Thursday, December 30, 2021

Guest Post: HostileSpectrum’s futures: Looking back on 2021’s estimative signposts

Dave has kindly agreed to turn the keys to his blog over to me for a brief discussion of what may yet come to pass, as we consider the wars and rumours of wars that are the constant drumbeat which forms the backdrop of what has turned vulnerability discovery, weaponization, and employment from an obscure specialist niche to front page headlines (and barely disguised polemic all too popular in the Beltway). Since this discussion is owed in no small part to his persistent, “very annoying” but entirely helpful attempts to spur further engagement on the big questions at the intersection of technical matters and policy, it seems right and proper to find its home on his pages. JD

We are all familiar with the constant flurry of predictions for the coming year that flood our inboxes around this time, where vendors and their marketing teams all compete for decisionmaker attention as folks take stock of where their organizations have been, and where they are going. In their best forms, such products are supposed to be formal futures intelligence estimates – crafted through deliberate tradecraft in which novel hypotheses are weighed by experienced analysts, supported or challenged based on unique collection, and tested through structured methodologies. In industry, delivering such finished intelligence (FINTEL) was originally intended to support decisionmakers setting strategy and investments for the new year, or at least considering the stance by which they would approach the problems coming down the line they had not yet anticipated.

Like many things in the cyber threat intelligence business, the annual estimate has been copied in form without consideration of function. Along the way, it is bastardized by pressures of marketing teams which serve as both production requirement and funding lines for all too many intel shops, but introduce unique analytic pathologies to the process. Our community increasingly abandons established analytic methodologies in favour of single point predictions relying solely on “expert” judgement. Needless to say, this is generally not how good intelligence is done.

Recent years have taken this to a breaking point of absurdity. We were fortunate, then, to be able to laugh in the face of the absurd. Kelly Shortridge showed us all the way, letting a Markov generative text take over one year. While almost certainly lightly edited for human readership, the piece was not only quite funny in its own right, but a biting observation of what had become formulaic repetition of evergreen tropes devoid of thought and comfortably numbing in presentation of the familiar. Of course, this hit in a year when the world we knew was reshaped.

But when the laughter dies away, what are we left with? A void, into which the same empty imitations of FINTEL are poured, and that continues to stare back at practitioners and policymakers alike. In the darkness of the long winter’s evening, this challenges us to do better.

Having stepped away from the production line of the intelligence machinery, and eschewing for this purpose the archaic rituals of academic publishing , one naturally turns to the medium of the age. As revolutionary as the blog format has been to the intelligence communities of practice (sufficiently so as to both result in an unusually well popularized effort anchored from an early paper in what was the most secretive of environments), the maintenance and sustainment of lightweight publishing platforms in an ecosystem overrun by parasites and cannibalized by the major platforms has left only a few remaining bastions of both longform and relevant thought. 

Last year, I published my own yearly predictions, attempting to break the analytical mold, on Twitter. They caused, for what it is worth, somewhat more of a stir than I expected, but analysis is only as good as it is re-examined, as we do below.

There are distinct limitations to the Twitter format, to be sure. Analytic nuance is lost, supporting lines of argument and foundational evidence are nearly obscured. Even estimative language may be curtailed, if one is not cautious. All that is left is what would effectively be the key judgement (KJ) bullet points in a finished intelligence product.

It is for this reason I argued for years against attempting to publish to consumers in this way, due to the expectations that weigh upon intelligence as an organization. The irony of doing so now is not lost on me. If it had been, I am sure many of my friends and colleagues would continue to remind me. Delivering only KJs is particularly challenging in futures intelligence estimates, where the bulk of the value of a product is actually found in the reasoning about trends, drivers, and the processes of their interactions.

Thus it is more appropriate to consider each tweet not a KJ, but rather an estimative signpost – a marker in the unknown stream of future time, around which one may see the flow of present uncertainties as they may yet manifest, or divert. The process is much like casting stones into the water, where attention is paid as much to the ripples out from the initial point of impact.

