The Wolf Approaches

In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.

The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.

We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:

  • In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
  • In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
  • In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”
  • In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
  • In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
  • In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
  • In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
  • In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”

The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.

These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.

We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.

The Wall: Undermining National Security in More Ways Than One

The nation’s longest federal government shutdown continues, along with the debate on the issue that triggered it: a wall on the border between the U.S. and Mexico. While every serious voice agrees on the importance of secure borders, what constitutes effective border defense varies widely. Largely ignored in these discussions: how the financial and emotional impact of the shutdown puts the nation at risk not from external threats, but internal ones.

From the beginning of this shutdown, we’ve heard numerous stories from the ranks of the 800,000 laid off government employees, as well as the massive number of government contractors who are also not getting paid (and won’t get back-pay when this is all over), on social media and in the press about how the shutdown has and will continue to impact them and their families:

“Last week we had soup for dinner and my son asked if it was because we didn’t have money.”

“I’m really worried my landlord will not be happy when I can’t pay my rent.”

A federal employee with diabetes who is running out of insulin “…can’t afford to go to the ER. I can’t afford anything. I just went to bed and hoped I’d wake up,”

These stories point out the precarious financial situation at least part of the nation’s federal workforce faces, not just during the furlough, but on a regular basis. ‘Living paycheck to paycheck’ is a phrase one usually does not associate with college-educated professionals on the General Schedule, which is a signal to the intelligence services of our adversaries that one of the primary means of getting someone to spy for you – Money – is more likely to produce results across a wider spectrum of targets than may have been thought.

Such efforts do not necessarily have to be applied to feds with security clearances; you don’t have to have a clearance to provide information of value to our adversaries. The collection of intelligence about an adversary is often described as akin to building a ‘mosaic’: a lot of little pieces of this and that, no one piece being particularly valuable, assembled over time into a comprehensive picture.

As an example, one of the classic little ‘asks’ that counterintelligence training used to tell you to be wary of is requesting a facility or agency phone book. What harm could that do, right? It’s not even classified. We always have extra and they just go in the trash at the end of the year. Well, you’ve just handed over a list of who does what in your organization, and provided a means to reach them. You’ve also confirmed, or filled in gaps, in an adversary’s knowledge of the organization and what it does.

A modern equivalent? “Hey, I’ve been trying to bid on this contract your agency is putting out. Could you provide me with the email of <a senior defense executive>?” What’s one email address, right? Well, for all the talk of “APT” and “sophisticated” nation-state hacking, phishing is still a leading method of cyber attack. And based on professional experience, the more senior the individual, the less attentive they are to cyber security threats.

With a little more time and effort, one could come up with an extensive list of potential scenarios. None of them have to be obviously linked to security or safety issues that might make a frustrated-but-loyal fed feel suspicious, because that’s the magic of building a mosaic: every little tiny bit helps.

This isn’t exclusively a nation-state-based threat. Contractors with questionable ethics, organized crime, terrorists, or other threat actors could all take advantage of the precarious financial situation Uncle Sam has placed his people in. This is of particular concern in environments where the trustworthiness of the workforce is already questionable.

Federal shutdowns are not new. But this one comes at the end of a string of insults and injuries the federal workforce has had to face in recent years. The most significant of these being the breach of computer systems at the Office of Personnel Management. OPM didn’t just lose personnel records, it lost the background checks and related paperwork for feds with security clearances. To maintain a clearance, one has to re-submit to a background check every few years. Questions about your financial situation will be asked. Investigators will understand what caused people to miss payments or take a ding to their credit scores in the winter of 2018/spring of 2019; but if a missed paycheck sends you into a financial Mariana Trench, that’s going to be an issue. Being in financial straits could cost you your clearance, the loss of which could cost you your job. The real impact of the shutdown for some might not come home to roost for months or years.

The opposite is also true: if the bulk of the workforce took a financial hit, but you managed to come out unscathed, why is that? Everyone assumed Aldrich Ames’ stories about his wife’s family’s wealth were true, until they found out it wasn’t.

How do we deal with this?

Congress and the White House should focus on border security, not a wall per se. While there are places along the U.S.-Mexico border where a literal wall might make sense, we need to apply all the tools and technologies available to us – steel, concrete, sensors, drones, and people – to address the problem. People want a check on illegal immigration, the form that check takes is less important than the fact that it exists, and is functional.

