Speed and Scale

News about ransomware gang takedowns and ransom recoveries make for great headlines, and the way some people talk you’d think we had this ransomware thing licked. But while these are certainly “wins,” they’re not really having a noticeable impact, and if we keep going at these issues in a plodding, ad hoc, linear fashion they absolutely won’t.

Not that long ago that botnet takedowns were receiving similar levels of attention. I was lucky enough to be a part of some of these actions. Nay-sayers at the time said there was no real impact because replacements popped up so quickly. I was inclined to agree, but argued that the value of such actions would be realized once more people could do them, and do them more often.

Botnet takedowns required a lot of challenging legal legwork. If you’ve ever worked with lawyers, you know very few of them like to be at the cutting edge. In a system that places a high value on precedence, being the first at anything poses a serious risk of failure. But once that nut was cracked and a few cases got through the system, the potential to move a lot faster in more jurisdictions seemed like a real possibility.

Years later, botnet takedowns are still not a frequent occurrence, even though botnets are certainly still a thing. This is, to my mind, one of the bigger ‘shames’ in this space (“it’s a shame that…” not shameful behavior), because if we could manage to take down multiple botnets on a weekly basis vice, say, one a year, it dramatically drives up the risk factor (and potentially the cost) for would-be botnet creators. If you’re more likely to get hit by a meteor than arrested, life as a digital crime lord seems pretty attractive. As soon as prison becomes likely, suddenly it is time to consider getting a regular job.

Bad actors will always have a number of advantages over defenders and law enforcement. In some cases you’re dealing with super-empowered individuals, who can work much faster than adversaries that have to operate in an industrial-age model, be sure to address the ‘equities’ of all the ‘stakeholders’ involved, fight for budget, hunt for increasingly rare talent to do the work, etc. Especially when you’re dealing with governmental organizations, “taking down 1000 botnets” is probably not a bullet on anyone’s performance evaluation. From the organization’s point of view it is important to “measure what matters,” but from the employee’s point of view all that matters when it comes to applying effort is what is measured. These types of activities require extensive industry cooperation, and such measures are not revenue-generating. Read into that what you will.

The work that goes into both botnet and ransomware takedowns is not insignificant, and those involved deserve to be recognized and congratulated. But until actions like these become so commonplace that they cease being news, they are novelties. Unless government, defenders, and industry can devise a system of processes and incentives that make such actions practical and rewarding, such activity will eventually wane, and it will be like nothing anyone did mattered.

End Cybersecurity Awareness Month

Management guru Peter Drucker said, “what gets measured gets managed.” Which helps to explain why October – Cybersecurity Awareness Month – is such a bad idea.

For the 31 days of October, everyone in the world who is not involved in cybersecurity is going to be rendered deaf by the cacophony uttered by those who purport to want to improve cybersecurity. In truth, all this noise will drive people to tune out, unsubscribe, unfollow, or otherwise distance themselves from what some well-intentioned but misguided souls think is being useful.

The idea that a month of non-stop mentioning cybersecurity is going to actually improve the state of cybersecurity is like thinking you can declare “war” on poverty or drugs and come out the other side a winner. Doing more of a thing that isn’t working isn’t virtuous, its stupid. It becomes a thing you can’t not do because you’re more afraid of what people will say than the efficacy of the deed.

Come November 1st everyone will sit back to enjoy the silence and promptly forget whatever they might have heard or read. They will not remember a single vendor name or pitch or product name. They won’t forget about cybersecurity writ large, because in a day or two they’ll get notice that yet-again their personal data has been compromised via a breach at a company that … if they had just paid more attention in October…

This brings us to Drucker and the idea that people pay attention to what they’re evaluated on or against. We’ve all had jobs where on the first day you’re told company policy (don’t commit fraud, follow safety rules, don’t harass people, etc.), and every subsequent day after that you’re told what your quota or goals are. Is it a wonder then, that people do as sorts of things in violation of policy in order to maximize their reward? Every day its ‘earn, make, do’ and once a year its ‘don’t forget to be a decent human being.’ And we wonder why we have toxic workplaces and endless breaches.

What is the usual agenda for your Monday morning staff meeting? Operations update? Accounting and finance? Personnel? You talk about these things because they’re important. People know they are going to be held accountable for those issues, so they work on them. If you want to level up your cybersecurity posture you need to talk about it at least as frequently as you do everything else you care about. Treating it as something that only gets addressed occasionally, or when something bad happens, is a sure-fire way to get people to pay attention only for as long as they must.

Buccaneer.com 2.0

Fifteen years ago, parallels between the age of piracy and the state of cyber-insecurity illustrated how we might combat malicious online activity by leveraging private resources. While the call to do just that has grown louder over time, there are still those who feel the increased use of private sector resources for computer network operations is a controversial issue. Enthusiasts tend to have a facile understanding of certain absurdities and dangers, while their opposites fail to recognize just how far-gone things are. Privateering is reality. The only outstanding issue is how much autonomy private concerns will be given going forward.


Securing resources and technologies that depend on the Internet to function is a national security issue. That hasn’t changed in 15 years.[1] Neither has the fact that cyber threats have grown at a pace that exceeds both government’s and industry’s ability to address them. The cybersecurity market is $156 billion dollars strong,[2] yet victims still fall prey to the same sorts of problems identified decades ago. We have a National Security Agency,[3] Cybersecurity and Infrastructure Security Agency,[4] ISACs,[5] ISAOs,[6] and service and national level cyber commands,[7] but there has been no obvious indication that their existance has made our adversaries – both state and non-state – think twice about conducting offensive actions against us.

We attempt to address these issues at the national level with familiar but flawed ideas like arms control and deterrence, because in policy-making circles we are heavy on students of Kahn and Kissinger and Kennan and light on people who know how the  Internet actually works. Concepts like “defend forward” and “persistent engagement” are attempts to improve our ability to display strength, but with no statistics from the government to illustrate how effective such measures are, we are left to look at things like the effects of the scourage of ransomware and assume that while we may have turned the dial up, we’re still closer to 0 than 11.

At the time Buccaneer.com was written, the idea of adopting a privateering model was novel, even if the range of complications was extensive and seemingly intractable. Yet the reality even then was that we could neither defend ourselves nor take the fight to our adversaries if it were not for what are effective combatants who draw their salaries from private payrolls, not the U.S. Treasury.

