Monday, January 29, 2018

Non-State Actors Practice Deterrence!

I know it's going to annoy the International Relations/Law people when I say this, but non-state actors have a more developed deterrence methodology in the cyber domain than state actors at the moment.

There's a whole slide about this in the Immunity T2/S4 keynotes:

Governments, including the USG, need to be aware of the levers of power projection various private entities have. "Access/Analysis/Remove/Offer" come from the Immunity cyber weapons categorization methodology as explained elsewhere.

To be fair, I think Microsoft and Google can do many things that will, completely legally, hamstring the USG in many ways.

For whatever reason, the thing that has awoken many in Government to this threat is the much more innocuous Strava Heat Map. I know that a month ago if you asked "How would I unmask every US drone base in Africa" the answer would not be an SQLi bug in a jogging data app.

But of course the fact that the international consortium of industry players working on the Meltdown bug were able and willing to keep it a secret from the USG is another interesting data point when it comes to way private industry can hold its own interests above governments.

One thing I look at with a lot of this technology analysis is whether or not we have crossed the cell membrane that separates a world where the USG is a market driver, or whether it is considered a niche market and the rivers all run in the opposite direction. For information security, it was true ten years ago the USG was driving the latest technological trends. They were a huge market and had specialized needs that they were very clear about.

I don't think anyone believes that's the case anymore, and it has massive implications for important things like supply chain security, export control, and strategic issues around technological diffusion and power projection.

No comments:

Post a Comment