Florian smiled around the edge of his beer and said, wryly, “We Swiss are not pacifists because we are weak; it’s because we were rental soldiers in the dark age and renaissance. Fighting for your own selfish reasons is bad marketing.”
We were sitting in a restaurant made out of an old military armory, the Zeughauskellar, in Zurich, after a busy day spent arguing about computer security stuff and a trip to a shooting range for some friendly pistol competition that I lost, but not embarrassingly. This was around the time of Gulf War II, so we were discussing strategy over beer and sausages and potatoes: carbs piled on carbs. Florian is Swiss, I’m post-nationalist, the other people at the table were another American fellow-traveller, and a German who used to work for BND, now a consultant.
Florian continued, “You can tell a lot about the purpose of a military by how it’s structured, by its logistics. Now that Switzerland doesn’t send its armies out to fight for pay, we don’t need a standing army, we rely on terrain, emplaced weapons, cleared fields-of-fire, defense. Our strategy is that if we are invaded we will cost the invader a ridiculous amount of pain for every foot they go.”
That all made sense, but what stuck in my mind was the first bit:
You can tell a lot about the purpose of a military by how it’s structured, by its logistics.
I said, “That first bit. That’s profound. When you look at the US military, we call it ‘defense’ but there is no actual attempt to defend anything: it’s all ‘force projection’ all the time.”
Florian nodded, “Yes, see, force projection is a logistical problem. If, tomorrow, my government decided we were going to war with Monaco – we’d probably win – but I’d have to ask, ‘Sir? How should we get there? Should we book plane tickets on Lufthansa?’” The guy from BND made happy chucklings at that mental picture, and the conversation continued.
When we look at the US’ strategic orientation regarding cyberwar, it’s pretty much 100% offensive. What does that tell us?
The US intelligence community has shown over and over again that it’s incompetent at secret-keeping. For years I have been referring to the US IC as “The Department Of Glass Houses” which keeps contracting for stone-throwing technology. I think I understand why: defending is hard. I’ve been hoeing that row for my entire professional career and if there’s any progress being made, it’s retrograde. The US IC has had disaster after disaster after disaster and apparently has decided that if they can’t be good at what they’re supposed to be doing, they’ll be good at something else. Besides, the food-trough looks mighty yummy and om nom nom nom contractor dollars nom nom black budget…*
Office of Personnel Management had been breached for over a year before they detected it. In fact, they’re not really sure when the breach started (because, if they knew that, they wouldn’t suck so much). When you read about how it was discovered, “accidentally” is the only word that comes to mind: someone installed some application white-listing on a system and, as soon as the software began raising warnings, noticed that all kinds of horrible things were running around in the network. That’s basic “unzip before you pee” defensive security. Meanwhile, the relatively sparse defensive efforts by the US Government look like US CERT’s “Einstein” project – which is a fairly basic intrusion detection system (nothing wrong with that) based on pattern-detection (nothing wrong with that) and backhauling lots of log data to look for patterns (nothing wrong with that) and blacklisting command/control sites for malware (nothing wrong with that). But systems like Einstein are detect/react systems: they predicate that you’re going to get owned. In fact, they only have value after you’ve been owned. The US Government’s strategy in cyber defense is “get owned, then figure it out.” Sun Tzu doesn’t even have a name for that strategy. If he did, it would be unprintable.
US CERT Einstein program
“NSA’s Einstein 3 program repels threats in real time” – I love government lies about cybersecurity. If you read the article, it clearly says that the system isn’t operational and isn’t expected to be operational for another 2 years. So if it’s repelling attacks, it’s only doing it on a whiteboard somewhere. More to the point, it’s nothing that commercial entities don’t already have – Akamai, Amazon, Google – they all do centralized detection and connectivity management. Besides, at this point, the NSA coming around and saying “we’re from the NSA and we’re here to help! Just plug this black box into your network where it can ingest all your data – for security reasons…” that’s hard to swallow.
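To make the detect/react point concrete, here is an added example (my own illustration, not code from the original post and not a reproduction of how Einstein or OPM’s white-listing tool actually work). It runs the two Einstein-style checks the paragraphs above describe – a command/control blacklist and pattern detection for periodic beaconing – over a handful of constructed proxy-log lines, next to an application allow-list check of the kind that surfaced the OPM intrusion. Every hostname, process name, timestamp and indicator in it is made up; the log format is an assumed one-line-per-connection layout.

```python
"""Added example (not from the original post): detect/react checks of the kind
attributed to Einstein (C2 blacklist, beacon pattern detection over backhauled
logs) beside the preventive allow-list check that exposed the OPM breach.
All hostnames, process names, timestamps and indicators are constructed."""

from collections import defaultdict
from datetime import datetime
import re

# Constructed proxy-style events from one workstation; the malware process
# name (mcutil.exe), the beacon destination and the timestamps are invented.
SAMPLE_LOGS = """\
2015-04-10T08:00:01Z host=ws-17 proc=outlook.exe dst=mail.example-corp.test:443 bytes=12034
2015-04-10T08:00:07Z host=ws-17 proc=svchost.exe dst=update.example-corp.test:443 bytes=3320
2015-04-10T08:05:13Z host=ws-17 proc=mcutil.exe dst=cdn-sync.badhost.test:443 bytes=512
2015-04-10T08:10:13Z host=ws-17 proc=mcutil.exe dst=cdn-sync.badhost.test:443 bytes=518
2015-04-10T08:15:13Z host=ws-17 proc=mcutil.exe dst=cdn-sync.badhost.test:443 bytes=509
2015-04-10T08:20:13Z host=ws-17 proc=mcutil.exe dst=cdn-sync.badhost.test:443 bytes=515
2015-04-10T09:41:00Z host=ws-17 proc=chrome.exe dst=www.example-corp.test:443 bytes=88123
"""

# Placeholder indicator feed: a constructed C2 hostname, not a real IoC.
C2_BLACKLIST = {"cdn-sync.badhost.test"}

# Constructed allow-list of binaries permitted to execute on the workstation.
ALLOWED_BINARIES = {"outlook.exe", "svchost.exe", "chrome.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_logs(text):
    """Turn the line-oriented log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than stall the pipeline
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["port"] = int(e["port"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def blacklist_hits(events):
    """Detect/react check 1: connections to a known C2 host. It can only fire
    once the implant has already called home at least once."""
    return [e for e in events if e["dst"] in C2_BLACKLIST]


def beacon_hits(events, min_intervals=3, jitter_s=5):
    """Detect/react check 2: pattern detection with no indicator at all. A
    (host, proc, dst) tuple whose connections recur at a near-constant
    interval is flagged; it needs several callbacks before it can fire."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["proc"], e["dst"])].append(e["ts"])
    flagged = []
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_intervals and max(gaps) - min(gaps) <= jitter_s:
            flagged.append({"key": key,
                            "period_s": sum(gaps) / len(gaps),
                            "detected_at": stamps[min_intervals]})
    return flagged


def allowlist_violations(events):
    """Preventive check: a process not on the allow-list would have been
    refused execution, so its first outbound connection never happens."""
    return [e for e in events if e["proc"] not in ALLOWED_BINARIES]


def detection_lag(events):
    """Seconds between the first malicious event and the earliest moment each
    detect/react check could have raised an alert (None if it never fires)."""
    bad = allowlist_violations(events)
    first_bad = min(e["ts"] for e in bad)
    bl = blacklist_hits(events)
    bc = beacon_hits(events)
    return {
        "blacklist": (min(e["ts"] for e in bl) - first_bad).total_seconds() if bl else None,
        "beaconing": (min(h["detected_at"] for h in bc) - first_bad).total_seconds() if bc else None,
    }


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("blacklist hits:", len(blacklist_hits(evs)))
    print("beacon patterns:", beacon_hits(evs))
    print("allow-list violations:", [e["proc"] for e in allowlist_violations(evs)])
    print("alert lag (s):", detection_lag(evs))
```

On this sample the blacklist check fires on the very first callback and the beacon check only after the fourth, fifteen minutes later; both are zero or more minutes after the implant is already running. The allow-list check is the only one whose decision point precedes that first connection, which is the difference between "figure it out after you're owned" and not getting owned.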
(* The role of secrecy in covering incompetence is a really interesting topic for me. Unfortunately, secrecy makes it impossible to discover how often secrecy is used to cover incompetence. Funny, that.)