The Lessons of PFC Manning

Make no mistake: PFC Manning made some very bad decisions and he should pay a very heavy price. Taking a step back, however, one can see that in his betrayal he has done something of a public service for both the security and operational communities in the military, government, and commercial worlds.

Lesson number one is that your current computer security regime is probably a waste of time and effort. Even in what should have been an extremely secure environment, computer security was something approaching a joke. If Manning’s M.O. is confirmed, there was a complete security breakdown. Military necessity has always trumped certain non-combat-related protocols during wartime, but being able to run roughshod through Top Secret networks and rip classified material to cracked music CDs beggars belief. No amount of briefings, posters, forms and extra duties will remedy this problem.

Next: you can’t ensure the confidentiality or integrity of anything on SIPRnet or JWICS (private sector entities who find themselves with a similar insider threat issue, insert your own network here). There are intelligence community agencies that don’t like to use SIPRnet, the military’s secret-level network, because they think it isn’t nearly as secure as it should be. PFC Manning has demonstrated that neither is the military’s top secret-level network. The intelligence posted to JWICS by any DOD-intelligence activity (which is most of the intelligence community) has been at risk for who knows how long. If one misguided, low-level troop can do what he is alleged to have done, I don’t even want to think about what a determined adversary – or an agent-in-place – could have been doing all this time.

Finally, more certifications and billions of dollars’ worth of grand strategies will not improve security. Ten CNCIs would not have stopped this; only a fundamental change in culture – both operational and security – would have worked. To the best of my knowledge, money doesn’t fund the widespread dissemination of good security ideas; it just buys more of the same boxes, software and bodies to reinforce the same dysfunctional security models.

If we are truly serious about improving computer security, if we don’t want $17 billion in CNCI money to go completely to waste, if we are finally tired of shooting our own feet while trekking towards security nirvana, we need to pay attention to reality and design our security solutions accordingly.

If your approach to security impedes a unit’s (company, agency, etc.) ability to operate effectively, you’re doing it wrong. Security that presumes a condition or series of conditions that do not exist in the real world – much less in combat environments – will fail. The people who need to get things done will intentionally cause it to fail . . . in order to get things done. This is not an original thought, but it is one that needs to be revisited in military, government, and business circles. Good security is not perfect; it is good enough for what you need to do, for the environment you are operating in, and for the duration of your decision-making cycle.

Presume your adversaries now know everything you know, and react accordingly. Things are still speculative at this point, but when the damage assessment is done I’m fairly sure most sane people involved will walk away thinking there is no way to verify the confidentiality or integrity of any piece of information on SIPRnet or JWICS. I think that makes this a perfect time to implement some form of living intelligence. Maintaining the static production model gives our adversaries the advantage, because what was a mystery is now history and their Pentagon-ology skills have just gotten a huge boost. An environment of living intelligence also makes spy/leak hunting a lot easier by allowing a more granular view of who accessed what, when.

Clinging to outmoded security models and approaches is only going to end up endangering soldiers and national security because no one will adhere to them when they are needed most. Stop focusing on moats and walls because the enemy is already inside the wire (literally and figuratively). Most arguments against change – radical or incremental – don’t carry a lot of weight because they presume that what was done to date made us secure. What was done to date made us more insecure than ever; doing more of the same won’t bring improvement.

My greatest concern is that when he is in prison and the final chapter on the story of his actions is written, our “solution” will be more strongly-worded policy, more stringent procedures, more paperwork . . . all of which will promptly be ignored the next time the operational need demands it. We’ll carry on – business as usual – thinking that now we’re safe and secure in our own digital cloister, when in fact we’re simply doing more of the same things that got us in trouble in the first place. The tragedy here is not that we were undone by a shit-bird GI who didn’t have his head screwed on straight, it’s that we will ignore what he is teaching us.

Sam and His (not so) Crazy Ramblings

If you haven’t already done so, start here.

Go ahead, I’ll wait.

Sam and I don’t go way back, but he’s easily the most intellectual and yet accessible thinker on these sorts of issues, especially as they interact with other disciplines. While he can’t draw from decades of experience behind closed doors, you’d never know it based on his grasp of the issues.

