Monday, June 13, 2016

What Playpen Hath Wrought

Before looking at the Playpen miasma that resulted from the FBI’s use of a “NIT” (aka Remote Access Trojan) to unmask users of a website with illicit material, it’s good to look at the larger picture of how an offensive capability usually evolves. However, few people in the policy space have looked at the technical capabilities of many actors to see these patterns, which I’ll go over now. When trying to write laws and regulations that respect our legal traditions but account for the realities of hacking technology as used by law enforcement, it’s important to know where these capabilities are heading, instead of writing policy for where they are now.

Law Enforcement, like all remote access organizations, follows a predictable tree of technology paths when developing its capabilities. If you look at the Russian Sofacy group or any other signals intelligence group, you will see the same basic path from left to right on the graph of features below.

Just to put one of them into context: why would you start with symmetric or no cryptography at all, as the graphic indicates, and as the FBI is using, according to reporting? The answer is reliability. When operating in the field, reliability is an extremely elusive property, and doing complex things such as mutual authentication and encryption in a reliable way is prohibitively expensive for young groups just starting down the path. This is as true for the Israeli, Russian, or Chinese teams as it is for the FBI.

Some of these things you cannot rush with massive injections of money. This is why it is hard to bootstrap a Unified Cyber Command or Law Enforcement capability quickly. Often you do not even know what capability you need to build (massive testing framework that includes real-iron machines, not just VMware ESX! Warehouse-sized collection of old Unix hardware! Global-sized web crawler!) - these things are not obvious until after you have failed in the field and learned from your failures, which takes time. Operating at scale is hard to test for unless you are truly operating at scale. We are not investing billions of dollars in “Cyber Ranges” for fun.

Going right on this chart adds exponential cost and allows for higher levels of operational tempo and OPSEC requirements. If someone is going to die if you screw up, then you want to be as far right as possible, but you probably won't have the Infinity Budget to get where you want to be on this chart any more than you can afford the San Fran apartment with enough room to hold your three kids and their stuff.

A follow-on article will suggest some preemptive ways to regulate Law Enforcement use of this technology that jibe with how it is obviously going to evolve. This is important because the option of “Let the FBI do whatever it wants” is just as bad as “Never use hacking tools to solve crimes”.
