The Wolf Approaches

In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.

The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.

We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:

  • In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
  • In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
  • In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”
  • In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
  • In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
  • In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
  • In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
  • In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”

The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.

These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.

We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.

Cyber Security Through the Lens of an Election

Inauguration day has come and gone, giving us some time to reflect on both the previous election process as well as what lies ahead for the next four years. There are a number of parallels between running for office and running a cyber security operation, and a few lessons learned from the former can help those involved in the latter.

It’s a Campaign, Not a Day Hike

Depending on the office you’re running for, your campaign might start years before the winner takes the oath of office. Likewise, it is likely to take years to reach the ideal end-state for the IT enterprise you’re responsible to protect. To further complicate things, technology in general and security threats specifically will change over time, which means the probability you’ll see the end of the race is very close to 0. Not running is not an option, so pace yourself.

You Need a Team

Every chief executive needs a team to get things done. In government, it’s called a “cabinet” and in business the “C-suite.” Regardless of the nomenclature, the purpose is the same: they are the people who specialize in certain things who help you formulate and execute policy. If you’re lucky you’ll get a team that buys into your vision, trusts you implicitly, and has the resources necessary to get the job done. More than likely you’re going to have something more akin to a Team of Rivals, but not ones you got to pick.

 (All Kinds of) Experience Matters

There is no one-size fits-all career path that leads to the White House. People that get into cyber security have a wide range of backgrounds. Yet in both fields people love to poke at perceived shortcomings of those who aspire to (or end up in) top positions. We pick on Michael Daniel or Rudy Giuliani for their lack of technical acumen, forgetting that George Washington never went to high school and his first job was blue collar. Being able to cast a vision, manage people under stress, mange limited resources, and inspire confidence; none of those things requires a given type or level of education, and all of them can be developed in a variety of ways.

Everyone is a Constituent

If you’re in security, everyone is “your people.” You don’t have a party, you don’t have a faction, you have to make everyone happy. At the very least you have to keep everyone from revolting. Everyone has a different agenda, different needs, different outlooks. You will make enemies, and different people will be your friend or foe depending on the situation. Success depends on keeping all those factors in balance so that you can move the center forward.

It’s a great parlor game to try and figure out what the next four years is going to be like on the political front, but the fact of the matter is we have no real idea how things are going to go. In that sense politics is a lot like cyber security: you prepare for the worst, you assume every day is going to be rocky, but sometimes you get pleasantly surprised.

Hail to the Chief! All of them.

We Learn From Death

Why are we perpetually surprised (or not, depending on how you look at it) at the failure of so many at both the organizational and individual level to take cybersecurity seriously? I would argue that most people are placing cybersecurity exactly where it should be when it comes to the myriad risks in their lives, and that is unlikely to change until it is far too late for some.

On the radio the other day there was an interview with an airline crash investigator. Airline crashes are rare, and when one happens the investigation defines “comprehensive.” But contrary to what amateurs or outsiders may think, there is really only one reason why an investigation is conducted:

It’s not to let the families know what happened and it’s not to let the lawyers know what happened, it is to prevent this happening again in the future. That’s absolutely the reason for an air crash investigation.

Closure for the families? Don’t care. Assigning blame so lawyers can address issues of liability? Don’t care. I mean, investigators are human beings, they care on one level, butthe true motivation for a crash investigation is singular: reducing the probability that what caused this crash ever happens again. I know you don’t pay attention, but airlines have safety briefings for a reason. They de-ice control surfaces for a reason. You can design and engineer and test all day long, but sometimes problems don’t surface until thousands of hours of flight time under real-world conditions has been logged. To that point:

Aviation has never been safer because we have essentially conquered most of the problems that emerged in the first century of commercial flight. But now we’re starting into the second century of commercial flight and there’s all sorts of new and different challenges.

She goes on to point out that one of those challenges is cybersecurity, but it is not necessarily the most pressing challenge. Why? The interview doesn’t get that in-depth but it is worth noting that ransomware-for-cockpits is not a thing; aircrews not grokinghow automation works is most assuredly a thing.

