The Lessons of PFC Manning

Make no mistake: PFC Manning made some very bad decisions and he should pay a very heavy price. Taking a step back, however, one can see that in his betrayal he has done something of a public service for both the security and operational communities in the military, government, and commercial worlds.

Lesson number one is that your current computer security regime is probably a waste of time and effort. Even in what should have been an extremely secure environment, computer security was something approaching a joke. If Manning’s M.O. is confirmed, there was a complete security breakdown. Military necessity has always trumped certain non-combat-related protocols during wartime, but being able to run roughshod through Top Secret networks and rip classified material to cracked music CDs beggars belief. No amount of briefings, posters, forms and extra duties will remedy this problem.

Next: you can’t ensure the confidentiality or integrity of anything on SIPRnet or JWICS (private sector entities who find themselves with a similar insider threat issue, insert your own network here). There are intelligence community agencies that don’t like to use SIPRnet, the military’s secret-level network, because they think it isn’t nearly as secure as it should be. PFC Manning has demonstrated that neither is the military’s top secret-level network. The intelligence posted to JWICS by any DOD-intelligence activity (which is most of the intelligence community) has been at risk for who knows how long. If one misguided, low-level troop can do what he is alleged to have done, I don’t even want to think about what a determined adversary – or an agent-in-place – could have been doing all this time.

Finally, more certifications and billions of dollars worth of grand strategies will not improve security. Ten CNCIs would not have stopped this, only a fundamental change in culture – both operational and security – would have worked. To the best of my knowledge, money doesn’t fund the widespread dissemination of good security ideas; it just buys more of the same boxes, software and bodies to reinforce the same dysfunctional security models.

If we are truly serious about improving computer security, if we don’t want $17 Billion in CNCI money to go completely to waste, if we are finally tired of shooting our own feet while trekking towards security nirvana, we need to pay attention to reality and design our security solutions accordingly.

If your approach to security impedes a unit’s (company, agency, etc.) ability to operate effectively, you’re doing it wrong. Security that presumes a condition or series of conditions that do not exist in the real world – much less combat environments – will fail. The people who need to get things done will intentionally cause it to fail . . . in order to get things done. This is not an original thought, but it is one that needs to be revisited in military, government, and business circles. Good security is not perfect; it is good enough for what you need to do, the environment you are operating in, and the duration of your decision-making cycle.

Presume your adversaries know everything you do at this point: react accordingly. Things are fairly speculative at this point, but when the damage assessment is done I’m fairly sure most sane people involved will probably walk away thinking there is no way to verify the confidentiality or integrity of any piece of information on SIPRnet or JWICS. I think that makes this a perfect time to implement some living intelligence solution. Maintaining the static production model gives our adversaries the advantage, because what was a mystery is now history and their Pentagon-ology skills have just gotten a huge boost. An environment of living intelligence also makes spy/leak hunting a lot easier by allowing a more granular view of who accessed what, when.

Clinging to outmoded security models and approaches is only going to end up endangering soldiers and national security because no one will adhere to them when they are needed most. Stop focusing on moats and walls because the enemy is already inside the wire (literally and figuratively). Most arguments against change – radical or incremental – don’t carry a lot of weight because they presume that what was done to date made us secure. What was done to date made us more insecure than ever; doing more of the same won’t bring improvement.

My greatest concern is that when he is in prison and the final chapter on the story of his actions is written, our “solution” will be more strongly-worded policy, more stringent procedures, more paperwork . . . all of which will promptly be ignored the next time the operational need demands it. We’ll carry on – business as usual – thinking that now we’re safe and secure in our own digital cloister, when in fact we’re simply doing more of the same things that got us in trouble in the first place. The tragedy here is not that we were undone by a shit-bird GI who didn’t have his head screwed on straight, it’s that we will ignore what he is teaching us.

We’re Not Breaking Up Anything

A leading Senate critic of online surveillance wants the government to stop widespread spying on phone calls, texts and emails, saying the “digital dragnet” doesn’t make the country safer, and only hurts the U.S. economy.

What data is there to support such notions? That jobs have been lost in any significant numbers? That revenues for any of the associated enterprises are down dramatically based solely on recent revelations? Are there any metrics behind such claims besides the volume and length of press releases from privacy organizations/activists and NSA-haters?

I’m guessing the answer is “no.”

Tech executives and industry experts warned those revelations would hurt Silicon Valley companies by making consumers and business customers fearful that U.S. companies can’t protect sensitive data from government prying.

As executives from TJMaxx, Target, Home Depot, JP Morgan, Heartland Payment Systems, etc., etc. will testify, U.S. companies can’t protect sensitive data from anyone. I smell herring.

Some analysts estimated last year that U.S. tech companies could lose tens of billions of dollars in sales, particularly after European firms began marketing themselves as being more secure than U.S. competitors – or less vulnerable to legal demands from the U.S. government.

