The Wall: Undermining National Security in More Ways Than One

The nation’s longest federal government shutdown continues, along with the debate on the issue that triggered it: a wall on the border between the U.S. and Mexico. While every serious voice agrees on the importance of secure borders, what constitutes effective border defense varies widely. Largely ignored in these discussions: how the financial and emotional impact of the shutdown puts the nation at risk not from external threats, but internal ones.

From the beginning of this shutdown, we’ve heard numerous stories from the ranks of the 800,000 laid off government employees, as well as the massive number of government contractors who are also not getting paid (and won’t get back-pay when this is all over), on social media and in the press about how the shutdown has and will continue to impact them and their families:

“Last week we had soup for dinner and my son asked if it was because we didn’t have money.”

“I’m really worried my landlord will not be happy when I can’t pay my rent.”

A federal employee with diabetes who is running out of insulin “…can’t afford to go to the ER. I can’t afford anything. I just went to bed and hoped I’d wake up,”

These stories point out the precarious financial situation at least part of the nation’s federal workforce faces, not just during the furlough, but on a regular basis. ‘Living paycheck to paycheck’ is a phrase one usually does not associate with college-educated professionals on the General Schedule, which is a signal to the intelligence services of our adversaries that one of the primary means of getting someone to spy for you – Money – is more likely to produce results across a wider spectrum of targets than may have been thought.

Such efforts do not necessarily have to be applied to feds with security clearances; you don’t have to have a clearance to provide information of value to our adversaries. The collection of intelligence about an adversary is often described as akin to building a ‘mosaic’: a lot of little pieces of this and that, no one piece being particularly valuable, assembled over time into a comprehensive picture.

As an example, one of the classic little ‘asks’ that counterintelligence training used to tell you to be wary of is requesting a facility or agency phone book. What harm could that do, right? It’s not even classified. We always have extra and they just go in the trash at the end of the year. Well, you’ve just handed over a list of who does what in your organization, and provided a means to reach them. You’ve also confirmed, or filled in gaps, in an adversary’s knowledge of the organization and what it does.

A modern equivalent? “Hey, I’ve been trying to bid on this contract your agency is putting out. Could you provide me with the email of <a senior defense executive>?” What’s one email address, right? Well, for all the talk of “APT” and “sophisticated” nation-state hacking, phishing is still a leading method of cyber attack. And based on professional experience, the more senior the individual, the less attentive they are to cyber security threats.

With a little more time and effort, one could come up with an extensive list of potential scenarios. None of them have to be obviously linked to security or safety issues that might make a frustrated-but-loyal fed feel suspicious, because that’s the magic of building a mosaic: every little tiny bit helps.

This isn’t exclusively a nation-state-based threat. Contractors with questionable ethics, organized crime, terrorists, or other threat actors could all take advantage of the precarious financial situation Uncle Sam has placed his people in. This is of particular concern in environments where the trustworthiness of the workforce is already questionable.

Federal shutdowns are not new. But this one comes at the end of a string of insults and injuries the federal workforce has had to face in recent years. The most significant of these being the breach of computer systems at the Office of Personnel Management. OPM didn’t just lose personnel records, it lost the background checks and related paperwork for feds with security clearances. To maintain a clearance, one has to re-submit to a background check every few years. Questions about your financial situation will be asked. Investigators will understand what caused people to miss payments or take a ding to their credit scores in the winter of 2018/spring of 2019; but if a missed paycheck sends you into a financial Mariana Trench, that’s going to be an issue. Being in financial straits could cost you your clearance, the loss of which could cost you your job. The real impact of the shutdown for some might not come home to roost for months or years.

The opposite is also true: if the bulk of the workforce took a financial hit, but you managed to come out unscathed, why is that? Everyone assumed Aldrich Ames’ stories about his wife’s family’s wealth were true, until they found out it wasn’t.

How do we deal with this?

Congress and the White House should focus on border security, not a wall per se. While there are places along the U.S.-Mexico border where a literal wall might make sense, we need to apply all the tools and technologies available to us – steel, concrete, sensors, drones, and people – to address the problem. People want a check on illegal immigration, the form that check takes is less important than the fact that it exists, and is functional.

