Speed and Scale

News about ransomware gang takedowns and ransom recoveries makes for great headlines, and the way some people talk you’d think we had this ransomware thing licked. But while these are certainly “wins,” they’re not really having a noticeable impact, and if we keep going at these issues in a plodding, ad hoc, linear fashion they absolutely won’t.

Not that long ago, botnet takedowns were receiving similar levels of attention. I was lucky enough to be a part of some of these actions. Nay-sayers at the time said there was no real impact because replacements popped up so quickly. I was inclined to agree, but argued that the value of such actions would be realized once more people could do them, and do them more often.

Botnet takedowns required a lot of challenging legal legwork. If you’ve ever worked with lawyers, you know very few of them like to be at the cutting edge. In a system that places a high value on precedent, being the first at anything poses a serious risk of failure. But once that nut was cracked and a few cases got through the system, the potential to move a lot faster in more jurisdictions seemed like a real possibility.

Years later, botnet takedowns are still not a frequent occurrence, even though botnets are certainly still a thing. This is, to my mind, one of the bigger ‘shames’ in this space (“it’s a shame that…” not shameful behavior), because if we could manage to take down multiple botnets on a weekly basis vice, say, one a year, it dramatically drives up the risk factor (and potentially the cost) for would-be botnet creators. If you’re more likely to get hit by a meteor than arrested, life as a digital crime lord seems pretty attractive. As soon as prison becomes likely, suddenly it is time to consider getting a regular job.

Bad actors will always have a number of advantages over defenders and law enforcement. In some cases you’re dealing with super-empowered individuals, who can work much faster than adversaries that have to operate in an industrial-age model, be sure to address the ‘equities’ of all the ‘stakeholders’ involved, fight for budget, hunt for increasingly rare talent to do the work, etc. Especially when you’re dealing with governmental organizations, “taking down 1000 botnets” is probably not a bullet on anyone’s performance evaluation. From the organization’s point of view it is important to “measure what matters,” but from the employee’s point of view all that matters when it comes to applying effort is what is measured. These types of activities require extensive industry cooperation, and such measures are not revenue-generating. Read into that what you will.

The work that goes into both botnet and ransomware takedowns is not insignificant, and those involved deserve to be recognized and congratulated. But until actions like these become so commonplace that they cease being news, they are novelties. Unless government, defenders, and industry can devise a system of processes and incentives that make such actions practical and rewarding, such activity will eventually wane, and it will be like nothing anyone did mattered.

Buccaneer.com 2.0

Fifteen years ago, parallels between the age of piracy and the state of cyber-insecurity illustrated how we might combat malicious online activity by leveraging private resources. While the call to do just that has grown louder over time, there are still those who feel the increased use of private sector resources for computer network operations is a controversial issue. Enthusiasts tend to have a facile understanding of certain absurdities and dangers, while their opposites fail to recognize just how far-gone things are. Privateering is reality. The only outstanding issue is how much autonomy private concerns will be given going forward.

Securing resources and technologies that depend on the Internet to function is a national security issue. That hasn’t changed in 15 years.[1] Neither has the fact that cyber threats have grown at a pace that exceeds both government’s and industry’s ability to address them. The cybersecurity market is $156 billion strong,[2] yet victims still fall prey to the same sorts of problems identified decades ago. We have a National Security Agency,[3] Cybersecurity and Infrastructure Security Agency,[4] ISACs,[5] ISAOs,[6] and service and national level cyber commands,[7] but there has been no obvious indication that their existence has made our adversaries – both state and non-state – think twice about conducting offensive actions against us.

We attempt to address these issues at the national level with familiar but flawed ideas like arms control and deterrence, because in policy-making circles we are heavy on students of Kahn and Kissinger and Kennan and light on people who know how the Internet actually works. Concepts like “defend forward” and “persistent engagement” are attempts to improve our ability to display strength, but with no statistics from the government to illustrate how effective such measures are, we are left to look at things like the effects of the scourge of ransomware and assume that while we may have turned the dial up, we’re still closer to 0 than 11.

At the time Buccaneer.com was written, the idea of adopting a privateering model was novel, even if the range of complications was extensive and seemingly intractable. Yet the reality even then was that we could neither defend ourselves nor take the fight to our adversaries if it were not for people who are effectively combatants and who draw their salaries from private payrolls, not the U.S. Treasury.