Stealing credit card numbers, bank account details, social security numbers, medical files, even taking over one’s entire identity doesn’t equate to death. The economics of cybercrime today are such that malicious actors can cause pain, but victims are readily made whole again. In such an environment why would we expect cybersecurity to get better? Why would we expect individuals to care? Why would we expect businesses to do anything more than is absolutely mandated? We don’t catch enough bad guys to provide closure. The industry has successfully fought off efforts to assign liability. The system is basically designed to ensure we will remain victims in perpetuity.

We don’t learn from incompetence, we don’t learn from inconvenience, we don’t even learn from pain: we learn from death. Cybersecurity will get better when people die in sufficiently large numbers.“Cyber” has certainly killed, but as callous and morbid as this sounds, it hasn’t killed enough. How much is enough? I suspect a lot more than have died due to pilot error.

Better Design, Better Security Participation?

A new study by NIST found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report . “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.” (Biometric Update)

Security products are developed by security nerds, for security nerds, which are an increasingly rare breed. Think about how you get a new app for your phone: search, click link to install, start using app. Now think about all the flaming hoops you had to jump through the last time you had a security problem, or tried to install some security mechanism. The less users have to think about making sound security decisions, and the easier it is for them to take action, the less likely they are to become victims. Hard core security wonks will laugh at the idea of cybersecurity UX, but there is a reason why the more elegant and efficient a tool the more passionate its users. 

Good Cyber Security is Not Glamorous

One of the more common reasons why most organizations push back on spending for cyber security is the lack of a “return on investment.” All that fancy, shiny cyber-y stuff costs a lot of money without providing a clear benefit that is commensurate with the expenditure. Firewalls are expensive. IDS/IPS are expensive. SIEMs are expensive. Talent to run it all (if you can even find it) is expensive.

Yet for all that expense the end result may still be a breach that costs millions of dollars, and the source of that breach is almost assuredly something that makes all that expense seem like a waste, not an investment. Advancing cyber security starts with promulgating the message that like most things in life: success is about the grind.

The Importance of Blocking and Tackling

A good, sound security capability can in fact be very pedestrian. Take some time to look at the SANS Top 25 (formerly 10) lists going back several years. Do the same thing for the OWASP Top 10. If you look closely you’ll notice that while names may change, the basic problems do not. Buffer overflows and cross-site scripting are not “advanced” or “sophisticated” but they work.  All year, every year.

Addressing the most common security problems facing any enterprise does not require floor-to-ceiling displays showing maps of the world and stoplight charts and data flows from country to country. It doesn’t require a lot of software or hardware or subscriptions or licenses or feeds. The biggest problems are the most common ones that don’t necessarily require advanced skills or technology to resolve. You can harden your enterprise against the most likely and most dangerous problems without ever talking to a salesperson or worrying about how much you’re going to have to pay that guy with all the letters after his name.

Are You Ready For Some Football?

It wouldn’t be fall without a football analogy, so here is the first one of the season: If you knew who Odell Beckham Jr. was before Lena Dunham did, you know where I’m going with this. If you didn’t, go to YouTube and enter his name, I’ll wait…..

Amazing plays are not the result of practicing acrobatics in full pads. Wide Receivers don’t take contortionist classes. Training for football season at any level is about fundamentals. Everyone doing the same drills, or variations on a theme, that they’ve done since they first put on a helmet. Why? Because the bulk of success on the field is attributable to fundamentals. Blocking and tackling. Plays that make the highlight reels are the result of individual athleticism, instincts, and drive, but no receiver gets into position to make the highlight reel without mastering the basics first.

A team of journeymen who are well versed in the basics alone may not make the playoffs, much less the Super Bowl, but that’s not the point; you want to avoid being beaten by the second string of the local community college. If you want to know how well buying expensive “solutions” to your problems works, I invite you to check out the drama that has been Washington Redskins since 1999.

