From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?

A Brief History of Cybersecurity Advice

Efforts to secure, or in the vernacular of the time “audit” computers, existed before the Ware Report,[1] but it was the report that codified principles and practices that served as the building blocks of what would become the multi-billion-dollar cybersecurity industry. Books like Computer Capers[2] in the 1970s and The Cuckoo’s Egg[3] in the 1980s show just how slowly the field progressed in both the commercial and governmental spheres, and how varied and disconnected cyber defense and crime-fighting efforts were at the time.

If the “wake-up call” associated with both the sovereign-state and non-state-actor threats was not ringing with the events of The Cuckoo’s Egg, the pounding on the door by hotel security was Eligible Receiver 97 (ER97): a no-notice interoperability exercise that had both physical and cyberspace components to it. With regards to the latter, National Security Agency red teams used common hacker techniques and tools freely available online to successfully compromise dozens of military and civilian infrastructure systems.[4]

No sooner did the dust settle from ER97 than the events of Solar Sunrise kicked off: a series of compromises of Department of Defense systems everyone was sure was being perpetrated by Iraq, right up until it was proven it was the work of three teenagers. Solar Sunrise reiterated the point that not only was the ability to apply force online possible with disturbing ease, but that the types of potential threat actors we needed to be concerned about was larger than originally thought, and our ability to deal with them was inadequate.[5]

In the same timeframe the aforementioned events were taking place, a set of recommendations for dealing with such problems was promulgated through the President’s Commission on Critical Infrastructure Protection (PCCIP),[6] which called out the need for:

  • Better policies
  • Public-Private partnerships
  • Information sharing
  • Central coordination and control
  • New or improved organizations and mechanisms to deal with cyber threats and vulnerabilities
  • The need to adapt to this new environment and to be agile enough to respond to emerging threats
  • Legal reforms
  • Improved training, awareness, and education
  • More research and development

These same recommendations were made in the National Plan for Information Systems Protection in 2000,[7] the National Strategy to Secure Cyberspace in 2003,[8] the National Infrastructure Protection Plan in 2006,[9] the Securing Cyberspace for the 44th Presidency report of 2008,[10] and the Comprehensive National Cybersecurity Initiative, also in 2008.[11] For those keeping score, that is 11 years of the same advice, as hacks against commercial and governmental systems kept growing.

It is not until 2010, with the publication of the National Security Strategy (NSS),[12] that some new advice is proffered. The NSS was not exclusively focused on cybersecurity issues, but it continued to recommend partnerships and sharing, better capabilities to deal with threats, training and awareness, as well as R&D. It also highlighted the need for capacity building, as well as the establishment and promotion of “norms.” The DOD Strategy for Operating in Cyberspace (2011), the DOD Cyber Strategy (2018), the National Cyber Strategy (2018), the DHS Cybersecurity Strategy (2018), and the much-hyped Cyberspace Solarium Commission report (2020) all offer a mix of both old and new advice.[13] That’s another 10 years of telling people what ought to be done, while attacks continued apace and their negative impact grew (see Appendix Afor details).

Meanwhile Back at the Server Farm

What impact has all this good advice had on the state of cybersecurity? Well at the federal level the answer is a mixed bag. We have a history of going through “cyber czars” [14] and other senior executives responsible for cybersecurity like most people change underwear.[15] Efforts like Einstein[16] are highly touted, but its effectiveness is often called into question.[17] Every military service has to have its own “cyber command” – not counting the actual Cyber Command – and all sorts of efforts are underway to try and reinforce the ranks with information-age skills[18] in very much industrial-age institutions, with predictable effect.[19] It is hard to think about events like successful attacks against government systems during Allied Force,[20] the efforts of “patriotic hackers” after the EP3 force down,[21] the accidental bombing of the Chinese embassy in Belgrade,[22] the scope and scale of damage associated with the OPM hack,[23] and the loss of offensive tools from not only the CIA[24] but also the NSA[25] and not wonder about the value of this evergreen advice.  

