Speed and Scale

News about ransomware gang takedowns and ransom recoveries makes for great headlines, and the way some people talk you’d think we had this ransomware thing licked. But while these are certainly “wins,” they’re not really having a noticeable impact, and if we keep going at these issues in a plodding, ad hoc, linear fashion they absolutely won’t.

Not that long ago, botnet takedowns were receiving similar levels of attention. I was lucky enough to be a part of some of these actions. Naysayers at the time said there was no real impact because replacements popped up so quickly. I was inclined to agree, but argued that the value of such actions would be realized once more people could do them, and do them more often.

Botnet takedowns required a lot of challenging legal legwork. If you’ve ever worked with lawyers, you know very few of them like to be at the cutting edge. In a system that places a high value on precedence, being the first at anything poses a serious risk of failure. But once that nut was cracked and a few cases got through the system, the potential to move a lot faster in more jurisdictions seemed like a real possibility.

Years later, botnet takedowns are still not a frequent occurrence, even though botnets are certainly still a thing. This is, to my mind, one of the bigger ‘shames’ in this space (“it’s a shame that…” not shameful behavior), because if we could manage to take down multiple botnets on a weekly basis vice, say, one a year, it dramatically drives up the risk factor (and potentially the cost) for would-be botnet creators. If you’re more likely to get hit by a meteor than arrested, life as a digital crime lord seems pretty attractive. As soon as prison becomes likely, suddenly it is time to consider getting a regular job.

Bad actors will always have a number of advantages over defenders and law enforcement. In some cases you’re dealing with super-empowered individuals, who can work much faster than adversaries that have to operate in an industrial-age model, be sure to address the ‘equities’ of all the ‘stakeholders’ involved, fight for budget, hunt for increasingly rare talent to do the work, etc. Especially when you’re dealing with governmental organizations, “taking down 1000 botnets” is probably not a bullet on anyone’s performance evaluation. From the organization’s point of view it is important to “measure what matters,” but from the employee’s point of view all that matters when it comes to applying effort is what is measured. These types of activities require extensive industry cooperation, and such measures are not revenue-generating. Read into that what you will.

The work that goes into both botnet and ransomware takedowns is not insignificant, and those involved deserve to be recognized and congratulated. But until actions like these become so commonplace that they cease being news, they are novelties. Unless government, defenders, and industry can devise a system of processes and incentives that make such actions practical and rewarding, such activity will eventually wane, and it will be like nothing anyone did mattered.

Buccaneer.com 2.0

Fifteen years ago, parallels between the age of piracy and the state of cyber-insecurity illustrated how we might combat malicious online activity by leveraging private resources. While the call to do just that has grown louder over time, there are still those who feel the increased use of private sector resources for computer network operations is a controversial issue. Enthusiasts tend to have a facile understanding of certain absurdities and dangers, while their opposites fail to recognize just how far-gone things are. Privateering is reality. The only outstanding issue is how much autonomy private concerns will be given going forward.

Re-Introduction

Securing resources and technologies that depend on the Internet to function is a national security issue. That hasn’t changed in 15 years.[1] Neither has the fact that cyber threats have grown at a pace that exceeds both government’s and industry’s ability to address them. The cybersecurity market is $156 billion strong,[2] yet victims still fall prey to the same sorts of problems identified decades ago. We have a National Security Agency,[3] Cybersecurity and Infrastructure Security Agency,[4] ISACs,[5] ISAOs,[6] and service and national level cyber commands,[7] but there has been no obvious indication that their existence has made our adversaries – both state and non-state – think twice about conducting offensive actions against us.

We attempt to address these issues at the national level with familiar but flawed ideas like arms control and deterrence, because in policy-making circles we are heavy on students of Kahn and Kissinger and Kennan and light on people who know how the Internet actually works. Concepts like “defend forward” and “persistent engagement” are attempts to improve our ability to display strength, but with no statistics from the government to illustrate how effective such measures are, we are left to look at things like the effects of the scourge of ransomware and assume that while we may have turned the dial up, we’re still closer to 0 than 11.

At the time Buccaneer.com was written, the idea of adopting a privateering model was novel, even if the range of complications was extensive and seemingly intractable. Yet the reality even then was that we could neither defend ourselves nor take the fight to our adversaries if it were not for what are effective combatants who draw their salaries from private payrolls, not the U.S. Treasury.