A comprehensive study of the federal pay scale. No one joins the gov’t to get rich, but if the financial troubles of the workforce are as deep and wide-spread as the media would have us believe, is that a function of a whole lot of people living beyond their means, or are we really not paying people a livable, much less market, wage? Its ‘federal service’ not ‘federal servitude.’

If you’re a fed, particularly one with a clearance, maybe don’t talk to reporters or get on social media to discuss your plight. This is not the old days: identifying the missives of potential targets is neigh on trivial to actors like Russia and China (especially if they have your OPM file and SF-86 paperwork). And while no one thinks they’re the one who is going to sell out their country to pay the mortgage, under the right conditions, anyone can be pressured to do a little, seemingly innocuous thing, that could contribute to serious damage down the road.

/* Full credit and extensive thanks to Freshman, who came up with the idea for this post and was instrumental in its creation. */

Cyber Stars

/* Warning: Extensive over-use of the word “cyber” ahead. */

 

The other day my old friend and colleague Bob Gourley Tweeted:

Random thought: There are 24 four-star flag officers in the U.S. military. Every 4 star I have ever met is really smart. But only one of those 24 has real cyber war experience, and he is retiring soon. How do we change that for the better?

My friendly, snarky-a** response at the time was:

First: Get a time machine

The services have had “cyber” components for several years now, and the US Cyber Command has been active since 2009. But a military officer could have been exposed to what we would recognize as the cyber mission these days at roughly the turn of the century. For the sake of discussion let’s say this was their first assignment out of training. The average amount of time officers spend at various ranks breaks down something like this:

Rank / Time in Service

 

2nd Lieutenant / 1 year

1st Lieutenant / 1.5 years

Captain / 4 years

Major/ 10 years

Lieutenant Colonel/ 16 years

Colonel/ 22 years

 

So if our notional lieutenant started her career in cyber in ‘99, she attended all the right schools, got sufficient command time, and punched all her staff assignment tickets, she might be a G2 (chief intelligence officer) or battalion commander. If she was a “rock star” she may have received several “below the zone” promotions (getting advanced ahead of her peers) and might even be looking at colonel in the very near future.

But…

Time in service doesn’t mean time spent doing the job. The first 4-6 years of an officer’s career is learning the ropes. It is probably when they’re the most technically oriented. Once they get a company-level command their life is basically paperwork (and shaking their head ruefully and the shenanigans of the junior enlisted in their charge).

After company command is staff jobs (more paperwork), and higher civilian and military education. Lieutenant colonel is an officer’s next opportunity at command, and where they’re exposed in-depth to sub-disciplines and how to make all those moving parts work as a coherent whole. Then more staff time until colonel, and with luck brigade command.

In 20 years Colonel Duty Bound is a very well-rounded officer, but she has spent less than half of that time actively working the mission.

“But Mike, there were more senior officers who were working the mission back then. The pipeline of experienced cyber offices isn’t so grim.”

True, but you know who I never heard of back then? Paul Nakasone. You know who I did know? Dusty Rhodes (not the other one). “Who?” you ask. Exactly. Then Captain Jay Healey could have been a Colonel by now. Then Lt. Commander Bill Peyton a Rear Admiral. Then Major Marc Sachs a Lieutenant General. My man Bob Gourley could have been an Admiral and running US Fleet Cyber Command by now, but you know what the Navy decided not to do to one of the pioneering officers in the cyber field? Make him a Captain. We’re not lacking in talent, we’re lacking in talent management.

We have been training, equipping, and staffing for the cyber mission – in fits and starts – for over two decades, and yet the cyber career field is still a newborn. To put things into perspective, the Army Air Corps went from biplanes to the B-29 Super Fortress and nascent jet fighters between the ~20 years of its formation and the end of WWII. Moore’s Law indeed.

