“Cyber MAD” is a Bad Idea. Really Bad.

I don’t know how many times I have to say this, but nothing screams “legacy future” like trying to shoe-horn cold-war thinking into “cyber.” This latest attempt doesn’t disappoint (or maybe it does, depending on how you look at it) because it completely misses two key points:

  1. Cyberspace is not meat-space;
  2. Digital weapons are nothing like atomic ones.

Yes, like the nuclear arms race, it is in fact more expensive to defend yourself than it is to attack someone. Generally speaking. It’s OK to paint with a broad brush on this point because so many entities online are so woefully inadequate when it comes to defense that we forget that there are actually some who are quite hard and expensive to attack. Any serious colored-hat who is being honest will tell you that they deal with more than their fair share of unknowns and ‘unknown unknowns’ when going after any given target.

But unlike malicious actions in cyberspace, there is no parsing nuclear war. You’re nuked, or you’re not. Cyber-espionage, cyber-crime, cyber-attack…all indistinguishable in all technically meaningful ways. Each has a different intent, which we are left to speculate about after-the-fact. In the other scenario, no one is around to speculate why a battalion of Reds turned their keys and pushed their buttons.

Attacker identity is indeed important whether you’re viewing a potential conflict through nuclear or digital lenses, but you know what excuse doesn’t work in the nuclear scenario? “It wasn’t me.”

Um, IR burn says it was…

There is no such equivalent in cyberspace. You can get close – real close – given sufficient data and time, but there will be no Colin Powell-at-the-UN-moment in response to a cyber threat because “it wasn’t me” is a perfectly acceptable excuse.

But we have data.

You can fabricate data.

You know what you can’t fabricate? Fallout.

All of this, ALL OF THIS, is completely pointless because if some adversary had both the will and the wherewithal to attack and destroy our and just our critical infrastructure and national security/defense capabilities via cyber means…what are we meant to strike back with? How are those who happen to be left unscathed supposed to determine who struck first? I was not a Missileer, but I’m fairly certain you can’t conduct granular digital attribution from the bottom of an ICBM silo.

What is the point of worrying about destruction anyway? Who wants that? The criminals? No, there is too much money to be made keeping systems up and careless people online. The spies? No, there is too much data to harvest and destruction might actually make collection hard. Crazy-bent-on-global-domination types? This is where I invoke the “Movie Plot Threat” clause. If the scenario you need to make your theory work in cyberspace is indistinguishable from a James Bond script, you can’t be taken seriously.

MAD for cyberspace is a bad idea because it’s completely academic and does nothing to advance the cause of safety or security online (the countdown to someone calling me “anti-intellectual” for pointing out this imperial nudity starts in 5, 4, 3….). MAD, cyber deterrence, all this old think is completely useless in any practical sense. You know why MAD and all those related ideas worked in the 60s? Because they dealt with the world and the problem in front of them as it was, not how they wished it to be.

I wholeheartedly agree that we need to do more and do more differently in order to make cyberspace a safer and more secure environment. I don’t know anyone who argues otherwise. I’m even willing to bet there is a period of history that would provide a meaningful analog to the problems we face today, but the Cold War isn’t it.

Between Preppers and FEMA Trailers

Today, for want of a budget, the Federal government is shutting down. If the nation suffered a massive cyber attack today what would happen? If you think the government is going to defend you against a cyber attack or help you in the aftermath of a digital catastrophe – budget or no budget – think again. The government cannot save you, and you can no more count on timely assistance in the online world than you can in the physical one in the aftermath of a disaster. Help might come eventually, but your ability to fight off hostiles or weather a digital storm depends largely on what you can do for yourself.

The vast majority of the time, natural or man-made disasters are things that happen to someone else. People who live in disaster- or storm-prone areas know that at any given moment they may have to make do with what they have on hand; consequently they prepare to deal with the worst-case scenario for a reasonable amount of time. The reason you don’t see people in the mountain-west or north-east in FEMA trailers after massive snow or ice storms is a culture of resilience and self-reliance.

How does this translate into the digital world? Don’t efforts like the Comprehensive National Cybersecurity Initiative and all the attention foreign state-sponsored industrial espionage has gotten recently belie the idea that the government isn’t ready, willing and able to take action in the face of a digital crisis?

Federal agencies are no better at protecting themselves from digital attack than anyone else. The same tricks that lead to a breach at a bank work against a government employee. Despite spending tens of billions of tax dollars on cyber security we continue to hear about how successful attackers are and that attacks are growing and threatening our economy and way of life. The increasing amount of connectivity in industrial control systems puts us at even greater risk of a disaster because very few people know how to secure a power plant or oil refinery.