Its About Perspective

You can’t read an article on cybersecurity and not see the words “advanced” or “sophisticated” either in the text or the half-dozen ads around the story. Security companies cannot move product or get customers to renew subscriptions without promoting some level of fear, uncertainty and doubt. No product salesperson will bring up the fact that procuring the next-generation whatever they are selling is almost assuredly buying a castle that will be installed on a foundation of sand (to be fair: it’s not their job to revamp your security program).

This is not to say you ignore the truly advanced or dangerous, but you need to put it all into perspective. You don’t buy an alarm system for your house and then leave your doors and windows open. You do not spend more money on the car with the highest safety ratings and then roll out without wearing your seat belt. You don’t buy your kids bicycle helmets and then set them loose on the freeway. You do all the things that keep you and yours safe because to ignore the basics undermines the advanced.The same holds true in cyber security, and the sooner we put on our Carhartts and spend more sweat equity than we do cash, the sooner we are likely to see real improvements.

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes.In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war. 

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

The Airborne Shuffle in Cyberspace

I did my fair share supporting and helping develop its predecessor, but I have no special insights into what is going on at CYBERCOM today. I am loathe to criticize when I don’t know all the details, still I see reports like this and scratch my head and wonder: why is anyone surprised?

Focus. If you have to wake up early to do an hour of PT, get diverted afterwards to pee in a cup, finally get to work and develop a good head of steam, only to leave early to go to the arms room and spend an hour cleaning a rifle, you’re not going to develop a world-class capability in any meaningful time-frame. Not in this domain. Not to mention the fact that after about two years whatever talent you’ve managed to develop rotates out and you have to start all over again.

Speed. If you have to call a meeting to call a meeting, and the actual meeting can’t take place for two weeks because everyone who needs to be there is involved in some variation of the distractions noted above, or TDY, you have no chance. It also doesn’t help that when you manage to have the meeting you are forced to delay decisions because of some minutia. You’re not just behind the power curve, you’re running in the opposite direction.

Agility. If your business model is to train generalists and buy your technology…over the course of several years…you are going to have a hard time going up against people with deep expertise who can create their own capabilities in days. Do we need a reminder inhow effective sub-peer adversaries can be against cutting edge military technology? You know what the people attacking SWIFT or major defense contractors aren’t doing? Standing up a PMO.

The procurement and use of tanks or aircraft carriers is limited to the military in meat-space, but in cyberspace anyone can develop or acquire weapons and project power. Globally. If you’re not taking this into consideration you’re basically the 18th Pomeranians. Absent radical changes no government hierarchy is going to out-perform or out-maneuver such adversaries, but it may be possible to close the gaps to some degree.

Focus. You should not lower standards for general purpose military skills, but in a CONUS, office environment you can exercise more control over how that training is performed and scheduled. Every Marine a rifleman, I get it, but shooting wars are relatively rare; the digital conflict has been engaged for decades (and if your cyber troops are hearing shots fired in anger, you’ve probably already lost).

Speed. Hackers don’t hold meetings, they open chat sessions. Their communication with their peers and partners is more or less constant. If you’re used to calling a formation to deliver your messages orally, you’re going to have to get used to not doing that. Uncomfortable with being glued to a screen – desktop or handheld? You’re probably ill-suited to operate in this domain.

Agility. You are never going to replicate ‘silicon valley’ in the DOD without completely disrupting DOD culture. The latter is a zero-defect environment, whereas the former considers failures to be a necessary part of producing excellence. You cannot hold company-level command for 15 years because its the job you’re best suited to; you can be one of the world’s best reverse engineers for as long as you want to be. What is “normal” should mean nothing inside an outfit like CYBERCOM.

Additional factors to consider…

Homestead. If you get assigned to CYBERCOM you’re there for at least 10 years. That’s about 20 dog years from the perspective of the domain and related technology experience, and it will be invaluable if you are serious about effective performance on the battlefield.

Lower Rank/Greater Impact. Cyberspace is where the ‘strategic corporal’ is going to play an out-sized role. At any given moment the commander – once their intent is made clear – is the least important person in the room.