A Spade by Any Other Name

The word “privateering” in relation to online activity evokes a number of strong emotions and allows imaginations to run wild. Privateering is the employment of private sector resources to conduct activity authorized by the government in furtherance of national policy. It is not restricted to offensive activity, and it is not about acquisition or recovery of “treasure.”[8]

Privateering is not “hack back” – allowing the victims of attacks to attempt to retaliate against their attackers. Hack back is vigilantism: an emotionally satisfying idea, but one that only makes sense if you suspend a great deal of disbelief about the capabilities of the average private concern. Some will look at “privateering” and “hack back” and see a distinction without a difference. But hack back is illegal under 18 U.S.C. 1030,[9] while the government has regularly employed private sector resources in support of national policy since the founding.[10] In this context we just don’t call them privateers, we call them contractors. Viewed through that frame, privateering is not an issue for debate, it is a fait accompli.

Sounds Like a ‘You’ Problem

Most commentators get wrapped around the axle about the idea of privateering because it sounds like we’re outsourcing the right or authority to wage war. Now, the use of Authorizations of the Use of Military Force and not Declarations of War is a serious topic in political circles that – after a 20-year war of great cost and nominal value – needs to be resolved.[11] And the extensive use of private military companies in Afghanistan and Iraq (and the crimes and general bad behaviour of same – proven or alleged) only adds fuel to the fire.[12] So the idea that we would extend that sort of thinking and behavior onto the medium that plays such an increasingly important role in our lives does seem at best irresponsible and at worst catastrophic.

Yet adversary[13] governments[14] have no qualms about using private actors to execute online tactics in support of national policy. The primary reason we look askance at such efforts is that we emphasize the use private sector resources for defensive or supporting functions,[15] yet every agency with the authority to conduct Computer Network Operations (CNO)[16] does so with the help of contractors. Our offensive power would be a shadow of itself were it not for commercial concerns who can attract and retain the talent necessary to staff an effective capability. If you are at all familiar with the military services’ inability to retain pilots,[17] linguists, or other highly skilled practitioners with rare talents, you understand the dynamics at work.

In fact, if it were not for the defensive role contractors have played over the years, our offensive capabilities may not have evolved as quickly or grown to the size it is today. Government and private sector collaboration (overt or discrete) is laid bare with every indictment filed or accusation levelled against a foreign officer or agent. It is unlikely that all the data necessary to make such statements come exclusively from governmental sources. This is the private sector supplying the government with ammunition of sorts, not treasure.[18]

Westphalia Online: Does Not Compute

Governments do not have a monopoly on the ability to project power online. They never have. In the physical world you might own a gun, but you cannot wage war. The government is the sole arbiter of decisions like that. Yet every conference, panel, seminar, or working group held on these issues always consists of experts in government or policy, not technologists or CNO practitioners. This is why we have so many discussions about “norms” and ideas like a “Digital Geneva Convention” [19] when, if they had invited a few people with online “combat” experience, the folly of that sort of thinking would have been painfully obvious.

It is not that we should not try to make cyberspace a better place, but for everyone who still holds on to those early pipe dreams of what good the ‘Net would do, note that even John Perry Barlow didn’t believe his initial ravings at the end.[20] In fact monetization – of misinformation[21], disinformation[22], deep fakes, and “Q”[23] have almost certainly driven more minds to close than open, and spread more hate than peace, love, and understanding. We dream of Mr. Rodgers’ Neighbourhood[24] while we live in Mr. Robinson’s Neighbourhood.[25]

And while cyberspace may have physical underpinnings that can be controlled (or destroyed), the military doesn’t actually have a lot of say when it comes to the control of that environment. The U.S. Air Force cannot control the weather, but they use technology that enables them to fly regardless of the weather. Likewise, Cyber Command doesn’t control the Internet, service providers do, but there is no technology that can help them overcome that issue. We do not know how closely government and telecoms may collaborate, but here is one thing I think we can all agree on: if someone started a “cyber war” that started to interfere with revenue, there is probably an EVP at Verizon or Deutsche Telekom who has more power over the outcome of that conflict than any General does.

Whether we are talking about medieval free lances, or hackers with government sanction, the point of using contractors is the same: it allows the government to put the right – rare – resources against a problem for as long as that problem exists, and to disperse them when the job is done. The use of the private sector to address cyberspace-related issues works well because no government agency can afford to attract and retain the necessary talent for a career,[26] and they most certainly cannot move at Internet speed. Our adversaries know this and embrace it,[27] but we are only now proposing that these ideas be studied.[28]

The Real Issues

The use of private sector resources to support government policy is not controversial; increased autonomy for private sector resources is a very real risk that warrants serious discussion and broad input.  Imagine you have the authority and ability to gain access to some of the most sensitive systems a country or state-owned enterprise may have. As we have seen with regards to much more trivial matters, there is a sub-set of people who simply cannot be trusted. [29] Temptation of this sort exists regardless of where your paycheck comes from and no matter how trivial the matter. [30]

Opponents of increased involvement of private actors fear that adding one or more players to the list of belligerents is a sign that government is giving preference to lex talionis over other courses of action.[31] Such a move would certainly stand in contrast to light weight actions like indictments, but the real danger is not at the national level but the personal one. It is only a matter of time before U.S. CNO practitioners will find themselves the targets of legal (and possibly extra-ordinary) action by other nations. Ask Michael Spavor or Michael Kovrig how they feel about being pawns in the digital great power competition.[32]

More aggressive activity carried out online by incentivized private actors triggers the hand-wringing crowd, who are concerned about the negative impact of increased adversary activity on the quality of life in a heavily tech-dependent society. Yet they can only point to ‘what ifs’ and short-term examples of their proposed extremes. What is almost universally absent in their calculus is how societies in adversary nations will respond when they find themselves in the same situation, and their response to the actions of their own industry and government. This is not to say that our strategy should be an advanced game of ‘chicken’ but a recognition that good equations have balance.  

It is also important to note that no matter how adversarial your relationship, there is very little value in damage or destruction. Events like Stuxnet or Saudi Aramco[33] are notable for many reasons, not the least of which is that they’re rare. You want the other side to recover because they’re just going to put more valuable resources back online. It might be harder to compromise them, but it is never impossible.


Of the super-power class of nations practicing CNO, we’re the only one debating whether or not the private sector should play a role in CNO, while conveniently ignoring the fact that the private sector is effectively the backbone of our CNO capabilities. It is as if the literal lack of eye patches and parrots is creating some sort of cognitive dissonance amongst otherwise clear-thinking people. Our adversaries are not encumbered with such burdens. They literally wrote the book on this sort of thing decades ago,[34] which we talked about, but then promptly ignored because it ran counter to our preferred way of waging war.

Privateering is still the most feasible approach to the problem, especially given the changing dynamics associated with the projection of power, though one that could have serious repercussions if allowed to expand without careful management and diligent oversight.

