Tuesday, January 17, 2017

The Atlantic Council Paper

The Atlantic Council released a new paper on cyber security strategy from Jason Healey: PDF Link

Video Introduction Panel:

You can learn a lot from watching the video, and most importantly that in Jason's worldview, the attackers are the Other. The video itself, like many of these panel discussions, is largely people agreeing with each other.

They start the discussion by talking about strategies of the past and how easy they were to summarize. Two examples below:

Containment: A one word strategy ftw!

COIN: Kill the bad guys, win the hearts of the good guys.

But more truthfully, if you had to draw COIN into a memo it would be "Know everything about everyone". In WWII we used to send these spotter planes out into the ocean, which "happened" to come across shipments which we then sank. The goal, obviously, was to have the ships radio back "SHIT WE'VE BEEN SPOTTED", and protect our real source, which was breaking their crypto and knowing their exact path. Drones are the same thing. They're the scary face of our surveillance, the frontman built mostly out of Java middleware. But they're just like those spotter planes - sent to give you something to fear that's not the real boogeyman. In other words, our COIN strategy is our cyber strategy, mostly redirection and sleight of hand.

But yes, when we take a hit, we realize that what we need is a mixed martial art for cyberspace. And that's what this paper SHOULD be.

In the early 2000s, I sat in Harlem starting Immunity and also helping build the early version of our cyber war strategy (and in particular how to glue CNE to IO, which is what Assange was figuring out as well). Quickly we realized we needed to understand how humans form groups in the internet age. Only one professor has interesting things to say about that as far as I can tell, and that's Clay Shirky. You'll want to read his blog and his book. He was a visionary around all of this material, which at the time had very little traction in the computer security world, but if you specialized in offense (as we did) you could see how important it was, because so many of our instinctual reactions in defense are wrong.

In Jiu-Jitsu, the first thing you learn is that many of your built-in instincts about protecting yourself will get you tapped out. In particular, when someone is sitting on your chest and you push them off you with your arms, you immediately get your arm broken (armbarred).

The crowd that argues that we should always "lean towards defense" in the cyber policy world likes to use vulnerability discovery as their demonstration for how we should create policies that do that. In particular they think our use of unknown vulnerabilities should be highly limited, and any we find should be immediately given to the vendor. This establishes an outstretched link of information from our signals intelligence arms to our adversary, which is as good an idea as reaching out your arm to a BJJ fighter sitting on top of you.

You cannot "lean" in any one direction. In fact, rather than "offense" and "defense", a better mindset is understanding what you control and what you do not, just as in jiu-jitsu. Is ubiquitous stronger crypto leaning towards defense, or is it preventing defense (because you cannot look into and filter traffic)? Advantage in this space is not linear, and the core argument of the paper is overly simplified because of that.

Let's talk more specifically about the paper's arguments:

Note that Dept of Commerce funding is on a trendline down, from 10.2 to 8.5 Billion USD. Dept of Defense is at $521B or so. Let's just say TWO ORDERS OF MAGNITUDE BIGGER. But more than that, the mission of the Dept of Defense is to be a giant software and IT company. They connect millions of people as a matter of day to day survival, and always have.

But part of the reason for why the DoD is a center of gravity in cyber policy is simply that power in cyberspace is maybe best defined as "We know things that you don't." The IC is a natural fit. Commerce is not.

This entire paper is mostly about item 6 on his list. Immunity gave a whole talk in 2011 on why this is misleading, but we will go over how this paper handles it in depth in this blogpost. It's interesting that despite the fact that Jason is from Columbia University, his worldview is directly rooted in Silicon Valley. :)

I have been on the offense for two decades and I can say one thing about it: The grass is always greener on the other side of cyberspace. While every defender, including this paper, laments that the field is tilted towards offense, offensive teams know that you only have to be caught once to lose your entire toolchain, a toolchain that was going bad faster than tomatoes left out in the Florida sun, except a million times more expensive.

You think the NSA wants to be writing and maintaining an entire toolkit that trojans the microcode inside hard drive controllers? They do this because they are at a disadvantage, not as a show of strength.

Let's examine his argument for why Offense > Defense a bit:
Attackers have had an easier time than defense, owing to at least four key failures: Internet architecture, software weaknesses, open doors for attackers, and complexity.