A comprehensive study of the federal pay scale. No one joins the gov’t to get rich, but if the financial troubles of the workforce are as deep and wide-spread as the media would have us believe, is that a function of a whole lot of people living beyond their means, or are we really not paying people a livable, much less market, wage? Its ‘federal service’ not ‘federal servitude.’

If you’re a fed, particularly one with a clearance, maybe don’t talk to reporters or get on social media to discuss your plight. This is not the old days: identifying the missives of potential targets is neigh on trivial to actors like Russia and China (especially if they have your OPM file and SF-86 paperwork). And while no one thinks they’re the one who is going to sell out their country to pay the mortgage, under the right conditions, anyone can be pressured to do a little, seemingly innocuous thing, that could contribute to serious damage down the road.

/* Full credit and extensive thanks to Freshman, who came up with the idea for this post and was instrumental in its creation. */

The Global Ungoverned Area

There are places on this planet where good, civilized people simply do not voluntarily go, or willingly stay. What elected governments do in safer and more developed parts of the world are carried out in these areas by despots and militias, often at terrible cost to those who have nowhere else to go and no means to go if they did.

Life online is not unlike life in these ungoverned areas: anyone with the skill and the will is a potential warlord governing their own illicit enterprise, basking in the spoils garnered from the misery of a mass of unfortunates. Who is to stop them? A relative handful of government entities, each with competing agendas, varying levels of knowledge, skills, and resources, none of whom can move fast enough, far enough, or with enough vigor to respond in-kind.

Reaping the whirlwind of apathy

Outside of the government, computer security is rarely something anyone asks for except in certain edge cases. Security is a burden, a cost center. Consumers want functionality. Functionality always trumps security. So much so that most people do not seem to care if security fails. People want an effective solution to their problem. If it happens to also not leak personal or financial data like a sieve, great, but neither is it a deal-breaker.

At the start of the PC age we couldn’t wait to put a computer on every desk. With the advent of the World Wide Web, we rushed headlong into putting anything and everything online. Today online you can play the most trivial game or fulfill your basic needs of food, shelter, and clothing, all at the push of a button. The down side to cyber-ing everything without adequate consideration to security? Epic security failures of all sorts.

Now we stand at the dawn of the age of the Internet of Things. Computers have gone from desktops to laptops to handhelds to wearables and now implantables. And again we can’t wait to employ technology, we also can’t be bothered to secure it.

How things are done

What is our response? Laws and treaties, or at least proposals for same, that decant old approaches into new digital bottles. We decided drugs and povertywere bad, so we declared “war” on them, with dismal results. This sort of thinking is how we get the Wassenaar Agreement applied to cybersecurity: because that’s what people who mean well and are trained in “how things are done” do. But there are a couple of problems with treating cyberspace like 17th century Europe:

  • Even when most people agree on most things, it only takes one issue to bring the whole thing crashing down.
  • The most well-intentioned efforts to deter bad behavior are useless if you cannot enforce the rules, and given the rate at which we incarcerate bad guys it is clear we cannot enforce the rules in any meaningful way at a scale that matters.
  • While all the diplomats of all the governments of the world may agree to follow certain rules, the world’s intelligence organs will continue to use all the tools at their disposal to accomplish their missions, and that includes cyber ones.

This is not to say that such efforts are entirely useless (if you happen to arrest someone you want to have a lot of books to throw at them), just that the level of effort put forth is disproportionate to the impact that it will have on life online. Who is invited to these sorts of discussions? Governments. Who causes the most trouble online? Non-state actors.

Roads less traveled

I am not entirely dismissive of political-diplomatic efforts to improve the security and safety of cyberspace, merely unenthusiastic. Just because “that’s how things are done” doesn’t mean that’s what’s going to get us where we need to be. What it shows is inflexible thinking, and an unwillingness to accept reality. If we’re going to expend time and energy on efforts to civilize cyberspace, let’s do things that might actually work in our lifetimes.

