Monday, May 22, 2017

Hack back and the Yamamoto Chapter

So, I've tried my best to get the policy world to read Cryptonomicon, because it's important if you want to understand modern cyber policy in any sort of context. Weirdly, for an obviously over-educated crew that likes to read a lot, Cryptonomicon is not on the reading list.

But if you have time, just read this one short chapter: here.

What happens when you hang out with US spooks who don't know each other and Europeans at the same party is that you see an interesting feedback loop. Because US spooks have a natural tendency to play not just "stupid" but exactly half as smart as whoever they are talking to. This leads to a bemused European watching on as two US spooks each land on the lowest common denominator of explaining how they have actually never seen a computer in real life, and hope to one day meet a hacker who can tell them how this newfangled technology like "mice" works.

But if you are doing cyber policy work, you cannot help but notice there has been a truly odd number of papers essentially advocating hack-back coming from various arms of the policy world most connected with the "deeper state". I've listed a few recent links below.

In order to parse this properly - to "unpack" it, in the parlance of the policy world - you have to have hacked a few thousand networks personally, I think. And as any penetration testing company knows: network security is a rare thing.

But it is exceptionally rare outside the United States. Here, we have West Coast charlatans selling us snake oil boxes and solutions which typically cause more problems than they help. But we've also invested heavily in education, and process. You have to LEARN how to have a penetration test. It has to hurt a bit the first few times. Developers hate it, managers hate the cost and delays. Network engineers hate designing around new nonsense requirements. 

Penetration testing, and security services in general, are not an easy service to know you need, and know how to consume. You have to learn what code security looks like, and how to test your third party vendors, and, frankly, you have to learn how to give a shit to the point where you'll pay insane money for people to tell you that you suck in new and fascinating ways, without getting upset.

Most of the world doesn't want to go through this painful process. And in this case, I mean most of the developed world: Korea is still trying to get over how every banking app there uses ActiveX. Japan has a weird addiction to ignoring security while being technologically very advanced. China has a huge problem with pirated software and the great firewall of China. The Europeans wish they could regulate the whole hacking problem away. The Russians spend their time talking about kick-backs for recommending various security software, rather than penetration-testing results. 

In other words, their offensive teams are much more experienced than their defensive teams, and while this is changing, (Qihoo360! Tencent!), it is still new. They haven't had time to make as many mistakes as the US has on defense. They haven't learned how to care as much.

There are spots of brightness everywhere - you'll find clued-up people doing their best to secure their enterprises in innovative ways all over the world. It's no accident that all of Europe was on Chip And Pin ten years before Target got hacked. 

What you really want is this map, but normalized to "number of Internet connected Windows boxes" so you can get a percentage mapping. This map would look even more extreme in that case. Also, if it has the correct Peters projection!

US Policy is to always say the following sentence until you believe it: "We are the most at risk nation for cyber attacks because we have adopted technology the most!" It's hilarious when people believe us.

Because if you've been in the biz you know the truth, which is that overall, as Wannacry demonstrated (see above), there's a real security gap between nations. And I'd like to tie it together by pointing out that when the US policy teams talk about hack-back, the not-so-subtle subtext is "We are holding back. BlackHat alone had 9000 people at it last year. I swear to god, I could build a top notch hacking team by going into any random Starbucks in Fairfax and yelling out loud 'I will give this hard-to-find legacy SPARC TADPOLE LAPTOP to the first person to write my name on's front page without having to fill out Teaming Agreement paperwork!'"

BlackHat and RSA are a peacock's tail of beautiful, useless fitness-function announcements. No other country has anything like them in this space.

So when we talk about hack back what we're saying is that we may, very well, build a working hack back policy into our national strategy to combat what we consider unfair economic espionage. But we're also saying this: "Your companies are secured with raw hope and duct tape and you know we have a colossally massive back-bench of people waiting to go active if we just give them a mission. We are playing pretty stupid and helpless but ... don't fuck with us."
