Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes.In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war. 

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

The Airborne Shuffle in Cyberspace

I did my fair share supporting and helping develop its predecessor, but I have no special insights into what is going on at CYBERCOM today. I am loathe to criticize when I don’t know all the details, still I see reports like this and scratch my head and wonder: why is anyone surprised?

Focus. If you have to wake up early to do an hour of PT, get diverted afterwards to pee in a cup, finally get to work and develop a good head of steam, only to leave early to go to the arms room and spend an hour cleaning a rifle, you’re not going to develop a world-class capability in any meaningful time-frame. Not in this domain. Not to mention the fact that after about two years whatever talent you’ve managed to develop rotates out and you have to start all over again.

Speed. If you have to call a meeting to call a meeting, and the actual meeting can’t take place for two weeks because everyone who needs to be there is involved in some variation of the distractions noted above, or TDY, you have no chance. It also doesn’t help that when you manage to have the meeting you are forced to delay decisions because of some minutia. You’re not just behind the power curve, you’re running in the opposite direction.

Agility. If your business model is to train generalists and buy your technology…over the course of several years…you are going to have a hard time going up against people with deep expertise who can create their own capabilities in days. Do we need a reminder inhow effective sub-peer adversaries can be against cutting edge military technology? You know what the people attacking SWIFT or major defense contractors aren’t doing? Standing up a PMO.

The procurement and use of tanks or aircraft carriers is limited to the military in meat-space, but in cyberspace anyone can develop or acquire weapons and project power. Globally. If you’re not taking this into consideration you’re basically the 18th Pomeranians. Absent radical changes no government hierarchy is going to out-perform or out-maneuver such adversaries, but it may be possible to close the gaps to some degree.

Focus. You should not lower standards for general purpose military skills, but in a CONUS, office environment you can exercise more control over how that training is performed and scheduled. Every Marine a rifleman, I get it, but shooting wars are relatively rare; the digital conflict has been engaged for decades (and if your cyber troops are hearing shots fired in anger, you’ve probably already lost).

Speed. Hackers don’t hold meetings, they open chat sessions. Their communication with their peers and partners is more or less constant. If you’re used to calling a formation to deliver your messages orally, you’re going to have to get used to not doing that. Uncomfortable with being glued to a screen – desktop or handheld? You’re probably ill-suited to operate in this domain.

Agility. You are never going to replicate ‘silicon valley’ in the DOD without completely disrupting DOD culture. The latter is a zero-defect environment, whereas the former considers failures to be a necessary part of producing excellence. You cannot hold company-level command for 15 years because its the job you’re best suited to; you can be one of the world’s best reverse engineers for as long as you want to be. What is “normal” should mean nothing inside an outfit like CYBERCOM.

Additional factors to consider…

Homestead. If you get assigned to CYBERCOM you’re there for at least 10 years. That’s about 20 dog years from the perspective of the domain and related technology experience, and it will be invaluable if you are serious about effective performance on the battlefield.

Lower Rank/Greater Impact. Cyberspace is where the ‘strategic corporal’ is going to play an out-sized role. At any given moment the commander – once their intent is made clear – is the least important person in the room.

Bias for Action. In meat-space if you pull the trigger you cannot call back the bullet. If your aim is true your target dies. In cyberspace your bullets don’t have to be fatal. The effect need only be temporary. We can and should be doing far more than we apparently are, because I guarantee our adversaries are.

How Do You Get Good at Incident Response?

The Verizon Data Breach Report has been saying it for years. The Forrester/Veracode report Planning for Failurereiterates the same points. It is only a matter of time before your company is breached. Odds are you won’t know about the breach for months, someone other than your security team is going to tell you about it, and the response to the breach is going to be expensive, disruptive, time-consuming and…less than optimal.

If you’ve been breached before, or if you’re an enterprise of any size, it’s not like you don’t have an incident reponse plan, but as Mike Tyson famously said: “Everyone has a plan till they get hit in the mouth.” When is the last time you tested that plan? Is your plan 500 pages in a 3” three-ring dust-covered binder sitting on a shelf in the SOC? That’s not a plan, that’s praying.