It’s not that the government does not want to make the Internet safer and more secure; it is simply ill-equipped to do so. Industrial-age practices, bureaucracy, a sloth-like pace, its love affair with lobbyists, and its inability to retain senior leaders with security chops means “cyber” will always be the most talked-about also-ran issue in government. You know what issue has shut down the federal government this week? It isn’t “cyber.”

Protect you against threats? What leverage do we really have against a country like China? Cold War approaches won’t work. For one, you’re probably reading this on something made in China; your dad never owned a Soviet-made anything. We cannot implement “digital arms control” or a deterrence regime because there is no meaningful analog between nuclear weapons and digital ones. Trying to retrofit new problems into old constructs is how Cold Warriors maintain relevance; it’s just not terribly useful in the real world.

So what are we to do? Historically speaking, when the law could not keep up with human expansion into unknown territory, people were expected to defend themselves and uphold the rudiments of good social behavior. If someone threatened you on your remote homestead, you needed to be prepared to defend yourself until the Marshal arrived. This is not a call to vigilantism, nor that you should become some kind of iPrepper, but a reflection of the fact that the person most responsible for your safety and security online is you. As my former colleague Marc Sachs recently put it:

“If you’re worried about it, do something about it. Take security on yourselves, and don’t trust anybody else to do it.”

What do you or your business need to survive in the short- and long-term if you’re hacked? Invest time and money accordingly. If computer security is terra incognita then hire a guide to get you to where you want to go and teach you what you need to know to survive once you’re there. Unless you want to suffer through the digital equivalent of life in a FEMA trailer, you need to take some responsibility to improve your resilience and ensure your viability.

Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through TOR, use an alias and only type with latex gloves on strangers’ computers when they leave the coffee table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on data brokers’ and marketing companies’ “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, your set-top-box is telling someone what you’re watching (and depending on what the content is can infer what you’re doing while you are watching). You think you’re being careful, if not downright discreet, but you’re not. Even trained professionals screw up and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because the sunshine reflecting off of abuses/overreaches could not be ignored by those who are charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting or commenting on it actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?

Yeah….

No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at does: form a lobby, raise money, and buttonhole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breathe Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is a complicating factor of the difficulty of getting engineered weapons to places that are not war zones, but like the improvised explosives used in Boston, digital weapons are easy to obtain or, if you’re clever enough, build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflects an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

The Importance of Being There

There is nothing new or special about the “cyber” aspect to the Arab Spring. The use of the Internet and tools that ride on and through it by pro- and anti-regime elements in China, Serbia, Mexico . . . we’ve been seeing this for at least 15 years and every time it surfaces it’s the same breathless coverage about how new, and game changing it all is.

I guess I have different definitions for those words.

“Cyber” might make it easier to organize or communicate if you’re the rebel force, but it’s not going to overthrow the government: that takes people putting themselves in physical danger. To steal a phrase I learned in the Army: If you’re not there, you don’t own it. The difference between “cyber” and pamphleteering? The medium. That’s it.

In the future, it would be great if we focused on what really mattered during events like this: the meat-space strategies and tactics and heroics that actually lead to change, not the fact that the rebels are using the online tool-of-the-month. Actually, it would be better if someone wrote an article about how such tactics alone rarely lead to real-world success, but something tells me that won’t sell a lot of newspapers.

Killing Trees for Cyberspace

At his CTO Vision blog my friend and colleague Bob Gourley found a fair amount of good in the new Cyber Strategy. Me, I see a glass half empty . . .

Let me start out by saying that I really would like to see some progress in this realm, and if this latest attempt at a strategy to secure cyberspace is what leads to progress then all the better for us.

My problem is less with any specific part of the strategy than it is with the whole idea of yet-another-strategy in the first place. Let me be perfectly clear: there is absolutely no reason to believe that any substantial, widespread good will come of this document. This is not our first rodeo . . .

. . . and yet by all measures we are no better off today than we were decades ago when the issues identified in the strategy were first brought up. The advance and ubiquity of information technology has both broadened the scope of problems and simultaneously made them more intimate. We have serious problems that need to be dealt with now, but we’re spending our time congratulating ourselves on a great piece of staff work that may never be realized.

