How Many Holes in a Gohor Stick?

I’ve never used Palantir. I’ve never used DCGS-A. When I started as an Analyst you (no-shit) used pencil and paper (and a thing called a guhor stick…but that’s a lewd joke for another day). The kerfuffle over Palantir vs. DCGS-A reminds me of the days when computers started making inroads in analysis shops, and I hope everyone involved can remember some of those lessons learned.

Now my working world in those early days wasn’t entirely computer-free, but back then computers were where you stored data and recorded activity and typed up reports, you didn’t “link” things together and you certainly didn’t draw, graph or do anything anyone coming up in the business today would recognize as computer-oriented.

If there was a quantum leap in the utility computers gave to analysis it was this application called Analyst Notebook. Analyst Notebook would take in the data you had already entered into some other system (assuming you could get it out of said system), and kick out diagrams and pictures that let you make quick sense of who was talking to whom, what happened when, and identify connections or anomalies you may have missed staring into a green screen at row after row, column after column of letters and numbers.

That’s the key here: Analyst Notebook, Palantir, etc. are Analyst’s tools, they are not analysis tools. Is that a distinction without a difference? I’m not aware of any software application that will think on your behalf. I’m not aware of anyone in the military or IC who would trust answers produced entirely by an algorithm and without human interpretation or enhancement. If you could computerize analysis you wouldn’t have a headcount problem in the IC. Analyst Notebook, Palantir, DCGS-A . . . they’re all tools, and if you’ve been working with hand tools all your life and suddenly someone hands you a Skil saw, of course you’re going to think the Skil saw was sent from heaven.

Now, is the government notorious for producing bloated, expensive, minimally functional software that everyone hates to use (when it works at all)? We don’t have time to go into all the examples, but the answer is ‘yes.’ If I offer you tool A OR tool B when you’ve been using tool C, which are you going to choose? Does that make your other choice crap? Of course not.

It sounds to me like if there is an 800 lb gorilla in the room it’s usability, and if there is one thing that commercial apps excel at it’s the user experience. Think about the Google interface, and then think about a data retrieval system fielded in the 70s, and you tell me what your average analyst would rather use…

If the ultimate requirement is capability, then the answer is simple: hold a shoot-out and may the best app win. Pretty-but-sub-capable isn’t going to cut it; functional-but-frustrating isn’t either. If DCGS-A is all that, they should be big enough to learn from what Palantir does well; if Palantir is really about saving lives and national defense, they ought to be big enough to implement what GIs need most. Competition raises everyone’s game, but this isn’t about .com vs .gov, it’s about lives.

No New Cyber Security Legislation is Better Than Any New Legislation

The head of the U.S. Cyber Command, the former head of the NSA, and various national security wonks recently told Congress that we must pass new cyber security legislation now or risk worse legislation later. The serious cyber security problems we are dealing with today, left unchecked, could lead to a catastrophic attack tomorrow. In the aftermath of such an attack there would be calls for immediate action, but no time to think clearly about the unintended consequences of a snap decision.

It is hard to reconcile the sound and the fury coming from Capitol Hill about the need for new cyber security legislation with the reality cyber security practitioners are facing on a daily basis. If cyber security is such a problem, why hasn’t funding for the Comprehensive National Cybersecurity Initiative been extended? How come we have such a spotty law enforcement response? If cyber security is so important to the homeland, how come DHS – the organization the Congress would have setting security standards for industry – can’t keep a cyber czar on the job?

We have laws on the books that address cyber crime now: the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, both of 1986, come immediately to mind. They’re good laws in that they address the vast majority of behaviors that are associated with cyber crime; they’re just effectively unenforceable. That does not stop just because we pass new law. The Cyber Security Enhancement Act is proof of that.

The idea that we would later come back to adjust bad legislation, as offered by former NSA Director Hayden, is an equally laughable proposition. There are a lot of things wrong with the PATRIOT Act – legislation passed in a panicked rush because something had to be done – but when we had the opportunity to amend or even repeal what is essentially a wartime law, we did nothing despite the crippling of the threat it was created to combat.

