I’ve seen a lot of stuff in the press recently about cyberwar, both as a complement to traditional military action and in the sense of a shadow war that may occur between nations that are ostensibly not at war with each other. And don’t even get me started on Advanced Persistent Threat. If I tattooed “APT” on my ass and walked along 101 naked, I’d have VCs stopping and handing me bags of cash. I have, in the past, publicly scoffed at the idea that the U.S. or any of its close allies is in any way competent to prosecute a cyberwar. Neither offensive nor defensive capabilities exist in proportion to the threat. We are as unprepared for this threat as we were for people with box cutters to commandeer planes on 9/10. I see several reasons why this will not change any time soon.
The first reason is economic. Anyone who does computer security knows that increasing security almost always decreases the utility of a system to users. It would be much easier if we didn’t have to use passwords, right? The same is true on a much larger scale; to secure our financial institutions, utilities, transportation, and communications would cost a lot of money. Not just a one time stimulus package, either, but huge ongoing costs in the form of less convenience and lower productivity. The problem is, who is going to bear this cost? The software vendors, whose software isn’t secure enough because they want to deliver the most useful software they can, as fast as they can? Private industry, who skimps on infosec spending because they figure the cost shouldn’t be borne by them alone, and it affects their bottom line? The government, who, even if it was politically palatable, would then be faced with the task of going in to every software vendor and large organization and enforcing standards?
Security spending is like insurance. It has to be less money than what you expect to lose if you don’t spend it. So credit card companies will come up with ways to keep fraud at manageable levels. The expected loss is calculated by multiplying financial loss by the likelihood of it occurring. But no one thinks a large scale cyberattack with devastating consequences is likely right now. They appear to find it even less likely than, say, a huge earthquake or similar natural disaster, to judge from how much they spend on cybersecurity compared to traditional business continuity. How many companies have a business continuity plan that specifically deals with a widespread cyberattack? How would you even begin to recover if your network was toast, all your servers were pwned, your desktops were suspect, you couldn’t verify which backups were good, you had contaminated a bunch of your vendors, partners and customers, and all of your corporate Blackberries refused to do anything but play “Taps”? What if it happened to a dozen major stock exchanges on the same day?
The second reason can be deduced from the first. Traditionally, at least in recent centuries, a country’s defense is outsourced to a professional military class, which includes, for purposes of this discussion, border patrol, Coast Guard, etc. (or the equivalent in your locale.) Most citizens, corporate employees and organizations are not responsible for preventing an attack on a day to day basis. In cybersecurity, however, the attackers are essentially already inside the national boundary. Everyone who uses a cell phone or computer is at risk of being personally attacked, at any time, by a nation-state level adversary. I’d say it’s like living in a nation of walled towns, where transportation between towns is only via heavily armed and armored caravan, but it’s worse than that. If the towns are corporate networks, where some of the risk has been centralized on to corporate IT departments, and the transportation is encrypted network traffic, then we live in a nation of walled commercial centers, where everyone lives outside the walls, and is, therefore, on their own in case of an attack!
Don’t jump to the conclusion that we should build a Great Firewall, that every country should. For one, it wouldn’t work. We need to realize that we cannot draw a circle around a piece of the Internet the way we can around a piece of land and treat it as a single, defensible entity. Like it or not, every one of us is a combatant.
Finally, the biggest reason of all for losing the cyberwar is having the wrong people fighting it. Do you really think that anyone in the federal government or the upper levels of the Pentagon understands computer security? No. Fucking. Way. I have a friend of a friend of a friend who advises a Secretary on cyber security. Is this person a former black hat? A Ph.D. in computer science? Someone who has spent 20 years in the trenches? No, they’re a politically savvy bureaucrat with an MBA in Management or some such bullshit. The people who are making decisions now were already almost retirement age when the Internet, email and cell phones got big.
But wait, they’ve got a cadre of smart, young up-and-comers to advise them, right? Wrong. The people who understand computer security are hackers, in the original sense of the word. They try things that aren’t supposed to be possible. They demand hard evidence before they believe. They question things and find out the difference between the artificially created rules and the actual limitations of reality. They have little use for social mores that don’t make sense.
These kind of people will never, ever get a security clearance, succeed in the military, or even be interested in joining it. People who succeed in the military and intelligence communities have to be good at following rules, at conforming, and most of all at Believing. Hackers aren’t good at any of those things, or, by definition, they are not hackers. Also, hackers don’t agree that, say, marijuana is evil and alcohol is good just because of an arbitrary law. They sometimes have weird religious beliefs, unusual lifestyles, and a tendency to speak out strongly about things they believe in. None of these is conducive to getting a TS/SCI.
Take a look at the presentations at Black Hat or something. The most interesting technical talks are by people who have ponytails, haven’t shaved, are wearing a T-shirt and are often not the best public speakers. The guys who work for the feds, vendors or big name consulting companies have metrosexual haircuts, a CISSP, and a 3 year old Bachelor’s degree. They give talks on “methodologies” and insert not-so-subtle plugs for their products. These are the “security gurus” for the feds and contractors like Blackwater and CACI.
Oh, I’m sure there are some brilliant people hidden away in the basements at Ft. Meade and Langley; they just aren’t allowed to speak at Black Hat. And certainly, some of the TLAs have no qualms about hiring a “real” hacker for certain jobs, regardless of security clearance; they just won’t admit it. But by and large, the people making decisions – and even implementing those decisions – about cybersecurity on a national level are entirely unqualified to do so.
Some of you will say, oh, he’s just bitter because his last name is “Cocaine” and he can’t get a job doing cool white hat stuff. Nah. I like the life of a freelancer, and I’m sure not cut out to be a cop. Cubicles make me itchy. But that’s what I’m saying – the two mindsets are almost completely exclusive of each other.
Anyway, enough bloviation. See you after the #Hackpocalypse.