Saturday, December 24, 2016

2017: The Year of the Better Metaphor?

If the holidays are known for anything, it's heated discussions about the same contentious issues with the same bone-headed relatives who don’t know what they’re talking about; and why did my sister marry that guy; and when grandma is gone I’m never coming back here…
Likewise, nothing says you’re about to get into a heated discussion on cyber security like the use of a bad metaphor.
Since so few of the people involved in cyber-security actually know anything about computers to a sufficient level of granularity, or by the same token understand the wider social implications of their ‘simple’ technical fix, everyone falls back on their half-remembered high school history to try and help make sense of it all. Herewith our most misused and abused metaphors, and some suggestions to help make actual sense going forward.

Digital Pearl Harbor

What people think they’re saying: “We don’t want to be caught unaware by a surprise cyber-attack.”
What they’re not getting: Private sector, governmental, and critical infrastructure systems have been under attack for decades. We’re not in danger of being caught unaware, we’ve been hitting the snooze button and acting surprised and annoyed when it goes off…again and again and again.
Suggested alternative: Digital Trench Warfare (or Digital Ypres, if you must). The good guys are over here, the bad guys over there, and between them is this very risky area. Sometimes the bad guys are strong enough or lucky enough to make it across that area, in which case the good guys have to work very hard and expend a lot of blood to kick the bad guys out.

Manhattan Project

What people think they’re saying: “We need a multi-disciplinary effort to come up with a better way to do X, where X is some defensive/protective mechanism.”
What they’re not getting: The Manhattan Project was a multi-disciplinary effort to build the world’s most deadly offensive mechanism. That mechanism was only used twice, and the planet has lived in collective fear of it being used again every day since.
Suggested alternative: Cyber CERCLA (a/k/a Cyber Superfund). Back in the day we didn’t care two whits about the environment. The Valley of Drums and Love Canal (and a crying Indian) changed all that. In cyber security they don’t call DFIR-types ‘digital janitors’ for nothing. I’m not saying we tar-and-feather the founders (what they built made sense at the time), we just need to accept that bringing what used to be OK up to the standard for what is OK now is going to cost a metric-***-ton of money, and if we care about security we should be prepared to pay for it.

Digital Maginot Line

What people think they’re saying: “You need defense in depth because static defenses don’t work because the bad guys will just go around them.”
What they’re not getting: The Maginot Line was not supposed to stop invaders, it was supposed to slow them down and/or channel them to a point where the smaller and weaker defenders could rally in strength in order to put up a half-decent fight. The Line did exactly what it was supposed to do.
Suggested alternative: Use “Digital Maginot Line” properly. Defense in depth has its issues, and no one is suggesting you unplug your computers and lock them in a vault, but let’s be honest: if someone devised a system that delayed and channeled attackers into a zone where you could more effectively fight them and keep them away from your most precious data/valuable resources, you’d buy that today.

Digital Magna Carta

What people think they’re saying: “We need to protect ourselves from oppressors who would arbitrarily punish people without due process based on what they say or do online. Come and see the violence inherent in the system.”
What they’re not getting: If you say these words from a country with a governmental system that is more liberal-democracy than autocracy, dictatorship, or kleptocracy, you have no idea what oppression looks like. The fact that you get to say those words in public or in print and still walk the streets is proof enough of that. Your good wishes and strongly worded demarches aren’t advancing the cause of freedom.
Suggested alternative: Digital Jedburghs. Foreign regime using digital means to enhance their ability to find, detect and oppress dissidents and you’re not down with that? Stop writing manifestos and start putting some skin in the game. Give people the means to not only resist but fight back. A word of caution: this might come back to bite you in the ***.

Going Dark

What people think they’re saying: “If we don’t preclude the use of encryption, or weaken it to the point that (the appropriate authorities) can break it, the world will be overrun with ISIS and pedophiles.”
What they’re not getting: This being America, investigations (of citizens) are supposed to be hard. If literally the only thing stopping you from keeping a monster off the streets is his PGP pass phrase, you’ve not done a very good investigation. And not for nothing, but encryption didn’t help the 200,000-odd sex offenders currently in prison, nor does encryption help every jihadist in the sights of USAF UAV weapons officers.
Suggested alternative: Fourth Amendment After Next. I’d much rather we focus our energies on rights and liberties and not crime and punishment. When you define the former it’s easy to identify the latter; when you come at it the other way around it doesn’t work out nearly so well. “After Next” is a military think-tanky way of saying “these are the issues we think we will face in the war after the next war we fight.” The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures in the information age could not be more important. Courts are already beginning to realize the problems with things like the border exception, and as we step tentatively into the age of implantables, this is an area that is only going to get more complicated and dangerous if we don’t get it right.
By the same token, if you think political dissent and child abuse are both worthy of equal protection under math, you’re not someone I want to meet in the new year.

Cyber Arms Control

What people think they’re saying: “If we can impose a layer of control over the things you need to make (dangerous things), we can stop those less responsible/polite/sane than ourselves from getting and using (dangerous things).”
What they’re not getting: Since nuclear arms control became a thing, more countries have the bomb than before it was a thing, and keeping a handle on code is infinitely more difficult than keeping track of fissile material.
Suggested alternative: Nothing. This is the most ridiculous idea in computer security. The sooner we stop talking about it, or proposing things remotely like it, the sooner someone will come up with a more practical approach to the issue.


This was a bit heady for the morning of Christmas Eve, but it's something we talk (laugh?) about in the office and over beers, and at just about any opportunity. I get the questions often -- I had the question a few weeks ago while on the podium briefing the commander of US TRANSCOM. The question was "What should we be thinking about a national policy level?" This is a simple list of some of those thoughts. It seems every few years someone rolls out, and the ideas start all over again. Ever seen the movie Groundhog Day? It's the story of a weatherman who repeats Groundhog Day over and over until he gets it right, and then he's released from the daily loop. Ours seems a little longer, but we're stuck in the loop -- and the new young iron majors have the same ideas over and over and we see history repeat itself, and while public reaction has become largely ignorant bliss, we hear the same stories over and over from vendors and the government...

So let's lighten this up a bit. It's the morning of Christmas Eve. We at Wapack Labs very much wish you the happiest day. Me? I'll be doing two masses tonight (three if you count praying at the altar of the New England Patriots! Go Pats!).

Merry Christmas (or if you prefer, Happy Holidays!) from the team at Wapack Labs!