Thursday, October 27, 2016
Recruiting and Retaining Cybersecurity Talent
Thoughts on IoT Vulnerabilities
1. The business has a “great idea” that’s highly innovative.
2. Business leaders discuss the benefits, costs, and risk…usually without security personnel present.
3. The business leaders get approval to pursue their idea and select a vendor…again, usually without input from security.
4. Sometime between proof-of-concept and going into production – and usually due to the fact that approvals of some sort are needed in order to go live – security is notified of the plan and asked to approve.
5. Security personnel start to (gasp!) ask questions about the security ramifications. They introduce risk concepts not solely related to profit and loss that are relevant to the implementation.
6. Business leaders complain to executives that security is “slowing things down” and “disrupting” business.
7. In the end, one of two things happens: (a) the business implements a “shadow IT” infrastructure to achieve their objectives; or (b) the implementation is modified to account for security.
8. Regardless of the decision in (7), the desired results which drove the innovative idea aren’t fully recognized or realized. In the case of Shadow IT, this gap is usually because the rogue implementation cannot be fully supported and/or cannot be scaled appropriately. In the case of a modified implementation, the modifications usually end up limiting some of the originally planned functionality.
9. In the end, the business needs to take a different path to achieve its revenue objectives…resulting in further ideation and a brand new “great idea.”
Thursday, October 20, 2016
Cyberwar Revisited
Over the past couple of weeks, I've had occasion to reflect upon the concept of “cyber warfare.” On one occasion I found myself disagreeing with a member of the local cyber community when he said, “make no mistake we are at war." On another (more interesting) occasion I was speaking with a couple of law students who were discussing the possibility of redefining what “war” means in order to “deal with the new realm of cyberspace.”
The term “war” brings with it a certain amount of gravitas, but with it also comes a plethora of baggage. The only thing more dangerous, though, than misrepresenting something as “war” is to invent new terms for things that are already well defined – similar to our reinvention of “torture” as “enhanced interrogation techniques.” (My father was waterboarded as a POW in Korea; in his words, “torture” is the only accurate term to describe this practice.)
Rather than redefining “warfare,” mayhap it is time to use the existing lexicon to see where illegal acts in cyberspace accurately belong. From a legal perspective, most activities have five basic components:
- A subject or actor…
- Takes an action…
- Against a recipient or object…
- With some intention…
- Achieving some result.
It is the combination of all five of these elements that helps differentiate actions within any legal framework. Intending to run someone down and kill them with your car, for example, is premeditated murder (assuming you succeed) but might only be involuntary manslaughter if no intent was there.
When applied to nation-states, this legal calculus gets particularly interesting. We must assume that all nation-states will act with the intention of furthering their own existence and/or prominence…which, by definition means the weakening of some of the other nation-states around them. If this is indeed the case, then the question that arises is whether the actions – ANY actions – by one nation-state against another should be considered an act of war. Should the signing of a diplomatic treaty between two nations which limits a 3rd nation’s access to a desired resource/capability constitute an act of war against that 3rd nation? Let’s hope not, as this would call into question every nuclear proliferation treaty currently in existence. If a nation state uses its resources to infiltrate and sabotage part of a nation’s infrastructure-building efforts in order to maintain or achieve a certain advantage (either geopolitically or during a future kinetic war), is that act itself an act of war? Again, if it is then our participation in the Stuxnet attack against Iran in 2010 is tantamount to a declaration of war versus an act of espionage.
My point is this: while the attack surface is vast and the weapons are different – and can be frightful – leaping to terms such as “warfare” and/or redefining acts of espionage as “war” are inappropriate solutions to addressing acts of malfeasance in cyberspace. Make no mistake: I do believe that certain nation-state actors are indeed trying to limit, if not destroy, US influence and interests in the world…just as I believe that we have similar objectives when it comes to some of our more powerful (and more contentious) world neighbors. Weighting these actions, though, with the baggage of “war” carries with it the spectre of unintended consequences…
…similar to those we might experience during the next kinetic war when a US soldier is tortured and our enemy responds that they were only using “enhanced interrogation techniques.”
My two cents…