We’re Not Breaking Up Anything

A leading Senate critic of online surveillance wants the government to stop widespread spying on phone calls, texts and emails, saying the “digital dragnet” doesn’t make the country safer, and only hurts the U.S. economy.

What data is there to support such notions? That jobs have been lost in any significant numbers? That revenues for any of the associated enterprises are down dramatically based solely on recent revelations? Are there any metrics behind such claims besides the volume and length of press releases from privacy organizations/activists and NSA-haters?

I’m guessing the answer is “no.”

Tech executives and industry experts warned those revelations would hurt Silicon Valley companies by making consumers and business customers fearful that U.S. companies can’t protect sensitive data from government prying.

As executives from TJMaxx, Target, Home Depot, JP Morgan, Heartland Payment Systems, etc., etc. will testify, U.S. companies can’t protect sensitive data from anyone. I smell herring.

Some analysts estimated last year that U.S. tech companies could lose tens of billions of dollars in sales, particularly after European firms began marketing themselves as being more secure than U.S. competitors – or less vulnerable to legal demands from the U.S. government.

So “estimations” …from last year… not actual data…from today.

What’s the backup plan?

“The simplest outcome is that we’re going to end up breaking the Internet,” Schmidt said. “Because what’s going to happen is, governments will do bad laws of one kind or another, and they are eventually going to say, ‘We want our own Internet in our country because we want it to work our way, right? And we don’t want these NSA and other people in it.'”

The first rule of SIGINT Club is: going overseas is a help, not a hindrance, to collection.

The second rule of SIGINT Club is: if one man can build it, another man can break it.

Years ago, when asked by think tanks and futurists how I thought things were going to play out I thought Balkanization was the future too. But once I realized that people really didn’t care about security or privacy, I jumped from anger straight to acceptance. We’re not re-engineering the Internet to make it more secure or private. We’re not splitting it up. Ever heard of the steam roller called Internet of Things? Something you should all be aware of: it’s riding on the Internet. No one is disrupting this gravy train for the sake of security. I’m a security guy. Saying this is upsetting to me, but there is no meaningful indication that we’ve learned anything or are prepared to do anything different.

Don’t Quit Your Day Job (Yet)

My business partners and I took the leap from “employees” to “founders” four years ago. It has been a challenge, most often in areas and on things you least expected to be worried about when you started, but we are rapidly approaching our fifth year in business and things could not be better. Well, they _could_ but we’re quibbling over some very first-world-problems here.

I was a soldier. Then I was a fed. In two decades working for ‘the man’ I’ve seen pretty much all there is to see as far as bureaucracies go. The government shutdown is really just the capstone of D.C. ***-hattery that your average fed – even in the vaunted halls of the intelligence community – deals with on a daily basis.

But standing at the vanguard of national security without getting paid, or just not being allowed to stand post at all, is a demoralizing affair. I don’t know if there is a ‘stages of layoff’ model but a lot of people I used to work with have reached “ship-jumping” stage, which I describe as a Howard Beale moment only for employment. A lot of these folks have come to me looking for advice and I’m afraid I don’t give them the answer they want to hear, to wit: don’t do it.

The responses are varied, from the curious to the angry, but those that bother to hear me out come away with an even greater appreciation for what it means to strike out on your own.

  1. You don’t know anybody. Most of my former colleagues only know other people like them. Well, laid off people don’t offer other laid off people jobs. Laid off people are lamenting how illiquid they actually are. If you’re going to hang up your own shingle you need to know people who know what you can do and are willing to pay for that. Now. You don’t have a long runway down which to coast while you develop new business: that mortgage isn’t going to pay for itself.
  2. You don’t know how to work. I don’t mean they don’t know what they’re doing; I mean they’re wholly unprepared for how “civilians” – for lack of a better term – do business. Even my former colleagues who are contractors run face-first into culture shock when dealing with purely commercial concerns.
  3. Most of your day is consumed with non-work. The early days of a business are 99% preparing to do business and 1% actual “work” you want to do. Can’t afford a secretary? Well guess who is going to answer all the phone calls. Don’t have a pricing department? Guess who is learning on-the-job. Haven’t been paid in three months? Guess who gets to play Accounts Receivable technician.
  4. You get paid when the company gets paid. When you’re working for yourself you’re not drawing a reliable paycheck. Net 30 is what the invoice says but not everyone is going to honor that. If you don’t know anybody (see 1 above) then you surely don’t know anybody who is willing to pay you up front.
  5. Nobody cares what you are famous for. You’re a big-wig behind the barbed wire and locked doors? That’s nice: what can you do for me now? Everyone in the Community knows you as the go-to person on issue X? That’s cute: What have you done that you can talk about that I care about? Today, right now, hundreds of thousands of people can claim a security clearance and X years of experience…you stand out how, exactly?

This is not me telling people to suck it up and keep toiling away for Uncle Sam; this is me telling people that if they are really set on not being put into this situation again, then they need to use this time to prepare for when the time is right. If you’re going to empty your 401(k) at least do it when you’ve maximized your chances of success.

