The Lessons of PFC Manning

Make no mistake: PFC Manning made some very bad decisions and he should pay a very heavy price. Taking a step back, however, one can see that in his betrayal he has done something of a public service for both the security and operational communities in the military, government, and commercial worlds.

Lesson number one is that your current computer security regime is probably a waste of time and effort. Even in what should have been an extremely secure environment, computer security was something approaching a joke. If Manning’s M.O. is confirmed, there was a complete security breakdown. Military necessity has always trumped certain non-combat-related protocols during wartime, but being able to run roughshod through Top Secret networks and rip classified material to cracked music CDs beggars belief. No amount of briefings, posters, forms and extra-duties will remedy this problem.

Next: you can’t ensure the confidentiality or integrity of anything on SIPRnet or JWICS (private sector entities who find themselves with a similar insider threat issue, insert your own network here). There are intelligence community agencies that don’t like to use SIPRnet, the military’s secret-level network, because they think it isn’t nearly as secure as it should be. PFC Manning has demonstrated that neither is the military’s top secret-level network. The intelligence posted to JWICS by any DOD-intelligence activity (which is most of the intelligence community) has been at risk for who knows how long. If one misguided, low-level troop can do what he is alleged to have done, I don’t even want to think about what a determined adversary – or an agent-in-place – could have been doing all this time.

Finally, more certifications and billions of dollars worth of grand strategies will not improve security. Ten CNCIs would not have stopped this, only a fundamental change in culture – both operational and security – would have worked. To the best of my knowledge, money doesn’t fund the widespread dissemination of good security ideas; it just buys more of the same boxes, software and bodies to reinforce the same dysfunctional security models.

If we are truly serious about improving computer security, if we don’t want $17 Billion in CNCI money to go completely to waste, if we are finally tired of shooting our own feet while trekking towards security nirvana, we need to pay attention to reality and design our security solutions accordingly.

If your approach to security impedes a unit’s (company, agency, etc.) ability to operate effectively, you’re doing it wrong. Security that presumes a condition or series of conditions that do not exist in the real world – much less combat environments – will fail. The people who need to get things done will intentionally cause it to fail . . . in order to get things done. This is not an original thought, but it is one that needs to be revised in military, government, and business circles alike. Good security is not perfect; it is good enough for what you need to do, what environment you are operating in, and for the duration of your decision-making cycle.

Presume your adversaries know everything you do at this point: react accordingly. Things are fairly speculative at this point, but when the damage assessment is done I’m fairly sure most sane people involved will probably walk away thinking there is no way to verify the confidentiality or integrity of any piece of information on SIPRnet or JWICS. I think that makes this a perfect time to implement some living intelligence solution. Maintaining the static production model gives our adversaries the advantage, because what was a mystery is now history and their Pentagon-ology skills have just gotten a huge boost. An environment of living intelligence also makes spy/leak hunting a lot easier by allowing a more granular view of who accessed what, when.

Clinging to outmoded security models and approaches is only going to end up endangering soldiers and national security because no one will adhere to them when they are needed most. Stop focusing on moats and walls because the enemy is already inside the wire (literally and figuratively). Most arguments against change – radical or incremental – don’t carry a lot of weight because they presume that what was done to date made us secure. What was done to date made us more insecure than ever; doing more of the same won’t bring improvement.

My greatest concern is that when he is in prison and the final chapter on the story of his actions is written, our “solution” will be more strongly-worded policy, more stringent procedures, more paperwork . . . all of which will promptly be ignored the next time the operational need demands it. We’ll carry on – business as usual – thinking that now we’re safe and secure in our own digital cloister, when in fact we’re simply doing more of the same things that got us in trouble in the first place. The tragedy here is not that we were undone by a shit-bird GI who didn’t have his head screwed on straight, it’s that we will ignore what he is teaching us.

Sam and His (not so) Crazy Ramblings

If you haven’t already done so, start here.

Go ahead, I’ll wait.

Sam and I don’t go way back, but he’s easily the most intellectual and yet accessible thinker on these sorts of issues, especially as they interact with other disciplines. While he can’t draw from decades of experience behind closed doors, you’d never know it based on his grasp of the issues.

Having said that, there are some things that only a grizzled old veteran of the intelligence wars – actual and bureaucratic – can shed light on, hence the following response…

1) NSA will be half the size it is today.