It’s only natural that Washington’s solution to every problem is new law, but new law doesn’t address the root cause of the problem; it simply allows more bureaucracy to grow up around it (imagine the TSA sticking a gloved hand in your laptop). The problems we’ve been facing are a product of both behavior and technology. You can’t legislate behavior, and technology will change three or four times in the span of a Congressman’s term, which means any proposed legislation is outdated before it ever comes to a vote.

The government has known about the security problems associated with the spread of information technology for decades, but despite countless recommendations and warnings we are no better off today than we were 20 years ago. It has taken years for the agencies that would protect us from digital evil to stop receiving “F” grades on their own cybersecurity report cards, but now industry is supposed to consider their advice “expert.”

Bills like the Cybersecurity Enhancement Act in the House want to fund the educations of those who study cyber security, but cyber security education is a band-aid for a kludge. It does not address what is essential for a more secure online environment: better programmers and engineers who are able to build functional but at the same time less vulnerable systems.

The Cybersecurity Act in the Senate emphasizes the need for “sharing,” but Information Sharing and Analysis Centers have been in existence for years. There are no statistics that show sharing has led to a more secure industry. Holding security contests to develop the security workforce is another tired idea. Security contests are always “capture the flag” affairs, which simply train tomorrow’s digital janitors to clean up yesterday’s engineering messes. There is no shortage of technical talent in this country, it’s simply that not everyone wants or is able to work for the government.

There are a number of things the government can do that would have a more meaningful impact on cyber security without new law.

Start by professionalizing cyber security and making it a career field in which you can advance to the highest ranks in law enforcement, defense and intelligence. When an agent, analyst or operator can have a career, not just a rotation, combating cyber crime, we can help ensure people on the front lines have the most current skills and can begin to build up institutional knowledge (something sorely lacking in most cyber security organizations today).

Stop relying on shortcuts like certification to determine who gets to join in the fight. You cannot express dismay that our networks are indefensible if you’d rather have a poor performer with a credential instead of someone who lacks a credential but has demonstrated expertise. The same goes for security requirements. Not everything dealing with government cyber security is classified. The idea that cyber security is some kind of gentleman’s game didn’t make sense 80 years ago and it makes even less sense now when the capability to become a cyber power is within anyone’s grasp.

Encourage more creative approaches to combating cyber crime and cyber criminals. The government cannot and should not do it all. Instead of trying to force the reluctant in industry to share, why not supply administrative and legal support they need to act in their own defense?

Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to training, equipping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regards to staffing IT positions in general. Every discrete entity will claim some form of “special-ness” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively at any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances on both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first; one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense. I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about the few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent, period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz’? What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers into a room and ask them to solve a problem, did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough, are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?

You Might be Cyber Retarded

/* With a hat tip to Jeff Foxworthy */

If you think the big bad military is a recent intrusion into cyberspace, which should only be used for things that are right and good, and is powered by the rose-scented flatulence of unicorns . . .

If you think Stuxnet is the first time a digital “pandora’s box” has been opened because digital technology is a multi-edged sword with a high potential for blowback . . .

If, despite the Cuckoo’s Egg, Ellery Systems, Nortel, Lockheed Martin, E.O. 13010, the PCCIP report, National Plan for Information Systems Protection, the National Strategy to Secure Cyberspace, the National Infrastructure Protection Plan and the CNCI, you’re still telling people to worry about a “digital Pearl Harbor” . . .

If you make fun of people who employ a Maginot Line-type defense of their IT enterprise and don’t know what the actual Maginot Line was designed to do . . .

If you think domestic and international politics-as-usual and the shoe-horning of nuclear arms race analogs into information-age problems is going to help “secure” cyberspace . . .

. . . you might be cyber retarded.

The (Dis)Illusion of Control

Conventional wisdom is telling us that “assumption of breach” is the new normal. Some otherwise well-respected names in computer security would have you believe that the appropriate response to such conditions is to increase the cost to the attackers. If you’re too expensive to breach – so the logic goes – the bad guys will go looking for someone else. Maybe someday, when everyone makes hacking too expensive, it will stop.

Maybe I will play power forward for the Celtics.