But looking back, how do the estimative signposts in last year’s Tweet storm of predictive analysis hold up? This is for the reader to judge. But it is worth laying out the case here. Note  that the following is slightly re-ordered from the original thread, to link discussions across observed issues.

On medical intel / care target breaches, and political hack & leak objectives

Adversaries indeed discovered the utility of compromising private medical information for political pressure. The Iranian attributed Black Shadow operations against Israeli medical targets are among the most visible of these developments. Additional criminal extortion actions against other medical services providers have also surfaced material offering potential political leverage, but it remains unclear the extent to which hostile services have been accumulating this material in circulation, or in private transactions.

This CONOPs has not yet however extended to high profile leadership (at least as far as publicly known to date). Such extension is in some ways likely inevitable in an aging West, where the longevity, vigour, and even competence of major political figures is subject to frequent speculation. Yet the value of such privately held knowledge, particularly in times of crisis, remains a substantial inhibitor for random disclosure – as is the likelihood of reciprocal disclosures more likely to call into question the control that may be exerted by the heads of authoritarian regimes.

The health of leaders will of course remain a substantial intelligence target (as Rose McDermott and Jerrold Post have each written about). And the impact of selectively timed disclosures will almost certainly continue to remain problematic for societies unable to adapt to the pressures of adversaries’ deliberate active measures. Even if the adversary never chooses to actively leverage such espionage take for influence operations campaigns, the value of stolen medical intelligence may nonetheless remain substantial in allowing hostile services - and competing states’ decisionmakers - to focus on the leaders they are more likely to be dealing with over the longer term. Substantial advantages also accrue here in positioning for the turbulence of unexpected political transitions caused by illness or incapacity.

Stunning 0days disclosed with metronomic regularity

There is no question that 2021 saw the exploit treadmill running faster than enterprises or even the best individuals in our field could keep up. For each major bug disclosed, the rotten wood of decayed legacy software beneath yields additional exploitation value. And our adversaries have not only noticed, but seem to be pressing ever faster on these rapidly collapsing attack surfaces. Each of the stunning bugs of ’21 indeed only served as blood in the water, calling in predators for the feeding frenzy. We still have not yet come to terms with highly parallelized, independent threat evolution across multiple actors as a result of these events. Nor are we cogent what this means for ever more exhausted defenders.

On the tarnishing of myths regarding US, FVEY offensive dominance

One remains skeptical of comparative capabilities evaluation rankings, despite multiple attempts by different parties to establish varying indexes. The continued consensus that the US and Five Eyes allies remain firmly ensconced at the top of these rankings must also likewise be looked at with appropriate caution. We may in the first instance question entirely the character of offensive advantage in the domain, as my friend and colleague Jay Healey does. We may also consider capabilities demonstrated by conspicuous display, as in the profligate burning of bugs on parade at the Tianfu Cup and other recent events hosted in China. One must be cautious not to measure only what has been caught, because here it is the things that are not seen that define the highest end edge of the capabilities spectrum. It is to be hoped that there remains stunning, game changing portfolios held in the reserve somewhere in the dark of a closely held allied program.

But that is increasingly not the impression conveyed by those in the US government, or among allies. When a senior intelligence community official acknowledges publicly that the US now must become fast followers, we have reached a tipping point. Yet it may still take some time for this awareness to ripple through the policy community, let alone to influence its engagement with scarce technical talent and the fragile engines of capabilities development.

On offensive talent proliferation, and automated exploit development

Red sourcing and other commodity acquisitions strategies do indeed continue to have notably dominated lower tier programs, and served to create a generalized baseline mean for intrusions leveraging all the usual implant and infrastructure tooling. Proliferation was amply demonstrated not only in direct movement of talent, but in the disclosure of playbooks and associated process tooling. It was almost certainly not the first time that adversaries had seen each other’s operator checklists, and the development of formalized stepwise action models serves to diffuse knowledge within larger numbers of less experienced cadres with reduced initial training and education burden. Quality does suffer, but as always only needs to remain “good enough” against the class of targets to be serviced. Which rapid programmatic expansion defines in part at lower thresholds of sensitivity through its own scaling. Hit enough things, and an intrusion set’s quantity of accesses has a quality of its own.