At the state, local, and tribal level the situation is far worse. They have all the same functions of government to execute as their counterparts at the federal level, but none of the budget or human resources. Municipally focused ransomware attacks of the past few years are illustrative of the problem and how difficult it is to address.[26]

In the commercial sector the situation is not much better. The government has an obligation to look after the well-being of its citizens; private enterprise is driven by a profit motive and the interests of a tiny sub-set of the citizenry: shareholders. Time and time again we see ‘risk acceptance’ as the reason for failing to adhere to sound security practice, and why not? The amount of money that can be made before the inevitable compromise far exceeds the amount required to clean up the mess and compensate the victims. No one is in the cybersecurity business, not even cybersecurity companies, they are just in business.

What Might be Wrong?

21 years of asking people to do the “same old” and expecting a different result calls into question the sanity of those giving the advice, and the advice itself. The author lacks the medical qualifications to assess anyone’s mental health, but one can examine the advice given and formulate some reasonable theories to consider.

This may be the wrong advice. No one who has worked in this field for any length of time has much good to say about public-private partnerships, information sharing schemes, or the state of security awareness training. Big “R” research that has practical implications is rare, while little “r” research as presented in most conferences is lost in a wilderness of wheel-reinvention and stunt hacking.

The right advice, not always the right audiences. The number of organizations that can actually derive benefit from following such advice is actually quite small, though they themselves tend to be quite large. The security poverty line is a real thing,[27] and maybe expecting the largest segment of the economy (small and medium sized businesses) to carry on like they are JPMorgan Chase with its half-billion-dollar security budget is a bridge too far.[28]

Good advice, bad implementation. We are free with advice but parsimonious when it comes to things that would lead to adherence. With a few exceptions, everything is voluntary. We suggest, we do not mandate. We cajole we do not require. We encourage but we do not incent. Everyone is hesitant to use a stick, but we make no effort to offer carrots. Outside of the military and certain government circles, cybersecurity is something people are obliged to have, not anything they want. We appeal to people’s sense of patriotism or talk of “doing the right thing,” but the NSA is not here to save your private enterprise, and advice from people on high horses is hard to swallow.[29]

What Might Make Things Better?

If those in both policy and technology circles can agree that the recommended advice is sound, then we should be examining how we might do things differently, and how we can demonstrate success.

If it matters measure it. At a high level, asking for “better” does not make sense if you do not define what “better” means. Not hand-wavy abstractions, but hard metrics that can be measured, communicated, and evaluated.

The most important efforts must be mandatory. No one does anything voluntary for long. Such efforts start well, and everyone participating means well, but it quickly becomes number 11 on the top 10 list of things to do. Particularly with regards to government and critical infrastructure providers, no one should be able to lobby their way out of their responsibilities, which leads us to…  

Align everyone’s incentives. I am not aware of any meaningful metrics on the value of being a member of an ISAC, ISAO, or joining InfraGard (and the author has been on both sides of these relationships). In the political sphere telling someone to do something without providing resources has a name: unfunded mandate. Better security does not pay for itself. There are any number of incentives that might be offered that would drive compliance, but incentives are almost never an agenda item in panel or policy discussions.

Limited liability and full accountability. Those who provide data to help assess threats and gauge risk must be provided sufficient protection against adverse legal action (short of negligence or incompetence).[30] The lack of such data in sufficient volume makes it hard to understand the scope of the problems we face.[31] Likewise, we have to stop pretending that code, in the right context, is any different than concrete, steel, or silicon. You do not pick random people off the street to build a suspension bridge or pacemaker. This is not a call for a licensing scheme nor protectionism, but adherence to standards and imposing costs on those who willingly fail to do so.

More R&D only makes sense if you know the state of the art. There is no dedicated repository of cybersecurity knowledge that researchers at the academic, corporate, or independent levels can access to understand what prior art exists in any given security discipline. We cannot hope to level-up the science portion of the art-and-science that is cybersecurity without adhering to more scientific practices, of which a repository is a cornerstone.

Recognize the limitations of political approaches. No nation is giving up the advantages that operating in cyberspace affords them in a military or intelligence context. “Norms” are a double-edged sword; if you expect others to adhere to them, you are obliged to do the same. Now re-read the first sentence. What we may want to accomplish politically and what the Internet as-designed will allow are two different things. Aspiring Achesons and Kennans that improve their understanding of the technology that underpins cyberspace will develop approaches more likely to produce positive, achievable results.

