We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

IO: meet the new boss, same as . . .

From Inside the Pentagon (subscription):

As the Air Force prepares to open a new Cyber Command in May, a top service general overseeing the effort is calling on policymakers to consider how far the United States should go to safeguard its electronic communications and data storage.

“This is an area where technology has outstripped our ability to make policy,” Air Force Gen. Ronald Keys told reporters at a Feb. 9 press conference. “We need to have a debate, I think, and figure out how are we going to defend ourselves.”

No shortage of ex-pilots who get dumped into IO and don’t feel the compulsion to review the work carried out by their predecessors. Next step: finding a wheel to reinvent:

Though a hacker’s penetration into computers in the United States is akin to an armed foreign aircraft crossing the border, “there’s nothing like [air defense] on the Internet,” he said. “You can toodle on in and you can do anything you want and there’s nobody asking you, “Who are you? What are you doing?” [or] following you. You can’t be forced down.”

Asked if the Cyber Command, which is to report to Keys’s Air Combat Command, will be authorized to shut down intruders that threaten U.S. government or business interests, the general replied, “Can’t do it. It’s illegal. We live in a democracy.”

Our form of government has little to do with it, which gives you some insight into how in tune with the mission this Command is. You can’t shoot back because you are inevitably going to be shooting at innocents. The General goes on to note (with no sense of irony) that we can’t shut down cyber attacks, but that our offensive capability should serve as a deterrent to potential ‘bogies.’ When your strategy says you reserve the right to nuke those who hack you, better make sure your targeting cell knows what it is doing.

Enemy bytes and enemy planes are not the same thing. For starters we wouldn’t stand for the latter to violate our airspace, but we allow the former to happen all the time. It’s been going on for decades and the DOD has never taken the mission seriously enough to throw up a wall of ack-ack.

JTF-CND/O/GNO was a great start but can they enforce compliance? SPACECOM got the ball rolling but then got careless; STRATCOM was a more appropriate home but calling senior airmen IO-ers who last week were SIGINTers was no strategy. Gen. Cartwright moved things forward (as you would expect a Marine to do) but where is the real expertise? Being reorged out of existence back in DC. To paraphrase: when everyone does IO, no one does IO.

I have been as guilty of this as anyone, but I still have a problem with trying to force facile physical world metaphors onto the digital world. Everyone is worried about the Digital Pearl Harbor, but we get surprised and deal with attacks like that every day; it’s the Digital Chicago Fires* that throw us for loops.

* Credit to A.M. for coming up with that one.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistently in D and F territory, and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.