A Spade by Any Other Name

The word “privateering” in relation to online activity evokes a number of strong emotions and allows imaginations to run wild. Privateering is the employment of private sector resources to conduct activity authorized by the government in furtherance of national policy. It is not restricted to offensive activity, and it is not about acquisition or recovery of “treasure.”[8]

Privateering is not “hack back” – allowing the victims of attacks to attempt to retaliate against their attackers. Hack back is vigilantism: an emotionally satisfying idea, but one that only makes sense if you suspend a great deal of disbelief about the capabilities of the average private concern. Some will look at “privateering” and “hack back” and see a distinction without a difference. But hack back is illegal under 18 U.S.C. 1030,[9] while the government has regularly employed private sector resources in support of national policy since the founding.[10] In this context we just don’t call them privateers, we call them contractors. Viewed through that frame, privateering is not an issue for debate, it is a fait accompli.

Sounds Like a ‘You’ Problem

Most commentators get wrapped around the axle about the idea of privateering because it sounds like we’re outsourcing the right or authority to wage war. Now, the use of Authorizations for the Use of Military Force and not Declarations of War is a serious topic in political circles that – after a 20-year war of great cost and nominal value – needs to be resolved.[11] And the extensive use of private military companies in Afghanistan and Iraq (and the crimes and general bad behaviour of same – proven or alleged) only adds fuel to the fire.[12] So the idea that we would extend that sort of thinking and behavior onto the medium that plays such an increasingly important role in our lives does seem at best irresponsible and at worst catastrophic.

Yet adversary[13] governments[14] have no qualms about using private actors to execute online tactics in support of national policy. The primary reason we look askance at such efforts is that we emphasize the use of private sector resources for defensive or supporting functions,[15] yet every agency with the authority to conduct Computer Network Operations (CNO)[16] does so with the help of contractors. Our offensive power would be a shadow of itself were it not for commercial concerns who can attract and retain the talent necessary to staff an effective capability. If you are at all familiar with the military services’ inability to retain pilots,[17] linguists, or other highly skilled practitioners with rare talents, you understand the dynamics at work.

In fact, if it were not for the defensive role contractors have played over the years, our offensive capabilities may not have evolved as quickly or grown to the size they are today. Government and private sector collaboration (overt or discreet) is laid bare with every indictment filed or accusation levelled against a foreign officer or agent. It is unlikely that all the data necessary to make such statements comes exclusively from governmental sources. This is the private sector supplying the government with ammunition of sorts, not treasure.[18]

Westphalia Online: Does Not Compute

Governments do not have a monopoly on the ability to project power online. They never have. In the physical world you might own a gun, but you cannot wage war. The government is the sole arbiter of decisions like that. Yet every conference, panel, seminar, or working group held on these issues always consists of experts in government or policy, not technologists or CNO practitioners. This is why we have so many discussions about “norms” and ideas like a “Digital Geneva Convention”[19] when, if they had invited a few people with online “combat” experience, the folly of that sort of thinking would have been painfully obvious.

It is not that we should not try to make cyberspace a better place, but for everyone who still holds on to those early pipe dreams of what good the ‘Net would do, note that even John Perry Barlow didn’t believe his initial ravings at the end.[20] In fact monetization – of misinformation,[21] disinformation,[22] deep fakes, and “Q”[23] – has almost certainly driven more minds to close than open, and spread more hate than peace, love, and understanding. We dream of Mr. Rogers’ Neighbourhood[24] while we live in Mr. Robinson’s Neighbourhood.[25]

And while cyberspace may have physical underpinnings that can be controlled (or destroyed), the military doesn’t actually have a lot of say when it comes to the control of that environment. The U.S. Air Force cannot control the weather, but they use technology that enables them to fly regardless of the weather. Likewise, Cyber Command doesn’t control the Internet, service providers do, but there is no technology that can help them overcome that issue. We do not know how closely government and telecoms may collaborate, but here is one thing I think we can all agree on: if someone started a “cyber war” that started to interfere with revenue, there is probably an EVP at Verizon or Deutsche Telekom who has more power over the outcome of that conflict than any General does.