The Next 10 Years

If history is any indication, we are a few short months away from the release of another set of policy recommendations that will encompass most of the ideas put forth previously. It will almost certainly contain nothing novel, but it will be received with a great deal of sound and fury, repeated over again annually, signifying nothing.

Forward progress in cybersecurity is entirely dependent upon the will of political leadership. Understandably blood, not bytes, takes precedence in governmental affairs, but our willingness to be so casual about something we claim to be a priority suggests that cybersecurity is not the issue we in cybersecurity think it is. That is a fair point: stealing credit card numbers, social security numbers, medical files, even taking over one’s entire identity does not equate to death. 

But the fact of the matter is that, by and large, we only learn from death. Nothing is really a problem until the body count is high enough, at which point it comes a national imperative. One need only remember their last trip to the airport to realize that this is not hyperbole. Cybersecurity is one field where we have a rare opportunity to bring about meaningful change before we have to hold a memorial service for those we lost.

Better security is a three-legged stool: You need to identify the problem, you need to devise a solution, and you need to measure the effectiveness of that solution. What has impact stays, what does not goes back to the drawing board. For 21 years we have been reinforcing two of those legs and wondering why we are still falling over. Repeating the same mantra while continuing to plug random boxes into a global network is the cyberspace equivalent of “thoughts and prayers.”

This is not a call to declare a war on cyber insecurity, if for no other reason than the wars on drugs and poverty have not exactly produced ideal results. It is a declaration that if something is worth doing then we should do it properly or reprioritize accordingly. To the extent that cybersecurity practitioners have been crying “wolf” for the past few decades, mea culpa, but it is worth remembering that eventually the wolf shows up.


[1] https://en.wikipedia.org/wiki/Ware_report

[2] https://www.amazon.com/Computer-Capers-Thomas-Whiteside/dp/0451617533

[3] https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)

[4] https://en.wikipedia.org/wiki/Eligible_Receiver_97

[5] https://www.globalsecurity.org/military/ops/solar-sunrise.htm

[6] https://www.hsdl.org/?abstract&did=487492

[7] https://www.hsdl.org/?abstract&did=341

[8] https://us-cert.cisa.gov/sites/default/files/publications/cyberspace_strategy.pdf

[9] https://www.cisa.gov/national-infrastructure-protection-plan

[10] https://www.csis.org/analysis/securing-cyberspace-44th-presidency

[11] https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative

[12] https://obamawhitehouse.archives.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf

[13] https://www.solarium.gov/report

[14] https://www.nbcnews.com/id/wbna6151309

[15] https://www.cnn.com/2020/11/17/politics/chris-krebs-fired-by-trump/index.html

[16] https://www.cisa.gov/einstein

[17] https://www.business2community.com/cybersecurity/dhs-einstein-fail-01462281

[18] https://www.goarmy.com/army-cyber/cyber-direct-commissioning-program.html

[19] https://thehill.com/opinion/cybersecurity/391426-pentagon-faces-array-of-challenges-in-retaining-cybersecurity-personnel

[20] https://www.researchgate.net/publication/228605067_The_Cyberspace_Dimension_in_Armed _Conflict_Approaching_a_Complex_Issue_with_Assistance_of_the_Morphological_Method

[21] https://www.wired.com/2001/04/a-chinese-call-to-hack-u-s/

[22] https://www.wired.com/1999/09/china-fought-bombs-with-spam/

[23] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[24] https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html

[25] https://en.wikipedia.org/wiki/The_Shadow_Brokers

[26] https://www.nytimes.com/2020/02/09/technology/ransomware-attacks.html

[27] https://www.uscybersecurity.net/csmag/the-cybersecurity-poverty-line/

[28] https://www.forbes.com/sites/stevemorgan/2016/01/30/why-j-p-morgan-chase-co-is-spending-a-half-billion-dollars-on-cybersecurity/?sh=2e4f84062599

[29] https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/

[30] https://www.lexology.com/library/detail.aspx?g=91d7fce9-4f04-4376-b4ae-b80b141f9291

[31] We are, effectively, at the mercy of private security companies who choose to publish reports on the findings they extract from the cases they are called upon to support. While informative, such reports capture the details of a fraction of a percentage of the total number of cases worldwide.

The Wolf Approaches

In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.

The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.

