Tuesday, March 24, 2020

Recruit, Retain, Reject?

I want to talk about my experience working for the Federal Government, but also look at some wrinkles in the Cyberspace Solarium's efforts to address recruitment and retention. At some level, every government proposal to address this problem is a twelve-dimensional remastering of Groundhog Day. You can see this in the supporting document on Lawfareblog, which focuses on the military talent shortage, possibly inspired by a meeting with CyberCom?

Most reports of this nature nibble around the edges of the problem and the Lawfareblog article proposes the following:

  • Relaxing military grooming and fitness standards for people in IT roles
  • Paying IT people more to compete with private industry
  • Opening offices in cities that people want to work in (or say, in Silicon Valley, where nobody WANTS to work but apparently people end up)
  • Building a skills database (which ironically would probably get hacked)
  • Offering unique perks (like training on emerging technologies, or one-of-a-kind challenge coins!)
All of the typical suggested measures largely ignore the number one issue with recruitment and retention, which is the clearance system. In this day and age, not being able to offer a clearance within a week is insane. In many ways, we need to completely rethink the clearance system, which right now is a one-way door: people are required to be working in the Government or for a Government contractor to hold a clearance, and when they lose it, they rarely get it back, as it requires a full-on reprocessing, which can take years.

That brings me to my story. I filed for some scholarships in high school, one with NASA and one with the NSA. My high school grades were not great, but the NSA application included an interview and I was, even then, as obviously geeky as it got. I had, as it were, mad Turbo Pascal skills and some beginner assembly language, and the NSA had a voracious appetite for minority students in technical fields like computer science, which I already knew was my focus to the total exclusion of anything else, like social skills or any fashion sense.

At the time the program was called the Undergraduate Training Program and started in 1986 (legend has it a member of the Congressional Black Caucus got a tour of the NSA and didn't see any minorities and threatened to yank funding until he did), but it appears to have been renamed the Stokes Educational Scholarship. I highly recommend it, if you are a high school student reading this blog, or happen to have one near you! 

But also, I think the UTP/Stokes program has offered massive strategic advantages to the United States, getting students into the NSA who otherwise never would have considered it, who have gone on to contribute immeasurably to our national security. It has had high return on investment, in other words. So please don't take this blogpost as saying these efforts are not worth it. However, they will not change the game or solve the problem.

One reason for that is that these programs exist and have for forty years. So what are the new proposals in the Cyberspace Solarium efforts? 

Not that we can't "Do more" but aside from the "institutional barrier" of clearances, it's hard to see what we can drastically change to open a huge pipeline of new applicants for the 33K billets we need to fill. 

Ask yourself this:
  • Why does it take 2 years to get a TS-SCI?
  • Why do you lose your clearance after five years of not using it?
  • Why can't a small company hold a facilities clearance? Why do companies hold your clearance, and not the government itself?  
  • Do we know anyone who has given up their clearance, gone on to have a successful private industry career that involved extensive travel, and then re-applied and been accepted? If not, why not?
  • Why have we not already copied and expanded the massively successful NCSC Industry-100 program?

To be fair, the report acknowledges this pain point by asking for a new report!

We don't need another report - we need a massive change to an obviously broken system.

If you've been following DARPA's work in the area, you may have noticed they've already done research on getting people a clearance in a week - we just need the political wherewithal to follow through on implementing it. 

It may be, of course, that even with the clearance roadblock removed, the Culture roadblock, as identified by the authors of the Solarium report, would remain. Culture is not about haircuts and fitness levels - and in fact most hackers I know are very into Brazilian Jiu Jitsu and can run a reasonably fast mile.

Culture is about a deeper set of problems, none of which are in the cyber domain: 
  • Politicization of the Mission, including the ICE mission
  • The Drug War
  • "Stop and Frisk"
  • "Why are we still in Afghanistan?"
If exposure to Stop and Frisk already pre-tuned you to thinking that law enforcement was an unacceptable career path, you're not going to apply to fix IT security issues at the FBI. CISA's mission may be amazing, but you can't retain workers who have their friends getting detained by ICE in front of their kids. You can't have the AG writing polemics against end-to-end encryption and then try to recruit people out of Facebook into DoJ, because they already know the head boss is full of it.

Sometimes you can't solve your recruitment problem by throwing money at the problem, or more scholarships, or reaching out to more people. A better solution would include an agency that is removed from these complications - entirely out of the executive structure, with a mission that attracted the best and brightest because they believed it was uncorrupted. We can still call it CISA!

But until we solve the personnel problem, we can't solve the other problems the Solarium report tries to address. And until we address the Culture and Clearance problems, we can't even begin.

Thursday, March 12, 2020

The Solarium Review - What Sticks Out

Most comprehensive reviews of government policy have little-to-no impact, because they involve complex unpopular legislation, or implementation by an unwilling executive branch, or more often, both.

That's why it's understandable that the members of the Solarium have embarked on a marketing tour, doing podcast after podcast and panel after panel to sell not just the ideas in their paper, but the idea that these things have a hope of getting implemented. It may even be true! To that end, it's good to look at many of the ideas with a critical eye, and in depth.

Some things immediately stand out:

  • Six paragraphs of absolute cowardice on the End-2-End encryption issue
  • The document portends a heavy lift and massive investment in CISA which is under DHS
  • So so so much about norms - which in certain circles is like going to a scientific convention and talking about astrology 
  • The section on adding liability to software vendors (4.2) is so unworkable as to make you wonder about the whole Solarium process

Each of these items requires a massive paper to analyze. But none of them is "good", and in some cases they are a millstone that might drag the whole plan underwater. The lack of a stance on E2E encryption, while at the same time giving the standard polemic on public-private partnership throughout the document, evidences that the Commission was not of the view that the overall technical community needed to be wooed: that you can on one hand go to war with the community on major issues key to their worldview, and on the other hand recruit, retain, and partner with them. This is not how the world works. They missed a once-in-a-decade opportunity.

For CISA - which is under DHS - there are two major issues: 
  • Can CISA handle the lift? Can they scale up and do all the things recommended in the report? Being able to hire and manage that many contractors alone is difficult. We have to assume everything this document asks is going to be done under someone else other than Chris Krebs...
  • Will industry ignore that they sit next to the EXTREMELY UNPOPULAR immigration arm of DHS, which has tainted DHS's whole image to an almost unrecoverable extent?

The software liability issue is complex, but any detailed look at it can talk about how weird many of the ideas in this section are. As Perri would say, "There are too many issues in this section to list." Although, to be fair, a future blogpost will do so.

Tuesday, February 11, 2020

The Transmission Curve

Imagine everything your company does, but in terms of a RAR file. Every document, and email, and VoIP call, and Teams message, every password and LDAP entry, every piece of source code in the git repo, and webex, and document scan, and database of PII, and Salesforce spreadsheet. Everything, no matter how trivial, related to the running of your company. If you're a five hundred person company, let's say that you generate about a Petabyte worth of information per year. This is dominated by useless webex video conference calls, which a hacker could not care less about. A more realistic total cost of ownership (TCO), in terms of bytes, for a five hundred person company for one decade, is 35 Terabytes (I backed this up with some real-world information and some calculations which I can share as needed; this includes all emails, documents, source code, and phone calls, but no video).

That is currently just over a month of downloading for our hacker friends, but we will be nice and say they only download data at night (i.e., 1/3 of the time). Also, a month is a very long time to be "on target", but download size is basically static over the years, and the time is pressured down by increasing network speeds. If you are in the ever-growing box-of-pain (see below) then every time you get hacked, your entire company's IP value walks out the door.

Everything in this graph is either my estimate or Crowdstrike's, but just understand that as speeds go up, and corporate IP size remains static, the odds of any hacked company being completely downloaded before you catch the pesky hacker go to 1.

Hackers or signals intelligence agencies deal with this question every day in a different form, because 99% of what you see on most networks is useless porn and Windows updates. You want to filter that out on-site and then only send back the good stuff. But as network speeds go up, and storage costs go down, it's often easier to download everything and sort through it later. This is of course similar to the problem a certain large SIGINT group reportedly had.

Following this curve is why I think the Endpoint Security people's 1/10/60 minute rule is ridiculous, and why humans in the loop for security response are also hilarious. Ask yourself, at what speed of network does your company enter the box of pain before 60 minutes is up?
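The post's numbers can be turned into a small model of the curve it describes. The following is an added example, not code or data from the original post or its spreadsheet: it takes the 35 TB estimate and the "nights only" 1/3 duty cycle from above, assumes ideal sustained throughput with no protocol overhead or throttling, and computes both the calendar time to move the whole data set at a given link speed and the link speed at which the transfer would finish inside a 60-minute window (the outer bound of the 1/10/60 rule the post mentions, where containment is expected within 60 minutes of detection). The constants and function names are this example's own.

```python
"""Exfiltration-time model for the 'transmission curve' argument.

Assumptions (constructed for this example, not taken from the post's spreadsheet):
  - 35 TB is the decade-scale data set the post estimates for a 500-person company
  - link speeds are ideal sustained throughput (no overhead, no throttling)
  - "nights only" means transfer runs for 1/3 of each calendar day
"""

TB = 10**12                      # decimal terabyte, in bytes
CORP_DATA_BYTES = 35 * TB        # the post's estimate for one company, one decade
SECONDS_PER_DAY = 86_400
NIGHTS_ONLY = 1 / 3              # the post's "only at night" duty cycle

# Constructed set of link speeds (bit/s) to sweep, from an old office uplink
# to a data-centre-class link.
LINK_SPEEDS_BPS = [10e6, 100e6, 1e9, 10e9, 100e9]


def transfer_seconds(n_bytes: float, link_bits_per_s: float) -> float:
    """Seconds of continuous transfer needed to move n_bytes over the link."""
    if link_bits_per_s <= 0:
        raise ValueError("link speed must be positive")
    return n_bytes * 8 / link_bits_per_s


def wall_clock_days(n_bytes: float, link_bits_per_s: float,
                    active_fraction: float = 1.0) -> float:
    """Calendar days to finish when the transfer only runs active_fraction of each day."""
    if not 0 < active_fraction <= 1:
        raise ValueError("active_fraction must be in (0, 1]")
    return transfer_seconds(n_bytes, link_bits_per_s) / active_fraction / SECONDS_PER_DAY


def link_speed_to_finish_within(n_bytes: float, window_seconds: float) -> float:
    """Minimum sustained link speed (bit/s) that moves n_bytes inside window_seconds."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return n_bytes * 8 / window_seconds


def inside_response_window(n_bytes: float, link_bits_per_s: float,
                           window_seconds: float) -> bool:
    """True when the whole data set leaves before the response window closes."""
    return transfer_seconds(n_bytes, link_bits_per_s) <= window_seconds


def curve(n_bytes: float, speeds_bps, active_fraction: float = 1.0):
    """(link speed, calendar days) pairs: the post's curve for one data-set size."""
    return [(bps, wall_clock_days(n_bytes, bps, active_fraction)) for bps in speeds_bps]


if __name__ == "__main__":
    print(f"Data set: {CORP_DATA_BYTES / TB:.0f} TB")
    for bps, days in curve(CORP_DATA_BYTES, LINK_SPEEDS_BPS, NIGHTS_ONLY):
        flag = "inside 60-min window" if inside_response_window(
            CORP_DATA_BYTES, bps, 3600) else ""
        print(f"{bps / 1e9:8.2f} Gbit/s -> {days:8.1f} days (nights only) {flag}")
    need = link_speed_to_finish_within(CORP_DATA_BYTES, 3600)
    print(f"Link needed to move it all in 60 minutes: {need / 1e9:.1f} Gbit/s")
```

With these inputs a 100 Mbit/s link gives the "just over a month" figure from the post when running around the clock, and roughly three months when restricted to nights; a 1 Gbit/s link needs a little over three days of continuous transfer; and the whole 35 TB fits inside a 60-minute response window only once sustained throughput reaches about 78 Gbit/s. The model is deliberately linear: the point of the post is that the left-hand side of that division is fixed while the right-hand side keeps growing.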

Thursday, January 23, 2020

AI Cyber Controls and Bezos and MBS

I wanted to link to this post on CFR where I wrote about the right way to look at creating new export controls in a complex technical space.

Also, I'll be talking about cyber export controls at the 10th forum on Global Encryption, Cloud, and Cyber Controls, March 24th and 25th in San Francisco, if you want to come heckle.

But mostly I wanted to write a few words here about the recent Bezos hack, which is something still developing:

A good perspective on the "Civil Society" (ugh, what a phrase) take on this sort of thing is this lawfare article. Like many articles it leans heavily on export control of spyware as the solution to human rights ills. The first thing you'll notice about this, and other policy groups, is that they call for "Transparency", a term which is worth dissecting.

In particular, it is ironic that the FTI report on Bezos's phone is generated with the exact technology they want to control! It is the very definition of dual use! And it is incomplete, because the one thing you do not have on your own iPhone is Transparency, so we do not even know for sure what the exploit was that got KSA (allegedly) onto Bezos's phone. In fact, Apple is currently suing under weird parts of the DMCA a company that does help with transparency, Corellium, after trying to buy them (presumably to stop them from selling their virtualization platform for iOS).

When you hear Transparency from Citizen Lab what they mean is that they want long spreadsheets on basically everyone who buys any dual use software, based on confusing and inexact export control regulations which would strangle small companies who work in this space. This would in theory feed into stricter export control rules, or even domestic legislation. It would probably be easier and better to fix the DMCA and our vision of copyright so everyone can do forensics on their own phones and find out when they get hacked.

It's also worth noting that Israel is not a member of the Wassenaar group of export control nations (nor is China, obviously, although Russia IS a member) and that the Kingdom has extensive offensive resources that go far beyond buying off the shelf exploit toolkits. I did a quick open source Twitter survey a while back after the UAE Project Raven articles came out and all I found was good penetration testing and offensive research teams in the KSA.

Wednesday, January 15, 2020

Local PrivEscs that are Remote Code Execution

One thing you will notice if you read the NSA advisory yesterday and the Microsoft advisory is that the NSA advisory had MORE information in it. Although both organizations are "defenders", software vendors see the world through a completely different view of systemic risk. Sometimes this means advisories get issued for vulnerabilities that are not really exploitable, but typically it means the impact of a vulnerability is vastly underrated. This is presumably why Project Zero releases full details at 90 days, instead of letting the vendor do all public communication, but it's also why most bug bounties include non-disclosure clauses.

In other words, if vendors had their way, an advisory would have less information in it than a fortune cookie.

If you've been in the security research business, then you also know that vendors, and often other researchers, will under-analyze a vulnerability. It would be an interesting metric to track which bugs got patched but were labeled LPEs when you know they are really RCE. Some companies are known to label every remote heap overflow a "crash/DoS", which becomes a funny meme, but also has strategic implications for critical infrastructure.

I guess what I'm trying to say is that a disparity in information is a disparity of control, and nothing leverages this more than an operator in the cyber domain.