Sunday, March 21, 2021

Cyber is perfectly fine for Signaling

The other day I read an article about cyber signaling. Signaling in international relations contexts confuses me because so much of it is about an uncertain reality, and the truth behind intentions is never known, and it weaves so much geopolitical and military context together.

I pasted a section of the article, including links to the authors, below.

To quickly summarize the article's arguments, as I saw them, I also include the following bulleted list:
  • Cyber Signals are easily muddled or misconstrued, such as with overall noise or system outages.
  • Reliance on "attribution" may make Signals delayed (and hence, less powerful)
  • Hard to say what a cyber event was intended to Signal
  • Most cyber events don't cause big visible effects which makes them cheap (and hence, basically worthless)

The article mentions that yes, nations can call each other on the phone after a cyber event has happened, and point out why that event happened and provide additional threats and context.

I would say these arguments are unpersuasive, and that cyber both IS and HAS BEEN great for signaling between nations and often also between non-state actors.

First I think signaling can be split nicely into warnings and demonstrations of capabilities, and these are not the same things. But to start off, I want to tell a few stories of yesteryear.

Back in 2002, there was a mailing list known as Bugtraq that was used the way Twitter is used now - to post flotsam and jetsam about information security, including exploits. At the time, ISS XForce was, as the name might imply, a pretty powerful force. They released a number of great exploits and had a lot of talent that went on to do great things, but that's not the story I'm trying to tell.

Back in 2002 ISS XForce announced a vulnerability in the Apache Webserver - one that was only exploitable on Windows. This was essentially a "good" bug, but worthless in the sense that most people running Apache were not on Windows. 

Then, out of nowhere, a hacking group known mostly for shitposting published a working and reliable exploit for that same vulnerability, but one that affected Apache on Unix operating systems, complete with an advanced shellcode, as you can see from the article below, and this made people reassess the situation.

I don't mean "reassess the situation about Apache". What I mean is that a lot of us were thinking "Hey, maybe the best in the world doing commercial work and releasing exploits to vendors are not, in fact, ahead of this game". This wasn't about Signaling in the sense that one nation was trying to deter or coerce another. But it was Signaling in the sense that one community ("hackers") was pushing back on another community ("the commercial security market").  

That brings me to TianFu Cup. 

If you don't know about it, the TianFu Cup follows in the tradition of Pwn2Own and other hacking contests in which you use an 0day on a product in a demonstration, and then you get money as a prize and the contest gives the 0day to the vendor to be fixed (in most cases). These contests are often watched carefully and vendors often drop patches to their products right before them, in an attempt to make exploiting them difficult. 

Except that while even the highest end contests in the US have notable successes, none have ever reached as high as TianFu Cup does effortlessly, when one of the researchers owns every major browser, and every other hard target falls as well. You can compare this to the 2020 Pwn2Own here.

Again, this is a stunning display of not coercion or deterrence, but capability. 

But there ARE lots of examples of coercion and deterrence in cyber. I will list them below in my favorite thing, a bullet-list:

If anything, cyber signals (and other covert but demonstrable effects) are extra powerful because they can say "KNOCK THIS OFF" without saying who sent it, or HOW they managed to send that signal - which in some cases is a lot scarier.

Likewise, countries signal with policy changes. They announce quite clearly when they move to a more aggressive posture, or when they step back. You can't go two weeks without some country or another, like New Zealand, announcing their own private interpretation of how international law applies to Cyber.

But that doesn't mean signals aren't also done with restraint, or through side notes in Track 2 meetings. The HolidayBear attack is a lot less transgressive than the NotPetya attack. The Exchange server hacks are an element of continued relationship breakdown between the US and China. Leaking data as a "signal" is an element of the original terminology of the cyber domain ("Dropping a mailspool" being the traditional term). And we continue to see that to this day. It's probably worth pointing out that while leadership-to-leadership is often required for traditional military capability signaling, Twitter with its pseudonymous accounts is often good enough for cyber.

Incident response can also be used for signaling. Many major anti-virus or endpoint protection firms make efforts to signal, by exposing US or allied operations, that they are international companies, wishing to do business in China or other locations. And this can get even more complicated, since many incident response firms will downplay the findings from particular countries they wish to curry favor with or exaggerate those from "adversaries". 

In conclusion, signaling with cyber is both effective and likely to continue.

Thursday, January 21, 2021

While in Kyoto, a comprehensive review of Cyberpunk 2077

Until recently I hadn't realized just how terrible I was at playing video games. And now after finishing Cyberpunk and watching a bunch of "spoiler" reviews I realize most people think the goal of these games is to increase some stats numbers so that the already braindead enemy AI is somehow even easier to beat up. Anyways, here's how you play open world video games, or as they will be known in the future: Games. 