We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:

  • In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
  • In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
  • In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”
  • In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
  • In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
  • In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
  • In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
  • In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”

The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.

These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.

We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.

Cyber Security Through the Lens of an Election

Inauguration day has come and gone, giving us some time to reflect on both the previous election process as well as what lies ahead for the next four years. There are a number of parallels between running for office and running a cyber security operation, and a few lessons learned from the former can help those involved in the latter.

It’s a Campaign, Not a Day Hike

Depending on the office you’re running for, your campaign might start years before the winner takes the oath of office. Likewise, it is likely to take years to reach the ideal end-state for the IT enterprise you’re responsible to protect. To further complicate things, technology in general and security threats specifically will change over time, which means the probability you’ll see the end of the race is very close to 0. Not running is not an option, so pace yourself.

You Need a Team

Every chief executive needs a team to get things done. In government, it’s called a “cabinet” and in business the “C-suite.” Regardless of the nomenclature, the purpose is the same: they are the people who specialize in certain things who help you formulate and execute policy. If you’re lucky you’ll get a team that buys into your vision, trusts you implicitly, and has the resources necessary to get the job done. More than likely you’re going to have something more akin to a Team of Rivals, but not ones you got to pick.

 (All Kinds of) Experience Matters

There is no one-size fits-all career path that leads to the White House. People that get into cyber security have a wide range of backgrounds. Yet in both fields people love to poke at perceived shortcomings of those who aspire to (or end up in) top positions. We pick on Michael Daniel or Rudy Giuliani for their lack of technical acumen, forgetting that George Washington never went to high school and his first job was blue collar. Being able to cast a vision, manage people under stress, mange limited resources, and inspire confidence; none of those things requires a given type or level of education, and all of them can be developed in a variety of ways.

Everyone is a Constituent

If you’re in security, everyone is “your people.” You don’t have a party, you don’t have a faction, you have to make everyone happy. At the very least you have to keep everyone from revolting. Everyone has a different agenda, different needs, different outlooks. You will make enemies, and different people will be your friend or foe depending on the situation. Success depends on keeping all those factors in balance so that you can move the center forward.

It’s a great parlor game to try and figure out what the next four years is going to be like on the political front, but the fact of the matter is we have no real idea how things are going to go. In that sense politics is a lot like cyber security: you prepare for the worst, you assume every day is going to be rocky, but sometimes you get pleasantly surprised.

Hail to the Chief! All of them.

We Learn From Death

Why are we perpetually surprised (or not, depending on how you look at it) at the failure of so many at both the organizational and individual level to take cybersecurity seriously? I would argue that most people are placing cybersecurity exactly where it should be when it comes to the myriad risks in their lives, and that is unlikely to change until it is far too late for some.

On the radio the other day there was an interview with an airline crash investigator. Airline crashes are rare, and when one happens the investigation defines “comprehensive.” But contrary to what amateurs or outsiders may think, there is really only one reason why an investigation is conducted:

It’s not to let the families know what happened and it’s not to let the lawyers know what happened, it is to prevent this happening again in the future. That’s absolutely the reason for an air crash investigation.

Closure for the families? Don’t care. Assigning blame so lawyers can address issues of liability? Don’t care. I mean, investigators are human beings, they care on one level, butthe true motivation for a crash investigation is singular: reducing the probability that what caused this crash ever happens again. I know you don’t pay attention, but airlines have safety briefings for a reason. They de-ice control surfaces for a reason. You can design and engineer and test all day long, but sometimes problems don’t surface until thousands of hours of flight time under real-world conditions has been logged. To that point:

Aviation has never been safer because we have essentially conquered most of the problems that emerged in the first century of commercial flight. But now we’re starting into the second century of commercial flight and there’s all sorts of new and different challenges.

She goes on to point out that one of those challenges is cybersecurity, but it is not necessarily the most pressing challenge. Why? The interview doesn’t get that in-depth but it is worth noting that ransomware-for-cockpits is not a thing; aircrews not grokinghow automation works is most assuredly a thing.

