Turn Away from the (Fulda) Gap

Former DIRNSA/DNI McConnell is right in his assessment of the state of cyber conflict and the US’s disposition, but like so many of his generation he defaults to what he knows best and supposes we can secure the future if we look to the past. That would be great if the present, much less the future, were reflective of anything like the past so many cold warriors are familiar with. It is natural to try and frame current situations into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere.

Reducing the impact of cyber conflict through deterrence (as it is commonly portrayed) and the sharing of information are admirable goals; ones we’ve been trying to accomplish without significant results for years.

Attribution requires a level of effort so massive and onerous the only way to make it fast and easy is to re-engineer how the Internet works and the government’s access to the necessary mechanisms. That is a task that is anything but fast or easy or more importantly: cheap. Barring a combination technical-legal breakthrough that is free, global in scope and universal in acceptance, attribution isn’t happening. No attribution, no deterrence (in a traditional sense).

The point of deterrence is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government systems are attacked regularly; so are the systems of the private firms that support defense and intelligence work. There are only a few entities worldwide that can make use of the information that is stolen from targeted systems, so we have attribution in a meta sense, and justification to act in a meta fashion. Let me know how that strongly worded demarche goes over.

Public-Private partnerships are a great idea. We’ve got ISACs for just that purpose, but what have they done in any practical sense? Neither side is as open as they could or should be, no one talks about anything new. The NSA is a great national resource for critical industries that rely on a stable and secure cyberspace to operate, but no one is going to trust the assurance side of the NSA as long as it is tied to the snooping part. The reasons for keeping the agency’s two directorates together are strong, but the reasons for splitting them apart are more compelling (more on that in a separate venue).

It’s one thing to have an international agreement in place, but it’s folly to think that the most dangerous threats to a nation’s ability to operate in cyberspace would a) adhere to any regime they signed or b) show up at the negotiating table in the first place. The most dangerous people in cyberspace – those who can and do actually use their weapons – don’t salute a flag, hold sovereign territory, or sign international agreements. For all the time, money and energy put forth trying to counter the proliferation of nuclear weapons, the world is surprisingly full of new nuclear powers (and those that belligerently aspire to achieve such status). Viewed through such a lens, every computer science department in every university is a weapons lab, every professor a national security resource that must be sequestered in Naukograds. Talk about unworkable.

It would be great if safety and security in cyberspace were a notional physics experiment where all the important factors are negligible and controllable, but it’s not, so the only real solutions are the practical ones. The way forward in securing cyberspace is not deterring threats, it’s making threats irrelevant.

Cyberspace is a construct with physical underpinnings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a reasonable amount of time, an adversary can attack all day, every day, to no avail. Someone once said the war on terror should continue until terrorism is a nuisance, and so should it be for cyberspace. As someone who has spent a good chunk of his career addressing these issues it almost pains me to say it, but securing cyberspace is less about security than it is about resilience.

Resilience and security are not the same thing. You can try to make them sound the same, but they’re just not. The problem is that “security” sells, while “resilience” is like continuity of operations, and we all know how that’s viewed. Just look over at the shelf to your left, at that gigantic three-ring binder with your COOP plan that has ½” of dust on it. Yeah, guys with resilience on their minds put that together. If anyone gets less respect organizationally than cyber security guys it’s resilience guys, which is a shame because of the two communities, the one that is more successful is the resilience crowd. Resilience is achievable. It is happening. Backups and hot sites and redundancy in connectivity, etc., etc. all contribute more to making cyber attacks irrelevant than firewalls, intrusion detection systems, or anti-virus software. Of course the latter is sexy, the former tedious grunt work. It’s not called the Comprehensive National Resilience Initiative, but it probably should be.

When you get down to it though, making cyberspace more secure isn’t about the physical, it’s about the behavioral. Most of the compromises suffered by the US government and the businesses that support national security and defense would go away if we had – early on in the ‘Net’s foray from the governmental to the public/commercial – established, promulgated, and enforced good behavior and safe practices. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the driveway. No matter how hard we try to educate our respective workforces about cyber security, they’re still the weakest link in the cyber security chain. We lose billions in lost R&D and proprietary information that supports national security, yet we still don’t punish people for their digital sins the same way we would if they had committed the same violation in meat-space. Knowingly violating espionage laws gets you prison; knowingly violating corporate security policy is hardly detected.

That’s a shame because cyber security is the root of national security in the information age. The ability to project physical power means nothing – the trillions we spend on defense a waste – if that power can be made irrelevant with a few lines of code. That’s all it takes if any one of the millions of moving parts associated with the design, construction, acquisition, and deployment of our first-world weapons platforms is compromised by an adversary. Make no mistake: the chinks in the armor of the military-industrial complex are too numerous to count, much less monitor or secure.

I support wholeheartedly any effort to really make cyberspace a safer and stronger place, but every few years I listen to the same speeches, read the same studies and ‘strategies’ and watch the same budget cycles burn through billions with no discernible improvement in our security disposition. What I’d like the heavy hitters in the national security arena to do is stop ignoring the recommendations, stop buying the same non-solutions, stop relying on cold warriors, and start acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did about nuclear fission occurring over Washington, New York, and Omaha.