1. Don't watch tips videos of any kind or read articles on the "best netrunner build" or any of that nonsense.
2. When you create a character, it's like in DnD where you are pretending to BE that character. Try to keep your roleplaying consistent! But also, the goal is to experience the world, which means doing ALL the side missions and reading all the various little texts that lay around the world explaining everything.
3. By the time you reach the cyborg-alien end-boss you will have become death, the destroyer of worlds, but you will also be OF the world, and a piece of it will stay with you even when you log off.

Anyways, here's my one line review of Cyberpunk 2077: it's a goddam masterpiece of art. It is better in its own way than GTAV's joyful nihilism, or RDR 2's detailed reminiscence, Skyrim's pathological weirdness, or even Breath of the Wild's cultured perfection. People online have spent gallons of ink complaining about the various bugs, but you know what else has bugs? Everything.

We spent the last four years fuzzing out why having a unitary executive is as bad an idea as a monolithic kernel and so it didn't bother me in the slightest when some UI element wouldn't disappear or a car dropped in from nowhere. That's just part of the game - the world is a buggy place.

By "art", I don't mean the graphics, which, yes, are amazing - and in particular the animations of everything bring the characters to life in a way no other game really has - when some street busker plays a guitar, his fingers move in the correct chords in the correct times. What's truly exquisite about Cyberpunk 2077 is the writing and story and world creation. At the end, as a guard walks you to your cell/hospital room, he recites a poem to you, although the world is purple due to malfunctioning neural connections, and the concept of "you" itself has taken a royal beating.

While in Kyoto, I hear the cuckoo calling,
and long for Kyoto.

This is a fairly famous Basho Haiku, but it's a BETTER TRANSLATION than the most popular ones you will find on the internet or in books. And that's how the game's world building works: It's a better translation of the Cyberpunk gestalt than the books and movies that came before it.

It's possible that this game is not as good if you have not been immersed nearly from birth in hacker culture. We slip into the lingo of this game like it was tattooed on us underneath our clothes. Cyberpunk as a genre has always been about a crisis of identity as the wave of modern technology washes over it - of the concept of identity, not of any one person's identity. 

Seeing a fully realized vision like this is always surprising, like the way puzzles in BOTW tie to the physics engine so beautifully. In Cyberpunk, the physics engine may be janky but it's the philosophical engine that thrums smoothly just beneath the surface of everything. 

One of your first missions introduces you to a clan of post-humanoids, living like everyone else in the world does, through savage grift. They all have faces heavily augmented with metallic cybernetics and it's not until almost at the end of the story that you realize they....look down upon you. Normal humans can't see and hear the things they do. They have music you can't "get". "Dum Dum" is anything but.

One thing that strikes me is how few animals there are now in the real world, compared to when I was a kid. Cyberpunk takes that to its logical extreme - there just aren't any animals. Seeing a feral cat is a treasured experience for the people in this world. Everything is covered in trash - plastic bags of it line every waterway. Various "tips and tricks" on YouTube point out that in the early game you should pick up every little dildo and ashtray and other flotsam that the world is littered with and sell it for spare cash without commenting on why this is so.

If we look into the future, how could this not be the world we created? A newscaster reminds you the city's population has decreased by thirty percent year on year. But this is not a dystopian vision - it's a story of survival at all costs. Of what you have to become to exist. Our societies have grown for so long that we forget they can also contract.

In Cyberpunk's Night City, which is in California, even the weather has changed - sandstorms, but also smogstorms, to the point where the giant solar power farms just outside the city are being decommissioned. All of this is relayed as news while you take an elevator, or snippets of text in documents throughout the city, or in odd bits of optional dialog. 

I've noticed that movies no longer hold anyone's attention - they are both too long and too short. But the characters in Cyberpunk are fully fleshed out - they get more screentime than even a major character would in a blockbuster. And the motivations and drivers behind them are carefully crafted - the ending words of the primary antagonist drive into you like a stake. You slot his inevitable and horrible death as you realize you are the unwitting tool of his evil father. 

The most poignant missions in the game have no shooting at all. Yet they require your participation, which is the sine-qua-non of the artform that is video games at this level. You can't help but be blended at some level with the character you play.

The truth is shooting things is ultimately a futile endeavor if you don't understand the world you live in. I recommend you take the time to experience the depth of the world they created, because it's worth confronting in a way few games are.

Wednesday, December 9, 2020

The Deep Wrong of Kyle on Platform Speech Governance

Kyle Langvardt (@kylelangvardt) recently wrote a piece for Lawfare on Platform Speech Governance - in a sense, how and when can the Government make censorship decisions for social media companies. He drives the argument with theories on how the First Amendment is interpreted and applied (as he is, in fact, a legal specialist in First Amendment law).