Higher end capabilities indeed continue to remain a separate grammar, to the point that even when publicly disclosed they go largely unexamined. There are rare exceptions, and at some delay, such as the over ten month lag in public analysis of the stunning FORCEDENTRY iOS exploit – but it is the exceptions that prove the rule. 

Evidence of automated exploit development remains more elusive than expected, at least insofar as the public record has established. Lower tier adversary interest continues to be observed, but it remains unclear how many programs have effectively integrated these approaches into their capabilities development processes. The leap from mere fuzzing to a more sophisticated operational use of modern program analytic technologies seems to be for some teams harder than they anticipated.

On disclosure, VEP, & exploit portfolio sales, & export control

Commerce snuck its rulemaking on export control in before ’21 ended, only to see resounding silence in part because this only really bubbled up during the holidays but moreso in the otherwise largely rational response by large organizations already under substantial threat pressures to ignore this as one more government imposed paper exercise as meaningless in its implementation as it is voluminous in its word salad. Yet this merely defers reckoning to another day, and compounds billable hours for those lobbyists and lawyers as things come into effect, regardless of industry feedback. The policy community continues the unfortunate trend of treating 0day like they are only found in the US, when evidence mounts that the locus of real action has moved elsewhere. In this, other states are increasingly choosing to exercise stronger controls – not out of altruistic motivations, to protect the wider ecosystems or even to regulate negative externalities of vulnerability markets – but rather to better control early access and first mover advantage when presented with valuable portfolios. Any illusions of a Chinese government VEP policy similar to the one in US and Allied states were also very much shattered, and no one expected even the semblance of such a thing from Russian, DPRK, or Iranian offensive cyber programs.

On lethal outcomes from offensive cyber effects

The old tired debates continue. Those that understand dependencies, and higher order effects, felt all too keenly the weight of adversary action even as mounting morbidity and mortality data continued to be ignored. And it seems that within the span of the ‘21 estimate, if not the year itself, we may well once again see lethal contributions on foreign battlefields. 

Inadvertent trigger of pre-positioned implants

Thus far as publicly disclosed, unintended effects from the execution of implants intended for operational preparation of the environment have apparently not yet come to pass. For which we are thankful. But in multiple major crisis events, with immediate geopolitical (in the true international relations sense of that term) and other pol-mil-econ tensions, the potential for missteps by immature operators with poor oversight, limited process structure, and deeply entangled nth party access complications remains a serious concern through the estimative window. One would nonetheless continue to hope that this signpost remains wrong, and at the furthest edge of the possible.

On autonomous, wormable payloads

Here, the distinctions between public knowledge and private intelligence holdings and researcher findings are substantially highlighted in the past year. We have seen multiple vulnerabilities in major targets that are manifestly suited to wormable RCE. Yet for some reason, there remains not only a reluctance to accept the potential for such outcomes, but even direct hostility to indications of adversary interest and development. The most recent of these cases of course being the Log4j bug, which devolved into debates over definitions of autonomy, and fundamental questions over the degree to which behavioral observables manifest in artifacts may be seen to demonstrate adversary intentions (alone, or in concert with other collection). If this is where the consensus knowledge of the year ended, there is limited prospect of taking up the other questions of worms that remain harder to find in constrained propagation dictated by complex targeting logic, and harder to reverse and understand (in the very modularity that makes such tooling powerful in application). One would have expected better from the community of practice, but such is where we are in the present moment.

On Russian espionage compromise of cloud targets, and other operations in major platforms

The full dimensions of adversary enablement operations, and compromise of key common dependencies across the ecosystems, remain very much unclear. The continued corrosion of an effective common intelligence picture as post-incident findings are redacted, minimized, or withheld degrades our assessments. In the absence of the kind of log and artifact observables that cyber threat intelligence practitioners are more used to working with, other collection activities and analytic techniques must be brought to bear. Where this is done, or not done, has resulted in a divide between camps that simply see the world differently – often as a result of their orientation towards offensive or defensive problems, and sadly as much due to anchoring on prior estimates not revised in the face of subsequent events. Narratives have indeed taken hold, and hardened, in ways that will complicate assessment of future problems.