Whether we are talking about medieval free lances, or hackers with government sanction, the point of using contractors is the same: it allows the government to put the right – rare – resources against a problem for as long as that problem exists, and to disperse them when the job is done. The use of the private sector to address cyberspace-related issues works well because no government agency can afford to attract and retain the necessary talent for a career,[26] and they most certainly cannot move at Internet speed. Our adversaries know this and embrace it,[27] but we are only now proposing that these ideas be studied.[28]

The Real Issues

The use of private sector resources to support government policy is not controversial; increased autonomy for private sector resources is a very real risk that warrants serious discussion and broad input. Imagine you have the authority and ability to gain access to some of the most sensitive systems a country or state-owned enterprise may have. As we have seen with regards to much more trivial matters, there is a sub-set of people who simply cannot be trusted.[29] Temptation of this sort exists regardless of where your paycheck comes from and no matter how trivial the matter.[30]

Opponents of increased involvement of private actors fear that adding one or more players to the list of belligerents is a sign that government is giving preference to lex talionis over other courses of action.[31] Such a move would certainly stand in contrast to lightweight actions like indictments, but the real danger is not at the national level but the personal one. It is only a matter of time before U.S. CNO practitioners will find themselves the targets of legal (and possibly extra-ordinary) action by other nations. Ask Michael Spavor or Michael Kovrig how they feel about being pawns in the digital great power competition.[32]

More aggressive activity carried out online by incentivized private actors triggers the hand-wringing crowd, who are concerned about the negative impact of increased adversary activity on the quality of life in a heavily tech-dependent society. Yet they can only point to ‘what ifs’ and short-term examples of their proposed extremes. What is almost universally absent in their calculus is how societies in adversary nations will respond when they find themselves in the same situation, and their response to the actions of their own industry and government. This is not to say that our strategy should be an advanced game of ‘chicken’ but a recognition that good equations have balance.

It is also important to note that no matter how adversarial your relationship, there is very little value in damage or destruction. Events like Stuxnet or Saudi Aramco[33] are notable for many reasons, not the least of which is that they’re rare. You want the other side to recover because they’re just going to put more valuable resources back online. It might be harder to compromise them, but it is never impossible.

Conclusions

Of the super-power class of nations practicing CNO, we’re the only one debating whether or not the private sector should play a role in CNO, while conveniently ignoring the fact that the private sector is effectively the backbone of our CNO capabilities. It is as if the literal lack of eye patches and parrots is creating some sort of cognitive dissonance amongst otherwise clear-thinking people. Our adversaries are not encumbered with such burdens. They literally wrote the book on this sort of thing decades ago,[34] which we talked about, but then promptly ignored because it ran counter to our preferred way of waging war.

Privateering is still the most feasible approach to the problem, especially given the changing dynamics associated with the projection of power, though one that could have serious repercussions if allowed to expand without careful management and diligent oversight.

The only real alternative to privateering – a large and powerful government enforcement capability – is unlikely. The excessive cost of such a capability and lack of political will are the two key mitigating factors. One need only look to the inadequacy and unoriginality of governmental efforts to retain cybersecurity experts to realize there is no scheme that troops would find attractive that government can afford, or organizations would find palatable on cultural grounds.

A greater level of autonomy amongst private actors would require a strong, independent, and transparent mechanism for oversight. But this begs the question: in the midst of a talent shortage where would we draw sufficiently skilled and knowledgeable practitioners for an oversight function? Who wants to join the watchers, when the do-ers are making 3x the money?

Our insistence on fighting in a certain way, or viewing issues through frameworks that are understood rather than applicable, is not a uniquely American phenomenon, but one we seem to excel at. By that I mean we would rather subject ourselves to unnecessary misery, expense, and loss over an extended period of time in the name of culture rather than point out imperial nudity. Suffering is not a virtue when justifiable options exist that address the problem as it is, not as we wish it to be.

The argument over privateering has run its course. National insecurity in cyberspace is not a problem that is going to be effectively addressed by a tactic, but by the formulation and application of technically coherent policy. That will not happen without the increased involvement – at a level of parity with those proficient in policy – of those with technical acumen at the strategic level.


[1] https://www.haftofthespear.com/wp-content/uploads/2021/04/Buccaneerdotcom.pdf

[2] https://www.globenewswire.com/news-release/2021/03/17/2194254/0/en/Global-Cybersecurity-Market-Size-to-Grow-at-a-CAGR-of-12-5-from-2021-to-2028.html#:~:text=The%20global%20cybersecurity%20market%20size,the%20global%20market%20for%20cybersecurity.