In particular, he claims that internet protocols were designed without security, software has bugs and there are not really market incentives to produce secure code, the cliche argument that attackers always attack the weakest point whereas defenders have to defend all points, and that the interactions between all sorts of our processes on the internet are so complex they cannot be reasoned about and hence defended.

Skip down to Page 30 where he tries to address our issues with cyber defense with strategic countermeasures.

The questions in this paper demonstrate how little we often know about this space before trying to make major policy decisions. The Wassenaar debacle this year is an example of us trying to "lean towards defense" and look where that got us.

Check out the wishful but patriotic thinking in the following paragraph, clearly written before the election happened:

Remember that time Apple told China to go to hell when they asked it to remove LinkedIn from all Chinese iPhones? OH THAT ISN'T WHAT HAPPENED?!?

William Gibson famously said about the future that it was not universally distributed. The paper suggests various ways we can get technology from Silicon Valley that will help us with this whole defense problem:

Generally the goal of this effort is to accomplish these three things, according to the paper:

  1. Secure Cyberspace as a Means to Advance Prosperity: First and foremost, US policy must ensure cyberspace and the Internet advance US and global prosperity, not least through continuous and accelerating innovation. Other priorities are important, but subordinate.
  2. Maintain an Open Internet to Support the Free Flow of Ideas
  3. Secure US National Security in and Through Cyberspace: (aka, spy)

Look at these policies in the language of "control" rather than "defense" and you'll see that a policy that "leans towards defense" is a thin cover for the desire, more nakedly espoused by the outgoing NSC, to control the entire vulnerability market, and that "maintaining an open internet" is a thin cover for trying to control other countries' internets and "preventing balkanization".

This is essentially an ideology of complete control. A defensible internet is a totalitarian playspace for big software and media companies that somehow ignores the fact that China wants to censor the Falun Gong out of existence.

Ok, how do we create one of these playspaces, according to the paper?

  1. Issue a New Strategy Prioritizing a Defense-Dominated Cyberspace
  2. Improve US Government Processes on Cyber
  3. Sow the Seeds for Disruptive Change
  4. Develop Grants to Extend Nonstate Capabilities
  5. Regulate for Transparency, Not Security
  6. Long-term Focus on Systemic Risk and Resilience
  7. Look Beyond a Security Mindset to Sustainability

Basically we're going to hope Silicon Valley drags our ass out of the fire if we give them more money to "innovate"?

So, as I'm often criticized for simply criticizing, here is my counter-plan:

If we do need a motto, then it needs to be: Acknowledge that Cyberspace is Different.

  1. Immediately deprecate protocols and products that are as under-water as a Miami Beach house: specifically IPv4, email, Microsoft Office, Microsoft Windows. This is the one thing we could do immediately that would drastically change our defensive posture.
  2. Fire the head of any agency when any massive data breach impacts the operations of it, up to and including DIRNSA.
  3. Revise the clearance system, which is old and brittle and not working well for anyone at this point other than Russia and China.
  4. Normalize and address the fact that foreigners' packets and data are identical to domestic packets and data. Nothing in our law and policy handles this at the moment. We clearly have to specifically revise Title 10 vs. Title 50 issues as opposed to monkey-patching them with "legal understandings".
  5. Dominate the information battlespace, including in the Law Enforcement area, by giving the NSA and CIA room to work (i.e. no more VEP that "leans towards defense" but is just for PR) and building a national mobile forensics center.

This plan is better specifically because it works by controlling ourselves, and not trying to extend our control to the entire software ecosystem and internet.

In other words, we cannot wait for Silicon Valley to come up with a way to secure Microsoft Windows and our old way of doing business: we need to accept a new way of doing business on ChromeBooks and iPhones and other hardened devices that cannot run Microsoft Office or be phished.

To make it a motto: My problem with Jason Healey's paper is that he proposes we wait for the future to secure us. But the future is now, if we want it.

Ok, as a P.S.: This is the craziest idea in the paper. I mean, I like that he's thinking about metrics, but it's an example of a way of thinking that is as carbonized as Han Solo.

That doesn't mean there isn't work to do, but that work needs to be spent building an internet that is immune to the effects of botnets, not trying to combat the existence of botnets themselves.