Stealing credit card numbers, bank account details, social security numbers, medical files, even taking over one’s entire identity doesn’t equate to death. The economics of cybercrime today are such that malicious actors can cause pain, but victims are readily made whole again. In such an environment why would we expect cybersecurity to get better? Why would we expect individuals to care? Why would we expect businesses to do anything more than is absolutely mandated? We don’t catch enough bad guys to provide closure. The industry has successfully fought off efforts to assign liability. The system is basically designed to ensure we will remain victims in perpetuity.

We don’t learn from incompetence, we don’t learn from inconvenience, we don’t even learn from pain: we learn from death. Cybersecurity will get better when people die in sufficiently large numbers.“Cyber” has certainly killed, but as callous and morbid as this sounds, it hasn’t killed enough. How much is enough? I suspect a lot more than have died due to pilot error.

Better Design, Better Security Participation?

A new study by NIST found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report . “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.” (Biometric Update)

Security products are developed by security nerds, for security nerds, which are an increasingly rare breed. Think about how you get a new app for your phone: search, click link to install, start using app. Now think about all the flaming hoops you had to jump through the last time you had a security problem, or tried to install some security mechanism. The less users have to think about making sound security decisions, and the easier it is for them to take action, the less likely they are to become victims. Hard core security wonks will laugh at the idea of cybersecurity UX, but there is a reason why the more elegant and efficient a tool the more passionate its users. 

Good Cyber Security is Not Glamorous

One of the more common reasons why most organizations push back on spending for cyber security is the lack of a “return on investment.” All that fancy, shiny cyber-y stuff costs a lot of money without providing a clear benefit that is commensurate with the expenditure. Firewalls are expensive. IDS/IPS are expensive. SIEMs are expensive. Talent to run it all (if you can even find it) is expensive.

Yet for all that expense the end result may still be a breach that costs millions of dollars, and the source of that breach is almost assuredly something that makes all that expense seem like a waste, not an investment. Advancing cyber security starts with promulgating the message that like most things in life: success is about the grind.

The Importance of Blocking and Tackling

A good, sound security capability can in fact be very pedestrian. Take some time to look at the SANS Top 25 (formerly 10) lists going back several years. Do the same thing for the OWASP Top 10. If you look closely you’ll notice that while names may change, the basic problems do not. Buffer overflows and cross-site scripting are not “advanced” or “sophisticated” but they work.  All year, every year.

Addressing the most common security problems facing any enterprise does not require floor-to-ceiling displays showing maps of the world and stoplight charts and data flows from country to country. It doesn’t require a lot of software or hardware or subscriptions or licenses or feeds. The biggest problems are the most common ones that don’t necessarily require advanced skills or technology to resolve. You can harden your enterprise against the most likely and most dangerous problems without ever talking to a salesperson or worrying about how much you’re going to have to pay that guy with all the letters after his name.

Are You Ready For Some Football?

It wouldn’t be fall without a football analogy, so here is the first one of the season: If you knew who Odell Beckham Jr. was before Lena Dunham did, you know where I’m going with this. If you didn’t, go to YouTube and enter his name, I’ll wait…..

Amazing plays are not the result of practicing acrobatics in full pads. Wide Receivers don’t take contortionist classes. Training for football season at any level is about fundamentals. Everyone doing the same drills, or variations on a theme, that they’ve done since they first put on a helmet. Why? Because the bulk of success on the field is attributable to fundamentals. Blocking and tackling. Plays that make the highlight reels are the result of individual athleticism, instincts, and drive, but no receiver gets into position to make the highlight reel without mastering the basics first.

A team of journeymen who are well versed in the basics alone may not make the playoffs, much less the Super Bowl, but that’s not the point; you want to avoid being beaten by the second string of the local community college. If you want to know how well buying expensive “solutions” to your problems works, I invite you to check out the drama that has been Washington Redskins since 1999.

Its About Perspective

You can’t read an article on cybersecurity and not see the words “advanced” or “sophisticated” either in the text or the half-dozen ads around the story. Security companies cannot move product or get customers to renew subscriptions without promoting some level of fear, uncertainty and doubt. No product salesperson will bring up the fact that procuring the next-generation whatever they are selling is almost assuredly buying a castle that will be installed on a foundation of sand (to be fair: it’s not their job to revamp your security program).