The only real alternative to privateering – a large and powerful government enforcement capability – is unlikely. The excessive cost of such a capability and lack of political will are the two key mitigating factors. One need only look to the inadequacy and unoriginality of governmental efforts to retain cybersecurity experts to realize there is no scheme that troops would find attractive that government can afford, or organizations would find paletable on cultural grounds.

A greater level of autonomy amongst private actors would require a strong, independent, and transparent mechanism for oversight. But this begs the question:  in the midst of a talent shortage where would we draw sufficiently skilled and knowledgeable practitioners for an oversight function? Who wants to join the watchers, when the do-ers are making x3 the money?

Our insistence of fighting in a certain way, or viewing issues through frameworks that are understood rather than applicable, is not a uniquely American phenomenon, but one we seem to excel at. By that I mean we would rather subject ourselves to unnecessary misery, expense, and loss over an extended period of time in the name of culture rather than point out imperial nudity. Suffering is not a virtue when justifiable options exist that address the problem as it is, not as we wish it to be.

The argument over privateering has run its course. National insecurity in cyberspace is not a problem that is going to be effectively addressed by a tactic, but by the formulation and application of technically coherent policy. That will not happen without the increased involvement – at a level of parity with those proficient in policy – of those with technical acumen at the strategic level.

[1] https://www.haftofthespear.com/wp-content/uploads/2021/04/Buccaneerdotcom.pdf

[2] https://www.globenewswire.com/news-release/2021/03/17/2194254/0/en/Global-Cybersecurity-Market-Size-to-Grow-at-a-CAGR-of-12-5-from-2021-to-2028.html#:~:text=The%20global%20cybersecurity%20market%20size,the%20global%20market%20for%20cybersecurity.

[3] https://nsa.gov

[4] https://cisa.gov

[5] Information Sharing and Analysis Center https://www.nationalisacs.org/

[6] Information Sharing and Analysis Organization https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos

[7] https://en.wikipedia.org/wiki/United_States_Cyber_Command

[8] https://www.zdnet.com/article/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history/#:~:text=NSA%3A%20Cybercrime%20is%20%27the%20greatest%20transfer%20of%20wealth,to%20support%20cybersecurity%20legislation%20being%20pushed%20through%20Congress.

[9] https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)

[10] https://www.history.com/news/american-privateers-revolutionary-war-private-navy

[11] https://www.fcnl.org/updates/2021-04/2002-iraq-aumf-what-it-and-why-congress-should-repeal-it


[13] https://www.nytimes.com/2020/03/29/technology/russia-troll-farm-election.html

[14] https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion

[15] https://www.fedscoop.com/recorded-future-cyber-command-contract/

[16] https://apps.dtic.mil/dtic/tr/fulltext/u2/a506188.pdf

[17] https://www.defenseone.com/ideas/2021/04/usafs-bad-bets-pilot-retention-show-it-needs-outside-help/173431/

[18] https://www.scientificamerican.com/article/how-the-chinese-cyberthreat-has-evolved/

[19] https://www.cnbc.com/2018/01/26/microsoft-calls-for-new-digital-geneva-convention-after-spate-of-high-profile-cyberattacks.html

[20] https://www.eff.org/cyberspace-independence

[21] False, inaccurate, or misleading information that is communicated regardless of an intention to deceive. https://en.wikipedia.org/wiki/Misinformation

[22] False or misleading information that is spread deliberately to deceive. https://en.wikipedia.org/wiki/Disinformation

[23] https://en.wikipedia.org/wiki/QAnon

[24] https://en.wikipedia.org/wiki/Mister_Rogers%27_Neighborhood

[25] https://en.wikipedia.org/wiki/Recurring_Saturday_Night_Live_characters_and_sketches_introduced_ 1980%E2%80%9381#Mister_Robinson’s_Neighborhood

[26] “Contractors are more expensive than employees” is a familiar refrain, but the calculus behind the logic assumes that a soldier or GS employee will stay on the job until they retire, which means the government is on the hook for all those years of salary and benefits, plus their retirement expenses, which could go on for decades. In theory, a contractor may only work on a government project for 4 or 5 years, after which they would move on. That makes them expensive now, but not in the long run. In reality one can complete a career in military or government civilian service and get hired on as a contractor doing effectively the same job, often in the same agency, and log another 20 years supporting government projects. Contractors are more expensive than employees, but then the use of contractors has nothing to do with economics, and everything to do with politics and culture. The government uses

[27] https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF

[28] https://www.meritalk.com/articles/senate-bill-asks-for-dhs-study-on-hack-back-options/

[29] https://www.cnn.com/2013/09/27/politics/nsa-snooping/index.html

[30] https://nypost.com/2021/07/13/facebook-reportedly-fired-52-workers-who-were-caught-spying-on-women/

[31] https://en.wikipedia.org/wiki/Eye_for_an_eye

[32] https://www.nbcnews.com/news/world/canadian-sentenced-11-years-china-spying-case-tied-huawei-n1276524

[33] https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

[34] https://en.wikipedia.org/wiki/Unrestricted_Warfare


They’re not cybersecurity experts, but they did stay at a Holiday Inn Express last night.

Because we have no common body of knowledge from which to explore and learn from prior art, you can predict like the seasons when another cohort of professionals from other disciplines will attempt to tell us what is good for us, despite not understanding the fundamentals of information technology, or how the Internet works.  Whether the idea is deterrence or arms control or any other pressing global security issue of the past 100 years, they’re free with their analogies and advice because their approaches are perfectly suited to deal with threats that are realized hourly, every day, worldwide, for the past several decades.

That’s a joke.

To be fair, their ability to fit so much tripe, trope, hyperbole, and nonsense into a single opening sentence much less an entire op-ed is a skill that has to be acknowledged. Of all the topics I have a passing familiarity with, it would probably take months before I could replicate such a feat. Of course, I would be soundly pummeled about the head and shoulders for doing so because people who actually know what they were talking about would not hesitate to point out what a bumbling neophyte I was.

Yet for some reason, when it comes to things-cyber, people from other fields feel like they can just man ‘splain their way into the discussion and expect their ideas to be treated with respect because of their credentials in an entirely different discipline. This is false authority syndrome at its worst, and for some reason we just sit there and take it.

Maybe it’s a status thing? Thinking heavy thoughts about this space is a relatively new endeavor compared to the broader study of things martial or international. We want to be effective, but we haven’t figured out how to do so without simultaneously being walked on like a hallway runner.  

Maybe it’s a nerd thing? Legions of subject matter experts could point out the shortcomings of these ill-conceived ideas but are too busy actually working problems to care what people who only say polite things politely to other polite people at polite gatherings (which strangely rarely if ever invite technical experts) are saying?

