Yet another cyber treatise

With the impending release of the 60 day cyber review and myriad conferences to cover cyber security I wish to put a stick in the ground and make a pronouncement about cyber security, information assurance and security and anybody who knows what the letters SCADA actually mean. You are all full of it. And let me tell you why.

1. In over forty years of computing the basic issues, problems, and concerns have cropped up and been discussed without anybody actually fixing them. In every decade there has been a cycle of continuous yammer and computer perfidy without any solutions being implemented. This should be clear evidence that there are no solutions and we should stop worrying about it.
2. The default neo-geek standard answer to a technology problem is to layer on additional technologies that can then be defeated. This is analogous to somebody fixing a leaky earthen dam by opening more holes in it. Don’t mind that rising water it isn’t a bug it is a feature.
3. Given the billions of dollars spent on research, technology, loss, and purveyed in the literature and reporting of cyber loss you would think somebody would have developed a good system of metrics. Since that hasn’t happened the obvious thing must be true. Nobody cares.
4. Cyber warfare and cyber terrorism are real and imminent threats. Yet most everybody says nobody can point to a specific case and say that is cyber BLANK. Even when there are numerous cases. This is selective blindness. Nobody wants to know.
5. Given that the technologies are well developed and filled with Grand Canyon security holes that suggests the incentive models for developers and commercial entities are messed up some how. Not that we have ever seen corporate America and the world in general sew salt in the fields of future profit (*cough WALL STREET cough*). Tell me why warranty and product laws do not apply to software and computer hardware? Can you imagine if they recalled Windows?
6. The fervent attacks against privacy, and lifestyle by the corporate data scraping and government tracking technologies represent a clear and present danger to liberty and sanity. The fact nobody cares is a concise example of the limited utility of working on the issue. Quit caring about the color and eat your soylent green.
7. Insider threats remain the primary problem according to the weak statistics we have. If the human resources rules and regulations involving invasive testing and vetting by Gucci wearing socialable human resource types are unable to detect malevolence. How in the world can we expect khaki, vendor polo-shirt wearing, introverted, pale, tanned by the twinkling router lights, stuttering, geeks to detect security lapses in people?
8. In a little over 35 years Einstein and a small group of dedicated physicist took an idea and created nuclear weapons. In that period of time the Untied States went through prohibition, gave women the vote, fought a world war, and ended another with a bang.  We have done big projects in the midst of huge societal upheaval and moved on to the next big task. Computer scientists are still talking about information security like it was 1969.

As long as we consider attacks on the World Wide Web such as defacing web pages and denying access to them as cyber warfare we’re good to go. This is the real world equivalent of wiggling our kilt wearing bare backsides at the enemy while shouting obscenities. Poor behavior for tea totaling professors but perfectly adequate behavior for blood thirsty Marines. If people talking with hostility on web forums and generating scripted attacks is cyber warfare well kiss my patoottey.

Maybe those computer scientists and enlightened evangelical vendors touting IPV6 and virtual private network technologies worried about the TCP/IP stack of the Internet are onto something. Scare me to death if the Internet doesn’t function. My experience with information technology failures is that I might get more work done, but the only thing that will likely get through an outage is male enhancement spam. What would I do without constant indications of my lack of masculinity? I will have to console myself with my vendor can cozey surrounding my Mountain Dew. The Internet is good stuff but it isn’t going to kill anybody.

You want to kill people you need mad hacker skillz. In fact you can wipe out a bunch of the Internet while dragging the anchor of a ship, but better yet get deeper into the control systems or SCADA systems. Since so many of the programmable sensors are attached to the local area network and equally ignored by information technology professionals and building maintenance people you would be surprised how much you can do without anybody caring.  Find the edges of these types of systems where they bump against the processes and procedures of safety and health and grind into the reef of apathetic people. That is where you can create chaos, pain, injury, and destruction.

Look for those places where health and safety are at their highest risk potential and things are automated to save people from risk. Increase point security at the expense of societal security and open opportunities for fearful repercussions. Since we’ve already identified the fact nobody cares, nobody will take action, and there is substantial blindness to the issues opportunity begets access. For historical examples to what is capable look at technology grand failures and massive disasters to determine risk opportunities. Bhopal India is a good example of how technology can create huge risk and danger. I shudder at their loss.

It seems we have the web, the Internet, and the department of everything else. When we talk about information assurance and security what we really are talking about is some data being partially obscured from users and mitigating the loss of our job. Nobody really wants to talk about information as that is a lot of stuff that isn’t web or Internet. Security is some topic nobody wants to talk about.

Here is the final deal. The economic incentives for information assurance and security are screwed up. Vendors and researchers aren’t going to fix this problem. Why would they? The dollars would go away, the sales would end, and nobody would be happy. Computing scientists and organizations have successfully lobbied and created a stigma of being different. Software is copyrighted, traded as specific intellectual property and has no warranty or legal binding agreement to service. We accept onerous anti-consumer driven end user licensing agreements without qualm.  We get excited about upgrades when the software we are already patching and using is horribly wrong .Why would we think something new would be better? The process of creating software is flawed by the expectations of consumers. Why in the world would we accept data at any point other than being displayed in an unencrypted form? Maybe because the only encryption technologies government and industry want are actually hostile to the user.

Information technology is no different than any other utility. Who accept caps, or mandatory outages on their electric bill? Who would accept multi-tiered electricity usage so that my toaster costs 1000 times more than my television to use like text messages on cell phones versus browsing the web on my computer? We want information technology to be totally different and the incentives of society are set up to make sure of that. As long as information technology is different security will not be possible. Until information technology is treated like any other public utility with standards, controls, licenses, and such there will be no security.

All those experts with multiple decades of experience will continue to tell Congress how bad things are, it is the end of the world, and everybody will likely die. All the vendors like crack smokin’ dope peddlers will offer up just one more technology solution to solve all your problems and make the pain go away. Savvy students will sneak through security programs to take jobs in companies pandering security techniques that haven’t worked in the last 40 years as if they might work in the future. The cycle will continue. The conferences of fretting academics stodgily plodding along in lock step with the literature that recycles ideas like uncle Leonard does aluminum will they bow to ideas as antiquated in the world of Moores law as Egyptian tomb hieroglyphics in the day of the modern web.

Information assurance and security is people, process, and technology. Only one third of that equation is equipment or bit and bytes. It is the easy part, it is the part that non-conformist, introverted, khaki wearing, pasty geeks, are easiest dealing with. I reject that as a model and say here and now that security is possible in a world where computing is no longer special. Security is possible in a world where companies are held accountable to standards we would hold any consumer device. Security is possible in a world where incentives are for solutions rather than perpetuating the problem. Security is possible when government binds privacy and data into a contract of respect and personal control. Security is possible when corporate greed and centralization of assets is placed into the perspective of one electric circuit breaker away from catastrophe. There is more but nobody ever reads to the end anyways.