Cyber Security Through the Lens of Theranos

[This is not me piling on to the woes of Theranos or its CEO. It’s not. Well, it is to the degree that you can’t draw analogies without pointing out some embarrassing truths, but let’s be honest: we have all, like Fox Mulder, wanted to believe in something fantastical, despite all signs to the contrary.]

Credibility Matters. Any product, any service, any methodology that promises the world – or something akin to it – should be viewed with a jaundiced eye. If the driving force behind said promise is effectively a random stranger, even more so. Cyber security has been studied to death. The idea that one person has uncovered something no one else in the field has figured out is so unlikely you almost have to assume they’re full of ****.  I worked on something that was thought to be novel. Turns out it wasn’t, which means we were on to something, but it could be argued that better or at least faster minds than ours were already on the case.

Enablers Are Evil. When the unit of measure is “billions” all sorts of yahoos will come out of the woodwork. Most of them are there because you’re measuring things in billions, not because what you’re doing is actually worth billions. In the case of Theranos they’re worth nothing and have been for a long time. In the security space it is rare to find a company whose valuation is not by and large aspirational. Those doing to assessing really have no idea if those solutions will stand the test of time. And by “time” I mean “the point at which customers realize they’ve been had.”

The Importance of Being Honest. People are putting their trust in you; you owe it to them to be honest and forthright. When over 90% of “your” work has nothing to do with what you’ve sold people on, that’s what most people would call fraud. You exacerbate the problem with half-measures and stalling tactics, so not only are you a liar, you’re sleazy as well. How is that helping the cause exactly? Are you in this business to have an impact or are you just here for the paycheck and what passes for fame? It’s OK, we’re all only human, just be up front about it.

I have to imagine that in the beginning everyone starts out with the best of intentions, but given the nature of the work and the potential impact it can have, we need to hold ourselves to higher standards. If we’re not checking ourselves we’re setting ourselves up for a situation where checks will be imposed upon us by people who know very nearly nothing of what it takes to succeed, much less advance security.

“Cyber MAD” is a Bad Idea. Really Bad.

I don’t know how many times I have to say this, but nothing screams “legacy future” like trying to shoe-horn cold-war thinking into “cyber.” This latest attempt doesn’t disappoint (or maybe it does, depending on how you look at it) because it completely miss two key points:

  1. Cyberspace is not meat-space;
  2. Digital weapons are nothing like atomic ones.

Yes, like the nuclear arms race, it is in fact more expensive to defend yourself than it is to attack someone. Generally speaking. Its OK to paint with a broad brush on this point because so many entities online are so woefully inadequate when it comes to defense that we forget that there are actually some who are quite hard and expensive to attack. Any serious colored-hat who is being honest will tell you that they deal with more than their fair share of unknowns and ‘unknown unknowns’ when going after any given target.

But unlike malicious actions in cyberspace, there is no parsing nuclear war. You’re nuked, or you’re not. Cyber-espionage, cyber-crime, cyber-attack…all indistinguishable in all technically meaningful ways. Each has a different intent, which we are left to speculate about after-the-fact. In the other scenario, no one is around to speculate why a battalion of Reds turned their keys and pushed their buttons.

Attacker identity is indeed important whether you’re viewing a potential conflict through nuclear or digital lenses, but you know what excuse doesn’t work in the nuclear scenario? “It wasn’t me.”

Um, IR burn says it was…

There is no such equivalent in cyberspace. You can get close – real close – given sufficient data and time, but there will be no Colin Powell-at-the-UN-moment in response to a cyber threat because “it wasn’t me” is a perfectly acceptable excuse.

But we have data.

You can fabricate data

You know what you can’t fabricate? Fallout.

All of this, ALL OF THIS, is completely pointless because if some adversary had both the will and the wherewithal to attack and destroy our and just our critical infrastructure and national security/defense capabilities via cyber means…what are we meant to strike back with? Who are those who happen to be left unscathed supposed to determine who struck first? I was not a Missileer, but I’m fairly certain you can’t conduct granular digital attribution from the bottom of an ICBM silo.