Whatever the reasons may be, it is high time we started pushing back.

The resistance should start by asking every expert in political science, international relations, public policy, or other disciplines to explain exactly how their methodologies will work against cyberspace problems. Not hand-wavy answers extrapolated from the most tenuous similarities: with precision. How exactly are regimes that works for bugs, gas, or isotopes going to work for code? Go ahead, we’ll wait.

Likewise, we need to force digital dilettantes to acknowledge the corrupting power of code and its impact on behavior. It took an age before all the countries in the UN working group on cybersecurity to agree that countries should behave themselves online. A declaration that has, is, and will continue to be violated continuously by the intelligence and security organs of those same signatories. Agreeing to truly meaningful norms means agreeing to give up one of the most powerful intelligence capabilities and “weapons” platforms ever invented. No nation will agree to that with a straight face, and no nation who signs such an agreement believes any of the others will adhere to its terms. Acknowledgement of this reality delineates those serious about contributing from those advocating busy work.

Every piece of work from a professional from another field that does not have a co-author who is an expert in this field should be looked at with a jaundiced eye, and the editorial judgement of the outlet viewed askance. Electricians don’t get published in JAMA – unless of course they’re working with an MD writing about how they built a better medical mousetrap. Disseminating uncritically the work of “eminents” and “formers” gives credibility to ideas that have long since been dissected, discredited, or otherwise shown to be unworkable. Save those precious column inches for the credible and novel.

Lest frustration get the better of me, let me make it clear that the world would be a worse place without the dedication and diligence of prior generations of national and international security professionals. But just as security policy required a whole new set of expertise and thinking on August 6th, 1945, so too are we more likely to find solutions to the problems we face from people who understand the technology and the issues in context.

Ransomware: The Present We Deserve?

The scourge of ransomware is the inevitable result of decades of schizophrenia about our relationship with information technology and security. Treating this problem like all the ones that came before it, in the same fashion we always have, will only prolong our suffering. Clarity, creativity, and will are required if we are to have any hope of a future where ransomware is an annoyance and not a plague.

Ransomware is not new, and neither is using alternative payment systems to fund criminal activity. Cryptocurrency has certainly made ransomware much more prolific, and thanks to persistent access to computing technology and ubiquitous connectivity, its impact has been much more significant than in the past.

Recently a task force was formed to help come up with ideas on how to address the ransomware problem. The release of their findings coincided with a ransomware infection that caught the attention of – if not all – certainly half of the country. You could almost be forgiven for thinking that collectively we – government, industry, and citizens – are finally ready to mobilize against a cybersecurity problem.

Don’t hold your breath.

Über Alles

The problem with getting too worked up about most proposed solutions to security problems, especially ransomware, is that they inevitably default to “things we know how to do” not necessarily things that might work. Most efforts ignore some important issues that neither security nerds nor policy wonks seem to want to factor into their calculus.

We place a much higher value on functionality than we do security. When the average Jane started getting online without services like AOL or CompuServe, all that (Web) activity was unencrypted. It was not long (1995) before SSL came along, yet it took until 2021 for ‘a majority’ of traffic was encrypted. That is not just a long time in ‘Internet time’ it is a long time, period. Meanwhile, outside of the security realm, in that same timeframe we went from CGI and Perl scripts to ASP, SOAP, Rest, etc.

Cash rules everything around us. The ransomware infection on the Colonial Pipeline company is on everyone’s mind, but Colonial Pipeline’s pipeline system was not hacked; the system that allowed them to bill customers did. Most hacks of economic note can trace their origins to the attitude that ransoms and DFIR expenses are a cost of doing business, and not necessarily something to be avoided at all costs.

We would rather talk about “security” even if security is not the best approach to the problem. A $162B dollar industry will not be ignored. Ask 100 different security product or service vendors what the best defense against ransomware will be and none of them will bring up a sound, validated, and secure backup scheme (and related recovery procedures). Why? Because that is a system administrator’s job. Security companies would literally rather blow an advantage over the adversary to make a buck. We would rather whinge on about the “talent shortage” than admit that one of the world’s biggest security problems can be effectively addressed by the “mere” IT guy.[1]

We avoid conflicts at all costs. Public private partnerships, information sharing schemes; with very few exceptions everything you might consider doing in the name of cybersecurity is entirely voluntary. Organizations like NIST establish standards, but unless you work for the government you are not obliged to follow them (and even then…). Any mention of requiring commercial concerns to adhere to standards, policy, or practices brings out the lobbyists and arguments about how industry can regulate itself, which I am sure makes for a very compelling tale if you are running for re-election.

We cannot think clearly about the problem. Ransomware is a criminal activity. Full stop. It is not “cyberwar” and it is not “terrorism.” As a tactic it could be used in support of both war and terror, but getting paid has nothing to do with the violent promotion of political ideology.[2] Such talk really only serves as a defense for the use of currently foreign-facing intelligence capabilities against domestic targets. This is a scenario only a totalitarian could love, because once the government starts doing something, it never stops. The Internet would become a panopticon that you are forced to pay for (at least the apps that spy on you now are “free”).

We argue morality when we should be practicing humanity. Without a doubt paying a ransom rewards criminals and supports further criminal (and likely worse) activity. But understand what people are saying when they say, “don’t pay the ransom.” What they’re saying is that denying a criminal – who will almost certainly never see the inside of a prison cell much less a courtroom – a payday is more important that the businesses that will go under, the jobs that will be lost, and the families that will be impacted because they cannot recover. If you are of a certain age this sort of thinking will seem familiar. A solution built on a graveyard of bankruptcies and broken lives is not a solution to be proud of.

Accept the Things We Cannot Change…

Now that we have recognized the reality of our situation, it is time to think about how to move the ball forward in a fashion that fits within that reality. I am under no illusion that they are perfect solutions, or even very palatable ones (they are certainly not comprehensive), but they are also not dependent upon the world becoming a spherical cow of uniform size and density.

Leverage market forces; explain risk and affirmative risk acceptance. The desire for more functionality will always win out over security. So make it clear to users exactly what the risks are with regards to a given product or service. Not legal-ese in 4-point type on a click-through no one reads; up-front and in plain English. Zero-trust? Right now most people are dealing with zero-knowledge. With time the right balance of functionality and security will out, as people decide what level of risk they are comfortable with online, just everything else in their life.[3]

Make a market when there is none (or it is weak). Banks take security seriously because they would not be banks very long if they could not ensure an acceptable level of security for the float in the cell in the spreadsheet on the disk in the data center that represents our life savings. Every patient trusts that their doctor is not going to tell the world about their issues, but what their doctor’s computer has to say is another story. The market to support security in banks is massive; the market to support security in small medical practices is almost non-existent. Is that a cybersecurity-ACA for underserved markets? Maybe.

