Is your “cyber security expert” full of s***?

Hundreds if not thousands of cyber security practitioners converged on Las Vegas this past week. They came to see and be seen, to occasionally share some newfound insight, but largely for the same reason everyone goes to Vegas . . . do I really need to elaborate?

The media love these conferences because it’s easy to get quotes from “experts” since, well, no one admits to not knowing everything once they realize a reporter is within earshot. Therein we find a serious problem: how to tell the difference between a real expert and a pseudo one. Who truly has a broad base of knowledge about a wide range of related topics (exceedingly rare), or who is a mile deep in one area of emphasis (plentiful)? Who is the actual, technical guru (mildly Asperger-ish), and who is the security celebrity (glib, speaks in sound bites, blindingly white smile)?

He calls something “sophisticated” or “advanced” without justification

Just about every adjective applied to things-malicious online cannot be supported in any objective fashion. If the analysis applied to malicious software or attack methodology were applied to any other phenomenon we study with scientific methods or practices, it would be treated like astrology. There is no commonly accepted lexicon for what is advanced or difficult or sophisticated or complex. You could focus on a threat actor’s motivations and ascribe something more complicated than simple profit (say, Stuxnet, which has pretty clear political-military implications), but in the cyber security realm it has been a very long time since anyone has done something truly original (read: something for which we have no defense, however woefully inadequate, and which comes as a complete surprise to everyone), or since anything has been discovered that is not simply evolutionary. Absent a stated baseline, “sophisticated” tells you nothing about the attack; it only tells you the speaker was impressed.

He demonizes country X.

There is nothing lazier than someone who points to an IP address and says “See! Proof!” China is a favorite target, as is Russia. I’m not saying a country like China isn’t interested in both U.S. military and corporate secrets (there is a reason why the Russian space shuttle looks a lot like our space shuttle, and why Chinese space launch vehicles look a lot like ours), or that they might not be behind various attempts to break into domestic computer systems (I like to shave with Occam-brand razors most of the time), but IP addresses do not equal a person or a country. An address can belong to a compromised machine or a rented server that someone anywhere in the world is using as a hop. To assume China (we could find-replace with any nation) is behind every activity that comes from a Chinese IP, you would have to accept that the Chinese government has a rock-solid death-grip on every byte that enters or exits systems within its territory or control. Were that so, it would in effect be demonstrating total mastery over all things-cyber: something we know is not possible. Yet in every report about national or industrial espionage carried out online, there is always a line akin to “all signs point to this being the work of country X,” without any critical analysis. There are 20 (G-20) “major economies” in the world, 31 “high income” OECD member nations, and 35 “advanced economies” per the IMF, all of which could benefit greatly from the intellectual output of American engineers and scientists, but since we only know how to fight with two of them (in meat-space), that’s who we point our fingers at.

He’s an amateur WWII historian or a product of the cold war.

He’ll use phrases like “Digital Pearl Harbor,” which would make sense if conflict or combat in cyberspace had not been underway for decades. He’ll talk about “Cyber deterrence,” which makes all the sense in the world if there were any meaningful analog between nuclear weapons (and their potential impact if used) and digital ones. He’ll lament the lack of “Digital Arms Control” . . . are you serious?! I respect the work of those who came before, but attempting to shoe-horn concepts you’re not familiar with into constructs you are isn’t helping the cause. Legacy futures make for great newspaper copy and think tank literature, but they don’t improve security NOW. Wanting to remain relevant at the expense of meaningful debate about real, current problems is the worst sort of vanity.

Now a couple of ways you can identify the good, from the bad and the ugly:

He’s the first to tell you he doesn’t know/he refuses to talk about subject X.

People in any field, not just security, can quickly become enamored with even the slightest whiff of potential fame (we are, all of us, human). The cyber security world in particular is filled with “security celebrities” who are not entirely without knowledge, skill or ability, but whose Q-score is disproportionate to their technical acumen. When we used to launch people into space, TV stations would host former astronauts, not glider pilots, to talk about what it is like to be shot through the atmosphere, yet no one sees anything wrong with getting an opinion about the malware-of-the-day from a guy who made his name in not-malware.

He’s lost a few (and doesn’t mind telling you)

Anyone with a perfect track record in cyber security is either a) lying or b) not trying hard enough. Solving problems – or at least marginalizing them – in this space is exceedingly difficult and failure is rampant. Someone with the demonstrated capacity to do great things should also have a sufficient level of humility to be able to say: “What I did was hard and I learned a lot about what doesn’t work while I was doing it.” We have incandescent light bulbs only because Edison (improving the work of someone else) didn’t mind failing over and over and over and over and over . . .

He tells you what you don’t want to hear/something unprintable.

Remember earlier when I said that absent some definitions, rigor, and context, no one could say that a given piece of malware was all that and a bag of chips? Yeah, no one wants to hear a talk about that (certainly not at any conference being held in Vegas). The government doesn’t have a cyber security talent shortage, it has a personnel security standards problem (by definition, people who are good at CNO, computer network operations, have done things that would preclude being awarded a security clearance): no one wants to talk about that either. Experts focus on root causes and look beyond the facile; frauds, charlatans, bureaucrats and media whores repeat talking points and “everybody knows” fallacies.