What is the point of worrying about destruction anyway? Who wants that? The criminals? No, there is too much money to be made keeping systems up and careless people online. The spies? No, there is too much data to harvest and destruction might actually make collection hard. Crazy-bent-on-global-domination types? This is where I invoke the “Movie Plot Threat” clause. If the scenario you need to make your theory work in cyberspace is indistinguishable from a James Bond script, you can’t be taken seriously.

MAD for cyberspace is a bad idea because its completely academic and does nothing to advance the cause of safety or security online (the countdown to someone calling me “anti-intellectual” for pointing out this imperial nudity starts in 5, 4, 3….). MAD, cyber deterrence, all this old think is completely useless in any practical sense. You know why MAD and all those related ideas worked in the 60s? Because they dealt with the world and the problem in front of them as it was, not how they wished it to be.

I wholeheartedly agree that we need to do more and do more differently in order to make cyberspace a safer and more secure environment. I don’t know anyone who argues otherwise. I’m even willing to bet there is a period of history that would provide a meaningful analog to the problems we face today, but the Cold War isn’t it.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

The Importance of Being There

There is nothing new or special about the “cyber” aspect to the Arab Spring. The use of the Internet and tools that ride on and through it by pro- and anti-regime elements in China, Serbia, Mexico . . . we’ve been seeing this for at least 15 years and every time it surfaces it’s the same breathless coverage about how new, and game changing it all is.

I guess I have different definitions for those words.

“Cyber” might make it easier to organize or communicate if you’re the rebel force, but it’s not going to overthrow the government: that takes people putting themselves in physical danger. To steal a phrase I learned in the Army: If you’re not there, you don’t own it. The difference between “cyber” and pamphleteering? The medium. That’s it.

In the future, it would be great if we focused on what really mattered during events like this: the meat-space strategies and tactics and heroics that actually lead to change, not the fact that the rebels are using the online tool-of-the-month. Actually, it would be better if someone wrote an article about how such tactics alone rarely lead to real-world success, but something tells me that won’t sell a lot of newspapers.

Killing Trees for Cyberspace

At his CTO Vision blog my friend and colleague Bob Gourley found a fair amount of good in the new Cyber Strategy. Me, I see a glass half empty . . .

Let me start out by saying that I really would like to see some progress in this realm, and if this latest attempt at a strategy to secure cyberspace is what leads to progress than all the better for us.

My problem is less with any specific part of the strategy as it is with the whole idea of yet-another-strategy in the first place. Let me be perfectly clear: there is absolutely no reason to believe that any substantial, widespread good will come of this document. This is not our first rodeo . . .

. . . and yet by all measures we are no better off today than we were decades ago when the issues identified in the strategy were first brought up. The advance and ubiquity of information technology has both broadened the scope of problems and simultaneously made them more intimate. We have serious problems that need to be dealt with now, but we’re spending our time congratulating ourselves on a great piece of staff work that may never be realized.

A national or international strategy makes a number of presumptions, or simply ignores reality, which is the principle reason why such efforts fail. The Internet is not an instrument of national power in the traditional sense; such power rests in the hands of private concerns. The dominant forces online care not a wit for political or military concerns – the domain of nation-states – but for revenue and profitability (alien concepts to governments). Even the most prolific threat actors in cyberspace today pose no serious threat to the ‘Net itself (you can’t make money if connectivity goes away). As long as there is a patsy to off-load the risks of doing business online (read: consumers), and as long as the pain those patsies suffer is nominal, there is no incentive to invest in a safer cyberspace.

The strategy articulates a vision: A cyberspace that is filled with innovations, interoperable, secure enough and reliable enough. Great, except that’s pretty much the state of affairs today, so I guess that’s a ‘win.’ Do you know how we got that win? Aside from tracing the ‘Net’s roots back to ARPANET, it had nothing to do with government action. The prosperity that we would attempt to assure is already here and will continue to exist because of market forces, not legislation or international agreement.

That a strategy may be actionable is of little consequence if there is no incentive to act. To be more precise: when there is no penalty for failure, what do you think agencies and their leadership are going to focus on? Despite past federal efforts to “secure” cyber space, agencies consistently get failing grades, and no one is held accountable. I only know of one (State-level) cyber security official to have ever been fired, and that wasn’t because he was negligent, but because he spoke out of school. Lesson: it’s OK to get pwned, it’s not OK to admit you got pwned (because, you know, no one else is getting pwned so we might look bad).