There are two major problems with “drive up attacker cost” logic. The first is that you have almost no control over how expensive it is to hack your organization. You have no meaningful, granular control over:

  • The hardware you use
  • The operating system you use
  • The applications you use
  • The protocols used by all of the above
  • …and the communications infrastructure all of the above uses to exchange bytes with customers, vendors, etc., etc., etc.

Any one of the aforementioned items, or more than one of them interacting with each other, is rife with vulnerabilities that will be exploited for fun and profit. For those who are in it for the profit, this is their job. They are good at it to the tune of billions of dollars a year worldwide.

The second problem is that “driving up attacker cost” is a misnomer. What advocates of this particular approach are really saying is: “spend more money” on the same things that failed to keep you secure in the first place.

2012 is not the year corporate (or governmental) enterprises wake up and start to take security seriously. Most corporate victims of cyber crime recently surveyed couldn’t be bothered to do simple things that would have prevented an attack (even more this year than last year), but suddenly they’re going to go from willful ignorance to becoming highly astute with regards to cyber threats now that we’re going to stop pretending there is anyone out there who isn’t or hasn’t been owned? More likely such thinking will have the opposite effect: why fight when I can punt?

Neither are enterprises going to change the way they do business, or otherwise introduce new complexities for the sake of improving security. There is a reason why so many businesses keep feeding and sheltering a cash cow, even when it’s becoming increasingly clear that milk production is dropping rapidly: security is an expense that does not directly translate into profitability.

There is only one thing you do control, and that is how quickly and effectively you respond to breaches of security. If you’re going to spend time and money on security, stop spending it on things that don’t work (well) and start focusing on things that could actually make a difference:

  • Improve your awareness of what happens on your hosts: that’s where the bad stuff happens.
  • Improve your ability to capture the minimum-meaningful network traffic: for every additional needle full-packet capture provides, it also supplies a thousand pieces of hay.
  • Reduce your attack surface by exposing as little of yourself to external research as possible: they can’t eat your fruit if you’ve trimmed all the low-hanging branches.

The goal here is not to make it expensive to get hacked, it’s to make it so cheap to respond that you don’t particularly care if you get hacked. That’s basically the position most businesses have today, so why not align your approach to security accordingly?
We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Number One: Those With Bullets

If anything illustrates why the executive level of any organization – civilian, military or governmental – holds things-cyber in such low regard (based on their actions/decisions), it’s captured in the report that the Anonymous group has decided (subject to confirmation as this is being drafted) that they will not, in fact, conduct an operation against the Los Zetas narco-cartel. A token study of the Zetas would have revealed that they’re not strangers to the use of technology, and of course, unlike digital adversaries, their response to attempts to deny or degrade their operations is gruesomely kinetic, not virtual.

Why is, despite the hype, “cyber war” an also-ran to old-fashioned shooting war? Why is bank robbery more successfully pursued and prosecuted than online heists? Why, despite terabytes of data and billions of dollars lost, are most companies still woefully under-protected from digital threats?

The bottom line is that you can’t dodge actual bullets, but there are myriad ways to defer or pass along the risks associated with operations online. For the fourth (or fifth?) time: until “cyber” can kill to scale this is the most talked-about and expensive also-ran security problem the world has ever seen.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right mind would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

The Importance of Being There

There is nothing new or special about the “cyber” aspect of the Arab Spring. The use of the Internet and tools that ride on and through it by pro- and anti-regime elements in China, Serbia, Mexico . . . we’ve been seeing this for at least 15 years and every time it surfaces it’s the same breathless coverage about how new and game-changing it all is.

I guess I have different definitions for those words.

“Cyber” might make it easier to organize or communicate if you’re the rebel force, but it’s not going to overthrow the government: that takes people putting themselves in physical danger. To steal a phrase I learned in the Army: If you’re not there, you don’t own it. The difference between “cyber” and pamphleteering? The medium. That’s it.

In the future, it would be great if we focused on what really mattered during events like this: the meat-space strategies and tactics and heroics that actually lead to change, not the fact that the rebels are using the online tool-of-the-month. Actually, it would be better if someone wrote an article about how such tactics alone rarely lead to real-world success, but something tells me that won’t sell a lot of newspapers.