The various service schoolhouses can turn out 1,000 cyber lieutenants and ensigns a year, but there are still only a handful of flag officer billets for service-level and national-level command in the field. To be successful as warfighters in the information age, we have to ensure that “cyber” is an element within every career field. As odd as this sounds, we can’t treat technology, the use thereof, and the associated risks and threats to same, as something special. Everyone has to know something about it. Everyone has to be responsible for it to some degree. Every commander at every level in every career field needs to know what cyber can do for them (and if they’re not careful what it can do to them and their ability to execute the mission).

Success is a constellation, not a supernova.

The Global Ungoverned Area

There are places on this planet where good, civilized people simply do not voluntarily go, or willingly stay. What elected governments do in safer and more developed parts of the world are carried out in these areas by despots and militias, often at terrible cost to those who have nowhere else to go and no means to go if they did.

Life online is not unlike life in these ungoverned areas: anyone with the skill and the will is a potential warlord governing their own illicit enterprise, basking in the spoils garnered from the misery of a mass of unfortunates. Who is to stop them? A relative handful of government entities, each with competing agendas, varying levels of knowledge, skills, and resources, none of whom can move fast enough, far enough, or with enough vigor to respond in-kind.

Reaping the whirlwind of apathy

Outside of the government, computer security is rarely something anyone asks for except in certain edge cases. Security is a burden, a cost center. Consumers want functionality. Functionality always trumps security. So much so that most people do not seem to care if security fails. People want an effective solution to their problem. If it happens to also not leak personal or financial data like a sieve, great, but neither is it a deal-breaker.

At the start of the PC age we couldn’t wait to put a computer on every desk. With the advent of the World Wide Web, we rushed headlong into putting anything and everything online. Today online you can play the most trivial game or fulfill your basic needs of food, shelter, and clothing, all at the push of a button. The down side to cyber-ing everything without adequate consideration to security? Epic security failures of all sorts.

Now we stand at the dawn of the age of the Internet of Things. Computers have gone from desktops to laptops to handhelds to wearables and now implantables. And again we can’t wait to employ technology, we also can’t be bothered to secure it.

How things are done

What is our response? Laws and treaties, or at least proposals for same, that decant old approaches into new digital bottles. We decided drugs and povertywere bad, so we declared “war” on them, with dismal results. This sort of thinking is how we get the Wassenaar Agreement applied to cybersecurity: because that’s what people who mean well and are trained in “how things are done” do. But there are a couple of problems with treating cyberspace like 17th century Europe:

  • Even when most people agree on most things, it only takes one issue to bring the whole thing crashing down.
  • The most well-intentioned efforts to deter bad behavior are useless if you cannot enforce the rules, and given the rate at which we incarcerate bad guys it is clear we cannot enforce the rules in any meaningful way at a scale that matters.
  • While all the diplomats of all the governments of the world may agree to follow certain rules, the world’s intelligence organs will continue to use all the tools at their disposal to accomplish their missions, and that includes cyber ones.

This is not to say that such efforts are entirely useless (if you happen to arrest someone you want to have a lot of books to throw at them), just that the level of effort put forth is disproportionate to the impact that it will have on life online. Who is invited to these sorts of discussions? Governments. Who causes the most trouble online? Non-state actors.

Roads less traveled

I am not entirely dismissive of political-diplomatic efforts to improve the security and safety of cyberspace, merely unenthusiastic. Just because “that’s how things are done” doesn’t mean that’s what’s going to get us where we need to be. What it shows is inflexible thinking, and an unwillingness to accept reality. If we’re going to expend time and energy on efforts to civilize cyberspace, let’s do things that might actually work in our lifetimes.

  • Practical diplomacy. We’re never going to get every nation on the same page. Not even for something as heinous as child porn. This means bilateral agreements. Yes, it is more work to both close and manage such agreement, but it beats hoping for some “universal” agreement on norms that will never come.
  • Soft(er) power. No one wants another 9/11, but what we put in place to reduce that risk, isn’t The private enterprises that supply us with the Internet – and computer technology in general – will fight regulation, but they will respond to economic incentives.
  • The human factor. It’s rare to see trash along a highway median, and our rivers don’t catch fire Why? In large part because of the crying Indian. A concerted effort to change public opinion can in fact change behavior (and let’s face it: people are the root of the problem).