A Spade by Any Other Name

The word “privateering” in relation to online activity evokes a number of strong emotions and allows imaginations to run wild. Privateering is the employment of private sector resources to conduct activity authorized by the government in furtherance of national policy. It is not restricted to offensive activity, and it is not about acquisition or recovery of “treasure.”[8]

Privateering is not “hack back” – allowing the victims of attacks to attempt to retaliate against their attackers. Hack back is vigilantism: an emotionally satisfying idea, but one that only makes sense if you suspend a great deal of disbelief about the capabilities of the average private concern. Some will look at “privateering” and “hack back” and see a distinction without a difference. But hack back is illegal under 18 U.S.C. 1030,[9] while the government has regularly employed private sector resources in support of national policy since the founding.[10] In this context we just don’t call them privateers, we call them contractors. Viewed through that frame, privateering is not an issue for debate, it is a fait accompli.

Sounds Like a ‘You’ Problem

Most commentators get wrapped around the axle about the idea of privateering because it sounds like we’re outsourcing the right or authority to wage war. Now, the use of Authorizations for the Use of Military Force and not Declarations of War is a serious topic in political circles that – after a 20-year war of great cost and nominal value – needs to be resolved.[11] And the extensive use of private military companies in Afghanistan and Iraq (and the crimes and general bad behaviour of same – proven or alleged) only adds fuel to the fire.[12] So the idea that we would extend that sort of thinking and behavior onto the medium that plays such an increasingly important role in our lives does seem at best irresponsible and at worst catastrophic.

Yet adversary[13] governments[14] have no qualms about using private actors to execute online tactics in support of national policy. The primary reason we look askance at such efforts is that we emphasize the use of private sector resources for defensive or supporting functions,[15] yet every agency with the authority to conduct Computer Network Operations (CNO)[16] does so with the help of contractors. Our offensive power would be a shadow of itself were it not for commercial concerns who can attract and retain the talent necessary to staff an effective capability. If you are at all familiar with the military services’ inability to retain pilots,[17] linguists, or other highly skilled practitioners with rare talents, you understand the dynamics at work.

In fact, if it were not for the defensive role contractors have played over the years, our offensive capabilities may not have evolved as quickly or grown to the size they are today. Government and private sector collaboration (overt or discreet) is laid bare with every indictment filed or accusation levelled against a foreign officer or agent. It is unlikely that all the data necessary to make such statements comes exclusively from governmental sources. This is the private sector supplying the government with ammunition of sorts, not treasure.[18]

Westphalia Online: Does Not Compute

Governments do not have a monopoly on the ability to project power online. They never have. In the physical world you might own a gun, but you cannot wage war. The government is the sole arbiter of decisions like that. Yet every conference, panel, seminar, or working group held on these issues always consists of experts in government or policy, not technologists or CNO practitioners. This is why we have so many discussions about “norms” and ideas like a “Digital Geneva Convention” [19] when, if they had invited a few people with online “combat” experience, the folly of that sort of thinking would have been painfully obvious.

It is not that we should not try to make cyberspace a better place, but for everyone who still holds on to those early pipe dreams of what good the ‘Net would do, note that even John Perry Barlow didn’t believe his initial ravings at the end.[20] In fact monetization – of misinformation,[21] disinformation,[22] deep fakes, and “Q”[23] – has almost certainly driven more minds to close than open, and spread more hate than peace, love, and understanding. We dream of Mr. Rogers’ Neighborhood[24] while we live in Mr. Robinson’s Neighborhood.[25]

And while cyberspace may have physical underpinnings that can be controlled (or destroyed), the military doesn’t actually have a lot of say when it comes to the control of that environment. The U.S. Air Force cannot control the weather, but they use technology that enables them to fly regardless of the weather. Likewise, Cyber Command doesn’t control the Internet, service providers do, but there is no technology that can help them overcome that issue. We do not know how closely government and telecoms may collaborate, but here is one thing I think we can all agree on: if someone started a “cyber war” that started to interfere with revenue, there is probably an EVP at Verizon or Deutsche Telekom who has more power over the outcome of that conflict than any General does.