In other words, the centralized control of the current dominant cloud platforms makes collaborative forensics analysis harder, and thus challenges our longer term strategic understanding.

On failure to warn

Failure to warn as a theory of liability did indeed become prominent in ’21, but from an admittedly unexpected source. It has long been understood that USG desires to regulate its way into visibility, if not centrality, during cyber incidents impacting private enterprises who see little value in engaging with a host of competing agencies and their component elements that provide no meaningful assistance, and only level further conflicting demands. Proposals to advance mandatory incident disclosure notification with increasingly (if not unrealistic) ambitious scope and timeline requirements still have not achieved legislative traction, although executive actions to implement similar obligations are accumulating across multiple sectors. Beyond regulatory demands, FBI has now advanced the theory, in comments contemporaneous to a superseding indictment in the matter of the 2016 Uber extortion case, that executives may be directly charged if firms do not provide information to the government, where there exists the possibility that such disclosures could have been leveraged for future warning to other victims. One expects other civil actions will rapidly follow – especially where multiple firms increasingly seem to assert that they need provide no disclosure to customers regarding implications for their products of even known vulnerabilities exploited in the wild; or any information regarding substantial intrusion incidents on their platforms, regardless of potential impact to the customers of those platforms. As usual, it seems these things will be tested not through cool rationality of policy debate and decision – but through the heated contests and random outcomes of the courtroom. The resulting precedents will inevitably lead to risk aversion, further overlawyering, and ultimately yet more disincentives for the private sector common intelligence picture.

On changing CTI production

The collapse of traditional media as its revenue sources are cannibalized by the advertising infrastructure underpinning the entirety of the technology ecosystem has displaced a lot of folks that string words together for a living. Many of these folks are used to doing so under deadlines, and with a focus on shorter and direct pieces. As intelligence organizations have long recognized, these are useful traits in a line analyst. However, these are very different professions, and the tasks of an intelligence professional are more than simply writing something the customer likes to read.

Worse yet, where intelligence production is seen as useful to the organization solely as a means of generating marketing collateral that is then pushed in the hopes of generating positive media coverage, devolution to a more journalist friendly audience may creep in as a requirement. As we have seen, some shops have sought to cut out the middleman and directly hire former press talent not only in intelligence roles, but to support their own newly established “new media” model outlets. Such pseudo-journalism has in the past year very much challenged established analytic tradecraft standards, blurring the line between collection, analysis, and delivery. 

This in turn spurred even further devolution in newly established shops where tradecraft remains apparently unknown. Suffice it to say such noise will always plague us, but there is an expectation that the market can be self-correcting. However, I routinely underestimate the longevity of mediocrity in this space.

Yet there is an absolute clock running, where the tipping point for new technologies to displace the labour intensive and talent specific tasks of much of cyber threat intelligence is ticking. There are interesting start-ups this year that seem poised to disrupt the space. And the volume of reporting generated from automated processes that practitioners at multiple levels regularly consume has been ticking up inexorably this year.

On economic espionage value in foreign technology production

The continued attempts to deny the military and economic utility of cyber espionage in cumulative effects remain puzzling. But Western awareness of PLA development and deployment of new systems that bear unmistakable lineage in compromised programs has lagged, as much due to deliberate attempts to avoid considering what this means for military budgets in a time when political leadership would prefer much deeper austerity. Yet the adversary not only gets a vote, but has set the meeting agenda. 

It remains to be seen when this argument shifts. Perhaps when other self-delusions regarding broken promises of restraint are also abandoned, or perhaps it will require a flaming datum to illustrate the point.

On infosec cons

Pandemic travel restrictions not being over, the effect on the con scene remains as yet uncertain. The brief period of optimism of late summer and early fall ’21 does not provide sufficient basis for retrospective evaluation.