Why I think he’s wrong.

It takes a LOT to reduce the size of a federal agency; even more so an intelligence agency. I’ve been in the IC through fat times and lean, cold war, hot wars, peace dividend and war on terror and I’ve never seen an agency shrink in any significant way. It might not grow as fast as expected, it might shrink somewhat through natural attrition, but to say “half the size” is basically nonsense from a historical perspective.

Where I think he might be on to something.

The NSA is really two outfits in one: an intelligence agency and a security agency. They can complement each other but they don’t have to be under the same roof. In fact, pulling the security agency out of NSA, making it a separate entity, and retooling it into an agency that supports security at both the national and individual level would go a long way in both winning back public trust, as well as actually making it harder for malicious outsiders to hurt us.

2) NSA becomes a contractor free agency.

Why I think he’s wrong.

Go into any intelligence agency today and you have four categories of people: managers, a thin slice of very senior subject matter experts, a lot of very junior people trying to be experts, and sandwiched in between is a layer of mid-careerists who, when they’re not trying to jockey for the senior SME slot once the geezer in it dies, are acting as project managers or COTRs for various efforts that are carried out by contractors. The IC can’t function without contractors because Congress won’t allow the IC to hire more employees. They won’t allow them to hire more employees, but at the same time they won’t stand for a reduction in the number of missions that need to be executed. The only solution to that problem is contractors.

The IC also cannot hire enough technical experts in enough subjects to keep pace with the demands of their missions. The whole point of contractors is to bring them on to address new or advanced issue X, and then leave (or reduce their presence) once things are in hand. What we have instead is perpetual one-base-year-plus-four-option-year contracts. Serving as a federal employee for 30 years, retiring, and then coming back as a contractor to work on the same mission for another decade or more isn’t unusual; it’s standard practice. Same number of missions, same changes in technology, means contractors are here to stay.

Where I think he’s on to something.

Contracts need to be short(er) term efforts that are focused on hard technical problems, with the goal of getting things to the point where more generalist feds can take over. The size of contracts needs to be reduced. Hundreds of millions of dollars doesn’t buy more success, it just buys more butts in seats.

3) Elements of NSA working toward national infrastructure security are split off.

No argument.

4) NSA and CyberCom split

The sooner the better.

5) NSA has to invest in privacy preserving security as penance

See #1 above.

6) Individuals may find themselves under congressional investigation

Why I think he’s wrong.

NSA abuses, real or imagined, intentional or unintentional, are a fringe issue. People in the crypto and privacy sub-culture care, some people in computer and information security care, people who have no idea how SIGINT works but are happy to have yet another reason to hate the gov’t care…but the vast majority of everyone else doesn’t. Outside of New York, Washington DC, and a few other major cities, I challenge you to walk out into the street and find someone who has heard of this issue in any more than a passing sense. Then find someone so mad about it they’re going to take political action. Taxes, social security, health care: that’s what the majority of people in this country care about. NSA Internet surveillance of the ’10s is not NSA (and CIA and FBI) surveillance of people in the ’70s.

Where I think he’s on to something.

If intelligence agencies are good at one thing, it’s burying bodies. Is anyone going to find themselves in front of Church Committee 2.0? No. Are the people who were leaning the furthest out of the foxhole on efforts that were exposed going to find themselves asked to quietly find their way out the door? Absolutely. This is how it works: the seniors thank and then shepherd those that pushed the envelope to the side; those who take their place know exactly where the line is drawn and stay weeeellll behind it. They communicate that to the generations that are coming up, and that buys us a few decades of sailing on a more even keel…

…until the next catastrophic surprise…

Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to training, equipping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regards to staffing IT positions in general. Every discrete entity will claim some form of “special-ness” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively at any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances on both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first; one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well, if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense. I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about the few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent, period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz’? What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers into a room and ask them to solve a problem, did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough, are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

“reputation system”

From the Enterprise Resilience Management Blog:

Anyone who believes he knows of information relating to these proposed patents will be able to post this online and solicit comments from others. But this will suddenly make available reams of information, which could be from suspect sources, and so the program includes a ‘reputation system’ for ranking the material and evaluating the expertise of those submitting it.

“reputation system” – how the wiki-fied, blogosphered IC can sort the wheat from the chaff and cast off the last vestiges of the old way of doing things.