Having said that, there are some things that only a grizzled old veteran of the intelligence wars – actual and bureaucratic – can shed light on, hence the following response…

1) NSA will be half the size it is today.

Why I think he’s wrong.

It takes a LOT to reduce the size of a federal agency, even more so an intelligence agency. I’ve been in the IC through fat times and lean, cold war, hot wars, peace dividend and war on terror, and I’ve never seen an agency shrink in any significant way. It might not grow as fast as expected, and it might shrink somewhat through natural attrition, but to say “half the size” is basically nonsense from a historical perspective.

Where I think he might be on to something.

The NSA is really two outfits in one: an intelligence agency and a security agency. They can complement each other, but they don’t have to be under the same roof. In fact, pulling the security agency out of NSA, making it a separate entity, and retooling it into an agency that supports security at both the national and individual level would go a long way toward winning back public trust and toward actually making it harder for malicious outsiders to hurt us.

2) NSA becomes a contractor free agency.

Why I think he’s wrong.

Go into any intelligence agency today and you find four categories of people: managers, a thin slice of very senior subject matter experts, a lot of very junior people trying to be experts, and, sandwiched in between, a layer of mid-careerists who, when they’re not jockeying for the senior SME slot once the geezer in it dies, are acting as project managers or COTRs for various efforts that are carried out by contractors. The IC can’t function without contractors because Congress won’t allow the IC to hire more employees. Congress won’t allow them to hire more employees, but at the same time it won’t stand for a reduction in the number of missions that need to be executed. The only solution to that problem is contractors.

The IC also cannot hire enough technical experts in enough subjects to keep pace with the demands of its missions. The whole point of contractors is to bring them on to address new or advanced issue X, and then have them leave (or reduce their presence) once things are in hand. What we have instead is perpetual one-base-year-plus-four-option-year contracts. Serving as a federal employee for 30 years, retiring, and then coming back as a contractor to work on the same mission for another decade or more isn’t unusual; it’s standard practice. Same number of missions, same pace of change in technology: contractors are here to stay.

Where I think he’s on to something.

Contracts need to be short(er)-term efforts focused on hard technical problems, with the goal of getting things to the point where more generalist feds can take over. The size of contracts needs to be reduced. Hundreds of millions of dollars doesn’t buy more success; it just buys more butts in seats.

3) Elements of NSA working toward national infrastructure security are split off.

No argument.

4) NSA and CyberCom split

The sooner the better.

5) NSA has to invest in privacy preserving security as penance

See #1 above.

6) Individuals may find themselves under congressional investigation

Why I think he’s wrong.

NSA abuses, real or imagined, intentional or unintentional, are a fringe issue. People in the crypto and privacy sub-culture care, some people in computer and information security care, people who have no idea how SIGINT works but are happy to have yet another reason to hate the gov’t care…but the vast majority of everyone else doesn’t. Outside of New York, Washington DC, and a few other major cities, I challenge you to walk out into the street and find someone who has heard of this issue in more than a passing sense. Then find someone so mad about it that they’re going to take political action. Taxes, social security, health care: that’s what the majority of people in this country care about. NSA Internet surveillance of the ’10s is not NSA (and CIA and FBI) surveillance of people in the ’70s.

Where I think he’s on to something.

If intelligence agencies are good at one thing, it’s burying bodies. Is anyone going to find themselves in front of Church Committee 2.0? No. Are the people who were leaning furthest forward in the foxhole on the efforts that were exposed going to find themselves asked to quietly find their way out the door? Absolutely. This is how it works: the seniors thank and then shepherd those who pushed the envelope to the side; those who take their place know exactly where the line is drawn and stay weeeellll behind it. They communicate that to the generations coming up, and that buys us a few decades of sailing on a more even keel…

…until the next catastrophic surprise…

Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to training, equipping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regard to staffing IT positions in general. Every discrete entity will claim some form of “special-ness,” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO (computer network operations) position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively at any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide (network defense on one side, exploitation and attack on the other) is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances on both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first: one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well, if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense. I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about the few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent, period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz’? What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers in a room and ask them to solve a problem, did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough, are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.