  • Practical diplomacy. We’re never going to get every nation on the same page. Not even for something as heinous as child porn. This means bilateral agreements. Yes, it is more work to both close and manage such agreement, but it beats hoping for some “universal” agreement on norms that will never come.
  • Soft(er) power. No one wants another 9/11, but what we put in place to reduce that risk, isn’t The private enterprises that supply us with the Internet – and computer technology in general – will fight regulation, but they will respond to economic incentives.
  • The human factor. It’s rare to see trash along a highway median, and our rivers don’t catch fire Why? In large part because of the crying Indian. A concerted effort to change public opinion can in fact change behavior (and let’s face it: people are the root of the problem).

Every week a new breach, a new “wake-up call,” yet there is simply not sufficient demand for a safer and more secure cyberspace. The impact of malicious activity online is greater than zero, but not catastrophic, which makes pursuing grandiose solutions a waste of cycles that could be put to better use achieving incremental gains (see ‘boil the ocean’).

Once we started selling pet food and porn online, it stopped being the “information superhighway” and became a demolition derby track. The sooner we recognize it for what it is the sooner we can start to come up with ideas and courses of action more likely to be effective.

/* Originally posted at Modern Warfare blog at CSO Online */

No One is Too Small to Attack

If you’ve been a security practitioner for any length of time, you have probably hear this from a client at least once:

We’re too small/unimportant to be a target of hackers.

If you’ve been doing this for any length of time you also know this is the point in the conversation where you smile politely, get up, and excuse yourself while they go back to their business and you go on to your next meeting. Anyone who has it in their head that they don’t have a red laser dot on their forehead is not going to be convinced by your war stories or ream of counter-examples.

They will learn the hard way.

The thing you want to tell these folks is that anyone online is a target because everyone online has something of value. The reason most folks who think they’re not targets think the way they do is because they don’t deal in valuable information. Data breaches at banks, government agencies, or credit bureaus make headlines because your name, along with your birth date, social security number, bank account, and so on are monetizable.

If you move or make commodity widgets, your efficiency and up-time are what you consider valuable. The design of the widget is not special; they’re one of a hundred factories worldwide that make widgets. What these folks don’t realize is that just having a computer online is a valuable resource to someone. That’s one more processor that a bad guy didn’t have before. It’s one more hard drive they can store illicit material on. One more system they can hop through or use to target another victim. You may not be a target, but you could be an accessory.

It’s also important to note that while you may not be the intended victim of someone else’s attack, that you were involved means down-time, and the expense of cleaning systems, and most all the other issues that the actual victim has to deal with. Yes, on a smaller scale, but it’s not zero, which is the sum you came up with when you decided you weren’t a target.

The widget makers of the world are right to look with a jaundiced eye at calls to spend a lot on security, or to procure a lot of fancy boxes and software. When solutions are designed by people who cut their teeth on fighting nation-state adversaries and “advanced” threats, there isn’t a lot of options for people who need the basics.

Success in cybersecurity at every level means paying attention to business needs, and acceptable risks, not just external threats. The best advice is holistic in nature, not a pitch that plays to your professional strengths. That you know how to wield a hammer is not an excuse for only paying attention to exposed nails.

Most of the time, the best security recommendations are the cheap and unglamorous ones. No, it’s not pretty or fun, but it’s what you owe your clients if you’re really about security.

C.R.E.A.M. IoT Edition

I didn’t get to see the discussion between Justine Bone and Chris Wysopal about the former’s approach to monetizing vulnerabilities. If you’re not familiar with the approach, or the “Muddy Waters” episode, take a minute to brush up, I’ll wait….

OK, so if you’re in one computer security sub-community the first words out of your mouth are probably something along the lines of: “what a bunch of money-grubbing parasites.” If you knew anyone associated with this event you’ve probably stop talking to them. You’d certainly start talking shit about them. This is supposed to be about security, not profiteering.

If you’re in a different sub-community you’re probably thinking something along the lines of, “what a bunch of money-grubbing parasites,” only for different reasons. You’re not naive enough to think that a giant company will drop everything to fix the buffer overflow you discovered last week. Even if they did, because it’s a couple of lines in a couple of million lines of code, a fix isn’t necessarily imminent. Publicity linked to responsible disclosure is a more passive way of telling the world: “We are open for business” because it’s about security, but it’s also about paying the mortgage.

