This is not me piling on to the woes of Theranos or its CEO. It’s not. Well, it is to the degree that you can’t draw analogies without pointing out some embarrassing truths, but let’s be honest: we have all, like Fox Mulder, wanted to believe in something fantastical, despite all signs to the contrary.]

Credibility Matters. Any product, any service, any methodology that promises the world – or something akin to it – should be viewed with a jaundiced eye. If the driving force behind said promise is effectively a random stranger, even more so. Cyber security has been studied to death. The idea that one person has uncovered something no one else in the field has figured out is so unlikely you almost have to assume they’re full of ****. I worked on something that was thought to be novel. Turns out it wasn’t, which means we were on to something, but it could be argued that better or at least faster minds than ours were already on the case.

Enablers Are Evil. When the unit of measure is “billions” all sorts of yahoos will come out of the woodwork. Most of them are there because you’re measuring things in billions, not because what you’re doing is actually worth billions. In the case of Theranos they’re worth nothing and have been for a long time. In the security space it is rare to find a company whose valuation is not by and large aspirational. Those doing the assessing really have no idea if those solutions will stand the test of time. And by “time” I mean “the point at which customers realize they’ve been had.”

The Importance of Being Honest. People are putting their trust in you; you owe it to them to be honest and forthright. When over 90% of “your” work has nothing to do with what you’ve sold people on, that’s what most people would call fraud. You exacerbate the problem with half-measures and stalling tactics, so not only are you a liar, you’re sleazy as well. How is that helping the cause exactly? Are you in this business to have an impact or are you just here for the paycheck and what passes for fame? It’s OK, we’re all only human, just be up front about it.

I have to imagine that in the beginning everyone starts out with the best of intentions, but given the nature of the work and the potential impact it can have, we need to hold ourselves to higher standards. If we’re not checking ourselves we’re setting ourselves up for a situation where checks will be imposed upon us by people who know very nearly nothing of what it takes to succeed, much less advance security.

“Cyber MAD” is a Bad Idea. Really Bad.

I don’t know how many times I have to say this, but nothing screams “legacy future” like trying to shoe-horn cold-war thinking into “cyber.” This latest attempt doesn’t disappoint (or maybe it does, depending on how you look at it) because it completely misses two key points:

  1. Cyberspace is not meat-space;
  2. Digital weapons are nothing like atomic ones.

Yes, like the nuclear arms race, it is in fact more expensive to defend yourself than it is to attack someone. Generally speaking. It’s OK to paint with a broad brush on this point because so many entities online are so woefully inadequate when it comes to defense that we forget that there are actually some who are quite hard and expensive to attack. Any serious colored-hat who is being honest will tell you that they deal with more than their fair share of unknowns and ‘unknown unknowns’ when going after any given target.

But unlike malicious actions in cyberspace, there is no parsing nuclear war. You’re nuked, or you’re not. Cyber-espionage, cyber-crime, cyber-attack…all indistinguishable in all technically meaningful ways. Each has a different intent, which we are left to speculate about after-the-fact. In the other scenario, no one is around to speculate why a battalion of Reds turned their keys and pushed their buttons.

Attacker identity is indeed important whether you’re viewing a potential conflict through nuclear or digital lenses, but you know what excuse doesn’t work in the nuclear scenario? “It wasn’t me.”

Um, IR burn says it was…

There is no such equivalent in cyberspace. You can get close – real close – given sufficient data and time, but there will be no Colin Powell-at-the-UN-moment in response to a cyber threat because “it wasn’t me” is a perfectly acceptable excuse.

But we have data.

You can fabricate data.

You know what you can’t fabricate? Fallout.

All of this, ALL OF THIS, is completely pointless because if some adversary had both the will and the wherewithal to attack and destroy our and just our critical infrastructure and national security/defense capabilities via cyber means…what are we meant to strike back with? Who are those who happen to be left unscathed supposed to determine who struck first? I was not a Missileer, but I’m fairly certain you can’t conduct granular digital attribution from the bottom of an ICBM silo.

What is the point of worrying about destruction anyway? Who wants that? The criminals? No, there is too much money to be made keeping systems up and careless people online. The spies? No, there is too much data to harvest and destruction might actually make collection hard. Crazy-bent-on-global-domination types? This is where I invoke the “Movie Plot Threat” clause. If the scenario you need to make your theory work in cyberspace is indistinguishable from a James Bond script, you can’t be taken seriously.

MAD for cyberspace is a bad idea because it’s completely academic and does nothing to advance the cause of safety or security online (the countdown to someone calling me “anti-intellectual” for pointing out this imperial nudity starts in 5, 4, 3….). MAD, cyber deterrence, all this old think is completely useless in any practical sense. You know why MAD and all those related ideas worked in the 60s? Because they dealt with the world and the problem in front of them as it was, not how they wished it to be.

I wholeheartedly agree that we need to do more and do more differently in order to make cyberspace a safer and more secure environment. I don’t know anyone who argues otherwise. I’m even willing to bet there is a period of history that would provide a meaningful analog to the problems we face today, but the Cold War isn’t it.

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if we were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department in case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discreetly of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-days and the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things haven’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually works. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflict harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).