Wednesday, November 25, 2020

Our Top Priority for US Cyber Policy

Progress in cyber policy is mostly apolitical, organic, and international. A mistake we in the US have sometimes made is viewing our cyber policy as purely domestic, when the key feature of the cyber domain itself is that it transcends borders and is interlinked.

If you look at what works for other countries, one policy effort in a major ally stands out as being something we desperately need to adopt: The UK's NCSC Industry-100 platform.

At its heart, it's very simple. You find talent within private industry, ask them to take 20% of their time and donate it as work for the US Government. In exchange, they get experience they can't get elsewhere, and we hold their clearance.

It requires management, funding, some basic distributed infrastructure, the ability to scale, and the will to enact a different way of recruiting and dealing with talent. But the follow-on effects would be vastly out of proportion to what we invest, and we need to do it as soon as possible. With this one effort we address clearance issues, counterintelligence, recruitment and training, and industry relationship building. We inform our government and our technical industry at the same time. Instead of saying "public-private partnership", we actually build one.

It's past time. Let's get to work.

Sunday, November 15, 2020

Fifth order effects

There are methods of cyber policy and strategy thought that various countries keep quiet about the way ADM/TESO kept their 0day. When it takes a long time to integrate information warfare into your techniques and operationalize it and test it and learn from the practice of it, then knowing its relative weight in hybrid warfare before your adversary does is useful enough to hide.

But of course, the same thing is true on the other side. You could call out the United States' primacy in early lessons on ICS hacking as the result of opportunistic investment, or you could see it as the payoff for forethought around the policy implications of ongoing technology change, slowly evolving into the Stuxnet-shaped Stegosaurus Thagomizer that pummels any society advanced enough to have email.

Persistent engagement might be one of these. Look far enough into the future on it and what you see is a sophisticated regime of communication strategies to reduce signal error between adversaries, sometimes leveraging the information security industry (cf. USCC sending implants to VirusTotal), but also sometimes USCC silently protecting the ICS networks of Iran and Russia from other intruders.

Recently I did a panel with one of the longest-serving CSOs of a major financial institution that I know of, and one thing that struck me is how, at the scale of a large financial institution, your goal is raising the bar ON AVERAGE. As an attacker, my goal is to find ways to create BINARY risk decisions, where if you lose, it's not ON AVERAGE but all at once. Your goal as a defender is to make any offense have a cost that you can mitigate on average.

Phishing is the obvious example. So many training courses (aka, scams) have been sold that provide a metric on reducing your exposure to phishing from 5% of attachments clicked to 2% of attachments clicked. But anything above 0% of attachments clicked is really all the attacker needs. There's a mismatch here in understanding the granularity of risk that I still find difficult to explain to otherwise smart people to this day! "It doesn't matter how deep the Thagomizer went into your heart, there are no antibiotics in the Jurassic and you're going to die!" might be my next attempt.

But other examples include things like JITs, where any vulnerability can become EVERY vulnerability, from replacing an object to introducing a timing attack. You can't even understand the pseudo-expression that defines what a JIT vulnerability is, because it's written in an alien language only a specialist in x86 code optimization can even pretend to understand, and usually doesn't.

This is true for a large section of the new technology we rely on, especially cloud computing. What we've lost sight of is our understanding of fragility, or conversely of resilience. We no longer have tools to measure it, or we no longer bother to do so. What used to be clear and managed is now more often unclear, unmanaged and un-introspectable.

Tuesday, November 3, 2020

A second byte at the China apple

Recently I read an interesting paper by Michael Fischerkeller, who works at IDA (a US Govt contractor that does cutting-edge cyber policy work). The first concept in the paper is that the Chinese HAD to implement a massive program of cyber economic espionage in order to avoid a common economic trap that developing countries fall into, the "middle-income trap".

One thing that always surprises me is that most people have missed the public and declassified announcement the USG made about how central cyber economic espionage was to the Chinese strategy, to the point of having fusion centers to coordinate the integration of stolen IP into Chinese companies.

It shouldn't surprise anyone on this blog that security policy and economic policy are tightly linked, but it's worth taking a second look at this paper's recommendations and perhaps tweaking them, especially in light of US Government actions against Huawei, which demonstrate a clear path towards US power projection.

But our path probably runs more efficiently in a different direction: protecting Intel, AMD, Synopsys, ASML, TSMC, and other firms key to building the chips China desperately needs, and which the US has recently restricted via export control. Because TSMC and ASML are not US companies, we would need to flesh out policy that would enable US "Hunt Forward" teams to operate on their networks proactively, instead of reactively.

And offensive cyber operations could be levied against the fusion centers distributing stolen IP, and against the companies that receive that IP. "Hacking the hackers" is flashy and sounds good in terms of defensive operations that USCC can do, but as a long-term strategy it might simply be training up the hackers to have better OPSEC. Deploying an intelligence capability against the fusion centers, or against the companies LIKELY to receive stolen information, may have a better return on investment, especially if that intelligence capability can be turned into a deterrent effort with the push of a button (something we also need to build policy around).