  1. Get to know people. Don’t violate sound OPSEC practices, but don’t not-interact with people just because you’re spooky and they are not. Conferences are not about keynotes, they’re about the connections you make in between talks and at lunch and at the bar. Those vendors who call you incessantly about stuff you’re not going to buy? Let them buy you a <$25 cup of coffee, explain why you’re not buying, and let them see you as a person, not a number. Being a decent person who does not waste their time isn’t going to go unnoticed later on.
  2. Make sure people know what you can do. Again, this isn’t terribly easy for people who keep secrets for a living, but it’s do-able. Write an article, contribute to a journal, if you have the time do a little something on the side. The hoops you jump through for publication approval and outside employment now will pay off later.
  3. Start paying yourself now. Odds are no one will pay you up front, so sock away enough money to keep you and yours afloat during the initial dry spell; cut expenses you can live without (and won’t be enjoying anyway since you’ll be working your *** off) to build more financial runway. As long as you are in start-up mode, cash is king, so prepare yourself accordingly.
  4. Lay the groundwork now. Set up your LLC or Corporation. Set up your company bank account. Get a lawyer. Draw up contracts, NDAs, teaming agreements, etc. Get a virtual PBX or Google Voice number, record your greetings and set up your forwarding rules. Get a company computer and load all the tools onto it that you’ll need to do business. Join all the frequent flyer and hotel clubs you can. Start your first day of independence ready to go, not on logistics.
  5. Kiss everyone goodbye. Days are only 24 hours long, but somehow you’ll be logging 36 hours of work. Accept that ‘work life balance’ is a dream you’re not going to experience for a while. The pain you experience now builds the foundation for a sequester-proof, shut-down-resistant enterprise you captain, not some politician who gets paid regardless of how much others suffer.

What’s the Alternative?

The Director of the National Security Agency argues that the NSA should be in charge of computer security in this country. Long the home of some subject matter experts in computer technology and cryptography, this would seem to make a lot of sense.

But the NSA is an intelligence agency, and free people in a democratic society don’t like the idea of an intelligence agency – built to listen in on the conversations of “others” overseas – turning its extremely powerful data collection apparatus on them. The same or at least a similar argument is made whenever the topic of a domestic intelligence agency is brought up and the FBI argues that they should do the job: People don’t like the idea of those who can arrest you also having the authority to snoop on you. Dig hard and long enough into anyone’s life and you’re bound to find them committing a “crime,” and when you’re rewarded by the number of arrests you make and convictions you win, well, the recipe for abuse becomes obvious.

The hyperbole surrounding computer security that has been bandied about over the past few years aside, it’s clear that the more pervasive computers (in all their forms) become in our lives, the more of a problem insecure systems pose. But if access to, and the use of, such technology is increasingly viewed as a “right,” then some mechanism for defending that right is in order. If that defending entity isn’t the NSA, what is the alternative?

The Department of Homeland Security is often touted as the place where domestic computer security (if that’s even a thing) should be addressed, but I know of no one who would entrust such a mission to an organization that is famous for its dysfunction, and there is enough of that in computer security already. Remember, this is the agency that changes out “cyber czars” more frequently than Liz Taylor changed husbands (am I dating myself?).

Before we completely discard the idea of NSA involvement it may be useful to point out that the NSA is actually two large organizations underneath the same umbrella: an intelligence collection and analysis organization, and an information security organization. The former is the part that listens in on people’s conversations; the latter is the part that is in charge of wrapping math around our own conversations. There is an obvious symbiosis there, but what if you spun the INFOSEC organization out of big-NSA and let it focus on cyber security for all of us? Removed from Ft. Meade, ideally out of the Washington DC area altogether, it could be the center of expertise both the government and private sector need and would trust because they’d be about “security” not “intelligence.”

There is also an argument to be made that there isn’t a compelling need to do anything new from a governmental perspective. Leaving industry to its own devices seems like a bad idea, but cases where poor computer security led to the outright downfall of a company are notable because they’re so rare. The fact of the matter is that companies that get hacked and lose intellectual property suffer no long-term financial penalty, and since that’s what Wall Street grades C-level executives on, where is the incentive to change? It’s worth noting that the loudest voices lamenting the cost of IP theft all have a vested interest in more security, not higher profits.

This begs the question: is “economic prosperity” truly a national security issue? If that were the case the Chinese would have started chopping off French heads once they learned d’Entrecolles had stolen the method for making ‘china;’ the British would have hunted down and shot Slater and his ilk. Protecting IP and R&D that supports defense is a stronger argument, but traditionally our government isn’t in the business of making sure private enterprises can turn a profit (let’s not get side-tracked talking about farm subsidies). This is not the case in other countries, but since when is the US, France? If we became France (in this regard) at some point while we weren’t looking, then it’s time to make that policy known so that we can all act accordingly.

At this point, if forced to do something, I’d say we shift our resources as noted above. I’d rather have a solution that wasn’t a big-government one, but I can’t come up with one at this point. Anyone have any other, original ideas that don’t involve more spooks in the wire?