Enough Security, More Resilience. As long as there are jobs that require opening email and clicking on attachments, no amount of yelling about the evil that lurks in email (how most ransomware happens) is going to change things. You can try to avoid taking punches, which means you will only lose tired, or you can build up the ability to take punches, which extends how long you can fight, or if you become a target at all.[4]

Hate the players not the technology. No one calls for the abolishment of fiat currency because it is the spendable medium of choice for criminals. No one calls for the shuttering of financial institutions – who are supposedly professionals who know better – when they get caught doing shady deals and dealing with shady characters. Cryptocurrency is not the villain here. We should demand and enforce better behavior (know your customer, etc.), we should not be attacking technology.[5]

Think Safety. Security regulations are all about what you cannot do, and enforcement of such rules brings out the baton-wielding pseudo-cop in every security practitioner. Safety regulations are often about what you cannot do as well, but they’re also about how you can do things in a fashion that won’t result in your workforce missing limbs or otherwise hospitalized. It turns out we know how to reduce risk “without adverse effects to employment, sales, credit ratings, or firm survival” we just don’t apply that model to cyberspace.

The Future We Want

For five days in December of 1952 the city of London was hit by “the big smog.” Officials estimate that as many as 10,000 people died and 100,000 were made ill as a direct result of this confluence of weather and coal smoke. The Clean Air Act of 1956 was the result.

In 1962 the Cuyahoga River in Cleveland Ohio caught fire, one of the last of a series of environmental disasters that led to the creation of the Environmental Protection Agency.

In 2010 the Deepwater Horizon oil spill was the largest environmental disaster in U.S. history and “the biggest public health crisis from a chemical poisoning in the history of the country.”  It resulted in the passage of the RESTORE Act, funded by $20B in fines paid by BP.

We have an opportunity to do decisive and meaningful things that reduce the risks associated with our increasing dependence upon information technology before we the world burns and people die. This, of course, requires a level of will at individual, corporate, and governmental levels that heretofore has been absent when it comes to cybersecurity issues. We can improve the likelihood that our collective intestinal fortitude will rise to the occasion by addressing these issues in ways that are likely to work because they are rooted in reality, even if they seem conciliatory, or the approach is unfamiliar to us. To create a future where ransomware doesn’t exist, or is merely an annoyance, the usual way and pace of doing business will not suffice.

[1] In the interest of full disclosure, the author was formerly merely an IT guy.

[2] We want it to be more than just crime because we paid all this money for things like Cyber Command and CISA and feel like we need to get our money’s worth in a publicly attributable fashion.

[3] Ready, willing, and able to accept that we’ve already achieved that state, we just haven’t made it official yet.

[4] Again, unsexy IT stuff, not fancy blinky box security stuff for which you can charge a premium.

[5] What is the difference between malware and an app? Intent.

The Best Defense?

We have all heard the mantra:

“Attackers only have to be right once; defenders have to be right every time.”

It is, of course, complete nonsense and something only people who don’t understand how compromising computers actually works. The more accurate statement is:

“Attackers have to be right every time, and in series.”

To draw a simple analogy, imagine you are about to enter a house that is not yours. You can see the outside of the house and the door into the house, but inside the house it is pitch black. You’ve been inside the same style of house before so you have a rough idea of where the walls and doors and stairways are, but you don’t know what furniture is where and what modifications to the actual house might have been made. To get from the foyer to a bedroom with a treasure chest in the closet involves you taking tiny steps and moving your hands around in front of you in the hopes that you don’t trip on a shoe or knock over a lamp — something that would let the owner of the house know you were there.

Extending the analogy a bit, you worry that the homeowners are not dead asleep. You worry that they have motion sensors installed around the house. That there are infra-red cameras watching you stumble around. That they own night vision goggles and are handy with a shotgun. These are all things that would bring your hunt for treasure to a quick halt and all things that could be deployed against you without your knowledge.

In the never-ending debate over the relative advantages of offense over defense, or vice versa, the trend recently has been to promote defender advantages. Attackers aren’t all that because this is your house! Nobody ****s with you in your house! 

The problem of course is that you might live in the metaphorical house, but you also might have no earthly idea how to use it to your advantage. If you’ve owned several houses in different parts of the country over the course of several decades, this is all old hat, but the new homeowner (so to speak) lacks a great deal of your knowledge and experience. 

Take recent events in Texas as an example. People who live in the northern part of the country know exactly what to do when the temperatures drop below a certain level in order to prevent their water pipes from freezing. If you’ve only ever lived in Texas and never experienced epic cold relative to the region, you’re going to have a bad day. The temperatures may be back to normal, but the cost, suffering, and inconvenience associated with those rare days lingers.

There is a growing chorus of defenders who are piling on the suffering and woe of other defenders (sometimes “defenders”) because the latter are not taking advantage of the benefits ‘home ownership’ affords. This is a special kind of arrogance considering:

  • You have no idea how complicated someone else’s network is.
  • You have no idea how skilled or knowledgeable another defender is.
  • You have no idea what resources that defender has (or doesn’t).
  • You have no idea what competing priorities that person has to contend with.

If you’re only responsible for defending yourself, or your home lab, or a relatively simple IT enterprise, or deal in research and theory, your opinion about what someone else woulda/coulda/shoulda done isn’t particularly useful. It is, in fact, divisive and detrimental. 

At some point in your career you were the person who was under the gun. Who was at a loss. Who didn’t know how they were going to get themselves out of the fix they were in. At that point in time you would have given anything for someone to extend you a hand and help shoulder the burden. There are times when the best thing one can do for cyber defense has nothing to do with technology and everything to do with empathy.

Or keep throwing drowning men bricks and see where that takes the community.

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?

A Brief History of Cybersecurity Advice

Efforts to secure, or in the vernacular of the time “audit” computers, existed before the Ware Report,[1] but it was the report that codified principles and practices that served as the building blocks of what would become the multi-billion-dollar cybersecurity industry. Books like Computer Capers[2] in the 1970s and The Cuckoo’s Egg[3] in the 1980s show just how slowly the field progressed in both the commercial and governmental spheres, and how varied and disconnected cyber defense and crime-fighting efforts were at the time.