A national or international strategy makes a number of presumptions, or simply ignores reality, which is the principal reason why such efforts fail. The Internet is not an instrument of national power in the traditional sense; such power rests in the hands of private concerns. The dominant forces online care not a whit for political or military concerns – the domain of nation-states – but for revenue and profitability (alien concepts to governments). Even the most prolific threat actors in cyberspace today pose no serious threat to the ‘Net itself (you can’t make money if connectivity goes away). As long as there is a patsy to off-load the risks of doing business online (read: consumers), and as long as the pain those patsies suffer is nominal, there is no incentive to invest in a safer cyberspace.

The strategy articulates a vision: A cyberspace that is filled with innovations, interoperable, secure enough and reliable enough. Great, except that’s pretty much the state of affairs today, so I guess that’s a ‘win.’ Do you know how we got that win? Aside from tracing the ‘Net’s roots back to ARPANET, it had nothing to do with government action. The prosperity that we would attempt to assure is already here and will continue to exist because of market forces, not legislation or international agreement.

That a strategy may be actionable is of little consequence if there is no incentive to act. To be more precise: when there is no penalty for failure, what do you think agencies and their leadership are going to focus on? Despite past federal efforts to “secure” cyber space, agencies consistently get failing grades, and no one is held accountable. I only know of one (State-level) cyber security official to have ever been fired, and that wasn’t because he was negligent, but because he spoke out of school. Lesson: it’s OK to get pwned, it’s not OK to admit you got pwned (because, you know, no one else is getting pwned so we might look bad).

I know this is the best effort that those involved could produce. If anyone was going to get it drafted, coordinated, and out the door it was going to be Howard. I will do what I can to help realize the goals of a safer cyber space and I would like to think that this time we’re going to see some forward progress, but almost two decades of witnessing ‘fail’ in this area precludes me from holding my breath.

Turn Away from the (Fulda) Gap

Former DIRNSA/DNI McConnell is right in his assessment of the state of cyber conflict and the US’s disposition, but like so many of his generation he defaults to what he knows best and supposes we can secure the future if we look to the past. That would be great if the present, much less the future, were reflective of anything like the past so many cold warriors are familiar with. It is natural to try and frame current situations into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere.

Reducing the impact of cyber conflict through deterrence (as it is commonly portrayed) and the sharing of information are admirable goals; ones we’ve been trying to accomplish without significant results for years.

Attribution requires a level of effort so massive and onerous the only way to make it fast and easy is to re-engineer how the Internet works and the government’s access to the necessary mechanisms. That is a task that is anything but fast or easy or more importantly: cheap. Barring a combination technical-legal breakthrough that is free, global in scope and universal in acceptance, attribution isn’t happening. No attribution, no deterrence (in a traditional sense).

The point of deterrence is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government systems are attacked regularly; so are the systems of the private firms that support defense and intelligence work. There are only a few entities worldwide that can make use of the information that is stolen from targeted systems, so we have attribution in a meta sense, and justification to act in a meta fashion. Let me know how that strongly worded demarche goes over.

Public-Private partnerships are a great idea. We’ve got ISACs for just that purpose, but what have they done in any practical sense? Neither side is as open as they could or should be, no one talks about anything new. The NSA is a great national resource for critical industries that rely on a stable and secure cyberspace to operate, but no one is going to trust the assurance side of the NSA as long as it is tied to the snooping part. The reasons for keeping the agency’s two directorates together are strong, but the reasons for splitting them apart are more compelling (more on that in a separate venue).

It’s one thing to have an international agreement in place, but it’s folly to think that the most dangerous threats to a nation’s ability to operate in cyberspace would a) adhere to any regime they signed or b) would show up at the negotiating table in the first place. The most dangerous people in cyberspace – those who can and do actually use their weapons – don’t salute a flag, hold sovereign territory, or sign international agreements. For all the time, money and energy put forth trying to counter the proliferation of nuclear weapons, the world is surprisingly full of new nuclear powers (and those that belligerently aspire to achieve such status). Viewed through such a lens, every computer science department in every university is a weapons lab, every professor a national security resource that must be sequestered in Naukograds. Talk about unworkable.

It would be great if safety and security in cyberspace were a notional physics experiment where all the important factors are negligible and controllable, but it’s not, so the only real solutions are the practical ones. The way forward in securing cyberspace is not deterring threats, it’s making threats irrelevant.

Cyberspace is a construct with physical underpinnings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a reasonable amount of time, an adversary can attack all day, every day, to no avail. Someone once said the war on terror should continue until terrorism is a nuisance, and so should it be for cyberspace. As someone who has spent a good chunk of his career addressing these issues it almost pains me to say it, but securing cyberspace is less about security than it is about resilience.