If you’re in yet another sub-community you’re probably wondering why you didn’t think of it yourself, and are fingering your Rolodex to find a firm to team up with. Not because mortgages or yachts don’t pay for themselves, but because you realize that the only way to get some companies to give a shit is to hit them where it hurts: in the wallet.

The idea that vulnerability disclosure, in any of its flavors, is having a sufficiently powerful impact on computer security is not zero, but its not registering on a scale that matters. Bug bounty programs are all the rage, and they have great utility, but it will take time before the global pwns/minute ratio changes in any meaningful fashion.

Arguing about the utility of your preferred disclosure policy misses the most significant point about vulnerabilities: the people who created them don’t care unless it costs them money. For publicly traded companies, pwnage does impact the stock price: for maybe a fiscal quarter. Just about every company that’s suffered an epic breach sees their stock price at or higher than it was pre-breach just a year later. Shorting a company’s stock before dropping the mic on one vulnerability is a novelty: it’s a material event if you can do it fiscal quarter after fiscal quarter.

We can go round and round about what’s going to drive improvements in computer security writ large, but when you boil it down it’s really only about one of and/or two things: money and bodies. This particular approach to monetizing vulnerabilities tackles both.

We will begin to see significant improvements in computer security when a sufficient number of people die in a sufficiently short period of time due to computer security issues. At a minimum we’ll see legislative action, which will be designed to drive improvements. Do you know how many people had to die before seatbelts in cars became mandatory? You don’t want to know.

When the cost of making insecure devices exceeds the profits they generate, we’ll see improvements. At a minimum we’ll see bug bounty programs, which is one piece of the puzzle of making actually, or at least reasonably secure devices. Do you know how hard it is to write secure code? You don’t want to know.

If you’re someone with a vulnerable medical device implanted in them you’re probably thinking something along the lines of, “who the **** do you think you are, telling people how to kill me?” Yeah, there is that. But as has been pointed out in numerous interviews, who is more wrong: the person who points out the vulnerability (without PoC) or the company that knowingly let’s people walk around with potentially fatally flawed devices in their bodies? Maybe two wrongs don’t make a right, but as is so often the case in security, you have to choose between the least terrible option.

The Wolf is Here

For decades we’ve heard that iCalamity is right around the corner. For decades we’ve largely ignored pleas to try and address computer security issues when they are relatively cheap and easy, before they got too large and complicated to do at all. We have been living a fairy tale life, and absent bold action and an emphasis on resiliency, it only gets grim(m)er going forward.

Reasonably affordable personal computers became a thing when I was in high school. I fiddled around a bit, but I didn’t know that computer security was a thing until I was on active duty and the Morris Worm was all over the news. Between the last time Snap! charted and today, we have covered a lot of ground from a general purpose IT perspective. We’ve gone from HTML and CGI to the cloud. From a security perspective however, we’ll still largely relying on firewalls, anti-virus, and SSL.

Why the disparate pace of progress? People demand that their technology be functional, not secure. Like so many areas of our lives, we worry about the here and now, not the what-might-be. We only worry about risks until a sufficiently horrific scenario occurs, or if one is not enough, until enough of them occur in a sufficiently short period of time.

Of course today we don’t just have to worry about securing PCs. By now it is fairly common knowledge that your car is full of computers, as is increasingly your house. Some people wear computers, and some of us are walking around with computers inside of us. Critical infrastructure is lousy with computers, and this week we learned that those shepherd boys crying ‘wolf’ all those years weren’t playing us for fools, they were just too early.

The fragility of our standard of living is no longer the musings of Cassandras. The proof of concept was thankfully demonstrated far, far away, but the reality is we’re not really any safer just because ‘merica. Keeping the lights on, hearts beating, and the water flowing is a far more complex endeavor than you find in the commodity IT world. It is entirely possible that in some situations there is no ‘fix’ to certain problems, which means given various inter-dependencies we will always find ourselves with a Damoclean sword over our heads.