Your ability to respond to breaches needs to be put into practice by sparring against partners who are peers or near-peers to the kinds of threat actors you face on a daily basis. How do you do that? By testing with realism:

Over long(er)-terms. Someone who wants what you have is not going to stop after a few days or even a few weeks.Adversaries whose efforts will accelerate by years because of stolen intellectual property don’t mind waiting months; adversaries who strategize over centuries don’t mind waiting years.

Goal-oriented. Serious threat actors attack you for a reason: they are going to get paid for your data. Efforts that don’t help them accomplish their goals are time and resources wasted. The vulnerability-of-the-month may do nothing to advance their agenda; they’re going to find a way in that no one on your staff even knows exists.

In the context of your environment. The best security training in the world is still contrived. Even the most sophisticated training lab is nothing like the systems your security team have to work with every day.

Contrast the above to your average pen-test, which is short, “noisy,” and limited in scope. Pen-tests need to be done, but recognize that for the most part pen-testing has become commoditized and increasingly vendors are competing on speed and price. Is that how you’re going to identify and assess potential risks? Lowest bidder?

If we’re breached I’ll call in outside experts.

As well you should, but what are you going to do while you wait for them to show up?

Even if you have a dedicated security team in your company, odds are that team is trained to “man the battlements” so-to-speak. They’re looking for known indicators of activity along known vectors; they’re not trained to fight off an enemy who has come in through a hole of their own making. It doesn’t make sense to keep a staff of IR specialists on the team; that’s an expensive prospect for even the most security-conscious organization.But it does make sense to train your people in basic techniques, just enough to prevent wholesale pillaging. More importantly, they need to practice those techniques so that they can do them on a moment’s notice, under fire.

Your enterprise is not a castle. There is no wall that you can build that will be high enough or thick enough to repel all attackers. If your definition of defensive success is “keep bad guys out” you are setting yourself and our people up for failure. The true measure of defensive success is the speed at which you detect, eject and mitigate the actions of your attackers. If you don’t have a corresponding plan to do that yourself – or to hold out long enough for the cavalry to come – and that plan is not regularly and realistically tested, you’re planning for victim-hood.

Cyber Security Through the Lens of Theranos

[This is not me piling on to the woes of Theranos or its CEO. It’s not. Well, it is to the degree that you can’t draw analogies without pointing out some embarrassing truths, but let’s be honest: we have all, like Fox Mulder, wanted to believe in something fantastical, despite all signs to the contrary.]

Credibility Matters. Any product, any service, any methodology that promises the world – or something akin to it – should be viewed with a jaundiced eye. If the driving force behind said promise is effectively a random stranger, even more so. Cyber security has been studied to death. The idea that one person has uncovered something no one else in the field has figured out is so unlikely you almost have to assume they’re full of ****.  I worked on something that was thought to be novel. Turns out it wasn’t, which means we were on to something, but it could be argued that better or at least faster minds than ours were already on the case.

Enablers Are Evil. When the unit of measure is “billions” all sorts of yahoos will come out of the woodwork. Most of them are there because you’re measuring things in billions, not because what you’re doing is actually worth billions. In the case of Theranos they’re worth nothing and have been for a long time. In the security space it is rare to find a company whose valuation is not by and large aspirational. Those doing to assessing really have no idea if those solutions will stand the test of time. And by “time” I mean “the point at which customers realize they’ve been had.”

The Importance of Being Honest. People are putting their trust in you; you owe it to them to be honest and forthright. When over 90% of “your” work has nothing to do with what you’ve sold people on, that’s what most people would call fraud. You exacerbate the problem with half-measures and stalling tactics, so not only are you a liar, you’re sleazy as well. How is that helping the cause exactly? Are you in this business to have an impact or are you just here for the paycheck and what passes for fame? It’s OK, we’re all only human, just be up front about it.

I have to imagine that in the beginning everyone starts out with the best of intentions, but given the nature of the work and the potential impact it can have, we need to hold ourselves to higher standards. If we’re not checking ourselves we’re setting ourselves up for a situation where checks will be imposed upon us by people who know very nearly nothing of what it takes to succeed, much less advance security.