[3] https://nsa.gov

[4] https://cisa.gov

[5] Information Sharing and Analysis Center https://www.nationalisacs.org/

[6] Information Sharing and Analysis Organization https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos

[7] https://en.wikipedia.org/wiki/United_States_Cyber_Command

[8] https://www.zdnet.com/article/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history/#:~:text=NSA%3A%20Cybercrime%20is%20%27the%20greatest%20transfer%20of%20wealth,to%20support%20cybersecurity%20legislation%20being%20pushed%20through%20Congress.

[9] https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)

[10] https://www.history.com/news/american-privateers-revolutionary-war-private-navy

[11] https://www.fcnl.org/updates/2021-04/2002-iraq-aumf-what-it-and-why-congress-should-repeal-it

[12] https://www.researchgate.net/publication/276187873_PRIVATE_MILITARY_CONTRACTORS_WAR_CRIMES_AND_INTERNATIONAL_HUMANITARIAN_LAW

[13] https://www.nytimes.com/2020/03/29/technology/russia-troll-farm-election.html

[14] https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion

[15] https://www.fedscoop.com/recorded-future-cyber-command-contract/

[16] https://apps.dtic.mil/dtic/tr/fulltext/u2/a506188.pdf

[17] https://www.defenseone.com/ideas/2021/04/usafs-bad-bets-pilot-retention-show-it-needs-outside-help/173431/

[18] https://www.scientificamerican.com/article/how-the-chinese-cyberthreat-has-evolved/

[19] https://www.cnbc.com/2018/01/26/microsoft-calls-for-new-digital-geneva-convention-after-spate-of-high-profile-cyberattacks.html

[20] https://www.eff.org/cyberspace-independence

[21] False, inaccurate, or misleading information that is communicated regardless of an intention to deceive. https://en.wikipedia.org/wiki/Misinformation

[22] False or misleading information that is spread deliberately to deceive. https://en.wikipedia.org/wiki/Disinformation

[23] https://en.wikipedia.org/wiki/QAnon

[24] https://en.wikipedia.org/wiki/Mister_Rogers%27_Neighborhood

[25] https://en.wikipedia.org/wiki/Recurring_Saturday_Night_Live_characters_and_sketches_introduced_1980%E2%80%9381#Mister_Robinson’s_Neighborhood

[26] “Contractors are more expensive than employees” is a familiar refrain, but the calculus behind the logic assumes that a soldier or GS employee will stay on the job until they retire, which means the government is on the hook for all those years of salary and benefits, plus their retirement expenses, which could go on for decades. In theory, a contractor may only work on a government project for 4 or 5 years, after which they would move on. That makes them expensive now, but not in the long run. In reality one can complete a career in military or government civilian service and get hired on as a contractor doing effectively the same job, often in the same agency, and log another 20 years supporting government projects. Contractors are more expensive than employees, but then the use of contractors has nothing to do with economics, and everything to do with politics and culture. The government uses

[27] https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF

[28] https://www.meritalk.com/articles/senate-bill-asks-for-dhs-study-on-hack-back-options/

[29] https://www.cnn.com/2013/09/27/politics/nsa-snooping/index.html

[30] https://nypost.com/2021/07/13/facebook-reportedly-fired-52-workers-who-were-caught-spying-on-women/

[31] https://en.wikipedia.org/wiki/Eye_for_an_eye

[32] https://www.nbcnews.com/news/world/canadian-sentenced-11-years-china-spying-case-tied-huawei-n1276524

[33] https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

[34] https://en.wikipedia.org/wiki/Unrestricted_Warfare

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if we were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department in case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discreetly of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-day and the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things haven’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually work. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflict harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).

Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is a complicating factor of the difficulty of getting engineered weapons to places that are not war zones, but like the improvised explosives used in Boston, digital weapons are easy to obtain or, if you’re clever enough, build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflects an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government it’s “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas it is ill-suited. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag is furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel to understand what the most common reaction to “someone is intentionally focused on stealing our ideas” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to may have little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting may not be open to or pursued by the US; or in the normal course of events, what made the IP valuable at the point of compromise might change, making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute. Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not seriously impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if you remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistently in D and F territory and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.