What’s the Alternative?

The Director of the National Security Agency argues that the NSA should be in charge of computer security in this country. Long the home of some of subject matter experts in computer technology and cryptography, this would seem to make a lot of sense.

But the NSA is an intelligence agency, and free people in a democratic society don’t like the idea of an intelligence agency – built to listen in on the conversations of “others” overseas – turning its extremely powerful data collection apparatus on them. The same or at least a similar argument is made whenever the topic of a domestic intelligence agency is brought up and the FBI argues that they should do the job: People don’t like the idea of those who can arrest you also having the authority to snoop on you. Dig hard and long enough into anyone’s life and you’re bound to find them committing a “crime,” and when you’re rewarded by the number of arrests you make and convictions you win, well, the recipe for abuse becomes obvious.

The hyperbole surrounding computer security that has been bantered about over the past few years aside, it’s clear that the more pervasive computers (in all their forms) become in our lives, the more of a problem insecure systems pose. But if access to, and the use of, such technology is increasingly viewed as a “right,” then some mechanism for defending that right is in order. If that defending entity isn’t the NSA, what is the alternative?

The Department of Homeland Security is often touted as the place where domestic computer security (if that’s even a thing) should be addressed, but I know of no one who would entrust such a mission to an organization that is famous for its dysfunction, and there is enough of that in computer security already. Remember, this is the agency that changes out “cyber czars” more frequently than Liz Taylor changed husbands (am I dating myself?).

Before we completely discard the idea of NSA involvement it may be useful to point out that the NSA is actually two large organizations underneath the same umbrella: an intelligence collection and analysis organization, and an information security organization. The former is the part that listens in on people’s conversations; the latter is the part that is in charge of wrapping math around our own conversations. There is an obvious symbiosis there, but what if you spun the INFOSEC organization out of big-NSA and let if focus on cyber security for all of us? Removed from Ft. Meade, ideally out of the Washington DC area altogether, it could be the center of expertise both the government and private sector need and would trust because they’d be about “security” not “intelligence.”

There is also an argument to be made that there isn’t a compelling need to do anything new from a governmental perspective. Leaving industry to its own devices seems like a bad idea, but cases where poor computer security led to the outright downfall of a company are notable because they’re so rare. The fact of the matter is that companies that get hacked and lose intellectual property suffer no long-term financial penalty, and since that’s what Wall Street grades C-level executives on, where is the incentive to change? It’s worth noting that the loudest voices lamenting the cost of IP theft all have a vested interest in more security, not higher profits.

This begs the question: is “economic prosperity” truly a national security issue? If that were the case the Chinese would have started chopping off French heads once they learned d’Entrecolles had stolen the method for making ‘china;’ the British would have hunted down and shot Slater and his ilk. Protecting IP and R&D that supports defense is a stronger argument, but traditionally our government isn’t in the business of making sure private enterprises can turn a profit (let’s not get side-tracked talking about farm subsidies). This is not the case in other countries, but since when is the US, France? If we became France (in this regard) at some point while we weren’t looking, then it’s time to make that policy known so that we can all act accordingly.

At this point, if forced to do something, I’d say we shift our resources as noted above. I’d rather have a solution that wasn’t a big-government one, but I can’t come up with one at this point. Anyone have any other, original ideas that don’t involve more spooks in the wire?

No New Cyber Security Legislation is Better Than Any New Legislation

The head of the U.S. Cyber Command, the former head of the NSA, and various national security wonks recently told Congress that we must pass new cyber security legislation now or risk worse legislation later. The serious cyber security problems we are dealing with today, left unchecked, could lead to a catastrophic attack tomorrow. In the aftermath of such an attack there would be calls for immediate action, but no time to think clearly about the unintended consequences of a snap decision.

It is hard to reconcile the sound and the fury coming from Capitol Hill about the need for new cyber security legislation with the reality cyber security practitioners are facing on a daily basis. If cyber security is such a problem, why hasn’t funding for the Comprehensive National Cybersecurity Initiative been extended? How come we have such a spotty law enforcement response? If cyber security is so important to the homeland, how come DHS – the organization the Congress would have setting security standards for industry – can’t keep a cyber czar on the job?

We have laws on the books that address cyber crime now: the Computer Fraud and Abuse Act  and the Electronic Communications Privacy Act, both of 1986, come immediately to mind. They’re good laws in that they address the vast majority of behaviors that are associated with cyber crime, they’re just effectively un-enforceable. That does not stop just because we pass new law. The Cyber Security Enhancement Act is proof of that.

The idea that we would later come back to adjust bad legislation, as offered by former NSA Director Hayden, is an equally laughable proposition. There are a lot of things wrong with the PATRIOT Act – legislation passed in a panicked rush because something had to be done – but when we had the opportunity to amend or even repeal what is essentially a wartime law, we did nothing despite the crippling of the threat it was created to combat.

It’s only natural that Washington’s solution to every problem is new law, but new law doesn’t address the root cause of the problem; it simply allows more bureaucracy to grow up around it (imagine the TSA sticking a gloved hand in your laptop). The problems we’ve been facing are a product of both behavior and technology. You can’t legislate behavior, and technology will change three or four times in the span of a Congressman’s term, which means any proposed legislation is outdated before it ever comes to a vote.

The government has known about the security problems associated with the spread of information technology for decades, but despite countless recommendations and warnings we are no better off today than we were 20 years ago. It has taken years for the agencies that would protect us from digital evil to stop receiving “F” grades on their own cybersecurity report cards, but now industry is supposed to consider their advice “expert.”

Bills like the Cybersecurity Enhancement Act in the House want to fund the educations of those who study cyber security, but cyber security education is a band-aid for a kludge. It does not address what is essential for a more secure online environment: better programmers and engineers who are able to build functional but at the same time less vulnerable systems.

The Cybersecurity Act in the Senate emphasizes the need for “sharing,” but Information Sharing and Analysis Centers have been in existence for years. There are no statistics that show sharing has led to a more secure industry. Holding security contests to develop the security workforce is another tired idea. Security contests are always “capture the flag” affairs, which simply train tomorrow’s digital janitors to clean up yesterday’s engineering messes. There is no shortage of technical talent in this country, it’s simply that not everyone wants or is able to work for the government.

There are a number of things the government can do that would have a more meaningful impact on cyber security without new law.

Start by professionalizing and making cyber security a career field in which you can advance to the highest ranks in both law enforcement, defense and intelligence. When an agent, analyst or operator can have a career, not just a rotation, combating cyber crime we can help ensure people on the front lines have the most current skills and can begin to build up institutional knowledge (something sorely lacking in most cyber security organizations today).

Stop relying on shortcuts like certification to determine who gets to join in the fight. You cannot express dismay that our networks are indefensible if you’d rather have a poor performer with a credential instead of someone with who lacks a credential but has demonstrated expertise. The same goes for security requirements. Not everything dealing with government cyber security is classified. The idea that cyber security is some kind of gentleman’s game didn’t make sense 80 years ago and it makes even less sense now when the capability to become a cyber power is within any-one persons grasp.

Encourage more creative approaches to combating cyber crime and cyber criminals. The government cannot and should not do it all. Instead of trying to force the reluctant in industry to share, why not supply administrative and legal support they need to act in their own defense?

Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to the training, equiping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regards to staffing IT positions in general. Every discrete entity will claim some form of “special-ness” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively to any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances in both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first; one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense.  I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz?  What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers into a room and ask them to solve a problem did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?