Every week a new breach, a new “wake-up call,” yet there is simply not sufficient demand for a safer and more secure cyberspace. The impact of malicious activity online is greater than zero, but not catastrophic, which makes pursuing grandiose solutions a waste of cycles that could be put to better use achieving incremental gains (see ‘boil the ocean’).

Once we started selling pet food and porn online, it stopped being the “information superhighway” and became a demolition derby track. The sooner we recognize it for what it is the sooner we can start to come up with ideas and courses of action more likely to be effective.

/* Originally posted at Modern Warfare blog at CSO Online */

Cyber War: The Fastest Way to Improve Cybersecurity?

For all the benefits IT in general and the Internet specifically have given us, it has also introduced significant risks to our well-being and way of life. Yet cybersecurity is still not a priority for a majority of people and organizations. No amount of warnings about the risks associated with poor cybersecurity have helped drive significant change. Neither have real-world incidents that get worse and worse every year.

The lack of security in technology is largely a question of economics: people want functional things, not secure things, so that’s what manufacturers and coders produce. We express shock after weaknesses are exposed, and then forget what happened when the next shiny thing comes along. Security problems become particularly disconcerting when we start talking about the Internet of Things, which are not just for our convenience; they can be essential to one’s well-being.

To be clear: war is a terrible thing. But war is also the mother of considerable ad hoc innovation and inventions that have a wide impact long after the shooting stops. War forces us to make those hard decisions we kept putting off because we were so busy “crushing” and “disrupting” everything. It forces us to re-evaluate what we consider important, like a reliable AND secure grid, like a pacemaker that that works AND cannot be trivially hacked. Some of the positive things we might expect to get out of a cyberwar include:

  • A true understanding of how much we rely on IT in general and the Internet specifically. You don’t know what you’ve got till it’s gone, so the song says, and that’s certainly true of IT. You know IT impacts a great deal of your life, but almost no one understands how far it all goes. The last 20 years has basically been us plugging computers into networks and crossing our fingers. Risk? We have no idea.
  • A meaningful appreciation for the importance of security. Today, insecurity is an inconvenience. It is not entirely victimless, but increasingly it does not automatically make one a victim. It is a fine, a temporary dip in share price. In war, insecurity means death.
  • The importance of resilience. We are making dumb things ‘smart’ at an unprecedented rate. Left in the dust is the knowledge required to operate sans high technology in the wake of an attack. If you’re pushing 50 or older, you remember how to operate without ATMs, GrubHub, and GPS. Everyone else is literally going to be broke, hungry, and lost in the woods.
  • The creation of practical, effective, scalable solutions. Need to arm a resistance force quickly and cheaply? No problem. Need enough troops to fight in two theaters at opposite ends of the globe? No problem. Need ships tomorrow to get those men and materiel to the fight? No problem. When it has to be done, you find a way.
  • The creation of new opportunities for growth. When you’re tending your victory garden after a 12 hour shift in the ammo plant, or picking up bricks from what used to be your home in Dresden, it’s hard to imagine a world of prosperity. But after war comes a post-war boom. No one asked for the PC, cell phone, or iPod, yet all have impacted our lives and the economy in significant ways. There is no reason to think that the same thing won’t happen again, we just have a hard time conceiving it at this point in time.

In a cyberwar there will be casualties. Perhaps not directly, as you see in a bombing campaign, but the impacts associated with a technologically advanced nation suddenly thrown back into the industrial (or worse) age (think Puerto Rico post-Hurricane Maria). The pain will be felt most severely in the cohorts that pose the greatest risk to internal stability. If you’re used to standing in line for everything, the inability to use IT is not a big a deal. If you’re the nouveau riche of a kleptocracy – or a member of a massive new middle class – and suddenly you’re back with the proles, you’re not going to be happy, and you’re going to question the legitimacy of whomever purports to be in charge, yet can’t keep the lights on or supply potable water.

Change as driven by conflict is a provocative thought experiment, and certainly a worst-case scenario. The most likely situation is the status quo: breaches, fraud, denial, and disruption. If we reassess our relationship with cybersecurity it will certainly be via tragedy, but not necessarily war. Given how we responded to security failings 16 years ago however, it is unclear if those changes will be effective, much less ideal.

