The United States Air Force shut off the Internet connection for Maxwell Air Force Base, the home of the Air War College. Across the Internet security experts have been applauding this effort as a method of holding the institutions at Maxwell accountable for their lax information assurance and security practices. To me this is absolute proof of the dictatorial, autocratic, ill-informed, pedantic, egotistical, inflexible, irreparable ignorance of security practitioners.
The security of authoritarianism is only slightly worse than the hacker plague. When security is allowed to run over the user community and engage in dictatorial practices users will revolt. Even in a government organization the mood will not be conciliatory and as with any power when used against the user base security practitioners will now find themselves and the head of raging dragon. How can shutting off the flow of information, breaking applications, breaking tools, creating ill-will, exposing the fact it is possible to sever that connection (opsec), and treating users as pawns be considered a good idea?
It is a consistent tension between business needs and the practices to protect those business needs and if security wins out business has a tendency to halt. In the case of a tradesman hiring guards to protect his product it is much more secure to never leave the castle, but trades is never accomplished. What we have here is the analogous security for the tradesman whipping the servants of the tradesman and refusing to leave the castle because somebody left the door open. In other words security has become a denial of service.
Brittle security as an axiom is nothing new to the security practitioners. It is much easier to be dictatorial and proffer binary solutions of secure and insecure. In the case of Maxwell Air Force Base an intrusion occurred that might have put the entire Air Force network at risk. This would be bad. A good security practitioner might look at that and say how are shared systems at risk, fix the root cause, and enable a successful solution working the process. Instead we get a self imposed punitive denial of service. This is the epitome of brittle security. Brittle is the practices of binary security methods and protocols where things snap and break instead of flex and when required to fail gracefully. Technology under enough pressure will always fail. The same is true for people too.
Security is not a technology problem. No amount of encryption, firewalls, intrusion detection systems, protective devices, black boxes, aluminum foil hats, or blocking people from using USB or CDROM storage media is going to increase security of a network. The pervasive and ubiquitous nature of the network and the inherent scope and breadth of the global information grid have over reached the minimalist considerations of most security technologies. Security has been and will always be a people problem.
Resilience is the only possible way to begin thinking about security. What was forgotten at Maxwell and by most of the pundits discussing this topic is that security is a process of management and more importantly of risk. There is inherent risk waking up every morning, and more importantly there is inherent risk in running a network every day. A network that people want to access for good and bad purposes is a juicy target. Security though is fickle in the pedantic minds of people who impose their will on others. Of all the possible tools in technology, policy and procedure, and the individuals involved are doing a denial of service attack against their users as a form of punishment. Thereby impacting the mission capability of the base, the personnel, the organizations, and somebody somewhere signed off on this.
You can tear dandelions out of your lawn, you can poison them, you can attempt to pull the roots from the ground and they will always spring back and in some perverse zeal expand. This is the nature of information assurance and security problems. The reason there is always a tension that exists between users and practitioners. The job is and will never be done and security can only be managed at some level of risk. There will always be risk. There is no pat, defined, easy, binary, or finite solution to the milieu of security issues. There can only be best practices and a continued effort to manage the widely varied systems to the best of the practitioner’s ability. There must also be the understanding that it will always fail. It is the nature of the asymmetries of threat that the defender must be perfect and protect perfectly every time, and that that attacker need only be successful one time, and nobody is perfect. You cannot get all the dandelions.
Security versus the user cannot be tolerated. All that will have occurred is trading one onerous problem of hackers for another onerous problem of self imposed restrictions. Security practitioners who think in binary solutions are an endemic problem to the practice. The art of the win-win has been lost in the barren fields of intellect. The idea of security as a process is being lost to dictatorial and autocratic processes that neither fix the issues exposed, nor do they create resilience in the processes. Security practitioners do not like the fact that their job is never done, they really do not like the idea that the job will not be done perfectly, and they have a tendency to talk in apocalyptic speech about what will happen if they do not get their way.
Information assurance and security of the enterprise is a layered problem filled with extensive holes and pit-falls for the unwary to fall into. A huge literature of security protocols, procedures, and techniques exists to fill many of the gaps and bridge the larger areas or problems. Vendor based technologies are often the belt and suspenders approach, or the designated blame point when something is wrong. In the end security is not about having no incidents but insuring that users can keep working even when an incident occurs. At Maxwell Air Force base this is the rule they have forgotten. The security practitioners retreated and sealed themselves up instead of fighting through the attack. What an embarrassment.
1 comment for “Maxwells hammer: Ringing up a denial of service against their own users”