Mixed mythologies notwithstanding, the key to success writ large is insight and resiliency. The more aware you are of what you have, how it works, and how to get along without it will be critical to surviving both accidents and attacks. I would like to think that the market will demand both functional and secure technology, and that manufacturers will respond accordingly, but 50 years of playing kick the can tells me that’s not likely. The analog to security in industrial environments is safety, and that’s one area power plants, hospitals, and the like have down far better than their peers in the general purpose computing world. We might not be able to secure the future, but with luck we should be able to survive it.

Save Yourself – Delete Your Data

You probably don’t remember but in the spring of 2015 I wrote:

What if ransomware is only the beginning? What about exposé-ware?  I’ve copied your files. Pay me a minimal amount of money in a given time-frame or I’ll publish your data online for everyone to see. Live in a community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door.

This week we learn:

Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.

My response now is the same as it was a before:

In an era when remedying computer security failures is cheaper than calling in computer security experts, we need to collectively get on board with some new ways of doing things.

For starters, we need to work at scale. Botnet takedowns are one example. I’m proud to have been associated with a few, and I’m not going to pretend every effort like this goes off without a hitch, but we need to do more at or near the same scale as the bad guys, and often. That’s really the only way we have any hope of raising attacker costs: when they’re fighting people in the same weight class with similar skills on a regular basis.

We also need to accept that the future has to be more about restoration than conviction. Most corporate victims of computer crime don’t want to prosecute, they just want to get back to work. Tactics, techniques, procedures and tools need to reflect that reality. If you’re law enforcement you don’t have a lot of leeway in that regard, but everyone else: are you really doing right by your customers if you are adhering to a law enforcement-centric approach simply because that’s how you were taught?

Finally, we need to retire more problems. You’ve heard the phrase: “if you’re so smart how come you’re not rich?” My variation is: “if you’re such an expert how come you haven’t solved anything?” Now, not every computer security problem can be solved, but there are problems that can be minimized if not trivialized. That would require regularly growing and then slaughtering cash cows. Business majors who run massive security companies don’t like that idea, but it is not like we’re going to run out of problems. So as long as there are new opportunities to slay digital dragons, you have to ask yourself: am I in this to get rich, or am I in this to make the ‘Net a safer place? Kudos if you can honestly do both.

…and I would add one more thing: If you don’t need data, get rid of it. I remember when storage was expensive and you had to be judicious about what you saved, but if you buy enough memory these days its practically free, which has led people to think that there are no consequences for control-s’ing their way to retention nirvana. The supposed value of “big data” doesn’t help. When you get down to it though, you can’t be held ransom – or extorted – over something you don’t have.

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes.In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war. 

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

How Do You Get Good at Incident Response?

The Verizon Data Breach Report has been saying it for years. The Forrester/Veracode report Planning for Failurereiterates the same points. It is only a matter of time before your company is breached. Odds are you won’t know about the breach for months, someone other than your security team is going to tell you about it, and the response to the breach is going to be expensive, disruptive, time-consuming and…less than optimal.

If you’ve been breached before, or if you’re an enterprise of any size, it’s not like you don’t have an incident reponse plan, but as Mike Tyson famously said: “Everyone has a plan till they get hit in the mouth.” When is the last time you tested that plan? Is your plan 500 pages in a 3” three-ring dust-covered binder sitting on a shelf in the SOC? That’s not a plan, that’s praying.

Your ability to respond to breaches needs to be put into practice by sparring against partners who are peers or near-peers to the kinds of threat actors you face on a daily basis. How do you do that? By testing with realism:

Over long(er)-terms. Someone who wants what you have is not going to stop after a few days or even a few weeks.Adversaries whose efforts will accelerate by years because of stolen intellectual property don’t mind waiting months; adversaries who strategize over centuries don’t mind waiting years.

Goal-oriented. Serious threat actors attack you for a reason: they are going to get paid for your data. Efforts that don’t help them accomplish their goals are time and resources wasted. The vulnerability-of-the-month may do nothing to advance their agenda; they’re going to find a way in that no one on your staff even knows exists.

In the context of your environment. The best security training in the world is still contrived. Even the most sophisticated training lab is nothing like the systems your security team have to work with every day.

Contrast the above to your average pen-test, which is short, “noisy,” and limited in scope. Pen-tests need to be done, but recognize that for the most part pen-testing has become commoditized and increasingly vendors are competing on speed and price. Is that how you’re going to identify and assess potential risks? Lowest bidder?