Having laid out the predictive record, warts and all, it is traditional to close with an exhortation to intelligence professionals to take up the burden to do better than what has been presented before. If one considers the analogy of casting stones, this is all perhaps just one more thing to be slung towards those that may take up the burden. As the old Greek inscriptions on sling projectiles read: “DEXAI” (Catch!)

a stone, with greek "CATCH" embedded.

I may well throw another volley of estimative signposts for the new year (plus 6 months, to account for the span of Moore’s Law), once again via Tweet storm, in the coming days. One nonetheless hopes to see further more formalized efforts, grounded in properly rigorous tradecraft, from other shops this year. 

About the author:  JD Work is a former intelligence professional turned academic.

The views and opinions expressed here are those of the author and do not necessarily reflect the official policy or position of any agency of the U.S. government or other organization.

Tuesday, June 15, 2021

Pride Month

I've read several cyber policy papers on "Culture" and how to address that when trying to recruit and retain cyber security talent, especially within the US Government, and within that, especially at CISA and DHS, which are struggling to grow. A lot of times, this comes from a military background, where people talk about lowering fitness standards or letting people grow long haircuts, which is almost besides the point. Most hackers I know will definitely choke you out in a hand to hand fight.

Instead, although there's been no proper survey, but if you DID do a survey, you would find out that there are many more LGBQTIA+ people within the cyber security fields than religious people of any affiliation! This indicates a set of values that an organization looking to obtain cyber talent needs to pay close attention to, not just because they want to directly recruit people, but because all the companies and people they want to partner with likely share those same values. I said on a recent podcast that I saw something from the NSA, but not from anyone else, so I thought I would go do some research and get some ground truth.

So let's take a quick look at how various places are doing!

The gold star award this year goes to DIRNSA with a 41 second rainbow themed heartfelt personal video message to the world on behalf of the three organizations he heads. You'll note this was released right on June 1st. Someone thought ahead.

CISA also gets a GOLD STAR, with a personal message from the deputy director, and two tweets about it. Slightly later than NSA, so maybe slightly smaller star?

DHS gets a gold star as well. (There is also DHS_Pride, which they mention in another tweet). It seems the previous time they posted about this was 2013?

The FBI, which of course used to be rather on the other side of the issue, also posted on the issue. Gold star. Weirdly nothing from 2019 though.

And of course, the beginning of it all, the UK's GCHQ. Another gold star, although I don't think they have "pride month" in the UK, they do have a rainbow flag AS THEIR TWITTER ICON. And of course, this speech, given the way only the Brits can. [Update: This Tweet too ]

In summary, looks like if you look on June 1st, only the NSA (and GCHQ) cares, but if you look on June 15th, everyone has said something. That's surprisingly good news.

Oh wait, almost forgot someone! The CIA recruiting LGBTQ via Glassdoor is ironic somehow. And they posted in 2019 as well, bucking the trend. So two gold stars.

Sunday, March 21, 2021

Cyber is perfectly fine for Signaling

The other day I read an article about cyber signaling. Signaling in international relations contexts confuses me because so much of it is about an uncertain reality, and the truth behind intensions is never know, and it weaves so much geopolitical and military context together.

I pasted a section of the article, including links to the authors, below.

To quickly summarize the article's arguments, as I saw them, I also include the following bulleted list:
  • Cyber Signals are easily muddled or misconstrued, such as with overall noise or system outages.
  • Reliance on "attribution" may make Signals delayed (and hence, less powerful)
  • Hard to say what a cyber event was intended to Signal
  • Most cyber events don't cause big visible effects which makes them cheap (and hence, basically worthless)

The article mentions that yes, nations can call each other on the phone after a cyber event has happened, and point out why that event happened and provide additional threats and context.

I would say these arguments are unpersuasive, and that cyber both IS and HAS BEEN great for signaling between nations and often also between non-state actors.

First I think signaling can be split nicely into warnings and demonstrations of capabilities, and these are not the same things. But to start off, I want to tell a few stories of yesteryear.

