Having read many cyber security initiatives and reports, I thought I might throw a few ideas up against the wall, listed in problem and solution format. Consider the following from an ideologically free position, under the rule of thought that I am not looking to sell or cost anybody more money. Some basic biases of the following are that I’m not trying to answer all the risks and problems. I’m only trying to answer a few as I look at the landscape. We’ve solved a lot of the problems of computer systems security, but nobody implements the solutions. All major operating systems support encrypting data at rest, but almost nobody does it. The key management techniques are fairly well known, and even the less than perfect solutions work much better than losing information control. Shame on the security establishment.
To understand the following: I am not trying to give the only way to solve these problems. Yes, I could write BOOKS(!) on each issue for sure. These are just some ways to solve or describe the problem better, following each issue.
Problem: The current paradigm of computer security is flawed. What we’re doing isn’t working, and what isn’t working is costing us money for non-solutions. The architectures of security actually decrease the resilience and effectiveness of efforts.
Solution: Stop trying to solve the problem the same old way as what got us into the current state of affairs. Shift the paradigm away from hardware security and start thinking about information security. What is needed is the ability to protect information at any point and in any state in a NEVER trusted environment.
- Stop thinking of security as perimeter defense. Adding more and deeper perimeters may increase adversary work factor but decreases resources exponentially.
- Do think of security as a set of risks. What do you want to protect, and how much are you willing to spend protecting it? There is no such thing as complete security.
- Stop worrying about dollars alone. Worry about the value of something and money is only one measure of value. This is harder but makes communicating the risks easier.
- Do engage stakeholders in the discussion. The rule of unintended consequences is fed by the lack of communication.
- Stop using security management techniques to moderate user behavior on moral or social grounds.
- Do use good systems security practices (let’s not get stupid here).
- Stop using “dumb users” as an excuse for security lapses.
- Do support end to end solutions for protecting information.
Problem: There are persistent threats from state actors and proxies against intellectual property and national security apparatus.
Solution: Whether the solution is diplomatic or not, a Moscow Rules type doctrine needs to be in place. This might be related to “MAD” (mutually assured destruction), but the resultant policy should be to:
- Stop using the word “cyber” plus any of the following (attack, war, espionage, security, freedom, politics, or any other term you can think of).
- Do talk about goals such as information security (e.g. managing the risk of unexpected information exposure).
- Stop using fear, uncertainty and doubt to sell products or get resources for your agency/department/project.
- These are your cyber conflict principles:
  - The adversary knows more about your network than you do.
  - Intuition is just as valuable as metrics when time is fleeting.
  - The insider threat is purposeful and due to stupidity. Trust nobody.
  - Operate as if you’ve already been exploited.
  - If you tell a user “No” without giving alternatives, you deserve what happens when they go around you.
  - Never allow your systems to rise to target status.
  - If you measure security based on the number of attacks you resist, you have already failed.
  - Distributed homogenous networks are still single points of failure.
  - The use of network traps (honeynets) and deadfalls (honeypots) is not politically correct, but it is effective.
  - Do not ever probe the adversary; you give up more than you gain.
  - Use temporal security to defend at a place and time of your choosing on the network.
  - There is no valid defense in cyber conflict where you give up pieces like pawns. A loss is never regained.
  - A process is a way to define failure.
- Stop thinking that “perfect” is even possible, and while we’re at it, do away with zero defect career mentalities.
- Do hold people accountable when they screw up.
Problem: We keep reliving and relearning history. There is currently a set of myths in information security that should be done away with. Those myths decrease security and reduce the capacity for resiliency.
Myth 1: There are not enough computer security professionals to serve the current need of government or industry.
Reality 1: There are more than enough, and many are unemployed. The problem is that they can’t get security clearances without experience, or experience without clearances. Some smoked dope. Some aren’t hippies, but they ain’t saints either. There are more than enough, but zero defect decreases the pool to near zero. NO AMOUNT OF EDUCATION or INDUSTRY INNOVATION will fix this.
Myth 2: We can’t do attribution; security; surveillance; task a, b, c, etc.
Reality 2: In general we can do whatever we want to do, but people have wildly inappropriate expectations when we talk about computer security. If the forensics on DNA or bullets takes weeks, why would you expect computer forensics to be instantaneous? Setting up a platoon fire position for boots and bullets can take days for 20+ guys, but a network should be done in hours by one guy who is digging firing positions too?
Myth 3: Cyber is totally different because it is moving so fast, or the equally facetious “computer security is so new nobody knows how to do it correctly.”
Reality 3: Though Moore’s Law moves forward, doubling on 18 month cycles, the reality is that computers as a pattern of inputs and outputs have not significantly changed since they became ubiquitous. The principles of confidentiality, integrity, and availability are consistent throughout history. In other words, this myth is totally false, and anybody stating it as a reason for failure is a fool. The patterns of information conflict have been the same since Caesar, and the technology is always changing. People, though, are pretty much people.
Myth 4: Related to Myth #3 & #2 is the equally offensive “I’ve got to get me some young people in here who understand this newfangled technology.” As if youth bequeaths skill.
Reality 4: GET OFF MY LAWN YOU NIMWIDGET KIDS… Well I’ve got to get some pre-teen to drive this new car I bought. I mean only these youngsters really understand how to drive.
Any time I hear this out of some government official I’m concerned about pederasty. Thank you very much, but this old graybeard with numerous computer science degrees just got jumped for a job by a kid who does well on Halo but can’t tell the difference between a compiler and a virtual machine? I’d rather have some 20-something who can change his own sparkplugs than a numbskull phreaker who is pwning networks with script kiddy tools.
Problem: People mix use of personal devices with government/business tools (like cell phones, computers, email), resulting in data exfiltration. Often this is banned, and then people end up carrying multiple devices or “working around” the restriction.
Solution: This problem has existed for a long time. First it was phones, then it was computers, and now it is becoming mobile devices. Part of the underlying cause is the perspective of technologists or bureaucrats who focus on the tool, device, or technology and forget about the human. Put the human or person first, not the tool or device. Without the person the tool is useless. How can you serve that person better? Is restricting the use based on some cost metric? What is the cost to the corporation if they don’t use or refuse to use the device because of another device they prefer? The CIO/CSO needs to think about these things much more than has been the case. Part of this is caused by incentives. In zero defect worlds CSOs get paid to say no. They are NEVER asked the cost of saying no. They are only asked about the risk and cost of saying yes. Use holistic measures to overcome this and start putting people first. The tools are there to secure information; why aren’t you worried about that a lot more than the use of technology?