Spies can't make cyberspace secure AND vulnerable to their own attacks

Originally published at: http://boingboing.net/2014/12/07/spies-cant-make-cyberspace-s.html

Sure they can, just ask 'em.

Until now, the NSA has had a cozy relationship with corporate America. But I don’t expect they bother to distinguish between amazon dot com and amazon dot co dot uk. It’s really their own secrets and their own power at stake, not “the national interest.” When corporations realize this, (and they are,) all hell is going to break loose.

1 Like

Just to point out that “exceptionally grave damage” is the term of art to justify a top secret classification.

1 Like

When I am training a new security guy, I have to break them of several false assumptions.

They always believe that effective defense can be learned from the lessons of attack. If you base your defense on preventing attack, you concede initiative. You also cause yourself to spend too much, defending too late, at the wrong locations. Defense that is driven by attack is ineffective defense.

The reality is that the focus and skills of effective defense are very different from the focus and skills necessary to attack. This is Sun Tzu and Clausewitz 101, but it always comes as a surprise to the trainees. Attack must inform Defense, but that is almost the limit of it’s contribution. Last year, I gave a presentation on the principles of effective defense to a security conference: https://it.wiki.usu.edu/UtahSaint2013Defense

The gist of it is:

  • Attack focuses on short term objectives. When immersed in the dance of attack and react, you lose sight of your long term objectives.
  • Reacting to Attack causes you to focus on the attackers agenda. You almost always lose sight of your own agenda.
  • Security is actually increased by providing a meaningful assurance that your goals are being accomplished.
  • We begin to create security when we teach Security folks how to support institutional goals.
  • Attack can be sharp and pointy. Defense must be deep and broad. The more people involved in Defense, the better. They must agree on purpose. They must be a community.
  • The first and most important layer of Defense is to engage and motivate the community.
  • The second critical layer of Defense is to create, prioritize and maintain clearly articulated and agreed on community goals.
  • The third critical layer of Defense is to defend the goals against substitution, dilution or distraction. Only here at the 3rd layer do you begin to consider the lessons learned from attack.
  • Secrecy does not enhance meaningful community security. Secrecy blinds security. Secrecy blinds the community. Secrecy isolates security from it's community. Secrecy favors the illegal over the legal, the private agenda over the public agenda, the attacker over the community.
An organization that is devoted to Attack (like the NSA) is exactly wrong to drive CyberDefense. The NSA has the wrong agenda. The NSA has the wrong focus. The NSA has the wrong skills. The NSA has a crippling addiction to secrecy. The Department of Health, or the Department of Education would do a much better job. They would also be cheaper and provide better accountability.

Another big problem is that there is no such thing as a safe or passive CyberWeapon. They aren’t like tanks. You can’t park them somewhere when you aren’t using them. CyberWeapons come with enormous and crippling costs:

  • Every CyberWeapon requires tolerated (possibly encouraged and created) vulnerability within your own defenses. We all use the same internet. We all use the same tools. You can't create vulnerability in your potential opponents and somehow eliminate it in yourself.
  • CyberWeapons have a horribly short lifespan. If you are going to have them, you have to create new ones all the time. You have to tolerate or create new vulnerability within yourself all the time.
  • CyberWeapons are nothing like nukes. They don't require massive infrastructure. If the vulnerabilities exist, any nation with access to the internet can create and deploy CyberWeapons.
  • You can not deploy a CyberWeapon against your opponents without giving them the ability to use it against you.
  • The time between you using a CyberWeapon on an enemy and them using it against you is almost always less than the time it takes to fix the underlying vulnerabilities within yourself.
  • CyberWeapons are useless unless they are wielded by practiced people who are expert in penetrating your possible opponents defenses. The only way you have this kind of people is if they are actively attacking your possible opponents **all the time**. In order to have an effective Cyber attack force, you have to wage continuous Cyberwar. if you stop attacking, you cripple your ability to attack.
  • Thanks to the whistle-blowers, we now know that the US/NSA has launched premeditated, unilateral, unannounced Cyberwar against the entire world (including our own population) for years. We are not the only ones who do this. The first act of war has been penetration and subversion of everybody's defenses. The second act of this omnipresent war has been appropriation of resources. It sometimes precedes further.

Based on what we know now, it is clear that waging Cyberwar is a self destructive and criminal act against our own civilian interests. Our only sane action is to immediately engage in diplomatic actions to stop the Cyberwar. We should immediately, unilaterally stop attacking other nations. We should levy diplomatic and trade sanctions against any nation found guilty of waging Cyberwar. We should classify Cyberweapons as weapons of last resort. They should be considered in the same class as nukes and biowar weapons.

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.