I know this is the best effort that those involved could produce. If anyone was going to get it drafted, coordinated, and out the door it was going to be Howard. I will do what I can to help realize the goals of a safer cyber space and I would like to think that this time we’re going to see some forward progress, but almost two decades of witnessing ‘fail’ in this area precludes me from holding my breath.

Turn Away from the (Fulda) Gap

Former DIRNSA/DNI McConnell is right in his assessment of the state of cyber conflict and the US’s disposition, but like so many of his generation he defaults to what he knows best and supposes we can secure the future if we look to the past. That would be great if the present, much less the future, were reflective of anything like the past so many cold warriors are familiar with. It is natural to try and frame current situations into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere.

Reducing the impact of cyber conflict through deterrence (as it is commonly portrayed) and the sharing of information are admirable goals; ones we’ve been trying to accomplish without significant results for years.

Attribution requires a level of effort so massive and onerous the only way to make it fast and easy is to re-engineer how the Internet works and the government’s access to the necessary mechanisms. That is a task that is anything but fast or easy or more importantly: cheap. Barring a combination technical-legal breakthrough that is free, global in scope and universal in acceptance, attribution isn’t happening. No attribution, no deterrence (in a traditional sense).

The point of deterrence is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government systems are attacked regularly; so are the systems of the private firms that support defense and intelligence work. There are only a few entities worldwide that can make use of the information that is stolen from targeted systems, so we have attribution in a meta sense, and justification to act in a meta fashion. Let me know how that strongly worded demarche goes over.

Public-Private partnerships are a great idea. We’ve got ISACs for just that purpose, but what have they done in any practical sense? Neither side is as open as they could or should be, no one talks about anything new. The NSA is a great national resource for critical industries that rely on a stable and secure cyberspace to operate, but no one is going to trust the assurance side of the NSA as long as it is tied to the snooping part. The reasons for keeping the agency’s two directorates together are strong, but the reasons for splitting them apart are more compelling (more on that in a separate venue).

It’s one thing to have an international agreement in place, but its folly to think that the most dangerous threats to a nation’s ability to operate in cyberspace would a) adhere to any regime they signed or b) would show up at the negotiating table in the first place. The most dangerous people in cyberspace – those who can and do actually use their weapons – don’t salute a flag, hold sovereign territory, or sign international agreements. For all the time, money and energy put forth trying to counter the proliferation of nuclear weapons, the world is surprisingly full of new nuclear powers (and those that belligerently aspire to achieve such status). Viewed through such a lens, every computer science department in every university is a weapons lab, every professor a national security resources that must be sequestered in Naukograds. Talk about unworkable.

It would be great if safety and security in cyberspace were a notional physics experiment where all the important factors are negligible and controllable, but it’s not, so the only real solutions are the practical ones. The way forward in securing cyberspace is not deterring threats, its making threats irrelevant.

Cyberspace is a construct with physical underpinggings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a reasonable amount of time, an adversary can attack all day, every day, to no avail. Someone once said the war on terror should continue until terrorism is a nuisance, and so should it be for cyberspace. As someone who has spent a good chunk of his career addressing these issues it almost pains me to say it, but securing cyberspace is less about security as it is about resilience.

Resilience and security are not the same thing. You can try to make sound the same, but they’re just not. The problem is that “security” sells, “resilience” is like continuity of operations, and we all know how that’s viewed. Just look over at the shelf to your left, that gigantic three-ring binder with your COOP plan that has ½” of dust on it. Yeah, guys with resilience on their minds put that together. If anyone gets less respect organizationally than cyber security guys its resilience guys, which is a shame because of the two communities, the one that is more successful is the resilience crowd. Resilience is achievable. It is happening. Backups and hot sites and redundancy in connectivity, etc., etc. all contributes more to making cyber attacks irrelevant than firewalls, intrusion detection systems, or anti-virus software. Of course the latter is sexy, the former tedious grunt work. It’s not call the Comprehensive National Resilience Initiative, but it probably should be.