Now, to find out the status of that reform book draft . . .

The Q Prize

Funny what you think of in what passes for a traffic jam in these parts . . .

Ruminating about John’s recent post about tinkering with technology and the mention of the X-Prize and DARPA Grand Challenges . . .

. . . remembering the post from the other day about how the explosion of available information has not only overcome the government’s ability to categorize, search and make sense of it, the force of the wave is pushing efforts backwards . . .

. . . we have the CIA’s DNI’s Galileo Awards but that’s for insiders (no small font of great but untapped ideas btw): where is the parallel opportunity for outsiders and “amateurs?” Where is the “Q Prize” for dealing with the IC’s information and technology problems? (1)

Many of the problems the IC faces WRT technology and information are identical to the ones facing large, bureaucratic, information-centric institutions outside of the secret world. The solutions that are turning around firms in industry – or propelling start-ups beyond their more established competition – can work on the inside. Large-scale contracting firms are full of competent and talented people, but projects like Virtual Case File, Trailblazer and others are more indicative of what happens when large private institutions try to help large public ones.

There will of course be reluctance to expose even a sliver of the inner workings to outsiders, but there are ways to anonymize and genericize details of problems and systems so that anyone can get involved without risk of exposing real secrets.

There will also be resistance from the traditional solution providers. The Q-Prize approach upsets the old RFP game and could put big firms at a disadvantage. Don’t underestimate the power of the bandits (what does SAIC spell backwards?).

More, better solutions have been put together by two dudes in a garage (or the big iron equivalent thereof) than have come out of a cross-functional, multi-domain corporate tiger-team. Maybe it is time to give the hungry, little, nimble guys a chance.

(1) I started with “I(ntelligence) Prize” but that didn’t sound right. The inspiration for “Q” should be self evident but it isn’t ideal because Q worked in the system, not outside of it. I mean, of all the things you can stick on a watch these days and Bond is still carrying around that stainless steel wrist-laser. Come on . . .

underrattelser – US style

Ralph Peters’ latest report on improvements in MI. Money graph:

Appropriate technologies can help us – but no database or collection system is a substitute for seasoned human judgment. The key task in intelligence is understanding the enemy. Machines do many things, but they still don’t register flesh-and-blood relationships, self-sacrifice or fanaticism.

Underrattelser: Improvement from below (how Swedes describe MI) covered at John Robb’s site.

Last one out of the SCIF, turn out the light

The cynic in me wants to laugh, but is just sad

The National Security Agency is facing significant budget shortfalls as the spy agency scrambles to respond to a mounting electricity crisis, modernize its technology, maintain current operations and add workspace, congressional and intelligence officials say.

As a result, they say, the NSA has slowed hiring, pared back upgrades in information technology, delayed equipment purchases and shut offices.

Worth a full read.

I’ve said it before and I’ll say it again: planning beyond lunch is a skill that escapes most IC “managers.” NSA is highlighted in this article, but you could find similar stories from every agency. When they’re fighting for their fiefdoms they forget about things like the laws of physics and the reality of the world outside the SCIF. Massive hiring surge without a corresponding increase in office space. Can you say “hot desk?” I mean, they’re lowering the thermostat. I’m waiting for the report about how they’re asking employees to bring in their own coffee beans and condiments because they have to scale back the food service contract. An IT-heavy agency can’t afford to pay for top-notch tech support and they’re running out of power and this is a surprise?!

That they can’t keep auditable books is a major part of the problem. Forget internal manager panels evaluating budget proposals; it is time to clean house and get legit. Not doing so will only ensure that these same issues will continue to raise their heads again and again. You’re going to trust a new budget system developed by the same people who have an interest in keeping it screwed up?

Also time to dump old portfolios and lesser includeds. Scrub programs for duplication – of which there is a disturbing amount – and watch the savings add up. Hard decisions? One of the many “top priority” projects has to fall away. Can’t risk missing something? You’re missing plenty NOW. You have that CSS for a reason; let them carry a heavier load.

Finally, as the article mentions, pack up what you can and send it away. Take a lesson from Google and park yourself next to a hydroelectric dam. Hawaii, Germany, UK, Washington, Texas, etc. would all welcome a boost in Congressional funding and a larger tax base. You’re not just mitigating current problems, you’re boosting long-term survivability and resilience.