Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government it’s “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t, here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas to which it is ill-suited. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag gets furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel to understand what the most common reaction to “someone is intentionally focused on stealing our ideas” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to may have little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting may not be open to or pursued by the US; or, in the normal course of events, what made the IP valuable at the point of compromise might change, making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute. Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not seriously impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if you remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right mind would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

Killing Trees for Cyberspace

At his CTO Vision blog my friend and colleague Bob Gourley found a fair amount of good in the new Cyber Strategy. Me, I see a glass half empty . . .

Let me start out by saying that I really would like to see some progress in this realm, and if this latest attempt at a strategy to secure cyberspace is what leads to progress then all the better for us.

My problem is less with any specific part of the strategy as it is with the whole idea of yet-another-strategy in the first place. Let me be perfectly clear: there is absolutely no reason to believe that any substantial, widespread good will come of this document. This is not our first rodeo . . .

. . . and yet by all measures we are no better off today than we were decades ago when the issues identified in the strategy were first brought up. The advance and ubiquity of information technology has both broadened the scope of problems and simultaneously made them more intimate. We have serious problems that need to be dealt with now, but we’re spending our time congratulating ourselves on a great piece of staff work that may never be realized.

A national or international strategy makes a number of presumptions, or simply ignores reality, which is the principal reason why such efforts fail. The Internet is not an instrument of national power in the traditional sense; such power rests in the hands of private concerns. The dominant forces online care not a whit for political or military concerns – the domain of nation-states – but for revenue and profitability (alien concepts to governments). Even the most prolific threat actors in cyberspace today pose no serious threat to the ‘Net itself (you can’t make money if connectivity goes away). As long as there is a patsy to off-load the risks of doing business online (read: consumers), and as long as the pain those patsies suffer is nominal, there is no incentive to invest in a safer cyberspace.

The strategy articulates a vision: A cyberspace that is filled with innovations, interoperable, secure enough and reliable enough. Great, except that’s pretty much the state of affairs today, so I guess that’s a ‘win.’ Do you know how we got that win? Aside from tracing the ‘Net’s roots back to ARPANET, it had nothing to do with government action. The prosperity that we would attempt to assure is already here and will continue to exist because of market forces, not legislation or international agreement.

That a strategy may be actionable is of little consequence if there is no incentive to act. To be more precise: when there is no penalty for failure, what do you think agencies and their leadership are going to focus on? Despite past federal efforts to “secure” cyber space, agencies consistently get failing grades, and no one is held accountable. I only know of one (State-level) cyber security official to have ever been fired, and that wasn’t because he was negligent, but because he spoke out of school. Lesson: it’s OK to get pwned, it’s not OK to admit you got pwned (because, you know, no one else is getting pwned so we might look bad).

I know this is the best effort that those involved could produce. If anyone was going to get it drafted, coordinated, and out the door it was going to be Howard. I will do what I can to help realize the goals of a safer cyber space and I would like to think that this time we’re going to see some forward progress, but almost two decades of witnessing ‘fail’ in this area precludes me from holding my breath.

Turn Away from the (Fulda) Gap

Former DIRNSA/DNI McConnell is right in his assessment of the state of cyber conflict and the US’s disposition, but like so many of his generation he defaults to what he knows best and supposes we can secure the future if we look to the past. That would be great if the present, much less the future, were reflective of anything like the past so many cold warriors are familiar with. It is natural to try and frame current situations into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere.

Reducing the impact of cyber conflict through deterrence (as it is commonly portrayed) and the sharing of information are admirable goals; ones we’ve been trying to accomplish without significant results for years.

Attribution requires a level of effort so massive and onerous the only way to make it fast and easy is to re-engineer how the Internet works and the government’s access to the necessary mechanisms. That is a task that is anything but fast or easy or more importantly: cheap. Barring a combination technical-legal breakthrough that is free, global in scope and universal in acceptance, attribution isn’t happening. No attribution, no deterrence (in a traditional sense).

The point of deterrence is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government systems are attacked regularly; so are the systems of the private firms that support defense and intelligence work. There are only a few entities worldwide that can make use of the information that is stolen from targeted systems, so we have attribution in a meta sense, and justification to act in a meta fashion. Let me know how that strongly worded demarche goes over.

Public-Private partnerships are a great idea. We’ve got ISACs for just that purpose, but what have they done in any practical sense? Neither side is as open as they could or should be, no one talks about anything new. The NSA is a great national resource for critical industries that rely on a stable and secure cyberspace to operate, but no one is going to trust the assurance side of the NSA as long as it is tied to the snooping part. The reasons for keeping the agency’s two directorates together are strong, but the reasons for splitting them apart are more compelling (more on that in a separate venue).