Whether we are talking about medieval free lances, or hackers with government sanction, the point of using contractors is the same: it allows the government to put the right – rare – resources against a problem for as long as that problem exists, and to disperse them when the job is done. The use of the private sector to address cyberspace-related issues works well because no government agency can afford to attract and retain the necessary talent for a career,[26] and they most certainly cannot move at Internet speed. Our adversaries know this and embrace it,[27] but we are only now proposing that these ideas be studied.[28]

The Real Issues

The use of private sector resources to support government policy is not controversial; increased autonomy for private sector resources is a very real risk that warrants serious discussion and broad input. Imagine you have the authority and ability to gain access to some of the most sensitive systems a country or state-owned enterprise may have. As we have seen with regards to much more trivial matters, there is a sub-set of people who simply cannot be trusted.[29] Temptation of this sort exists regardless of where your paycheck comes from and no matter how trivial the matter.[30]

Opponents of increased involvement of private actors fear that adding one or more players to the list of belligerents is a sign that government is giving preference to lex talionis over other courses of action.[31] Such a move would certainly stand in contrast to lightweight actions like indictments, but the real danger is not at the national level but the personal one. It is only a matter of time before U.S. CNO practitioners will find themselves the targets of legal (and possibly extra-ordinary) action by other nations. Ask Michael Spavor or Michael Kovrig how they feel about being pawns in the digital great power competition.[32]

More aggressive activity carried out online by incentivized private actors triggers the hand-wringing crowd, who are concerned about the negative impact of increased adversary activity on the quality of life in a heavily tech-dependent society. Yet they can only point to ‘what ifs’ and short-term examples of their proposed extremes. What is almost universally absent in their calculus is how societies in adversary nations will respond when they find themselves in the same situation, and their response to the actions of their own industry and government. This is not to say that our strategy should be an advanced game of ‘chicken’ but a recognition that good equations have balance.

It is also important to note that no matter how adversarial your relationship, there is very little value in damage or destruction. Events like Stuxnet or Saudi Aramco[33] are notable for many reasons, not the least of which is that they’re rare. You want the other side to recover because they’re just going to put more valuable resources back online. It might be harder to compromise them, but it is never impossible.
Of the super-power class of nations practicing CNO, we’re the only one debating whether or not the private sector should play a role in CNO, while conveniently ignoring the fact that the private sector is effectively the backbone of our CNO capabilities. It is as if the literal lack of eye patches and parrots is creating some sort of cognitive dissonance amongst otherwise clear-thinking people. Our adversaries are not encumbered with such burdens. They literally wrote the book on this sort of thing decades ago,[34] which we talked about, but then promptly ignored because it ran counter to our preferred way of waging war.

Privateering is still the most feasible approach to the problem, especially given the changing dynamics associated with the projection of power, though one that could have serious repercussions if allowed to expand without careful management and diligent oversight.

The only real alternative to privateering – a large and powerful government enforcement capability – is unlikely. The excessive cost of such a capability and lack of political will are the two key mitigating factors. One need only look to the inadequacy and unoriginality of governmental efforts to retain cybersecurity experts to realize there is no scheme that troops would find attractive, that government can afford, or that organizations would find palatable on cultural grounds.

A greater level of autonomy amongst private actors would require a strong, independent, and transparent mechanism for oversight. But this begs the question: in the midst of a talent shortage, where would we draw sufficiently skilled and knowledgeable practitioners for an oversight function? Who wants to join the watchers, when the do-ers are making 3x the money?

Our insistence on fighting in a certain way, or viewing issues through frameworks that are understood rather than applicable, is not a uniquely American phenomenon, but one we seem to excel at. By that I mean we would rather subject ourselves to unnecessary misery, expense, and loss over an extended period of time in the name of culture rather than point out imperial nudity. Suffering is not a virtue when justifiable options exist that address the problem as it is, not as we wish it to be.

The argument over privateering has run its course. National insecurity in cyberspace is not a problem that is going to be effectively addressed by a tactic, but by the formulation and application of technically coherent policy. That will not happen without the increased involvement – at a level of parity with those proficient in policy – of those with technical acumen at the strategic level.

