Saturday, June 15, 2019

Bytes, Bombs and Spies - A guest review

After reading his book review on ‘Bytes, Bombs, and Spies’ Dave was kind enough to offer me a guest blog post to share my own thoughts. First I think it helps to understand what this book is. It’s not exactly another cyber research/policy book. It’s a look at ‘The strategic dimensions of offensive cyber operations’ through ‘a collection of essays’.

The reason I think this is important to note is because many of its authors contradict one another whether they intended to or not. Because this book is about offense I feel obligated to state the obvious. In offense the details matter. In fact they’re everything. It’s ‘you can write values k through kN but not beyond 258 bytes from the end of the struct, and the Nth position in your overwrite must have bits 1-4 set’ levels of accuracy or it just won’t work.

I tend to judge books like this based on how many new things I learned, not how many flaws I can find. In that regard this book is fantastic. Many of its authors are people I follow on Twitter and aggressively consume anything they write. They come from various academic, .mil, and .gov backgrounds. But there are also things in this book that give me cause for concern.

Anytime one of the book's essays ventures from abstract thinking into concrete implementation an experienced technical reader will cringe. Reading the terms ‘the {network, mail server}’ or ‘sysadmins’ makes me think the author did not sit down with an experienced SRE to understand how the cybers work in 2019. The way these simplistic architectures are described will make you nostalgic for a simpler time back when you were reading that 2001 CCNA exam prep guide. The internet in 2019 is comprised of massive platforms and ecosystems run by private companies. Find me a Fortune 500 outside the United States whose infrastructure doesn’t, in part, resolve to an AWS data center in Ashburn Virginia. Are there people who think a LAN of Win2k boxes with a single AD controller and an Exchange server is powering Gmail?

In the closing paragraphs of the ‘Second Acts In Cyberspace’ chapter Libicki makes the point that re-architecting is the only solution after a successful attack. Even organizations, public or private, that have the skills to build their own infrastructure build things that look nothing like what they did 10 years ago. The platforms that power the modern internet are composed of hundreds of microservices. It’s likely that these design choices were made specifically to meet the precise needs of global scale and cannot be “re-architected” without enormous effort. When DoD tackled Heartbleed they gave an award and a public nod to the team because the challenge was something like 8 million computing devices.

I was especially surprised by the ‘The Cartwright Conjecture’ chapter. I will read anything Jason Healey puts his name on, but to me that theory fell apart entirely over the last few years.

“We’ve got to talk about our offensive capabilities … to make them credible so that people know there’s a penalty for attacking the United States” - General James Cartwright

I’ve never really bought into this concept as it assumes that the United States can deter cyber attacks by showcasing its own cyber capabilities. This line in particular “The bigger your hammer the less you have to swing it”. Did no one question what happens when your adversary takes your hammer and hits you in the face with it? Clearly a ‘stockpile’ of 0days and persistence tooling instills so much fear in our adversaries that they published it and then trolled people on Twitter. 

What groups such as the Shadow Brokers have done to the United States is what I have been advocating we should have been doing all along: publicly exposing the technical details of exploits and toolchains seen in the wild against American interests. That’s a ‘defend forward’ strategy I can get behind. Law enforcement does this to some degree, but it's usually after you've been breached. The trolling bit, of course, is unnecessary. One of the things I found particularly interesting about this chapter was its mention of the United States having to co-opt or coerce, and weaponize, technology companies in order to create fear in adversaries. Healey rightly points out the consequences of doing this. I’m not convinced this is needed at all. Our adversaries are likely already threatened by the fact their own operators have Gmail accounts or that they have to use operationally compromised systems in the US in order to reach Twitter. Doubling down on a free, secure, and open Internet is probably the best tool we will ever have.

This book is worth reading, and its authors deserve credit for exploring such a highly debated topic. What I think is lacking from most essays in this book is the understanding that we cannot have a strong offense without assuming some risk on others' behalf. In 2019 every company is a technology company, and if we are to get serious about defending an economy built on technology then we need to be honest with ourselves: it will come at the cost of a strategic offense.

Chris Rohlf

Friday, June 14, 2019

What does "On Team" mean?

One issue with the VEP is that hackers, those who form the core of your offensive national-grade team, find it extremely off-putting when you kill their bugs. Even the terminology of that statement should give a policy-maker pause. While there are no absolutes in life, a VEP process will avoid hamstringing your recruitment and retention only when it is known internally to lean towards never killing bugs.

This brings us to Will Hurd and political divisions within a country. In many countries (Turkey, for example) the military has a very different cultural dynamic from the political sphere. This is extremely evident for the nascent cyber capabilities of a number of places, which if you are at the right conference or have the right Twitter network, you can ask about directly.

While Twitter is not available in China, Chinese hackers definitely are on it. The same is true for Iranians, and the Iranian team is exposed to a tech culture that is almost universally atheistic, pro-LGBTQ, and with a wider global focus than their domestic policy team. Half the Iranian team is watching Dexter in their spare time for some reason. To be a hacker is to be an outlier, and if your society or political organization does not support outliers, it is hard to recruit them.

This is also easy to see domestically - you hear DHS complain that nobody in the tech community will stand up and propose a good key escrow system. The DoD seemed both confused and concerned that company after US company is refusing to sell them advanced AI. If by structure your government lags on issues like gay rights, you will suffer in this domain.

It is equally true in almost every other country as well. It's hard to predict how these schisms will affect the balance of power in cyberspace. But I think they do.

In other words, I like Will Hurd a lot and I think he's an important voice in the community, but I also, if I had to predict, would say there is a good chance he will not end up keynoting BlackHat.

Tuesday, June 11, 2019


Neal Stephenson and William Gibson and Daniel Keys Moran all treated the problem of disinformation and over-information differently in their books. MINOR SPOILER WARNING btw.

NS's latest book is a cool 900 pages, longer than even those compendiums of cyber policy we usually review on this blog. I read it the entire way to Argentina and realized when we landed I was only 50% of the way through. The whole first section is about a near future where someone runs a successful strategic disinfo-op (using actors and faked media) against a town in America claiming that it has been attacked with nuclear weapons, while using cyber means to cut it off from the rest of the country. This works surprisingly well, and changes the nature of how people interact with the Internet as a result.

Good science fiction grapples with policy problems, in many ways, sooner and more accurately than policy writing. All the consternation over "Deep Fakes" is a proxy grieving process for "Mass media can no longer be used to control the masses". The recent controversy over the NYT's reporting on the Baltimore ransomware attack is perhaps a symptom of ongoing consensus fragmentation. You can, for any given factset, fool SOME of the people ALL of the time. We are essentially tribal in all things.

In other words, we always lived in Unreality, but the rise of the cyber domain means we now live in a Chaotic Unreality which seems to make a lot of people uncomfortable.

To be fair, everything about cyber makes policy people uncomfortable because the whole thing is so weird. The clearest example of this, to me, is Targeting, an aspect of projecting cyber power that is basically ignored. This is why someone ends up hacking a fish tank to later own a casino.

I don't know what makes good targeters. Smaller organizations tend to be better at it for obvious reasons that Cybercoms should probably address at some point because having a significant cyber effect is almost always perpendicular to the way a planner thinks it ought to be done.

VEEP covered another angle on this: In one episode the Chinese pay back a debt to a politician not by hacking an election itself, but by messing with the traffic lights and power in North Carolina during the Democratic Primary, in certain districts known to vote against her, which works perfectly well.

Good targeting is just not believing all the things you see around you because they actually don't exist, as the Matrix pointed out but as so few can internalize. In other words, Fall is a good book; I highly recommend it.