90% Sounds About Right

There are many agencies that have some degree of charter for computer security – but “defense” has been a bit of a hot potato. Meanwhile, the NSA (and now we know CIA, and probably every other Three Letter Agency) used to go to security conferences like DEFCON and advertise that they were hiring hackers. Of course they were.

If you know anything about how the US empire operates, you’d predict right away that the effort in computer security has been pretty much all offense and no defense – like our Department of “Defense” – and you’d be pretty much right. Back when the Department of Homeland Security was being formed, I wrote a book about what a mess it was going to be (don’t buy it, I said some dumb things in it), especially regarding computer security: DHS was the “lead agency” for cyber-security. As was NSA. As was NIST (National Institute of Standards and Technology). As was DISA (Defense Information Security Agency). And then the Air Force had their own AFIWC (Air Force Information Warfare Center) – everyone wanted a slice of the budget, and none of the players charging after it had any great track record of defensive security.

Around 2002-3, when the US was plowing huge amounts of money into retaliation for 9/11, there was a brief window of time in which we collectively might have decided to play defense. There was a chance to hire lots of great security people, re-examine security infrastructures, look at smart grid security, operationalize response and configuration management – to harden our infrastructure and simplify it – to build systems immune to malware (or nearly so) and analytic engines capable of rapidly identifying new forms of attack. I served on a bigshot technical review committee (Senior Industry Review Group) for NSA, trying to make recommendations for how inter-agency communications could be done best in the post 9/11 world and we suggested some really cool stuff …

… And all for naught. Because playing defense is not cool.

President Donald Trump’s budget proposal would put about $1.5 billion into cyber-security defense at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves. [reuters]

Back when DHS started doing their cyber-alerts, in 2003, they just signed up for ISS’ “X-Force Recon” service (now part of IBM under a grown-up name) and copied and pasted from the X-Force bulletins into their alerts. They could be counted on to, fairly consistently, tell people about problems that they already had. I stopped reading the various security alert-streams back around 2005 because there was no strategy behind them at all, just an endless encyclopedia of bugs. Rather than telling everyone “duck and cover from this particular bug of the day,” there should have been serious thought given to questions like, “why do we have to have bugs?” and “how do we get off this treadmill?” Instead, America has continued to embrace the treadmill, and has made the treadmill worldwide – instead of building vastly better operating systems and software, America decided to build vastly better bugs.

I’ve written a more reasoned treatment of this topic elsewhere [fabius maximus] as part of an argument I’ve been trying to make for over a dozen years: In cyberspace, the Best Defense is a Strong Defense. The reasoning is simple: unlike in topological warfare, where you’re dealing with a single clearly identified enemy at a time, you can have dozens or thousands of capable enemies simultaneously. Attacking one of them doesn’t deter the others, nor – even if a “good offense is a good defense” – does it strengthen you against all of them. The best defense in cyberspace is to have defenses that are so good, that your opponent has to invest significantly in R&D for any offensive move they make, and if your defenses are really good you can moot their offenses as fast as they research them. They wind up trying to destroy a mountain with a thousand paper-cuts. If you’re incredibly resistant to attack, your enemies will either go somewhere else, or stay on a treadmill of endless frustration.

But the secret part of the U.S. intelligence budget alone totaled about $50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

This is not unlike when, post 9/11, Congress gave the FBI a large pile of money to improve their security and the FBI bought: new guns and laptops. Sun Tzu wept.

Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

“Lopsided” is not the right word. “Unwise” is. That’s 90 percent of the unclassified budget. They don’t classify any of the defensive programs, so we should probably assume that there’s a mountain of ice below the little bit that’s jutting above the surface.

“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”

This is how computer security is practiced in the US Government: “We screwed up with the money Congress gave us, but that’s OK, we’ll get more money and we’ll fix it when we do.” The problem, as I pointed out in my book, is that “if you give more budget to an incompetent bloated bureaucracy, you don’t suddenly get efficiency – you just get a bigger, more bloated bureaucracy.”

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA Director Keith Alexander and former Secretary of Defense Ashton Carter say that U.S. companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

I also mentioned this 15 years ago: government’s job is to do the sort of things the private sector shouldn’t have to be geared up for. We don’t expect AT&T to have a private army in order to defend its headquarters – everyone except the President and big companies pays taxes to the government so it can do that sort of thing, because that is what governments are for. Absolutely, corporations and private citizens can do their part to keep their systems secure, but counter-intelligence and strategic defense is what we pay them to do. Don’t tell us “we don’t know how because we suck because we spent most of our money hiring contractors to write malware for us!”

A recent reorganization at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defense, the Information Assurance Directorate (IAD), the largest cyber-defense workforce in the government. Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

The 262nd Network Warfare Squadron (no I am not kidding, WTF.) [source]

IAD was the group I was consulting for back in 2003. They were the ones concerned with firewalls, network design, system integrity, trusted software distribution, secure supply chain management, cross-domain solutions – all the defensive stuff. Meanwhile, the offensive guys’ defenses are so bad that their tools are leaking all over the place and causing backlash damage to the corporations and citizens they’re supposed to defend. The Trump administration’s cybersecurity strategy is more of the same crap the government has been pursuing since 2002: spend more money to hire better people, then keep perfecting stone-throwing technologies for the Department of Glass Houses.

------ divider ------

DO NOT BUY MY BOOK. I said some embarrassingly favorable things about Bush in it. I did waffle appropriately, but I didn’t catch on to what a turd he was anywhere near as fast as I should have.

“Playing defense is not cool…” – The greatest commanders in history used to attack into their enemy’s main line of momentum. Consider Napoleon at Austerlitz, one of his greatest victories: he attacked out of a defensive posture once the Russians had begun a difficult maneuver.

One of the suggestions I made at the SIRG was to take advantage of Intel processors’ programmable microcode to build some tools that would allow the creation of shuffled instruction sets unique to particular machines, then transcode existing software so it would run correctly only on the machines with the correct shuffled instructions. Then you trap attempts to use the unmapped instructions to NOOP. Viruses and malware go bye-bye. It was considered “hard” (relatively speaking, it’s not: when I was at Digital we had a tool that converted VAX instruction set executables into Alpha 2164 executables. Now, that was a piece of work!) – Consider that the US Air Force’s own Predator drone command consoles were owned by malware for over a year, and they spent a vast amount of money and time trying to clean them up. The Air Force has a distorted notion of what “hard” is, apparently.
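To make the shuffled-instruction-set idea concrete, here is an added toy model that is not from the original post and not anything the SIRG produced. It builds a six-opcode stack machine, derives a per-machine opcode key (the `seed` parameter stands in for a per-machine secret), transcodes a canonical program for that machine, and shows that the untranscoded canonical bytes, standing in for injected code, hit unmapped opcode values and are trapped to NOOP exactly as the paragraph describes. All names (`make_key`, `transcode`, `run`, `PROGRAM`) and the sample program are constructed for this illustration.

```python
import random

# Canonical (public) instruction set of a toy stack machine; immediates follow
# the opcode inline. Only opcode bytes are shuffled per machine, never operands.
PUSH, ADD, SUB, MUL, DUP, HALT = range(6)
OPERAND_COUNT = {PUSH: 1, ADD: 0, SUB: 0, MUL: 0, DUP: 0, HALT: 0}
OPCODE_SPACE = 256  # one byte per opcode; only 6 of the 256 values are live on any machine


def key_from_bytes(machine_bytes):
    """Build (encode, decode) maps from an explicit list of 6 distinct opcode bytes."""
    assert len(machine_bytes) == len(OPERAND_COUNT) == len(set(machine_bytes))
    encode = dict(zip(OPERAND_COUNT, machine_bytes))
    decode = {b: op for op, b in encode.items()}
    return encode, decode


def make_key(seed):
    """Derive a per-machine key: a random injective map from the canonical
    opcodes into the 256-value opcode space. `seed` is a hypothetical stand-in
    for a per-machine secret; a real deployment would draw it from a CSPRNG."""
    rng = random.Random(seed)
    return key_from_bytes(rng.sample(range(OPCODE_SPACE), len(OPERAND_COUNT)))


def transcode(program, encode):
    """Rewrite a canonical program for one machine (the 'transcode existing
    software' step): opcodes are remapped, immediates are copied through."""
    out, pc = [], 0
    while pc < len(program):
        op = program[pc]
        n = OPERAND_COUNT[op]
        out.append(encode[op])
        out.extend(program[pc + 1:pc + 1 + n])
        pc += 1 + n
    return out


def run(code, decode, max_steps=10_000):
    """Execute bytes on a machine whose decoder knows only `decode`. A byte that
    is not a live opcode on this machine is trapped and treated as a NOOP;
    stack underflow and a truncated immediate are trapped the same way.
    Returns (top_of_stack or None, number_of_trapped_events)."""
    stack, pc, trapped, steps = [], 0, 0, 0
    while pc < len(code) and steps < max_steps:
        steps += 1
        op = decode.get(code[pc])
        if op is None:                      # unmapped byte: trap -> NOOP
            trapped += 1
            pc += 1
            continue
        if op == PUSH:
            if pc + 1 >= len(code):         # immediate runs off the end
                trapped += 1
                break
            stack.append(code[pc + 1])
            pc += 2
            continue
        if op == HALT:
            break
        if op == DUP:
            if stack:
                stack.append(stack[-1])
            else:
                trapped += 1
        else:                               # ADD / SUB / MUL
            if len(stack) < 2:
                trapped += 1
            else:
                b, a = stack.pop(), stack.pop()
                stack.append({ADD: a + b, SUB: a - b, MUL: a * b}[op])
        pc += 1
    return (stack[-1] if stack else None), trapped


# Constructed sample program in the canonical encoding: computes 6 * 7 + 8 = 50.
PROGRAM = [PUSH, 6, PUSH, 7, MUL, PUSH, 8, ADD, HALT]


def demo(seed=2024):
    """Run PROGRAM transcoded for machine `seed`, then run the untranscoded
    canonical bytes (standing in for injected code) on that same machine."""
    encode, decode = make_key(seed)
    native = run(transcode(PROGRAM, encode), decode)
    foreign = run(PROGRAM, decode)
    return native, foreign


if __name__ == "__main__":
    print(demo())
```

The residual risk the model makes visible: an injected byte that happens to collide with one of the six live opcode values still executes, so the protection depends on the opcode space being sparse relative to the live set and on the key never leaving the machine. Code transcoded for one machine is as inert on a second machine with a different key as injected canonical code is, which is the property that stops malware from spreading between hosts.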

Re: hiring hackers – Hackers are good at breaking into stuff. The problem is that breaking into stuff is a lot easier than building stuff that’s hard to break into. It always pisses the hackers off no end when I point this out, but it’s true – they have to find one hole, the system builder has to think of (and block) all the holes. Which means that the system builder has to take an architectural approach to safety and failure that makes across-the-gameboard moves that block entire categories of problems. Or, the best system builders build systems that don’t have entire categories of problems. For example: a system that doesn’t have a mechanism for escalating privilege is going to be a lot harder to escalate privilege on. Meanwhile, the hacker comes to the game with 12 different tricks for escalating privilege. #Sad.


  1. Pierce R. Butler says

    Consider just whom you’re asking to do this.

    Me, I donwanna do the cyber equivalent of taking my boots off, and undergoing an intimate public patdown because I left a few pennies in one pocket, every time I log on to the Internet.

  2. says

    Pierce R. Butler@#1:
    I hadn’t thought of it as that they’d forklift airport security theater into cyberspace … but that is a scary possibility.
    That’s one issue underlying all the federal agencies that used to say “me! me! me!” about security: it’s more empire-building internally and another opportunity for them to intrude further into the private sector. PATRIOT already did a lot of that in the name of “security” but really it was NSA data-collection, not anything to defend anyone at all.