This is not to say you ignore the truly advanced or dangerous, but you need to put it all into perspective. You don’t buy an alarm system for your house and then leave your doors and windows open. You do not spend more money on the car with the highest safety ratings and then roll out without wearing your seat belt. You don’t buy your kids bicycle helmets and then set them loose on the freeway. You do all the things that keep you and yours safe because to ignore the basics undermines the advanced.The same holds true in cyber security, and the sooner we put on our Carhartts and spend more sweat equity than we do cash, the sooner we are likely to see real improvements.

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes.In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war. 

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

The Airborne Shuffle in Cyberspace

I did my fair share supporting and helping develop its predecessor, but I have no special insights into what is going on at CYBERCOM today. I am loathe to criticize when I don’t know all the details, still I see reports like this and scratch my head and wonder: why is anyone surprised?

Focus. If you have to wake up early to do an hour of PT, get diverted afterwards to pee in a cup, finally get to work and develop a good head of steam, only to leave early to go to the arms room and spend an hour cleaning a rifle, you’re not going to develop a world-class capability in any meaningful time-frame. Not in this domain. Not to mention the fact that after about two years whatever talent you’ve managed to develop rotates out and you have to start all over again.

Speed. If you have to call a meeting to call a meeting, and the actual meeting can’t take place for two weeks because everyone who needs to be there is involved in some variation of the distractions noted above, or TDY, you have no chance. It also doesn’t help that when you manage to have the meeting you are forced to delay decisions because of some minutia. You’re not just behind the power curve, you’re running in the opposite direction.

Agility. If your business model is to train generalists and buy your technology…over the course of several years…you are going to have a hard time going up against people with deep expertise who can create their own capabilities in days. Do we need a reminder inhow effective sub-peer adversaries can be against cutting edge military technology? You know what the people attacking SWIFT or major defense contractors aren’t doing? Standing up a PMO.

The procurement and use of tanks or aircraft carriers is limited to the military in meat-space, but in cyberspace anyone can develop or acquire weapons and project power. Globally. If you’re not taking this into consideration you’re basically the 18th Pomeranians. Absent radical changes no government hierarchy is going to out-perform or out-maneuver such adversaries, but it may be possible to close the gaps to some degree.

Focus. You should not lower standards for general purpose military skills, but in a CONUS, office environment you can exercise more control over how that training is performed and scheduled. Every Marine a rifleman, I get it, but shooting wars are relatively rare; the digital conflict has been engaged for decades (and if your cyber troops are hearing shots fired in anger, you’ve probably already lost).

Speed. Hackers don’t hold meetings, they open chat sessions. Their communication with their peers and partners is more or less constant. If you’re used to calling a formation to deliver your messages orally, you’re going to have to get used to not doing that. Uncomfortable with being glued to a screen – desktop or handheld? You’re probably ill-suited to operate in this domain.

Agility. You are never going to replicate ‘silicon valley’ in the DOD without completely disrupting DOD culture. The latter is a zero-defect environment, whereas the former considers failures to be a necessary part of producing excellence. You cannot hold company-level command for 15 years because its the job you’re best suited to; you can be one of the world’s best reverse engineers for as long as you want to be. What is “normal” should mean nothing inside an outfit like CYBERCOM.

Additional factors to consider…

Homestead. If you get assigned to CYBERCOM you’re there for at least 10 years. That’s about 20 dog years from the perspective of the domain and related technology experience, and it will be invaluable if you are serious about effective performance on the battlefield.

Lower Rank/Greater Impact. Cyberspace is where the ‘strategic corporal’ is going to play an out-sized role. At any given moment the commander – once their intent is made clear – is the least important person in the room.

Bias for Action. In meat-space if you pull the trigger you cannot call back the bullet. If your aim is true your target dies. In cyberspace your bullets don’t have to be fatal. The effect need only be temporary. We can and should be doing far more than we apparently are, because I guarantee our adversaries are.

Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through TOR, use an alias and only type with latex gloves on stranger’s computers when they leave the coffee table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on data brokers and marketing companies “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, your set-top-box is telling someone what you’re watching (and depending on what the content is can infer what you’re doing while you are watching). You think you’re being careful, if not downright discrete, but you’re not. Even trained professionals screw up and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because of the sunshine reflecting off of abuses/overreaches could not be ignored by those who are charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting of commenting on it actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?

Yeah….

No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at does: form a lobby, raise money, and button hole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breath Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right might would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.