Avoiding a Kluster ****

National Intelligence Estimates (NIEs) are supposed to be a collaborative effort of every agency (in reality, every agency with a dog in that particular fight). Whether you value the findings in recently declassified NIEs or not, most of us have a pretty good idea of what any sort of product produced by committee is like. There is a saying about enjoying sausage and avoiding knowing how it is actually made that applies.

Forrester for Uncle Sam?

When the Department of Defense needed the ability to push the technological envelope they developed the Advanced Research Projects Agency. Recognizing the value in that approach – about fifty years later – the intelligence community formed its own advanced R&D capability. The community nurtures the development of advanced IT solutions through its venture capital firm In-Q-Tel. All well and good for major technology solutions, but what good is all this to your average general-schedule working stiffs who are just trying to get their little $2, $5, $10 million dollar projects off the ground?
Not much.

An XGW-cyber intel lab?

Beltway Bandits offering up expensive and cumbersome gaming solutions to Uncle Sam: look out!

I was sitting at a picnic table Thursday afternoon talking with a revolutionary who last year bombed an American Apparel store.

I didn’t think she was all that dangerous. As far as I could tell, she was just a big-time radical in the Second Life virtual world.

My Second Life alter ego, Caro Zohari (an avatar who has much nicer hair than I do), was interviewing a spokeswoman for the Second Life Liberation Army (SLLA), an “avatar rights” group that has sprung up in the Linden Lab-created virtual world with the objective of fomenting a “democratic revolution” to oppose Linden’s supposedly authoritarian rule.

Couple of things strike me:

  • Assuming SL doesn’t put the kibosh on madness like this, it would be an interesting way to test out a variety of pol-mil-legal responses to terrorist, insurgent, or radical activist activity; not just the sticks but the carrots too. A live political and military science lab if you will.
  • People who are going to dismiss this as just game play are ignoring the potential to radicalize otherwise “normal” people via this medium. There are some people who can’t separate fantasy from reality and the consequences can be grave.
  • Do the normal rules of HUMINT and SIGINT apply in SL? Do we assume everyone in SL is a “US Person” or do we take advantage of the fact that no one online knows you’re a dog and maximize the medium for both the actual take and the lessons learned?

If Linden lets the activity continue, I could see the need for a weapons toolkit that allows for real-world flexibility but does not impact the underlying system; you want targets to suffer losses for the sake of realism, you don’t want rogue external malcode shutting down the system. Maybe it’s artificial (ahem) but you want to keep the experiment going as long as possible I would think.

Maybe this is where you get some preliminary answers to questions about the effectiveness of generational warfare.

Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the communications and IT industries with government workers at the U.S. Computer Emergency Readiness Team (US-CERT) facility here, said Gregory Garcia, assistant secretary of cybersecurity and telecommunications at the DHS. The teams will work jointly on improving US-CERT’s information hub for cybersecurity, Garcia said. The agency didn’t specify a starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary) raise your hand.

Every highly-skilled private sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics works, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.

$.02

underrattelser – US style

Ralph Peters’ latest report on improvements in MI. Money graph:

Appropriate technologies can help us – but no database or collection system is a substitute for seasoned human judgment. The key task in intelligence is understanding the enemy. Machines do many things, but they still don’t register flesh-and-blood relationships, self-sacrifice or fanaticism.

Underrattelser: Improvement from below (how Swedes describe MI) covered at John Robb’s site.
Smart Move

The Bush administration may withhold technology dollars from federal agencies that are lagging on cybersecurity, a top IT official said Wednesday.

The philosophy goes something like this: The government shouldn’t be spending money on agencies that want to build new systems when their overall management processes remain flawed.

“This year we’re really focused on making sure agencies are delivering results, investing the taxpayers’ dollars wisely, and are really executing now on the activities they said they are going to do,” … That means agencies must address known security flaws, particularly when it comes to protecting personal information . . .

There are only two ways to make things happen in the gov’t: make what you want done a ratable performance review item or fiddle with the cash flow.

Dumb Luck

I’m on a cyber-roll today:

Computer hackers tapped into a Web site at the Centers for Disease Control and Prevention last week, planting a virus that has possibly infected computers used by people who visited the site, agency officials said.

CDC’s podcast site, www.cdc.gov/podcasts, which contains audio and video on a variety of public health topics, has been taken off the agency’s Web site and is expected to be down for at least a few days.

“At this time, CDC does not have any evidence that sensitive information has been compromised in any way. However, it is possible that computers used by visitors to CDC’s site may have been infected with a computer virus,” the agency said in a news item posted Saturday evening at www.cdc.gov.

“Users that visited the site Thursday morning should ensure their computer has been scanned for viruses.”

Ah, no, users that visited the site should ensure that they’re not following bogus medical advice. The danger is not malcode but semantic attack. You can clean/wipe/rebuild an infected system; you’d be hard pressed to recover from libel, injury or death caused by diddled data. No one remembers Lamo the homeless hacker and his foray into AP/Yahoo news or if they do they’ve forgotten the impact a successful attack can have.

CDC’s kung fu may be weak, but they’re just plain lucky their adversary was only a yellow-belt.