If the “wake-up call” associated with both the sovereign-state and non-state-actor threats was not ringing with the events of The Cuckoo’s Egg, the pounding on the door by hotel security was Eligible Receiver 97 (ER97): a no-notice interoperability exercise that had both physical and cyberspace components to it. With regards to the latter, National Security Agency red teams used common hacker techniques and tools freely available online to successfully compromise dozens of military and civilian infrastructure systems.[4]

No sooner did the dust settle from ER97 than the events of Solar Sunrise kicked off: a series of compromises of Department of Defense systems everyone was sure was being perpetrated by Iraq, right up until it was proven it was the work of three teenagers. Solar Sunrise reiterated the point that not only was the ability to apply force online possible with disturbing ease, but that the types of potential threat actors we needed to be concerned about was larger than originally thought, and our ability to deal with them was inadequate.[5]

In the same timeframe the aforementioned events were taking place, a set of recommendations for dealing with such problems was promulgated through the President’s Commission on Critical Infrastructure Protection (PCCIP),[6] which called out the need for:

  • Better policies
  • Public-Private partnerships
  • Information sharing
  • Central coordination and control
  • New or improved organizations and mechanisms to deal with cyber threats and vulnerabilities
  • The need to adapt to this new environment and to be agile enough to respond to emerging threats
  • Legal reforms
  • Improved training, awareness, and education
  • More research and development

These same recommendations were made in the National Plan for Information Systems Protection in 2000,[7] the National Strategy to Secure Cyberspace in 2003,[8] the National Infrastructure Protection Plan in 2006,[9] the Securing Cyberspace for the 44th Presidency report of 2008,[10] and the Comprehensive National Cybersecurity Initiative, also in 2008.[11] For those keeping score, that is 11 years of the same advice, as hacks against commercial and governmental systems kept growing.

It is not until 2010, with the publication of the National Security Strategy (NSS),[12] that some new advice is proffered. The NSS was not exclusively focused on cybersecurity issues, but it continued to recommend partnerships and sharing, better capabilities to deal with threats, training and awareness, as well as R&D. It also highlighted the need for capacity building, as well as the establishment and promotion of “norms.” The DOD Strategy for Operating in Cyberspace (2011), the DOD Cyber Strategy (2018), the National Cyber Strategy (2018), the DHS Cybersecurity Strategy (2018), and the much-hyped Cyberspace Solarium Commission report (2020) all offer a mix of both old and new advice.[13] That’s another 10 years of telling people what ought to be done, while attacks continued apace and their negative impact grew (see Appendix Afor details).

Meanwhile Back at the Server Farm

What impact has all this good advice had on the state of cybersecurity? Well at the federal level the answer is a mixed bag. We have a history of going through “cyber czars” [14] and other senior executives responsible for cybersecurity like most people change underwear.[15] Efforts like Einstein[16] are highly touted, but its effectiveness is often called into question.[17] Every military service has to have its own “cyber command” – not counting the actual Cyber Command – and all sorts of efforts are underway to try and reinforce the ranks with information-age skills[18] in very much industrial-age institutions, with predictable effect.[19] It is hard to think about events like successful attacks against government systems during Allied Force,[20] the efforts of “patriotic hackers” after the EP3 force down,[21] the accidental bombing of the Chinese embassy in Belgrade,[22] the scope and scale of damage associated with the OPM hack,[23] and the loss of offensive tools from not only the CIA[24] but also the NSA[25] and not wonder about the value of this evergreen advice.  

At the state, local, and tribal level the situation is far worse. They have all the same functions of government to execute as their counterparts at the federal level, but none of the budget or human resources. Municipally focused ransomware attacks of the past few years are illustrative of the problem and how difficult it is to address.[26]

In the commercial sector the situation is not much better. The government has an obligation to look after the well-being of its citizens; private enterprise is driven by a profit motive and the interests of a tiny sub-set of the citizenry: shareholders. Time and time again we see ‘risk acceptance’ as the reason for failing to adhere to sound security practice, and why not? The amount of money that can be made before the inevitable compromise far exceeds the amount required to clean up the mess and compensate the victims. No one is in the cybersecurity business, not even cybersecurity companies, they are just in business.

What Might be Wrong?

21 years of asking people to do the “same old” and expecting a different result calls into question the sanity of those giving the advice, and the advice itself. The author lacks the medical qualifications to assess anyone’s mental health, but one can examine the advice given and formulate some reasonable theories to consider.

This may be the wrong advice. No one who has worked in this field for any length of time has much good to say about public-private partnerships, information sharing schemes, or the state of security awareness training. Big “R” research that has practical implications is rare, while little “r” research as presented in most conferences is lost in a wilderness of wheel-reinvention and stunt hacking.

The right advice, not always the right audiences. The number of organizations that can actually derive benefit from following such advice is actually quite small, though they themselves tend to be quite large. The security poverty line is a real thing,[27] and maybe expecting the largest segment of the economy (small and medium sized businesses) to carry on like they are JPMorgan Chase with its half-billion-dollar security budget is a bridge too far.[28]

Good advice, bad implementation. We are free with advice but parsimonious when it comes to things that would lead to adherence. With a few exceptions, everything is voluntary. We suggest, we do not mandate. We cajole we do not require. We encourage but we do not incent. Everyone is hesitant to use a stick, but we make no effort to offer carrots. Outside of the military and certain government circles, cybersecurity is something people are obliged to have, not anything they want. We appeal to people’s sense of patriotism or talk of “doing the right thing,” but the NSA is not here to save your private enterprise, and advice from people on high horses is hard to swallow.[29]

What Might Make Things Better?

If those in both policy and technology circles can agree that the recommended advice is sound, then we should be examining how we might do things differently, and how we can demonstrate success.

If it matters measure it. At a high level, asking for “better” does not make sense if you do not define what “better” means. Not hand-wavy abstractions, but hard metrics that can be measured, communicated, and evaluated.

The most important efforts must be mandatory. No one does anything voluntary for long. Such efforts start well, and everyone participating means well, but it quickly becomes number 11 on the top 10 list of things to do. Particularly with regards to government and critical infrastructure providers, no one should be able to lobby their way out of their responsibilities, which leads us to…  

Align everyone’s incentives. I am not aware of any meaningful metrics on the value of being a member of an ISAC, ISAO, or joining InfraGard (and the author has been on both sides of these relationships). In the political sphere telling someone to do something without providing resources has a name: unfunded mandate. Better security does not pay for itself. There are any number of incentives that might be offered that would drive compliance, but incentives are almost never an agenda item in panel or policy discussions.

Limited liability and full accountability. Those who provide data to help assess threats and gauge risk must be provided sufficient protection against adverse legal action (short of negligence or incompetence).[30] The lack of such data in sufficient volume makes it hard to understand the scope of the problems we face.[31] Likewise, we have to stop pretending that code, in the right context, is any different than concrete, steel, or silicon. You do not pick random people off the street to build a suspension bridge or pacemaker. This is not a call for a licensing scheme nor protectionism, but adherence to standards and imposing costs on those who willingly fail to do so.