Back in 2002, there was a mailing list known as Bugtraq that was used the way Twitter is used now - to post flotsam and jetsam about information security, including exploits. At the time, ISS XForce was, as the name might imply, a pretty powerful force. They released a number of great exploits and had a lot of talent that went on to do great things, but that's not the story I'm trying to tell.

Back in 2002 ISS XForce announced a vulnerability in the Apache Webserver - one that was only exploitable on Windows. This was essentially a "good" bug, but worthless in the sense that most people running Apache were not on Windows. 

Then, out of nowhere, a hacking group known mostly for shitposting published a working and reliable exploit for that same vulnerability, but that affected Apache on Unix operating systems, complete with an advanced shellcode, as you can see from the article below and this made people reassess the situation.

I don't mean "reassess the situation about Apache". What I mean is that a lot of us were thinking "Hey, maybe the best in the world doing commercial work and releasing exploits to vendors are not, in fact, ahead of this game". This wasn't about Signaling in the sense that one nation was trying to deter or coerce another. But it was Signaling in the sense that one community ("hackers") was pushing back on another community ("the commercial security market").  

That brings me to TianFu Cup. 

If you don't know about it, the TianFu Cup follows in the tradition of Pwn2Own and other hacking contests in which you use an 0day on a product in a demonstration, and then you get money as a prize and the contest gives the 0day to the vendor to be fixed (in most cases). These contests are often watched carefully and vendors often drop patches to their products right before them, in an attempt to make exploiting them difficult. 

Except that while even the highest end contests in the US have notable successes, none have ever reached as high as TianFu Cup does effortlessly, when one of the researchers owns every major browser, and every other hard target falls as well. You can compare this to the 2020 Pwn2Own here.

Again, this is a stunning display of not coercion or deterrence, but capability. 

But there ARE lots of examples of coercion and deterrence in cyber. I will list them below in my favorite thing, a bullet-list:

If anything cyber signals (and other covert but demonstrable effects) are extra powerful because they can say "KNOCK THIS OFF" without saying who sent it, or HOW they managed to send that signal - which in some cases is a lot scarier. 

Likewise, countries signal with policy changes. They announce quite clearly when the move to a more aggressive posture, or when they step back. You can't go two weeks without some country or another, like New Zealand, announcing their own private interpretation of how international law applies to Cyber. 

But that doesn't mean signals aren't also done with restraint, or through side notes in Track 2 meetings. The HolidayBear attack is a lot less transgressive than the NotPetya attack. The Exchange server hacks are an element of continued relationship breakdown between the US and China. Leaking data as a "signal" is an element of the original terminology of the cyber domain ("Dropping a mailspool" being the traditional term). And we continue to see that to this day. It's probably worth pointing out that while leadership-to-leadership is often required for traditional military capability signaling, Twitter with its pseudonymous accounts is often good enough for cyber.

Incident response can also be used for signaling. Many major anti-virus or endpoint protection firms make efforts to signal, by exposing US or allied operations, that they are international companies, wishing to do business in China or other locations. And this can get even more complicated, since many incident response firms will downplay the findings from particular countries they wish to curry favor with or exaggerate those from "adversaries". 

In conclusion, signaling with cyber is both effective and likely to continue.

Thursday, January 21, 2021

While in Kyoto, a comprehensive review of Cyberpunk 2077

Until recently I hadn't realized just how terrible I was at playing video games. And now after finishing Cyberpunk and watching a bunch of "spoiler" reviews I realize most people think the goal of these games is to increase some stats numbers so that the already braindead enemy AI is somehow even easier to beat up. Anyways, here's how you play open world video games, or as they will be known in the future: Games. 

1. Don't watch tips videos of any kind or read articles on the "best netrunner build" or any of that nonsense.
2. When you create a character, it's like in DnD where you are pretending to BE that character. Try to keep your roleplaying consistent! But also, the goal is to experience the world, which means doing ALL the side missions and reading all the various little texts that lay around the world explaining everything.
3. By the time you reach the cyborg-alien end-boss you will have become death, the destroyer of worlds, but you will also be OF the world, and a piece of it will stay with you even when you log off.