Bias for Action. In meat-space if you pull the trigger you cannot call back the bullet. If your aim is true your target dies. In cyberspace your bullets don’t have to be fatal. The effect need only be temporary. We can and should be doing far more than we apparently are, because I guarantee our adversaries are.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right might would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

Killing Trees for Cyberspace

At his CTO Vision blog my friend and colleague Bob Gourley found a fair amount of good in the new Cyber Strategy. Me, I see a glass half empty . . .

Let me start out by saying that I really would like to see some progress in this realm, and if this latest attempt at a strategy to secure cyberspace is what leads to progress than all the better for us.

My problem is less with any specific part of the strategy as it is with the whole idea of yet-another-strategy in the first place. Let me be perfectly clear: there is absolutely no reason to believe that any substantial, widespread good will come of this document. This is not our first rodeo . . .

. . . and yet by all measures we are no better off today than we were decades ago when the issues identified in the strategy were first brought up. The advance and ubiquity of information technology has both broadened the scope of problems and simultaneously made them more intimate. We have serious problems that need to be dealt with now, but we’re spending our time congratulating ourselves on a great piece of staff work that may never be realized.

A national or international strategy makes a number of presumptions, or simply ignores reality, which is the principle reason why such efforts fail. The Internet is not an instrument of national power in the traditional sense; such power rests in the hands of private concerns. The dominant forces online care not a wit for political or military concerns – the domain of nation-states – but for revenue and profitability (alien concepts to governments). Even the most prolific threat actors in cyberspace today pose no serious threat to the ‘Net itself (you can’t make money if connectivity goes away). As long as there is a patsy to off-load the risks of doing business online (read: consumers), and as long as the pain those patsies suffer is nominal, there is no incentive to invest in a safer cyberspace.

The strategy articulates a vision: A cyberspace that is filled with innovations, interoperable, secure enough and reliable enough. Great, except that’s pretty much the state of affairs today, so I guess that’s a ‘win.’ Do you know how we got that win? Aside from tracing the ‘Net’s roots back to ARPANET, it had nothing to do with government action. The prosperity that we would attempt to assure is already here and will continue to exist because of market forces, not legislation or international agreement.

That a strategy may be actionable is of little consequence if there is no incentive to act. To be more precise: when there is no penalty for failure, what do you think agencies and their leadership are going to focus on? Despite past federal efforts to “secure” cyber space, agencies consistently get failing grades, and no one is held accountable. I only know of one (State-level) cyber security official to have ever been fired, and that wasn’t because he was negligent, but because he spoke out of school. Lesson: it’s OK to get pwned, it’s not OK to admit you got pwned (because, you know, no one else is getting pwned so we might look bad).

I know this is the best effort that those involved could produce. If anyone was going to get it drafted, coordinated, and out the door it was going to be Howard. I will do what I can to help realize the goals of a safer cyber space and I would like to think that this time we’re going to see some forward progress, but almost two decades of witnessing ‘fail’ in this area precludes me from holding my breath.

Turn Away from the (Fulda) Gap

Former DIRNSA/DNI McConnell is right in his assessment of the state of cyber conflict and the US’s disposition, but like so many of his generation he defaults to what he knows best and supposes we can secure the future if we look to the past. That would be great if the present, much less the future, were reflective of anything like the past so many cold warriors are familiar with. It is natural to try and frame current situations into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere.

Reducing the impact of cyber conflict through deterrence (as it is commonly portrayed) and the sharing of information are admirable goals; ones we’ve been trying to accomplish without significant results for years.

Attribution requires a level of effort so massive and onerous the only way to make it fast and easy is to re-engineer how the Internet works and the government’s access to the necessary mechanisms. That is a task that is anything but fast or easy or more importantly: cheap. Barring a combination technical-legal breakthrough that is free, global in scope and universal in acceptance, attribution isn’t happening. No attribution, no deterrence (in a traditional sense).

The point of deterrence is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government systems are attacked regularly; so are the systems of the private firms that support defense and intelligence work. There are only a few entities worldwide that can make use of the information that is stolen from targeted systems, so we have attribution in a meta sense, and justification to act in a meta fashion. Let me know how that strongly worded demarche goes over.