More R&D only makes sense if you know the state of the art. There is no dedicated repository of cybersecurity knowledge that researchers at the academic, corporate, or independent levels can access to understand what prior art exists in any given security discipline. We cannot hope to level-up the science portion of the art-and-science that is cybersecurity without adhering to more scientific practices, of which a repository is a cornerstone.

Recognize the limitations of political approaches. No nation is giving up the advantages that operating in cyberspace affords them in a military or intelligence context. “Norms” are a double-edged sword; if you expect others to adhere to them, you are obliged to do the same. Now re-read the first sentence. What we may want to accomplish politically and what the Internet as-designed will allow are two different things. Aspiring Achesons and Kennans that improve their understanding of the technology that underpins cyberspace will develop approaches more likely to produce positive, achievable results.

The Next 10 Years

If history is any indication, we are a few short months away from the release of another set of policy recommendations that will encompass most of the ideas put forth previously. It will almost certainly contain nothing novel, but it will be received with a great deal of sound and fury, repeated over again annually, signifying nothing.

Forward progress in cybersecurity is entirely dependent upon the will of political leadership. Understandably blood, not bytes, takes precedence in governmental affairs, but our willingness to be so casual about something we claim to be a priority suggests that cybersecurity is not the issue we in cybersecurity think it is. That is a fair point: stealing credit card numbers, social security numbers, medical files, even taking over one’s entire identity does not equate to death. 

But the fact of the matter is that, by and large, we only learn from death. Nothing is really a problem until the body count is high enough, at which point it comes a national imperative. One need only remember their last trip to the airport to realize that this is not hyperbole. Cybersecurity is one field where we have a rare opportunity to bring about meaningful change before we have to hold a memorial service for those we lost.

Better security is a three-legged stool: You need to identify the problem, you need to devise a solution, and you need to measure the effectiveness of that solution. What has impact stays, what does not goes back to the drawing board. For 21 years we have been reinforcing two of those legs and wondering why we are still falling over. Repeating the same mantra while continuing to plug random boxes into a global network is the cyberspace equivalent of “thoughts and prayers.”

This is not a call to declare a war on cyber insecurity, if for no other reason than the wars on drugs and poverty have not exactly produced ideal results. It is a declaration that if something is worth doing then we should do it properly or reprioritize accordingly. To the extent that cybersecurity practitioners have been crying “wolf” for the past few decades, mea culpa, but it is worth remembering that eventually the wolf shows up.

[1] https://en.wikipedia.org/wiki/Ware_report

[2] https://www.amazon.com/Computer-Capers-Thomas-Whiteside/dp/0451617533

[3] https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)

[4] https://en.wikipedia.org/wiki/Eligible_Receiver_97

[5] https://www.globalsecurity.org/military/ops/solar-sunrise.htm

[6] https://www.hsdl.org/?abstract&did=487492

[7] https://www.hsdl.org/?abstract&did=341

[8] https://us-cert.cisa.gov/sites/default/files/publications/cyberspace_strategy.pdf

[9] https://www.cisa.gov/national-infrastructure-protection-plan

[10] https://www.csis.org/analysis/securing-cyberspace-44th-presidency

[11] https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative

[12] https://obamawhitehouse.archives.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf

[13] https://www.solarium.gov/report

[14] https://www.nbcnews.com/id/wbna6151309

[15] https://www.cnn.com/2020/11/17/politics/chris-krebs-fired-by-trump/index.html

[16] https://www.cisa.gov/einstein

[17] https://www.business2community.com/cybersecurity/dhs-einstein-fail-01462281

[18] https://www.goarmy.com/army-cyber/cyber-direct-commissioning-program.html

[19] https://thehill.com/opinion/cybersecurity/391426-pentagon-faces-array-of-challenges-in-retaining-cybersecurity-personnel

[20] https://www.researchgate.net/publication/228605067_The_Cyberspace_Dimension_in_Armed _Conflict_Approaching_a_Complex_Issue_with_Assistance_of_the_Morphological_Method

[21] https://www.wired.com/2001/04/a-chinese-call-to-hack-u-s/

[22] https://www.wired.com/1999/09/china-fought-bombs-with-spam/

[23] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[24] https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html

[25] https://en.wikipedia.org/wiki/The_Shadow_Brokers

[26] https://www.nytimes.com/2020/02/09/technology/ransomware-attacks.html

[27] https://www.uscybersecurity.net/csmag/the-cybersecurity-poverty-line/

[28] https://www.forbes.com/sites/stevemorgan/2016/01/30/why-j-p-morgan-chase-co-is-spending-a-half-billion-dollars-on-cybersecurity/?sh=2e4f84062599

[29] https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/

[30] https://www.lexology.com/library/detail.aspx?g=91d7fce9-4f04-4376-b4ae-b80b141f9291

[31] We are, effectively, at the mercy of private security companies who choose to publish reports on the findings they extract from the cases they are called upon to support. While informative, such reports capture the details of a fraction of a percentage of the total number of cases worldwide.

The Wolf Approaches

In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.

The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.

We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:

  • In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
  • In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
  • In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”
  • In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
  • In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
  • In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
  • In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
  • In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”

The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.

These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.

We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.

The Global Ungoverned Area

There are places on this planet where good, civilized people simply do not voluntarily go, or willingly stay. What elected governments do in safer and more developed parts of the world are carried out in these areas by despots and militias, often at terrible cost to those who have nowhere else to go and no means to go if they did.

Life online is not unlike life in these ungoverned areas: anyone with the skill and the will is a potential warlord governing their own illicit enterprise, basking in the spoils garnered from the misery of a mass of unfortunates. Who is to stop them? A relative handful of government entities, each with competing agendas, varying levels of knowledge, skills, and resources, none of whom can move fast enough, far enough, or with enough vigor to respond in-kind.

Reaping the whirlwind of apathy

Outside of the government, computer security is rarely something anyone asks for except in certain edge cases. Security is a burden, a cost center. Consumers want functionality. Functionality always trumps security. So much so that most people do not seem to care if security fails. People want an effective solution to their problem. If it happens to also not leak personal or financial data like a sieve, great, but neither is it a deal-breaker.

At the start of the PC age we couldn’t wait to put a computer on every desk. With the advent of the World Wide Web, we rushed headlong into putting anything and everything online. Today online you can play the most trivial game or fulfill your basic needs of food, shelter, and clothing, all at the push of a button. The down side to cyber-ing everything without adequate consideration to security? Epic security failures of all sorts.