So “estimations” …from last year… not actual data…from today.

What’s the backup plan?

“The simplest outcome is that we’re going to end up breaking the Internet,” Schmidt said. “Because what’s going to happen is, governments will do bad laws of one kind or another, and they are eventually going to say, ‘We want our own Internet in our country because we want it to work our way, right? And we don’t want these NSA and other people in it.'”

The first rule of SIGINT Club is: going overseas is a help, not a hindrance, to collection.

The second rule of SIGINT Club is: if one man can build it, another man can break it.

Years ago, when asked by think tanks and futurists how I thought things were going to play out I thought Balkanization was the future too. But once I realized that people really didn’t care about security or privacy, I jumped from anger straight to acceptance. We’re not re-engineering the Internet to make it more secure or private. We’re not splitting it up. Ever heard of the steam roller called Internet of Things? Something you should all be aware of: it’s riding on the Internet. No one is disrupting this gravy train for the sake of security. I’m a security guy. Saying this is upsetting to me, but there is no meaningful indication that we’ve learned anything or are prepared to do anything different.

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if we were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department in case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discreetly of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-day and the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistleblower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things haven’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually works. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflict harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).

Surveillance Protests: Get Serious or Go Home

In the US of A, if you don’t like the fact that your government may have collected data about your phone calls and emails you can do something about it without fear of being thrown in a Gulag. Unfortunately, the actions being proposed by those who take offense at this kind of thing aren’t the kind of “something” that is going to make a difference.

Just as a reminder: The Executive Branch (where the NSA sits) carries out national policy; the Legislative Branch funds the Executive Branch agencies that carry out national policy; the Judicial Branch makes sure the other two branches aren’t breaking the law.

None of the aforementioned organizations care about your petition, or your march, or your online protest.

If you want to bring about political change you need to get out the vote. If you want to get out the vote you need to spend money. A lot of it. As I’ve stated before: your average citizen cares more about just about anything than they do things-cyber. With apologies to Benjamin Franklin, the only thing that is sure to get people’s attention is sex and taxes…”cyber” is an also-ran politically.

Don’t like the NSA maybe capturing your meta-data? Gather up enough friends, pool your money, and hire a lobbyist. Just so you know: A couple dozen mega defense contractors that make billions of dollars a year supporting the NSA and its sister organizations are your competition.

I’m not saying it is right, I’m not saying it is fair, I’m just saying that’s the way it is. If you want to win the game you have to play; anything less is a waste of time.

Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is the complicating factor of the difficulty of getting engineered weapons to places that are not war zones, but like the improvised explosives used in Boston, digital weapons are easy to obtain or, if you’re clever enough, build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflects an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

What’s the Alternative?

The Director of the National Security Agency argues that the NSA should be in charge of computer security in this country. Long home to subject matter experts in computer technology and cryptography, this would seem to make a lot of sense.

But the NSA is an intelligence agency, and free people in a democratic society don’t like the idea of an intelligence agency – built to listen in on the conversations of “others” overseas – turning its extremely powerful data collection apparatus on them. The same or at least a similar argument is made whenever the topic of a domestic intelligence agency is brought up and the FBI argues that they should do the job: People don’t like the idea of those who can arrest you also having the authority to snoop on you. Dig hard and long enough into anyone’s life and you’re bound to find them committing a “crime,” and when you’re rewarded by the number of arrests you make and convictions you win, well, the recipe for abuse becomes obvious.

The hyperbole surrounding computer security that has been bandied about over the past few years aside, it’s clear that the more pervasive computers (in all their forms) become in our lives, the more of a problem insecure systems pose. But if access to, and the use of, such technology is increasingly viewed as a “right,” then some mechanism for defending that right is in order. If that defending entity isn’t the NSA, what is the alternative?

The Department of Homeland Security is often touted as the place where domestic computer security (if that’s even a thing) should be addressed, but I know of no one who would entrust such a mission to an organization that is famous for its dysfunction, and there is enough of that in computer security already. Remember, this is the agency that changes out “cyber czars” more frequently than Liz Taylor changed husbands (am I dating myself?).

Before we completely discard the idea of NSA involvement it may be useful to point out that the NSA is actually two large organizations underneath the same umbrella: an intelligence collection and analysis organization, and an information security organization. The former is the part that listens in on people’s conversations; the latter is the part that is in charge of wrapping math around our own conversations. There is an obvious symbiosis there, but what if you spun the INFOSEC organization out of big-NSA and let it focus on cyber security for all of us? Removed from Ft. Meade, ideally out of the Washington DC area altogether, it could be the center of expertise both the government and private sector need and would trust because it’d be about “security” not “intelligence.”