/* Originally published in CSOonline – Modern Warfare blog */

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes.In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war. 

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

The Airborne Shuffle in Cyberspace

I did my fair share supporting and helping develop its predecessor, but I have no special insights into what is going on at CYBERCOM today. I am loathe to criticize when I don’t know all the details, still I see reports like this and scratch my head and wonder: why is anyone surprised?

Focus. If you have to wake up early to do an hour of PT, get diverted afterwards to pee in a cup, finally get to work and develop a good head of steam, only to leave early to go to the arms room and spend an hour cleaning a rifle, you’re not going to develop a world-class capability in any meaningful time-frame. Not in this domain. Not to mention the fact that after about two years whatever talent you’ve managed to develop rotates out and you have to start all over again.

Speed. If you have to call a meeting to call a meeting, and the actual meeting can’t take place for two weeks because everyone who needs to be there is involved in some variation of the distractions noted above, or TDY, you have no chance. It also doesn’t help that when you manage to have the meeting you are forced to delay decisions because of some minutia. You’re not just behind the power curve, you’re running in the opposite direction.

Agility. If your business model is to train generalists and buy your technology…over the course of several years…you are going to have a hard time going up against people with deep expertise who can create their own capabilities in days. Do we need a reminder inhow effective sub-peer adversaries can be against cutting edge military technology? You know what the people attacking SWIFT or major defense contractors aren’t doing? Standing up a PMO.

The procurement and use of tanks or aircraft carriers is limited to the military in meat-space, but in cyberspace anyone can develop or acquire weapons and project power. Globally. If you’re not taking this into consideration you’re basically the 18th Pomeranians. Absent radical changes no government hierarchy is going to out-perform or out-maneuver such adversaries, but it may be possible to close the gaps to some degree.

Focus. You should not lower standards for general purpose military skills, but in a CONUS, office environment you can exercise more control over how that training is performed and scheduled. Every Marine a rifleman, I get it, but shooting wars are relatively rare; the digital conflict has been engaged for decades (and if your cyber troops are hearing shots fired in anger, you’ve probably already lost).

Speed. Hackers don’t hold meetings, they open chat sessions. Their communication with their peers and partners is more or less constant. If you’re used to calling a formation to deliver your messages orally, you’re going to have to get used to not doing that. Uncomfortable with being glued to a screen – desktop or handheld? You’re probably ill-suited to operate in this domain.

Agility. You are never going to replicate ‘silicon valley’ in the DOD without completely disrupting DOD culture. The latter is a zero-defect environment, whereas the former considers failures to be a necessary part of producing excellence. You cannot hold company-level command for 15 years because its the job you’re best suited to; you can be one of the world’s best reverse engineers for as long as you want to be. What is “normal” should mean nothing inside an outfit like CYBERCOM.

Additional factors to consider…

Homestead. If you get assigned to CYBERCOM you’re there for at least 10 years. That’s about 20 dog years from the perspective of the domain and related technology experience, and it will be invaluable if you are serious about effective performance on the battlefield.

Lower Rank/Greater Impact. Cyberspace is where the ‘strategic corporal’ is going to play an out-sized role. At any given moment the commander – once their intent is made clear – is the least important person in the room.

Bias for Action. In meat-space if you pull the trigger you cannot call back the bullet. If your aim is true your target dies. In cyberspace your bullets don’t have to be fatal. The effect need only be temporary. We can and should be doing far more than we apparently are, because I guarantee our adversaries are.

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department if case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discretely of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto  nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-day an the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things hasn’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually work. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflect harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right might would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

fighting the long war with the jr. varsity

Let me preempt the inevitable brickbats by saying I never met a new/recent hire that wasn’t better educated than I was at that age (and probably more inquisitive to boot):

The Department of Defense will face a worldwide civilian manning challenge in the near future, because roughly 22 percent of its work force will reach retirement age within two years, a senior Defense Department official said Monday.

This follows on the heels of an earlier report:

Continue reading