[1] https://www.haftofthespear.com/wp-content/uploads/2021/04/Buccaneerdotcom.pdf

[2] https://www.globenewswire.com/news-release/2021/03/17/2194254/0/en/Global-Cybersecurity-Market-Size-to-Grow-at-a-CAGR-of-12-5-from-2021-to-2028.html#:~:text=The%20global%20cybersecurity%20market%20size,the%20global%20market%20for%20cybersecurity.

[3] https://nsa.gov

[4] https://cisa.gov

[5] Information Sharing and Analysis Center https://www.nationalisacs.org/

[6] Information Sharing and Analysis Organization https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos

[7] https://en.wikipedia.org/wiki/United_States_Cyber_Command

[8] https://www.zdnet.com/article/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history/#:~:text=NSA%3A%20Cybercrime%20is%20%27the%20greatest%20transfer%20of%20wealth,to%20support%20cybersecurity%20legislation%20being%20pushed%20through%20Congress.

[9] https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)

[10] https://www.history.com/news/american-privateers-revolutionary-war-private-navy

[11] https://www.fcnl.org/updates/2021-04/2002-iraq-aumf-what-it-and-why-congress-should-repeal-it


[13] https://www.nytimes.com/2020/03/29/technology/russia-troll-farm-election.html

[14] https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion

[15] https://www.fedscoop.com/recorded-future-cyber-command-contract/

[16] https://apps.dtic.mil/dtic/tr/fulltext/u2/a506188.pdf

[17] https://www.defenseone.com/ideas/2021/04/usafs-bad-bets-pilot-retention-show-it-needs-outside-help/173431/

[18] https://www.scientificamerican.com/article/how-the-chinese-cyberthreat-has-evolved/

[19] https://www.cnbc.com/2018/01/26/microsoft-calls-for-new-digital-geneva-convention-after-spate-of-high-profile-cyberattacks.html

[20] https://www.eff.org/cyberspace-independence

[21] False, inaccurate, or misleading information that is communicated regardless of an intention to deceive. https://en.wikipedia.org/wiki/Misinformation

[22] False or misleading information that is spread deliberately to deceive. https://en.wikipedia.org/wiki/Disinformation

[23] https://en.wikipedia.org/wiki/QAnon

[24] https://en.wikipedia.org/wiki/Mister_Rogers%27_Neighborhood

[25] https://en.wikipedia.org/wiki/Recurring_Saturday_Night_Live_characters_and_sketches_introduced_1980%E2%80%9381#Mister_Robinson’s_Neighborhood

[26] “Contractors are more expensive than employees” is a familiar refrain, but the calculus behind the logic assumes that a soldier or GS employee will stay on the job until they retire, which means the government is on the hook for all those years of salary and benefits, plus their retirement expenses, which could go on for decades. In theory, a contractor may only work on a government project for 4 or 5 years, after which they would move on. That makes them expensive now, but not in the long run. In reality one can complete a career in military or government civilian service and get hired on as a contractor doing effectively the same job, often in the same agency, and log another 20 years supporting government projects. Contractors are more expensive than employees, but then the use of contractors has nothing to do with economics, and everything to do with politics and culture. The government uses

[27] https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF

[28] https://www.meritalk.com/articles/senate-bill-asks-for-dhs-study-on-hack-back-options/

[29] https://www.cnn.com/2013/09/27/politics/nsa-snooping/index.html

[30] https://nypost.com/2021/07/13/facebook-reportedly-fired-52-workers-who-were-caught-spying-on-women/

[31] https://en.wikipedia.org/wiki/Eye_for_an_eye

[32] https://www.nbcnews.com/news/world/canadian-sentenced-11-years-china-spying-case-tied-huawei-n1276524

[33] https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

[34] https://en.wikipedia.org/wiki/Unrestricted_Warfare

C.R.E.A.M. IoT Edition

I didn’t get to see the discussion between Justine Bone and Chris Wysopal about the former’s approach to monetizing vulnerabilities. If you’re not familiar with the approach, or the “Muddy Waters” episode, take a minute to brush up, I’ll wait….

OK, so if you’re in one computer security sub-community the first words out of your mouth are probably something along the lines of: “what a bunch of money-grubbing parasites.” If you knew anyone associated with this event you’ve probably stopped talking to them. You’d certainly start talking shit about them. This is supposed to be about security, not profiteering.