Anyways, here's my one line review of Cyberpunk 2077: it's a goddam masterpiece of art. It is better in it's own way than GTAV's joyful nihilism, or RDR 2's detailed reminiscence,  Skyrim's pathological weirdness, or even Breath of the Wild's cultured perfection. People online have spent gallons of ink complaining about the various bugs, but you know what else has bugs? Everything. 

We spent the last four years fuzzing out why having a unitary executive is as bad an idea as a monolithic kernel and so it didn't bother me in the slightest when some UI element wouldn't disappear or a car dropped in from nowhere. That's just part of the game - the world is a buggy place.

By "art", I don't mean the graphics, which, yes, are amazing - and in particular the animations of everything bring the characters to life in a way no other game really has - when some street busker plays a guitar, his fingers move in the correct chords in the correct times. What's truly exquisite about Cyberpunk 2077 is the writing and story and world creation. At the end, as a guard walks you to your cell/hospital room, he recites a poem to you, although the world is purple due to malfunctioning neural connections, and the concept of "you" itself has taken a royal beating.

While in Kyoto, I hear the cuckoo calling,
and long for Kyoto.

This is a fairly famous Basho Haiku, but it's a BETTER TRANSLATION than the most popular ones you will find on the internet or in books. And that's how the game's world building works: It's a better translation of the Cyberpunk gestalt than the books and movies that came before it.

It's possible that this game is not as good if you have not been immersed nearly from birth in hacker culture. We slip into the lingo of this game like it was tattooed on us underneath our clothes. Cyberpunk as a genre has always been about a crisis of identity as the wave of modern technology washes over it - of the concept of identity, not of any one person's identity. 

Seeing a fully realized vision like this is always surprising, like the way puzzles in BOTW tie to the physics engine so beautifully. In Cyberpunk, the physics engine may be janky but it's the philosophical engine that thrums smoothly just beneath the surface of everything. 

One of your first missions introduces you to a clan of post-humanoids, living like everyone else in the world does, through savage grift. They all have faces heavily augmented with metallic cybernetics and it's not until almost at the end of the story that you realize they....look down upon you. Normal humans can't see and hear the things they do. They have music you can't "get". "Dum Dum" is anything but.

One thing that strikes me is how few animals there are now in the real world, compared to when I was a kid. Cyberpunk takes that to its logical extreme - there just aren't any animals. Seeing a feral cat is a treasured experience for the people in this world. Everything is covered in trash - plastic bags of it line every waterway. Various "tips and tricks" on YouTube point out that in the early game you should pick up every little dildo and ashtray and other flotsam that the world is littered with and sell it for spare cash without commenting on why this is so.

If we look into the future, how could this not be the world we created? A newscaster reminds you the city's population has decreased by thirty percent year on year. But this is not a dystopian vision - it's a story of survival at all costs. Of what you have to become to exist. Our society has grown so long we forget they can also contract.

In Cyberpunk's Night City, which is in California, even the weather has changed - sandstorms, but also smogstorms, to the point where the giant solar power farms just outside the city are being decommissioned. All of this is relayed as news while you take an elevator, or snippets of text in documents throughout the city, or in odd bits of optional dialog. 

I've noticed that movies no longer hold anyone's attention - they are both too long and too short. But the characters in Cyberpunk are fully fleshed out - they get more screentime than even a major character would in a blockbuster. And the motivations and drivers behind them are carefully crafted - the ending words of the primary antagonist drive into you like a stake. You slot his inevitable and horrible death as you realize you are the unwitting tool of his evil father. 

The most poignant missions in the game have no shooting at all. Yet they require your participation, which is the sine-qua-non of the artform that is video games at this level. You can't help but be blended at some level with the character you play.

The truth is shooting things is ultimately a futile endeavor if you don't understand the world you live in. I recommend you take the time to experience the depth of the world they created, because it's worth confronting in a way few games are.