Now we stand at the dawn of the age of the Internet of Things. Computers have gone from desktops to laptops to handhelds to wearables and now implantables. And again we can’t wait to employ technology, we also can’t be bothered to secure it.

How things are done

What is our response? Laws and treaties, or at least proposals for same, that decant old approaches into new digital bottles. We decided drugs and povertywere bad, so we declared “war” on them, with dismal results. This sort of thinking is how we get the Wassenaar Agreement applied to cybersecurity: because that’s what people who mean well and are trained in “how things are done” do. But there are a couple of problems with treating cyberspace like 17th century Europe:

  • Even when most people agree on most things, it only takes one issue to bring the whole thing crashing down.
  • The most well-intentioned efforts to deter bad behavior are useless if you cannot enforce the rules, and given the rate at which we incarcerate bad guys it is clear we cannot enforce the rules in any meaningful way at a scale that matters.
  • While all the diplomats of all the governments of the world may agree to follow certain rules, the world’s intelligence organs will continue to use all the tools at their disposal to accomplish their missions, and that includes cyber ones.

This is not to say that such efforts are entirely useless (if you happen to arrest someone you want to have a lot of books to throw at them), just that the level of effort put forth is disproportionate to the impact that it will have on life online. Who is invited to these sorts of discussions? Governments. Who causes the most trouble online? Non-state actors.

Roads less traveled

I am not entirely dismissive of political-diplomatic efforts to improve the security and safety of cyberspace, merely unenthusiastic. Just because “that’s how things are done” doesn’t mean that’s what’s going to get us where we need to be. What it shows is inflexible thinking, and an unwillingness to accept reality. If we’re going to expend time and energy on efforts to civilize cyberspace, let’s do things that might actually work in our lifetimes.

  • Practical diplomacy. We’re never going to get every nation on the same page. Not even for something as heinous as child porn. This means bilateral agreements. Yes, it is more work to both close and manage such agreement, but it beats hoping for some “universal” agreement on norms that will never come.
  • Soft(er) power. No one wants another 9/11, but what we put in place to reduce that risk, isn’t The private enterprises that supply us with the Internet – and computer technology in general – will fight regulation, but they will respond to economic incentives.
  • The human factor. It’s rare to see trash along a highway median, and our rivers don’t catch fire Why? In large part because of the crying Indian. A concerted effort to change public opinion can in fact change behavior (and let’s face it: people are the root of the problem).

Every week a new breach, a new “wake-up call,” yet there is simply not sufficient demand for a safer and more secure cyberspace. The impact of malicious activity online is greater than zero, but not catastrophic, which makes pursuing grandiose solutions a waste of cycles that could be put to better use achieving incremental gains (see ‘boil the ocean’).

Once we started selling pet food and porn online, it stopped being the “information superhighway” and became a demolition derby track. The sooner we recognize it for what it is the sooner we can start to come up with ideas and courses of action more likely to be effective.

/* Originally posted at Modern Warfare blog at CSO Online */

Cyber War: The Fastest Way to Improve Cybersecurity?

For all the benefits IT in general and the Internet specifically have given us, it has also introduced significant risks to our well-being and way of life. Yet cybersecurity is still not a priority for a majority of people and organizations. No amount of warnings about the risks associated with poor cybersecurity have helped drive significant change. Neither have real-world incidents that get worse and worse every year.

The lack of security in technology is largely a question of economics: people want functional things, not secure things, so that’s what manufacturers and coders produce. We express shock after weaknesses are exposed, and then forget what happened when the next shiny thing comes along. Security problems become particularly disconcerting when we start talking about the Internet of Things, which are not just for our convenience; they can be essential to one’s well-being.

To be clear: war is a terrible thing. But war is also the mother of considerable ad hoc innovation and inventions that have a wide impact long after the shooting stops. War forces us to make those hard decisions we kept putting off because we were so busy “crushing” and “disrupting” everything. It forces us to re-evaluate what we consider important, like a reliable AND secure grid, like a pacemaker that that works AND cannot be trivially hacked. Some of the positive things we might expect to get out of a cyberwar include:

  • A true understanding of how much we rely on IT in general and the Internet specifically. You don’t know what you’ve got till it’s gone, so the song says, and that’s certainly true of IT. You know IT impacts a great deal of your life, but almost no one understands how far it all goes. The last 20 years has basically been us plugging computers into networks and crossing our fingers. Risk? We have no idea.
  • A meaningful appreciation for the importance of security. Today, insecurity is an inconvenience. It is not entirely victimless, but increasingly it does not automatically make one a victim. It is a fine, a temporary dip in share price. In war, insecurity means death.
  • The importance of resilience. We are making dumb things ‘smart’ at an unprecedented rate. Left in the dust is the knowledge required to operate sans high technology in the wake of an attack. If you’re pushing 50 or older, you remember how to operate without ATMs, GrubHub, and GPS. Everyone else is literally going to be broke, hungry, and lost in the woods.
  • The creation of practical, effective, scalable solutions. Need to arm a resistance force quickly and cheaply? No problem. Need enough troops to fight in two theaters at opposite ends of the globe? No problem. Need ships tomorrow to get those men and materiel to the fight? No problem. When it has to be done, you find a way.
  • The creation of new opportunities for growth. When you’re tending your victory garden after a 12 hour shift in the ammo plant, or picking up bricks from what used to be your home in Dresden, it’s hard to imagine a world of prosperity. But after war comes a post-war boom. No one asked for the PC, cell phone, or iPod, yet all have impacted our lives and the economy in significant ways. There is no reason to think that the same thing won’t happen again, we just have a hard time conceiving it at this point in time.

In a cyberwar there will be casualties. Perhaps not directly, as you see in a bombing campaign, but the impacts associated with a technologically advanced nation suddenly thrown back into the industrial (or worse) age (think Puerto Rico post-Hurricane Maria). The pain will be felt most severely in the cohorts that pose the greatest risk to internal stability. If you’re used to standing in line for everything, the inability to use IT is not a big a deal. If you’re the nouveau riche of a kleptocracy – or a member of a massive new middle class – and suddenly you’re back with the proles, you’re not going to be happy, and you’re going to question the legitimacy of whomever purports to be in charge, yet can’t keep the lights on or supply potable water.

Change as driven by conflict is a provocative thought experiment, and certainly a worst-case scenario. The most likely situation is the status quo: breaches, fraud, denial, and disruption. If we reassess our relationship with cybersecurity it will certainly be via tragedy, but not necessarily war. Given how we responded to security failings 16 years ago however, it is unclear if those changes will be effective, much less ideal.

/* Originally published in CSOonline – Modern Warfare blog */