Friday, October 14, 2016

The Russia Question

Right now people in the policy space are asking themselves what to do about the Russians hacking the DNC and basically every political operative in DC and leaking it to Wikileaks or via Guccifer 2.0. The best article right now is on FP which has as its conclusion: Something must be done, and soon.

But what?

First of all, one of the big misunderstandings about cyber war is that it is somehow an inherently asymmetric operation. But if you use this as a thought experiment you will see just how hard targeting a real attack against Russia is. There are two areas of cyber operations that are impossibly expensive at scale: Maintenance and Targeting.

It is hard to explain just how mind-bogglingly expensive these two items are to policymakers who haven't written a rootkit lately.

There are a few other features of cyber operations that have massive sunk costs (building a real computer is one of them) but just in terms of operational cost, real targeting is going to be something done by T-Rex-sized behemoths. Which is why when the Germans asked me how amazing Israel was in this space I said it was largely marketing, because it is. No country that size can compete at this level.

And the Indominus Rex hybrid mutant mega-fauna in this space is still the USG. Despite the attitude of helplessness policymakers hold publicly, a retaliation is 100% doable and 100% could be entirely done in cyberspace and probably some operators are sharpening their swords against the aged FreeBSD servers that run as we speak.

Offensive operations take a long time though - always twice as long as you think they will, no matter how much padding you've added, like house renovations. The Bene Gesserit used to just tell their victims "You will be punished" and nothing more, and frankly it is scarier that way.

Let me put it this way though: we manage the IT of our campaigns and election systems like complete idiots.

The only smart solution for securing our election systems is to centralize them and assess them, and even OPEN them so they can be assessed by third parties. Every other option is clear insanity as every security professional has said for more than a decade.

And having been involved in trying to help with the security of a Presidential campaign I can say that they are not securable the way they are run now. If you were going to do it right, you'd use the same level of security you would with any other billion dollar enterprise - you'd have an IT department handing out special purpose iPhones and ChromeBooks and you'd have professionals helping you secure things the same way you have professionals making your campaign videos.

If we want the USG to retaliate when the DNC gets owned because our electoral process is that important, we have to start with those two steps.

On another note, some people have asked me why I do so much critique without offering my own cyber war book, and I would say there is a long body of work dating back to 2011 here and here, and of course many Prezis on the subject here. But largely we at Immunity use our model of cyber war to put our money where our mouth is, which is why we now sell INNUENDO and other tools to test for modern threats. :)