There is also an argument to be made that there isn’t a compelling need to do anything new from a governmental perspective. Leaving industry to its own devices seems like a bad idea, but cases where poor computer security led to the outright downfall of a company are notable because they’re so rare. The fact of the matter is that companies that get hacked and lose intellectual property suffer no long-term financial penalty, and since that’s what Wall Street grades C-level executives on, where is the incentive to change? It’s worth noting that the loudest voices lamenting the cost of IP theft all have a vested interest in more security, not higher profits.

This begs the question: is “economic prosperity” truly a national security issue? If that were the case the Chinese would have started chopping off French heads once they learned d’Entrecolles had stolen the method for making ‘china;’ the British would have hunted down and shot Slater and his ilk. Protecting IP and R&D that supports defense is a stronger argument, but traditionally our government isn’t in the business of making sure private enterprises can turn a profit (let’s not get side-tracked talking about farm subsidies). This is not the case in other countries, but since when is the US, France? If we became France (in this regard) at some point while we weren’t looking, then it’s time to make that policy known so that we can all act accordingly.

At this point, if forced to do something, I’d say we shift our resources as noted above. I’d rather have a solution that wasn’t a big-government one, but I can’t come up with one at this point. Anyone have any other, original ideas that don’t involve more spooks in the wire?


You Might be Cyber Retarded

/* With a hat tip to Jeff Foxworthy */

If you think the big bad military is a recent intrusion into cyberspace, which should only be used for things that are right and good, and is powered by the rose-scented flatulence of unicorns . . .

If you think Stuxnet is the first time a digital “pandora’s box” has been opened because digital technology is a multi-edged sword with a high potential for blowback . . .

If, despite the Cuckoo’s Egg, Ellery Systems, Nortel, Lockheed Martin, E.O. 13010, the PCCIP report, National Plan for Information Systems Protection, the National Strategy to Secure Cyberspace, the National Infrastructure Protection Plan and the CNCI, you’re still telling people to worry about a “digital Pearl Harbor” . . .

If you make fun of people who employ a Maginot Line-type defense of their IT enterprise and don’t know what the actual Maginot Line was designed to do . . .

If you think domestic and international politics-as-usual and the shoe-horning of nuclear arms race analogs into information-age problems is going to help “secure” cyberspace . . .

. . . you might be cyber retarded.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

IO: meet the new boss, same as . . .

From Inside the Pentagon (subscription):

As the Air Force prepares to open a new Cyber Command in May, a top service general overseeing the effort is calling on policymakers to consider how far the United States should go to safeguard its electronic communications and data storage.

“This is an area where technology has outstripped our ability to make policy,” Air Force Gen. Ronald Keys told reporters at a Feb. 9 press conference. “We need to have a debate, I think, and figure out how are we going to defend ourselves.”

No shortage of ex-pilots who get dumped into IO and don’t feel the compulsion to review the work carried out by their predecessors. Next step: finding a wheel to reinvent:

Though a hacker’s penetration into computers in the United States is akin to an armed foreign aircraft crossing the border, “there’s nothing like [air defense] on the Internet,” he said. “You can toodle on in and you can do anything you want and there’s nobody asking you, “Who are you? What are you doing?”[or] following you. You can’t be forced down.”

Asked if the Cyber Command, which is to report to Keys’s Air Combat Command, will be authorized to shut down intruders that threaten U.S. government or business interests, the general replied, “Can’t do it. It’s illegal. We live in a democracy.”

Our form of government has little to do with it, which gives you some insight into how in tune with the mission this Command is. You can’t shoot back because you are inevitably going to be shooting at innocents. The General goes on to note (with no sense of irony) that we can’t shut down cyber attacks, but that our offensive capability should serve as a deterrent to potential ‘bogies.’ When your strategy says you reserve the right to nuke those who hack you, you’d better make sure your targeting cell knows what it is doing.

Enemy bytes and enemy planes are not the same thing. For starters we wouldn’t stand for the latter to violate our airspace, but we allow the former to happen all the time. It’s been going on for decades and the DOD has never taken the mission seriously enough to throw up a wall of ack-ack.

JTF-CND/O/GNO was a great start but can they enforce compliance? SPACECOM got the ball rolling but then got careless; STRATCOM was a more appropriate home but calling senior airmen IO-ers who last week were SIGINTers was no strategy. Gen Cartwright moved things forward (as you would expect a Marine to do) but where is the real expertise? Being reorged out of existence back in DC. To paraphrase Syndrome: When everyone does IO, no one does IO.

I have been as guilty of this as anyone, but I still have a problem with trying to force facile physical world metaphors onto the digital world. Everyone is worried about the Digital Pearl Harbor, but we get surprised and deal with attacks like that everyday; it’s the Digital Chicago Fires* that throw us for loops.

* Credit to A.M. for coming up with that one.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistently in D and F territory and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.