Sunday, January 8, 2017

The CSIS Paper Review - Part 1

So the CSIS paper shines when it gets a bit "salty", in the parlance of the times. In many ways the INTRODUCTION of the paper is its best part, which is rare.

"Turning to technologists didn't work" - I wonder if this was written by a lawyer! :)

This section is the best section in the whole paper, and worth a deeper look. Because all of these papers are the same, be they from MIT/Brookings/Stanford/CSIS or the team I'm working with. They all look at where we are, realize it was not a huge success (which frankly, several months ago was not consensus), and then try to determine a GRAND BARGAIN that can break the logjam we're in and move the needle.

Many of these groups think that moving the needle means "securing the whole internet", which is a conceptual trap they've fallen into. But every group seems to know that without dealing with everything holistically, you are getting nowhere. That means we have to actually come to an agreement on everything from gnarly domestic issues, such as encryption, warrants, and liability, to international relations issues such as what it means to go to war over the internet.

And there is, somewhere, a core of agreement between all of the policy groups positioning themselves on this issue.

The easiest way to judge these papers is to look at where they stand on a few clear issues that I've selected as tests:

  1. How do they prevent the next OPM?
  2. How do they prevent the next "electoral hacking"?
  3. What harsh truths do they admit, in particular, do they admit we are going to have strong crypto on phones one way or the other, and what are they going to do about it?
  4. How do we protect Jordan in cyberspace since we need them to project our power in meat-space?
  5. Do we have any answer whatsoever to ransomware?

For the first one, which is legitimate espionage on one hand, but also something we need to defend ourselves against, it's clear the answer is not in the thicket of "deterrence", which always drags every discussion towards "this is someone else's problem, maybe the military's, maybe the State Dept's, but not mine, for sure."

The Federal CISO's Role

Federal policy types (stereotyping here to annoy Mara), as in that CSIS introduction, often see a CISO role or CIO's role as "manage the IT stuff to make it secure so I can run my business/administration". Nothing could be further from the truth. A CISO's role is to manage what your business is. They don't tell you what computing infrastructure you need to have a branch office in China securely; they tell you you can't have a secure branch office in China. 

And this is where the policy people with deep expertise in federal structure can really lend value in this process: tell us the organizational innovations that can make it possible to manage the information security of the federal government in all its complexity. Where non-technologists go wrong is in trying to set policy in a space whose tomorrow they cannot predict. And where technologists go wrong in these papers is in suggesting policy solutions that don't work in the current management miasma of the federal government.

But we need both: A federal government that is unmanageable in the information security sense is unmanageable in any sense in the modern world. Eight years from now, one way or the other, the federal government will have a biometric record of every person in the States, or who has ever been in the States.  And if your Cybersecurity Agenda for the 45th President can't get us there, then it needs to be reworked.


Let's move on to what I consider some debatable prospects. I don't think many of these papers are really meant to be read for content, so much as a collection of resumes applying to have influence and a statement of worth, but it's still worth doing:

attack->attacks (I do all the proofreading for you). Also interesting how risks are mentally measured in dollars here, and I'd caution that stealing the RIGHT billion dollars' worth of information can have a strategic effect far larger than its monetary value...

Ask yourself if any reasonably sized penetration testing team (NCCGroup, for example) could have done the attacks against our electoral process that resulted in our recent Russian Sanctions. Even the small players in this field do similar attacks EVERY DAY. And somehow policy teams continue to insist that the greatest risk is from attacks whose effect is equivalent to use of physical force? Nothing could be further from the truth. This weird fetish for "equivalent to physical force" is an example of people who are not comfortable with the cyber domain. 

Is the internet just some machines routing packets? "They exist in physical space somewhere!" you can hear the Tallinn philosophers opine. Or is it a software layer where no particular request is routed to any particular storage center, as Microsoft would inform you if you asked them?

But this is why, when lawyers, especially those with backgrounds in the law of war, try to project the future, they fail to see the risks right in front of them. The only actors capable of the most damaging attacks are nation states? Yet 90% of Politico was Julian Assange this year, and as much as people try to make him out as a Russian stooge, he's something else even more annoying to our worldview: a non-nation-state actor.

Reread this document with an eye that non-nation-state actors already have the capabilities they assumed they would not "for the next few years" and you'll come to different conclusions.

The Security Umbrella

This is a two-pronged question, but deep down the hard part is WHO we have doing the more formal work of building security and stability. We tend to focus on really big countries, like Brazil and India and China and Russia, but equally important are Jordan and Israel and Singapore and Argentina.

How do you extend your security umbrella to your allies? What does that even mean? These are hard questions and I try to read all these papers for ideas around that.

In some senses, this is similar to our domestic problem of sharing information with industry partners, but sharing information doesn't help you unless you also share actions, as we've learned.


Every single working group on this subject wants to finally get over the encryption issue and has come out against backdoors or any legislative solution. Law enforcement is going to have to deal. In the long run, we need to remove crypto from export control as well. I'm not making this as an argument here, only pointing out that every single working group producing these papers says the same thing in slightly different ways. They should probably be more explicit about what the FBI would do with more dollars, and include state and local police in the solution. But we've gone over that before.

This particular paper comes out against active defense as well, which is worth discussing later, but at least they have a position and section on it. :)


These sorts of papers represent a lot of work, and it's interesting that they don't get ripped up a bit more - possibly because I overthink them. But regardless, if you're one of the authors and you disagree, feel free to ping me and I'll amend this in place or add a section on why I'm wrong. MAYBE MORE BEST PRACTICES FROM NIST IS EXACTLY WHAT WE NEED! :)

1 comment:

  1. The link to the paper at the top of the article is to a file on someone's Windows machine. Google finds an accessible online copy at — maybe that or another location is a better choice of link.