It’s one thing to have an international agreement in place, but it’s folly to think that the most dangerous threats to a nation’s ability to operate in cyberspace would a) adhere to any regime they signed or b) show up at the negotiating table in the first place. The most dangerous people in cyberspace – those who can and do actually use their weapons – don’t salute a flag, hold sovereign territory, or sign international agreements. For all the time, money and energy put forth trying to counter the proliferation of nuclear weapons, the world is surprisingly full of new nuclear powers (and those that belligerently aspire to achieve such status). Viewed through such a lens, every computer science department in every university is a weapons lab, every professor a national security resource that must be sequestered in Naukograds. Talk about unworkable.

It would be great if safety and security in cyberspace were a notional physics experiment where all the important factors are negligible and controllable, but it’s not, so the only real solutions are the practical ones. The way forward in securing cyberspace is not deterring threats, it’s making threats irrelevant.

Cyberspace is a construct with physical underpinnings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a reasonable amount of time, an adversary can attack all day, every day, to no avail. Someone once said the war on terror should continue until terrorism is a nuisance, and so should it be for cyberspace. As someone who has spent a good chunk of his career addressing these issues it almost pains me to say it, but securing cyberspace is less about security than it is about resilience.

Resilience and security are not the same thing. You can try to make them sound the same, but they’re just not. The problem is that “security” sells, while “resilience” is like continuity of operations, and we all know how that’s viewed. Just look over at the shelf to your left, at that gigantic three-ring binder with your COOP plan that has ½” of dust on it. Yeah, guys with resilience on their minds put that together. If anyone gets less respect organizationally than cyber security guys it’s resilience guys, which is a shame because of the two communities, the one that is more successful is the resilience crowd. Resilience is achievable. It is happening. Backups and hot sites and redundancy in connectivity, etc., etc. all contribute more to making cyber attacks irrelevant than firewalls, intrusion detection systems, or anti-virus software. Of course the latter is sexy, the former tedious grunt work. It’s not called the Comprehensive National Resilience Initiative, but it probably should be.

When you get down to it though, making cyberspace more secure isn’t about the physical, it’s about the behavioral. Most of the compromises suffered by the US government and the businesses that support national security and defense would go away if we had – early on in the ‘Net’s foray from the governmental to the public/commercial – established, promulgated, and enforced good behavior and safe practices. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the driveway. No matter how hard we try to educate our respective workforces about cyber security, they’re still the weakest link in the cyber security chain. We lose billions in R&D and proprietary information that supports national security, yet we still don’t punish people for their digital sins the same way we would if they had committed the same violation in meat-space. Knowingly violating espionage laws gets you prison; knowingly violating corporate security policy is hardly detected.

That’s a shame because cyber security is the root of national security in the information age. The ability to project physical power means nothing – the trillions we spend on defense a waste – if that power can be made irrelevant with a few lines of code. That’s all it takes if any one of the millions of moving parts associated with the design, construction, acquisition, and deployment of our first-world weapons platforms is compromised by an adversary. Make no mistake: the chinks in the armor of the military-industrial complex are too numerous to count, much less monitor or secure.

I support wholeheartedly any effort to really make cyberspace a safer and stronger place, but every few years I listen to the same speeches, read the same studies and ‘strategies’ and watch the same budget cycles burn through billions with no discernible improvement in our security disposition. What I’d like the heavy hitters in the national security arena to do is stop ignoring the recommendations, stop buying the same non-solutions, stop relying on cold warriors, and start acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did about nuclear fission occurring over Washington, New York, and Omaha.

Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the communications and IT industries with government workers at the U.S. Computer Emergency Readiness Team (US-CERT) facility here, said Gregory Garcia, assistant secretary of cybersecurity and telecommunications at the DHS. The teams will work jointly on improving US-CERT’s information hub for cybersecurity, Garcia said. The agency didn’t specify a starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary) raise your hand.

Every highly-skilled private sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics works, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.

$.02

E-Jihad

The U.S. government has notified U.S. private financial services of a call by the al-Qaida terrorist network for a cyber attack against U.S. online stock trading and banking Web sites beginning Friday, officials said.

I smell Zapatistas.

If there is one set of institutions that tends to take cyber security seriously it is financials. Unlike any number of government institutions (most recently the Naval War College) there isn’t a hole or back door around every byte. Terrorist cyber capability, while potentially formidable, has yet to move beyond propaganda and the most basic attack methodologies (stuff that is pushing a decade in age – which is like fighting F-18s with Sopwith Camels).

Hey, they could surprise us, but I wouldn’t count on it.

If they really wanted to be taken seriously, they’d leverage insiders, but since that’s the most dangerous and least understood problem of them all (political issues notwithstanding) of course there is little or no serious defense.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistently in D and F territory, and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.