  • Editing (by social media companies) is not speech (because if it is, any regulation has to pass strict scrutiny, which it would probably not)
  • Code is not speech (because not all language is speech and therefore govt regulation of social media company code is ok)
  • He also includes some argument about the scale of social media companies meaning that the speech of their customers overrides their own first amendment rights

Each of these arguments is nonsense, but he makes them because the ends justify the means, as stated quite clearly:

He states directly on his podcast that he does not believe there is a particular ideological intent to content moderation at modern social media companies, but that he would be worried if the Mercer family owned them. But we live in a world where the top media and news companies have been owned and controlled by just a few powerful families. He's skeptical that market pressures from the public do anything because the gravity of network effects is too strong, but this is more a feeling than any kind of data-based analytical approach. Social media networks go in and out of style all the time. They add and remove content moderation features as pressured by their customers.

But let's start at the top: Editing is speech and also code is speech. Writing a neural network that scans all of Trump's tweets, and downgrades any tweet that matches their political views is an act of expression. It's highly ironic that a law professor would reach for arguments that had such a keyhole sized view on human expression. 

A banana taped to a wall can be art in the same way. It's not just the code itself that is expression, but also my choice to write that particular code.

It's hard to explain how tortured the arguments made in the paper are - he throws in a straw-man that Google could potentially claim that buying office space in a particular city is an editorial choice, but a better analogy might be a restaurant owner picking their decor and requiring that loud people keep their conversations down, which is more closely a business policy of expression.

Apple made a First Amendment argument in the San Bernardino case - essentially saying that when the Govt forced it to write a backdoor that was a violation of their First Amendment rights. And a similar argument applies here, although perhaps even more clearly.

I also don't think there's any serious reason why scale matters - even Parler has 10M users. I'm not sure we have a threshold for scale anyone could agree on and I don't think we want the courts interpreting First Amendment rights based on how much of a marketshare or stock valuation you have.

What is most worrying about Kyle's paper however, is not the speciousness of his arguments, but the collateral damage of his recommendations. Gutting prior restraint because you are scared of "Viral Content" opens a door to unknown horrors. 

The ends, in this case, not only don't justify the means, but lead to unexplored dangers when it comes to government regulation of public content and the platforms we are allowed to build. For that reason, I highly recommend applying strict scrutiny not just to this paper's recommendations, but to the rest of the Lawfare content moderation project.


Listening to the podcast while you run down the beach is the best way to analyze this piece.



Wednesday, November 25, 2020

Our Top Priority for US Cyber Policy

Progress in cyber policy is mostly apolitical and organic and international. A mistake we in the US have sometimes made is viewing our cyber policy as being purely domestic, when the key feature of the cyber domain itself is to transcend borders and to be interlinked.

If you look at what works for other countries, one policy effort in a major ally stands out as being something we desperately need to adopt: The UK's NCSC Industry-100 platform.

At its heart, it's very simple. Essentially, you can find talent within private industry, ask them to take 20% of their time and donate that as work for the US Government. In exchange, they get experience they can't get elsewhere, and we hold their clearance. 

It requires management, and funding, some basic distributed infrastructure, and the ability to scale, and it requires the will to enact a different way of recruiting and dealing with talent. But the follow-on effects would be vastly out of proportion to what we invest, and we need to do it as soon as possible. With this effort, we solve clearance issues, counterintelligence, recruitment and training, industry relationship building. We inform our government and our technical industry at the same time. Instead of saying private-public partnership, we actually build one. 

It's past time. Let's get to work.

Sunday, November 15, 2020

Fifth order effects

There are methods of cyber policy and strategy thought that various countries keep quiet about the way ADM/TESO kept their 0day. When it takes a long time to integrate information warfare into your techniques and operationalize it and test it and learn from the practice of it, then knowing its relative weight in hybrid warfare before your adversary does is useful enough to hide.

But of course, the same thing is true on the other side. You could call out the United States' primacy in early lessons on ICS hacking as the results of opportunistic investment, or you could see them as payoff for forethought around the policy implications of ongoing technology change, slowly evolving into the Stuxnet-shaped Stegosaurus Thagomizer that pummels any society advanced enough to have email.

Persistent engagement might be one of these. Look far enough into the future on it and what you see is a sophisticated regime of communication strategies to reduce signal error between adversaries, sometimes leveraging the information security industry (c.f. USCC sending implants to VirusTotal), but also sometimes USCC silently protecting the ICS networks of Iran and Russia from other intruders.