If you’re in a different sub-community you’re probably thinking something along the lines of, “what a bunch of money-grubbing parasites,” only for different reasons. You’re not naive enough to think that a giant company will drop everything to fix the buffer overflow you discovered last week. Even if they did, because it’s a couple of lines in a couple of million lines of code, a fix isn’t necessarily imminent. Publicity linked to responsible disclosure is a more passive way of telling the world: “We are open for business” because it’s about security, but it’s also about paying the mortgage.

If you’re in yet another sub-community you’re probably wondering why you didn’t think of it yourself, and are fingering your Rolodex to find a firm to team up with. Not because mortgages or yachts don’t pay for themselves, but because you realize that the only way to get some companies to give a shit is to hit them where it hurts: in the wallet.

The impact that vulnerability disclosure, in any of its flavors, is having on computer security is not zero, but it’s not registering on a scale that matters. Bug bounty programs are all the rage, and they have great utility, but it will take time before the global pwns/minute ratio changes in any meaningful fashion.

Arguing about the utility of your preferred disclosure policy misses the most significant point about vulnerabilities: the people who created them don’t care unless it costs them money. For publicly traded companies, pwnage does impact the stock price: for maybe a fiscal quarter. Just about every company that’s suffered an epic breach sees their stock price at or higher than it was pre-breach just a year later. Shorting a company’s stock before dropping the mic on one vulnerability is a novelty: it’s a material event if you can do it fiscal quarter after fiscal quarter.

We can go round and round about what’s going to drive improvements in computer security writ large, but when you boil it down it’s really only about one or both of two things: money and bodies. This particular approach to monetizing vulnerabilities tackles both.

We will begin to see significant improvements in computer security when a sufficient number of people die in a sufficiently short period of time due to computer security issues. At a minimum we’ll see legislative action, which will be designed to drive improvements. Do you know how many people had to die before seatbelts in cars became mandatory? You don’t want to know.

When the cost of making insecure devices exceeds the profits they generate, we’ll see improvements. At a minimum we’ll see bug bounty programs, which is one piece of the puzzle of making actually, or at least reasonably, secure devices. Do you know how hard it is to write secure code? You don’t want to know.

If you’re someone with a vulnerable medical device implanted in you, you’re probably thinking something along the lines of, “who the **** do you think you are, telling people how to kill me?” Yeah, there is that. But as has been pointed out in numerous interviews, who is more wrong: the person who points out the vulnerability (without PoC) or the company that knowingly lets people walk around with potentially fatally flawed devices in their bodies? Maybe two wrongs don’t make a right, but as is so often the case in security, you have to choose between the least terrible option.

Cyber Responsibility: The Trickle-Down Effect

There was a time when cyber security was the sole responsibility of IT, but those days are long gone. Today’s executives know better than to presume themselves and their enterprises immune from a cyberattack, which is why staying safe online requires more than an old “do as I say” mentality. A pair of Cisco leaders, CEO John Chambers and SVP and Chief Security and Trust Officer John N. Stewart, place the responsibility squarely on the leadership’s shoulders. “The CEO must make it clear that security is not just an IT problem—it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.” (CIO)

Toujours en Avant. I just made this very same argument recently to a room full of CxOs and board members, to varying levels of agreement. You’re never going to convince someone who has had the ‘lead from the front’ mantra drilled into his psyche that there is any other approach, but then in business circles not everyone at echelons-above feels the same way. Regardless of your leadership style remember one thing: people will focus on whatever they are rated on or compensated for. If cyber security is not something that impacts their personal bottom line, they won’t do it regardless of what you say or do.

Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government it’s “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t, here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas it is ill-suited for. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag is furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel to understand what the most common reaction to “someone is intentionally focused on stealing our ideas” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to has little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting isn’t open to or pursued by the US; or in the normal course of events, what made the IP valuable at the point of compromise might change making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute. Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not seriously impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if you remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Preparing for the “Wake Up Call”

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new General Accounting Office report has found.

Chinese in the wire, AQ running loose online, laptops walking off, annual report cards consistently in D and F territory, and the 800 lb simian in the corner is the insider problem. NCW? IO? Land Warrior? Not if someone else owns the systems. The wake-up call has been made; we just keep hanging up.