Public-Private partnerships are a great idea. We’ve got ISACs for just that purpose, but what have they done in any practical sense? Neither side is as open as they could or should be, no one talks about anything new. The NSA is a great national resource for critical industries that rely on a stable and secure cyberspace to operate, but no one is going to trust the assurance side of the NSA as long as it is tied to the snooping part. The reasons for keeping the agency’s two directorates together are strong, but the reasons for splitting them apart are more compelling (more on that in a separate venue).

It’s one thing to have an international agreement in place, but its folly to think that the most dangerous threats to a nation’s ability to operate in cyberspace would a) adhere to any regime they signed or b) would show up at the negotiating table in the first place. The most dangerous people in cyberspace – those who can and do actually use their weapons – don’t salute a flag, hold sovereign territory, or sign international agreements. For all the time, money and energy put forth trying to counter the proliferation of nuclear weapons, the world is surprisingly full of new nuclear powers (and those that belligerently aspire to achieve such status). Viewed through such a lens, every computer science department in every university is a weapons lab, every professor a national security resources that must be sequestered in Naukograds. Talk about unworkable.

It would be great if safety and security in cyberspace were a notional physics experiment where all the important factors are negligible and controllable, but it’s not, so the only real solutions are the practical ones. The way forward in securing cyberspace is not deterring threats, its making threats irrelevant.

Cyberspace is a construct with physical underpinggings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a reasonable amount of time, an adversary can attack all day, every day, to no avail. Someone once said the war on terror should continue until terrorism is a nuisance, and so should it be for cyberspace. As someone who has spent a good chunk of his career addressing these issues it almost pains me to say it, but securing cyberspace is less about security as it is about resilience.

Resilience and security are not the same thing. You can try to make sound the same, but they’re just not. The problem is that “security” sells, “resilience” is like continuity of operations, and we all know how that’s viewed. Just look over at the shelf to your left, that gigantic three-ring binder with your COOP plan that has ½” of dust on it. Yeah, guys with resilience on their minds put that together. If anyone gets less respect organizationally than cyber security guys its resilience guys, which is a shame because of the two communities, the one that is more successful is the resilience crowd. Resilience is achievable. It is happening. Backups and hot sites and redundancy in connectivity, etc., etc. all contributes more to making cyber attacks irrelevant than firewalls, intrusion detection systems, or anti-virus software. Of course the latter is sexy, the former tedious grunt work. It’s not call the Comprehensive National Resilience Initiative, but it probably should be.

When you get down to it though, making cyberspace more secure isn’t about the physical, its about the behavioral. Most of the compromises suffered by the US government and the businesses that support national security and defense would go away if we had – early on in the ‘Net’s foray from the governmental to the public/commercial – established, promulgated, and enforced good behavior and safe practices. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the driveway. No matter how hard we try to educate our respective workforces about cyber security, they’re still the weakest link in the cyber security chain. We loose billions in lost R&D and proprietary information that supports national security, yet we still don’t punish people for their digital sins the same way we would if they had committed the same violation in meat-space. Knowingly violating espionage laws gets you prison; knowingly violating corporate security policy is hardly detected.

That’s a shame because cyber security is the root of national security in the information age. The ability to project physical power means nothing – the trillions we spend on defense a waste – if that power can be made irrelelvent with a few lines of code. That’s all it takes if any one of the millions of moving parts associated with the design, construction, acquisition, and deployment of our first-world weapons platforms is compromised by an adversary. Make no mistake: the chinks in the armor of the military-industrial complex are too numerous to count, much less monitor or secure.

I support wholeheartedly any effort to really make cyberspace a safer and stronger place, but every few years I listen to the same speeches, read the same studies and ‘strategies’ and watch the same budget cycles burn through billions with no discernible  improvement in our security disposition. What I’d like the heavy hitters in the national security arena to do is stop ignoring the recommendations, stop buying the same non-solutions, stop relying on cold warriors, and start acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did nuclear fission occurring over Washington, New York, and Omaha.