Resilience and security are not the same thing. You can try to make them sound the same, but they’re just not. The problem is that “security” sells, “resilience” is like continuity of operations, and we all know how that’s viewed. Just look over at the shelf to your left, that gigantic three-ring binder with your COOP plan that has ½” of dust on it. Yeah, guys with resilience on their minds put that together. If anyone gets less respect organizationally than cyber security guys it’s resilience guys, which is a shame because of the two communities, the one that is more successful is the resilience crowd. Resilience is achievable. It is happening. Backups and hot sites and redundancy in connectivity, etc., etc. all contribute more to making cyber attacks irrelevant than firewalls, intrusion detection systems, or anti-virus software. Of course the latter is sexy, the former tedious grunt work. It’s not called the Comprehensive National Resilience Initiative, but it probably should be.

When you get down to it though, making cyberspace more secure isn’t about the physical, it’s about the behavioral. Most of the compromises suffered by the US government and the businesses that support national security and defense would go away if we had – early on in the ‘Net’s foray from the governmental to the public/commercial – established, promulgated, and enforced good behavior and safe practices. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the driveway. No matter how hard we try to educate our respective workforces about cyber security, they’re still the weakest link in the cyber security chain. We lose billions in lost R&D and proprietary information that supports national security, yet we still don’t punish people for their digital sins the same way we would if they had committed the same violation in meat-space. Knowingly violating espionage laws gets you prison; knowingly violating corporate security policy is hardly detected.

That’s a shame because cyber security is the root of national security in the information age. The ability to project physical power means nothing – the trillions we spend on defense a waste – if that power can be made irrelevant with a few lines of code. That’s all it takes if any one of the millions of moving parts associated with the design, construction, acquisition, and deployment of our first-world weapons platforms is compromised by an adversary. Make no mistake: the chinks in the armor of the military-industrial complex are too numerous to count, much less monitor or secure.

I support wholeheartedly any effort to really make cyberspace a safer and stronger place, but every few years I listen to the same speeches, read the same studies and ‘strategies’ and watch the same budget cycles burn through billions with no discernible improvement in our security disposition. What I’d like the heavy hitters in the national security arena to do is stop ignoring the recommendations, stop buying the same non-solutions, stop relying on cold warriors, and start acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did nuclear fission occurring over Washington, New York, and Omaha.

“reputation system”

From the Enterprise Resilience Management Blog:

Anyone who believes he knows of information relating to these proposed patents will be able to post this online and solicit comments from others. But this will suddenly make available reams of information, which could be from suspect sources, and so the program includes a ‘reputation system’ for ranking the material and evaluating the expertise of those submitting it.

“reputation system” – how the wiki-fied, blogosphered IC can sort the wheat from the chaff and cast off the last vestiges of the old way of doing things.

Now, to find out the status of that reform book draft . . .

Mission First, People Always

Not going to repeat the now well-worn story of Walter Reed-related issues, merely wanted to take a minute to point out a trend and offer up a lesson.

There was a time when, while serving on active duty, the Army just decided to stop paying me. Never did figure out what happened, the checks just stopped coming. I worked through the chain. I trusted it. I accepted the fact that things move slowly in the Army. I waited. I followed up. I waited some more. I exhausted every internal option available to me as I watched my savings dwindle (the chow hall was great, but I still had other bills to pay). When loan defaults loomed I wrote my Senator who at the time was Army veteran Daniel Inouye.

Roughly 72 hours later I had a check for all my back pay and a line outside my barracks room door of members of my chain of command from battalion-level on down asking if everything was OK, and would I please work through the chain of command to resolve future problems ’cause we really get the heebie jeebies when Senators’ offices call.

The pay problems of one buck sergeant don’t compare to the woes of outpatients at Walter Reed, but this story – and many others any GI will be happy to relate to you – is indicative of the general mindset of those at the top. Nothing is their problem (“If you sloppy GIs wouldn’t keep food in your rooms there wouldn’t be a rat problem”) until someone makes it their problem, and that “someone” is never going to be someone they outrank. The operative phrase is “mission first, people always” until people do what people do and then it becomes “people whenever.”

Under different circumstances I’m sure everyone at the highest levels of Army medicine and the Department of the Army are great folks, but that they responded in typical Army fashion to this situation is beyond shameful. I hope this serves as a lesson for a wider variety of defense and national security leadership: fat lot of good your big initiatives are going to be if you are undone by the little things.