If we’re breached I’ll call in outside experts.

As well you should, but what are you going to do while you wait for them to show up?

Even if you have a dedicated security team in your company, odds are that team is trained to “man the battlements” so-to-speak. They’re looking for known indicators of activity along known vectors; they’re not trained to fight off an enemy who has come in through a hole of their own making. It doesn’t make sense to keep a staff of IR specialists on the team; that’s an expensive prospect for even the most security-conscious organization.But it does make sense to train your people in basic techniques, just enough to prevent wholesale pillaging. More importantly, they need to practice those techniques so that they can do them on a moment’s notice, under fire.

Your enterprise is not a castle. There is no wall that you can build that will be high enough or thick enough to repel all attackers. If your definition of defensive success is “keep bad guys out” you are setting yourself and our people up for failure. The true measure of defensive success is the speed at which you detect, eject and mitigate the actions of your attackers. If you don’t have a corresponding plan to do that yourself – or to hold out long enough for the cavalry to come – and that plan is not regularly and realistically tested, you’re planning for victim-hood.

“Cyber MAD” is a Bad Idea. Really Bad.

I don’t know how many times I have to say this, but nothing screams “legacy future” like trying to shoe-horn cold-war thinking into “cyber.” This latest attempt doesn’t disappoint (or maybe it does, depending on how you look at it) because it completely miss two key points:

  1. Cyberspace is not meat-space;
  2. Digital weapons are nothing like atomic ones.

Yes, like the nuclear arms race, it is in fact more expensive to defend yourself than it is to attack someone. Generally speaking. Its OK to paint with a broad brush on this point because so many entities online are so woefully inadequate when it comes to defense that we forget that there are actually some who are quite hard and expensive to attack. Any serious colored-hat who is being honest will tell you that they deal with more than their fair share of unknowns and ‘unknown unknowns’ when going after any given target.

But unlike malicious actions in cyberspace, there is no parsing nuclear war. You’re nuked, or you’re not. Cyber-espionage, cyber-crime, cyber-attack…all indistinguishable in all technically meaningful ways. Each has a different intent, which we are left to speculate about after-the-fact. In the other scenario, no one is around to speculate why a battalion of Reds turned their keys and pushed their buttons.

Attacker identity is indeed important whether you’re viewing a potential conflict through nuclear or digital lenses, but you know what excuse doesn’t work in the nuclear scenario? “It wasn’t me.”

Um, IR burn says it was…

There is no such equivalent in cyberspace. You can get close – real close – given sufficient data and time, but there will be no Colin Powell-at-the-UN-moment in response to a cyber threat because “it wasn’t me” is a perfectly acceptable excuse.

But we have data.

You can fabricate data

You know what you can’t fabricate? Fallout.

All of this, ALL OF THIS, is completely pointless because if some adversary had both the will and the wherewithal to attack and destroy our and just our critical infrastructure and national security/defense capabilities via cyber means…what are we meant to strike back with? Who are those who happen to be left unscathed supposed to determine who struck first? I was not a Missileer, but I’m fairly certain you can’t conduct granular digital attribution from the bottom of an ICBM silo.

What is the point of worrying about destruction anyway? Who wants that? The criminals? No, there is too much money to be made keeping systems up and careless people online. The spies? No, there is too much data to harvest and destruction might actually make collection hard. Crazy-bent-on-global-domination types? This is where I invoke the “Movie Plot Threat” clause. If the scenario you need to make your theory work in cyberspace is indistinguishable from a James Bond script, you can’t be taken seriously.

MAD for cyberspace is a bad idea because its completely academic and does nothing to advance the cause of safety or security online (the countdown to someone calling me “anti-intellectual” for pointing out this imperial nudity starts in 5, 4, 3….). MAD, cyber deterrence, all this old think is completely useless in any practical sense. You know why MAD and all those related ideas worked in the 60s? Because they dealt with the world and the problem in front of them as it was, not how they wished it to be.

I wholeheartedly agree that we need to do more and do more differently in order to make cyberspace a safer and more secure environment. I don’t know anyone who argues otherwise. I’m even willing to bet there is a period of history that would provide a meaningful analog to the problems we face today, but the Cold War isn’t it.