When you get down to it though, making cyberspace more secure isn’t about the physical, its about the behavioral. Most of the compromises suffered by the US government and the businesses that support national security and defense would go away if we had – early on in the ‘Net’s foray from the governmental to the public/commercial – established, promulgated, and enforced good behavior and safe practices. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the driveway. No matter how hard we try to educate our respective workforces about cyber security, they’re still the weakest link in the cyber security chain. We loose billions in lost R&D and proprietary information that supports national security, yet we still don’t punish people for their digital sins the same way we would if they had committed the same violation in meat-space. Knowingly violating espionage laws gets you prison; knowingly violating corporate security policy is hardly detected.

That’s a shame because cyber security is the root of national security in the information age. The ability to project physical power means nothing – the trillions we spend on defense a waste – if that power can be made irrelelvent with a few lines of code. That’s all it takes if any one of the millions of moving parts associated with the design, construction, acquisition, and deployment of our first-world weapons platforms is compromised by an adversary. Make no mistake: the chinks in the armor of the military-industrial complex are too numerous to count, much less monitor or secure.

I support wholeheartedly any effort to really make cyberspace a safer and stronger place, but every few years I listen to the same speeches, read the same studies and ‘strategies’ and watch the same budget cycles burn through billions with no discernible  improvement in our security disposition. What I’d like the heavy hitters in the national security arena to do is stop ignoring the recommendations, stop buying the same non-solutions, stop relying on cold warriors, and start acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did nuclear fission occurring over Washington, New York, and Omaha.

“reputation system”

From the Enterprise Resilience Management Blog:

Anyone who believes he knows of information relating to these proposed
patents will be able to post this online and solicit comments from
others. But this will suddenly make available reams of information,
which could be from suspect sources, and so the program includes a
‘reputation system’ for ranking the material and evaluating the
expertise of those submitting it.

“reputation system” – how the wiki-fied, blogosphered IC can sort the wheat from the chaff and cast off the last vestiges of the old way of doing things.

Now, to find out the status of that reform book draft . . .

Mission First, People Always

Not going to repeat the now well-worn story of Walter Reed-related issues, merely wanted to take a minute to point out a trend and offer up a lesson.

There was a time when, while serving on active duty, the Army just decided to stop paying me. Never did figure out what happened, the checks just stopped coming. I worked through the chain. I trusted it. I accepted the fact that things move slowly in the Army. I waited. I followed up. I waited some more. I exhausted every internal option available to me as I watched my savings dwindle (the chow hall was great, but I still had other bills to pay).  When loan defaults loomed I wrote my Senator who at the time was Army veteran Daniel Inouye.

Roughly 72 hours later I had a check for all my back pay and a line outside my barracks room door of members of my chain of command from battalion-level on down asking if everything was OK, and would I please work through the chain of command to resolve future problems ’cause we really get the heebie jeebies when Senator’s offices call.

The pay problems of one buck sergeant don’t compare to the woes of outpatients at Walter Reed, but this story – and many others any GI will be happy to relate to you – are indicative of the general mindset of those at the top. Nothing is their problem (“If you sloppy GI’s wouldn’t keep food in your rooms there wouldn’t be a rat problem”)  until someone makes it their problem, and that “someone” is never going to be someone they outrank. The operative phrase is “mission first, people always” until people do what people do and then it becomes “people whenever.”

Under different circumstances I’m sure everyone highest levels of Army medicine and the Department of the Army are great folks, but that they responded in typical Army fashion to this situation is beyond shameful. I hope this serves as a lesson for a wider variety of defense and national security leadership: fat lot of good your big initiatives are going to be if you are undone by the little things.

Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the
communications and IT industries with government workers at the U.S.
Computer Emergency Readiness Team (US-CERT) facility here, said Gregory
Garcia, assistant secretary of cybersecurity and telecommunications at
the DHS. The teams will work jointly on improving US-CERT’s information
hub for cybersecurity, Garcia said. The agency didn’t specify a
starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary) raise your hand.

Every highly-skilled private sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics works, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.


underrattelser – US style

Ralph Peters’ latest report on improvements in MI. Money graph:

Appropriate technologies can help us – but no database or collection
system is a substitute for seasoned human judgment. The key task in
intelligence is understanding the enemy. Machines do many things, but they still don’t register flesh-and-blood relationships, self-sacrifice or fanaticism.

Underrattelser: Improvement from below (how Swedes describe MI) covered at John Robb’s site.