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department if case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discretely of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto  nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-day an the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things hasn’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually work. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflect harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).

Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government its “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas it is ill-suited. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag would be furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel understand what the most common reaction to “someone is intentionally focused on stealing our ideas,” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of  Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to has little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting isn’t open to or pursued by the US; or in the normal course of events, what made the IP valuable at the point of compromise might change making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute.  Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not serious impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right might would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

The Importance of Being There

There is nothing new or special about the “cyber” aspect to the Arab Spring. The use of the Internet and tools that ride on and through it by pro- and anti-regime elements in China, Serbia, Mexico . . . we’ve been seeing this for at least 15 years and every time it surfaces it’s the same breathless coverage about how new, and game changing it all is.

I guess I have different definitions for those words.

“Cyber” might make it easier to organize or communicate if you’re the rebel force, but it’s not going to overthrow the government: that takes people putting themselves in physical danger. To steal a phrase I learned in the Army: If you’re not there, you don’t own it. The difference between “cyber” and pamphleteering? The medium. That’s it.

In the future, it would be great if we focused on what really mattered during events like this: the meat-space strategies and tactics and heroics that actually lead to change, not the fact that the rebels are using the online tool-of-the-month. Actually, it would be better if someone wrote an article about how such tactics alone rarely lead to real-world success, but something tells me that won’t sell a lot of newspapers.

Killing Trees for Cyberspace

At his CTO Vision blog my friend and colleague Bob Gourley found a fair amount of good in the new Cyber Strategy. Me, I see a glass half empty . . .

Let me start out by saying that I really would like to see some progress in this realm, and if this latest attempt at a strategy to secure cyberspace is what leads to progress than all the better for us.

My problem is less with any specific part of the strategy as it is with the whole idea of yet-another-strategy in the first place. Let me be perfectly clear: there is absolutely no reason to believe that any substantial, widespread good will come of this document. This is not our first rodeo . . .

. . . and yet by all measures we are no better off today than we were decades ago when the issues identified in the strategy were first brought up. The advance and ubiquity of information technology has both broadened the scope of problems and simultaneously made them more intimate. We have serious problems that need to be dealt with now, but we’re spending our time congratulating ourselves on a great piece of staff work that may never be realized.

A national or international strategy makes a number of presumptions, or simply ignores reality, which is the principle reason why such efforts fail. The Internet is not an instrument of national power in the traditional sense; such power rests in the hands of private concerns. The dominant forces online care not a wit for political or military concerns – the domain of nation-states – but for revenue and profitability (alien concepts to governments). Even the most prolific threat actors in cyberspace today pose no serious threat to the ‘Net itself (you can’t make money if connectivity goes away). As long as there is a patsy to off-load the risks of doing business online (read: consumers), and as long as the pain those patsies suffer is nominal, there is no incentive to invest in a safer cyberspace.

The strategy articulates a vision: A cyberspace that is filled with innovations, interoperable, secure enough and reliable enough. Great, except that’s pretty much the state of affairs today, so I guess that’s a ‘win.’ Do you know how we got that win? Aside from tracing the ‘Net’s roots back to ARPANET, it had nothing to do with government action. The prosperity that we would attempt to assure is already here and will continue to exist because of market forces, not legislation or international agreement.

That a strategy may be actionable is of little consequence if there is no incentive to act. To be more precise: when there is no penalty for failure, what do you think agencies and their leadership are going to focus on? Despite past federal efforts to “secure” cyber space, agencies consistently get failing grades, and no one is held accountable. I only know of one (State-level) cyber security official to have ever been fired, and that wasn’t because he was negligent, but because he spoke out of school. Lesson: it’s OK to get pwned, it’s not OK to admit you got pwned (because, you know, no one else is getting pwned so we might look bad).

I know this is the best effort that those involved could produce. If anyone was going to get it drafted, coordinated, and out the door it was going to be Howard. I will do what I can to help realize the goals of a safer cyber space and I would like to think that this time we’re going to see some forward progress, but almost two decades of witnessing ‘fail’ in this area precludes me from holding my breath.