Recently I did a panel with one of the longest serving CSOs of a major financial that I know about, and one thing that struck me is how at the scale of a large financial institution, your goal is raising the bar ON AVERAGE. As an attacker, my goal is to find ways to create BINARY risk decisions, where if you lose, it's not ON AVERAGE but all at once. Your goal as a defender is to make any offense have a cost that you can mitigate on average.

Phishing is the obvious example. So many training courses (aka, scams) have been sold that provide a metric on reducing your exposure to phishing from 5% of clicked attachments to 2% of clicked attachments. But anything above 0% of clicked attachments is really all the attacker needs. There's a mismatch here in understanding of the granularity of risk that I still find difficult to explain to otherwise smart people to this day! "It doesn't matter how deep the Thagomizer went into your heart, there's no antibiotics in the Jurassic and you're going to die!" might be my next attempt.

But other examples include things like "JITs" where any vulnerability can become EVERY vulnerability - from replacing an object to introducing a timing attack. You can't even understand the pseudo expression that defines what a JIT vulnerability is because it's written in an alien language only a specialist in x86 code optimization can even pretend to understand, and usually doesn't.

This is true for a large section of the new technology we rely on, especially cloud computing. What we've lost sight of is our understanding of fragility, or conversely of resilience. We no longer have tools to measure it, or we no longer bother to do so. What used to be clear and managed is now more often unclear and unmanaged and un-introspectable. 

Tuesday, November 3, 2020

A second byte at the China apple

Recently I read an interesting paper by Michael Fischerkeller, who works at IDA (a US Govt contractor that does cutting-edge cyber policy work). The first concept in the paper is that the Chinese HAD to implement a massive program of cyber economic espionage in order to avoid a common economic trap that developing countries fall into, the "middle-income trap". 

One thing that always surprises me is that most people have missed the public and declassified announcement that the USG made when it came to how primary the effort of cyber economic espionage was to the Chinese strategy - to the point of having fusion centers to coordinate the integration of stolen IP into Chinese companies.

It shouldn't surprise anyone on this blog that security policy and economic policy are tightly linked, but it's worth taking a second look at this paper's recommendations and perhaps tweaking them. Especially in light of US Government actions against Huawei, which demonstrate a clear path towards US power projection.

But our path probably runs more efficiently in a different direction - protecting Intel, AMD, Synopsys, ASML, TSMC, and other firms key to building the chips China desperately needs, and which the US has recently restricted via export control. Because TSMC and ASML are not US companies, we would need to flesh out policy that would enable US "Hunt Forward" teams to operate on their networks proactively, instead of reactively.

And offensive cyber operations could be levied against the fusion centers distributing stolen IP, and against companies that receive that IP. "Hacking the hackers" is flashy and sounds good in terms of defensive operations that USCC can do, but as a long term strategy, it might simply be training up the hackers to have better OPSEC. Deploying an intelligence capability against the fusion centers, or the companies LIKELY to receive stolen information, may have a better return on investment, especially if that intelligence capability can be turned into a deterrent effort with the push of a button (something we also need to build policy around).


Tuesday, October 20, 2020

Projecting Cyber Power via Beneficence

So many articles come out decrying Europe's inability to create another Google or AWS or Azure or even a DigitalOcean, Oracle Cloud, IBM Cloud, Rackspace, Alibaba, or Tencent. Look, when you list it out loud, it's even more obvious how far behind Europe is in this space compared to where it should be.

And of course, projecting power via regulatory action only gets you so far. Governments like to negotiate with other governments, and you see this in cyber policy a lot, but it's worth mentioning that the European populace has a vastly different opinion on the value of Privacy than everyone else. We talk a lot at RSAC about Confidentiality, Integrity, and Availability, but in Europe personal Privacy is in the Triad, so to speak.

I think this is a unique strength. But I also think: Why try to beat the rest of the world at creating giant warehouses full of k8s clusters, when you can just pick almost any vendor now and get roughly the same thing? Moving the bits around and storing them redundantly is the BORING part.

But there are things Silicon Valley categorically, for reasons built into the bones of the system, cannot do. Some of those things hold great power.

Education is the obvious market vertical for Europe. There's massive power projection in being able to provide useful services, as Hezbollah does, as the local city council does. Look at the disaster that is the underfunded US education system, and think about the opportunity there. And in smaller countries, it's even more useful as strength projection. You just need to invest in translation and customer service. The key is NOT to exploit it for the obvious opportunities it would present to an aggressive intelligence service. Trust is as important an element of cyber power as deterrence is in nuclear policy. 

I don't mean to understate the difficulty in doing good customer support across time zones and translation into the specific cultural dialects worldwide, but there's real technical innovation to be done in education as well. And innovation in software scales and has network effects and can provide the basis for a 21st century economy a lot easier than something built purely on advertising and surveillance.