Warning: I get a bit ranty.
A surrealist is walking down the street, and sees a banana peel in his path; he says, “Mon Dieu! I am going to fall down again!” and keeps walking.
The Senate Intelligence Committee is having meetings about “Worldwide Threats” – an elaborate simulation of thought, in which they pretend that the United States is not the biggest worldwide threat, even to itself. But we cannot take our share of blame because then some rocket surgeon genius would say “well, then stop.” That way we can talk oh, so seriously, about what to do about those threats, especially if that means employing America’s multi-purpose crisis response: dropping bombs on people.
The chair of the meetings is apparently Senator Obvious, because the carefully-chosen topics are mighty Obvious, indeed. I’m going to focus on two of them, because they touch on my professional expertise, namely Information Security.
The first topic is pretty easy: [business insider]
Sen. Mark Warner, the ranking member, told the panel that the US was “caught off guard” by the way Russia weaponized social media during the 2016 election to push pro-Trump propaganda and sow discord within the country.
In addition to using Twitter and Facebook to spread fake news, Russia-linked Facebook accounts also bought ads focused on exploiting American divisions over issues like race and immigration.
The accounts’ activity did not stop at posting controversial memes and hashtags — many even organized events, rallies and protests, some of which galvanized dozens of people.
The US Senate, then, is now up to date with the idea that “propaganda works” – all of them having gotten their jobs through relentless propaganda; the revelation that social media can be used to affect US politics (and other nations’ politics, too!) dates back to around 2004 when Facebook was founded and took over for MySpace, and 2006 when Twitter was founded. Immediately, those platforms became channels for “astroturfing” (what politicians call their propaganda) and outright propaganda (the other guys’ propaganda).
What, O what can we do about this? Are we doomed to walk forward and slip and fall on the banana peel?
There is an answer, and it’s scarily obvious. The two party system has almost stumbled on it several times, but they recoil in horror: return to valuing authenticity. That’s a polite way of saying ‘stop lying so much.’ Basically, they have two options:
- Lie more
- Lie less
My prediction is that, since they depend overmuch on lying already, they will find themselves unable to return to authenticity as a value, so social media will continue as it began: a trading-ground for marketing (lies), political positioning (lies), and disinformation (lies). After all, it’s exactly what happened to television. How can anyone complain about social media being full of fake news, when Fox News and The New York Times are putting on such a great demonstration of old-school social media manipulation via lies?
2: Interfering With Elections And Sacred Democracy
Coats warned that Kremlin influence operations would continue for the foreseeable future, and that Russia’s next target is the 2018 midterm elections.
“We need to inform the American public that this is real … We are not going to allow some Russian to tell us how we’re going to vote,” Coats said. “There needs to be a national cry for that.”
Collins told Coats it was “frustrating” that Congress has not yet passed legislation to help states combat Russian cyber attacks on critical election infrastructure. She then asked the DNI about NATO’s assessment of Russia’s influence operations.
“Mon Dieu! I am going to fall down again!”
It’s also a bit of a lie, to protect someone’s incompetence. Let me explain: back in around 1995 when the internet was starting to be a Big Thing and the Soviet Union had collapsed, there was this idea that there was going to be a “Peace Dividend.” People in the Department of Defense and the Intelligence Community were, frankly, scared that there were going to be budget cuts. Then, Winn Schwartau wrote a book called Information Warfare [amazn] that was, frankly, a lot of bullshit about then-nonexistent cyberwar capabilities that have since come into existence. Suddenly, the intelligence community and DoD were excited: here was a new “battlefield domain” to spend lots of money on! And spend money, they did. The NSA established an “information assurance” program (and an offensive program for dirty tricks), the CIA established an “open source intelligence collection” program (and an offensive program for dirty tricks), the Defense Information Systems Agency established a cyberwar defense operation, the National Institute of Standards and Technology started writing security policies, the NSA started writing security policies, various federal agencies started writing security policies, and the FBI got AOL accounts and thought they were on the internet. There was a tremendous amount of money spent on computer security from 1995 on; even if you accept my guesstimate that 90% of it was spent on offense, the 10% spent on defense would have amounted to billions of dollars. There was a time, and I was in the thick of it, when NIST and NSA were actively competing to see who could set standards for federal agency security. Meanwhile, the federal agencies more or less did their own thing – some competently, some not so competently.
US Government attempts at actually doing computer security floundered and sank without a trace – mostly because of policy enforcement problems: it turned out to be difficult for the NSA to tell the State Department how to run their computers, because that meant (effectively) letting the NSA control part of their budget, which is bureaucratic death for an agency.
I was a participant in some of those meetings (in my capacity as a consultant to a consulting firm that was consulting to NSA) and I remember Very senior people from NSA telling equally senior people from CIA “if you want to send us your telemetry, we can help you guys defend” and the CIA responding, “if you want to send us your telemetry, we can help you defend.” Then, they both did a little tap-dance to the tune of an old Broadway chorus line, and belted out in harmony, “no way in hell will we ever let you see our data, but we’d love to see yours!” Meanwhile, those jokers were building parallel offensive stacks and not sharing them at all – this was going on in every agency that was part of the vast intelligence apparatus. (I’m not going to get into what SPAWAR, AFWIC, NPIC and NRO and DEA and everyone else was doing except it all involved spending money like Wall Street investment bankers tunneling into a mountain of Mexican flake cocaine, nose-first)
Somewhere around then, the FBI got an internet connection.
From 1995 to 2016, there was a gigantic game of “hot potato” while various federal agencies announced that “We are responsible for cybersecurity!” so they could try to grab a big chunk of budget, spend it on offensive tools, and fail to improve federal agency security at all.
Then 9/11 happened, and the Department of Homeland Security was created. “We are responsible for cybersecurity!” they cried. “They are responsible for cybersecurity!” Congress yelled. DHS’ budget was huge and they sat at the top of the org chart over several of the sub-agencies, and what did they do? Mostly, they hired contractors. They hired gigantic numbers of contractors, and outsourced a lot of stuff. Some of it worked pretty well – the US Marine Corps’ network, for example, was outsourced to General Dynamics, who also run security for them, and it’s not as horrible as it could be. Some of it didn’t, like the FBI’s multiple “virtual case file” projects that cost over 1 billion dollars in three attempts to produce something like a Wiki. DHS began issuing alerts and starting educational programs (those weren’t bad) – the alerts were written for them by computer security trend-tracking firms, and were pushed out with DHS’ logo dropped on top; I know because I wrote some of them but didn’t have the clearances to look at them after they had the DHS logo added.
Following that, the next big event was the great US/China cyberwar of 2010-2012, which … didn’t happen. Basically, the US complained a tremendous amount about Chinese hackers being all over US networks. And, they probably were! Why wouldn’t they be? Around 2010, anyone with basic hacking skills who wanted to be in any US agency network could be, especially if they had the support of a nation-state. Given the rate at which information security was being outsourced, any intelligence officer worth their weight in warm spit would have been placing pigeons at beltway bandits. The reason the US Government is so pissed off at Edward Snowden is only partly because of what he stole: Snowden and Manning demonstrated conclusively that the US Government (including the overrated NSA and CIA) had learned nothing since the Walker spy ring had gutted NSA security, Aldrich Ames had sold the CIA’s biggest secrets for the price of a motorboat and a house in Potomac, and Robert Hanssen had humiliated the FBI. These profoundly important “wake up calls” resulted in a flurry of activity, most of which was finger-pointing, and screeching to Congress for “More Money!”
What never did happen was a consistent push toward securing government systems. The great cyberwar of 2010 resulted in a bunch of talking-points about the Great Chinese Peril (“ohmygod the Chinese are going to be in all our routers!”) (Ha, joke’s on you, that was NSA that was in your router!) but what should have happened is for someone to realize that, yes, system integrity is paramount, and secure supply-chain management is a thing, and started designing a security-centric technology sourcing program. Around about the time I am describing, Cisco Systems did start building a secure supply-chain program and thinking about where their code and components come from. Several other businesses did that, as well. But their huge customer, the US Government, did nothing except complain about how thoroughly the Chinese owned all their systems. OK, that’s not fair: the NSA responded by developing a ton of attack tools, which they subsequently lost control of. So did the CIA. So it’s not as if the US Government did nothing; they did nothing effective on the defensive side of the equation. The great cyberwar of 2010 was when the US Government first spotted the banana peel, off in the distance, and thought, “oh, look, a banana peel.”
Now we get to 2016, and something that the US was completely unprepared for, even though it had been predicted in Winn Schwartau’s lousy book (if not in Edward Bernays’ Propaganda) – it was the entire reason why the whole edifice of computer security for the US Government, post 1995, had been erected.
Meanwhile, in the commercial sector: businesses had to deal with hackers, industrial espionage, insiders stealing data, vulnerable systems, and so forth. I sat in on many of those meetings, too. Sometimes someone from the FBI would come and say something helpful like “we’re here to help” and then, when asked for traces or information about what they were saying hackers were doing, “sorry we can’t give you that.” Having sat in all sides of those meetings, I got a bit skeptical when the FBI (and later the NSA) started saying “give us your data and we’ll look at it and tell you what’s going on.” I had been in that meeting before, so I asked them if they would share information about blackhole nodes and ports to monitor.
I’m digressing; you need to picture me ranting this at the screen, with flecks of foam flying across the intervening space and sticking to the panel. This is serious business. I devoted my life to making this problem better. And what I hear is the intelligence community saying, basically:
“Mon Dieu! I am going to fall down again!”
This is a banana peel that has been ineluctably sneaking up on them since 1995.
This is the consequence of failure.
This is because the agencies “responsible for cybersecurity” spent 90% of their effort on offense and never tackled the very difficult problem of implementing a national cybersecurity strategy. Obama’s national cybersecurity strategy tsar, Howard Schmidt, was an old acquaintance of mine and when I asked him how things were going he’d just shake his head and say, “it’s political.” In a brilliant attempt at revenge he threw my name into the hat when they were looking for his successor, but I was saved by the anarchist logo on the front page of my personal website.
So, gaze upon the spectacle of the US intelligence community, which spends between $25bn (declassified cumulative budget in 1995) and $60bn (2016) per year for 21 years – and says:
The intelligence chiefs unanimously agreed, when asked, that they had seen no decrease in Russia’s influence operations and that the Kremlin would continue targeting US elections, beginning with the 2018 midterms.
I mentioned the commercial world, earlier, because one of the other things I have done a lot of since 1995 is incident response. I’ve never done incident response for a Federal Agency because I am afraid I would just start screaming and hitting people and they’d have had to tase me. I have, however, been involved in technical analysis and designing reaction plans for two incidents that I am pretty sure that you’ve heard of and a third you probably haven’t. What is fascinating about how companies respond to a security breach (the good ones, anyhow) is: They change things. Sure, there are some, like Equifax, that just realize they don’t owe their customers even an apology, and keep plodding along – but others have dropped millions of dollars, quickly and effectively, into dramatic large-scale changes in enterprise infrastructure and practices. I have seen FORTUNE 500 companies go from sprawling badly-designed WANs to tightly laid-out virtualized infrastructure with layer 7 firewall segregation between zones, common authentication and logging architecture, performance metrics, and 24/7 security operations centers staffed with top-notch analysts. I have seen large companies suddenly decide to take security seriously and tell their users how to behave and make it stick (failure to do that is the root of 99% of US Government IT security disasters) – and I have seen large companies sensibly spend their security investment on solid defense because, well, offense is not an option for them, and they were smart enough to realize that you cannot defend yourself by attacking the whole world. I have seen Chief Security Officers (CSOs) of large companies tell the CEO “really, we need to change how we do this and here is why” and see change happen. Yes, I’ve seen incipient disasters like Equifax coming a long way off, but most businesses recognize them as examples of “how not to do it.”
So, look at the Federal Government’s response to the 2016 election hacking:
“Mon Dieu, I am going to fall down again.”
There are practical things that should be done, and could be done very quickly in any well-run business. First off, the election machines:
– It is an utterly stupid idea for each state to have its own election machines, which report in a state-dependent way, have no audit trail, no high integrity design, and are purchased at tremendously inflated prices from the lowest bidder.
The US Government needs to accept that election machines are critical national infrastructure and have NSA design and build a networked vote collection system that cross-records votes using hashes so voters can verify their votes were tallied and that there are no ‘additional’ votes; these systems should run atop a trusted operating system designed to TCSEC A1 target, with mandatory access control and a Ring0 kernel running on trusted hardware. Those systems should use a completely private network with point to point encryption over an open core that is closely monitored. Does that sound hard? It’s basically how the NSA’s Secure Telephone Unit (STU-III) worked except hopefully not so slowly. That system needs to be evaluated not just by the builders, but by outside experts as well. Last, but not least, it needs a design target life-span of 20 years; a new system refresh to be begun in 15 but the overall system design is to not require patching or upgrades for at least 2 decades. This is not rocket science. Well, actually, it is – it’s how NASA used to build systems. And it works.
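To make the “cross-records votes using hashes” idea concrete, here is an added example (my own sketch, not anything from the post or from any real voting system) of an append-only, hash-chained ballot ledger. The election authority publishes a commitment to every accepted ballot plus the running chain head, posts the head when the polls close, and opens the commitments at the audit. A voter checks that their receipt is in the posted ledger; an auditor checks that the chain recomputes, that it ends at the closing head, that the ballot count matches the poll book, and that every opened commitment matches. The election name, the receipt format and the three sample votes are constructed for the demo. It covers only the integrity properties the paragraph asks for; ballot secrecy is a separate, harder problem (see the note after the block).

```python
import hashlib
import os
from collections import Counter

# Added example, not code from the post: a hash-chained ballot ledger that lets
# a voter verify their ballot was recorded and lets an auditor verify that no
# ballots were altered, dropped or added after the polls closed. Function names,
# the receipt format and the sample election are assumptions made for the demo.


def sha256(*parts: bytes) -> bytes:
    """Length-prefixed hash of the parts, so no two part lists collide."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()


def commit(nonce: bytes, choice: str) -> bytes:
    """Commitment to one ballot; the random nonce keeps equal choices distinct."""
    return sha256(b"ballot", nonce, choice.encode())


def link(prev_head: bytes, seq: int, commitment: bytes) -> bytes:
    """Chain head after entry `seq` is appended to a chain whose head was prev_head."""
    return sha256(b"link", prev_head, seq.to_bytes(8, "big"), commitment)


def genesis(election_id: str) -> bytes:
    return sha256(b"genesis", election_id.encode())


class BallotLedger:
    """Precinct ledger: `public` is posted as votes arrive, `reveals` is opened at the audit."""

    def __init__(self, election_id: str):
        self.election_id = election_id
        self.head = genesis(election_id)
        self.public = []   # [{"seq", "commitment", "head"}]
        self.reveals = []  # [{"seq", "nonce", "choice"}] held by the authority

    def cast(self, choice: str) -> dict:
        nonce = os.urandom(16)
        seq = len(self.public)
        c = commit(nonce, choice)
        self.head = link(self.head, seq, c)
        self.public.append({"seq": seq, "commitment": c.hex(), "head": self.head.hex()})
        self.reveals.append({"seq": seq, "nonce": nonce.hex(), "choice": choice})
        # The receipt carries neither choice nor nonce: enough to locate and check the entry.
        return {"seq": seq, "commitment": c.hex()}


def verify_chain(election_id: str, public: list) -> bool:
    """Recompute every head from genesis; any in-place edit or deletion breaks it."""
    head = genesis(election_id)
    for i, entry in enumerate(public):
        if entry["seq"] != i:
            return False
        head = link(head, i, bytes.fromhex(entry["commitment"]))
        if head.hex() != entry["head"]:
            return False
    return True


def verify_receipt(election_id: str, public: list, receipt: dict) -> bool:
    """What a voter runs against the posted ledger."""
    seq = receipt["seq"]
    return (verify_chain(election_id, public) and seq < len(public)
            and public[seq]["commitment"] == receipt["commitment"])


def audit_tally(election_id: str, public: list, reveals: list,
                closing_head: str, voters_checked_in: int) -> dict:
    """Auditor's checks: chain intact, count fixed by the closing head and the poll
    book, every reveal opens its commitment. Returns the tally on success."""
    if not verify_chain(election_id, public):
        raise ValueError("ledger chain is broken")
    if not public or public[-1]["head"] != closing_head:
        raise ValueError("ledger does not end at the published closing head")
    if len(public) != voters_checked_in or len(reveals) != len(public):
        raise ValueError("ballot count disagrees with poll book or reveal count")
    counts = Counter()
    for entry, reveal in zip(public, reveals):
        opened = commit(bytes.fromhex(reveal["nonce"]), reveal["choice"]).hex()
        if reveal["seq"] != entry["seq"] or opened != entry["commitment"]:
            raise ValueError(f"reveal {reveal['seq']} does not open its commitment")
        counts[reveal["choice"]] += 1
    return dict(counts)


def demo() -> dict:
    """Constructed sample election: three voters, then two tampering attempts."""
    led = BallotLedger("precinct-17")
    receipts = [led.cast(c) for c in ("A", "B", "A")]
    closing_head = led.head.hex()  # posted when the polls close
    tally = audit_tally(led.election_id, led.public, led.reveals, closing_head, 3)

    # 1. Rewrite one published commitment in place: the chain no longer recomputes.
    edited = [dict(e) for e in led.public]
    edited[1]["commitment"] = commit(b"\x00" * 16, "A").hex()

    # 2. Append an "additional" ballot with a correctly recomputed head and a matching
    #    reveal: the chain is self-consistent, but it no longer ends at the closing head.
    stuffed = [dict(e) for e in led.public]
    extra_nonce = os.urandom(16)
    extra = commit(extra_nonce, "A")
    stuffed.append({"seq": 3, "commitment": extra.hex(), "head": link(led.head, 3, extra).hex()})
    try:
        audit_tally(led.election_id, stuffed,
                    led.reveals + [{"seq": 3, "nonce": extra_nonce.hex(), "choice": "A"}],
                    closing_head, 4)
        stuffed_caught = False
    except ValueError:
        stuffed_caught = True

    return {"tally": tally,
            "receipts_ok": all(verify_receipt(led.election_id, led.public, r) for r in receipts),
            "edit_caught": not verify_chain(led.election_id, edited),
            "stuffed_chain_self_consistent": verify_chain(led.election_id, stuffed),
            "stuffed_caught": stuffed_caught}
```

Two things to notice. The closing head does the real work against “additional” votes: an insider who controls the ledger can always append a self-consistent entry, so the count has to be pinned by something posted outside the ledger (the head at poll close, and the poll-book count). And the reveal step, as written, publishes each ballot’s choice next to its commitment; a voter who kept their receipt could therefore prove to a vote-buyer how they voted. Real designs avoid that by tallying over encrypted ballots (mix-nets or homomorphic counting) rather than opening them, which is beyond what this sketch shows.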
The US Government needs to accept that having a massive swamp network that is classified “system high” but which has over a million users is not just “a disaster waiting to happen” it’s a “disaster in progress.” The entire system by which access is granted needs to drop back to a “need to know” not “need to share” model, and – at a minimum – there need to be strong audit controls so that in the event of a leak, it can be narrowed down to within a reasonable time-period. Yes, it means that more work needs to be done, to manage secret data effectively. Here is one suggestion: reduce the amount of secret data to 1/1000th of what there currently is.
Lastly, government networks need to be designed in the manner of state of the art business networks: data centers firewalled off from zoned networks with access controls and audit between the zones. Desktops (which get malware because people click on naughty things) should not be populating the same networks as servers, database servers, mail servers, and infrastructure platforms. Administrative access must be restricted and systems must be under configuration management; the cost of individually managing desktops is absurdly high and it’s wasted money.
Those are basic recommendations that I know every CSO in corporate America is pushing toward (except for the few, like Equifax… hey, I hear they’re looking for a gig) Those are the basics. There are more advanced things that government IT absolutely should be looking at, such as repeatable/manageable/recoverable private enclaves that can be instantiated, used, and destroyed on demand. That’s basically what you can do with Amazon AWS or other cloud servers: have a system image that represents a correctly-configured well-managed email server, or a correctly-configured well-managed web server. You build those and then people stop using the old, broken stuff. If they complain, tell them they need to look for a job elsewhere; I hear the Russians are hiring. I have described this before; it is utterly absurd that the US Government is sitting there watching the banana peel creeping closer and closer and nobody has thought to offer a cloud-based secure communications+VPN+recovery enclave for political campaigns while they are in progress. I know the CSO at a major Hollywood movie studio whose organization can and does offer exactly that sort of “temporary secure enclave” set-up for short-term or long-term use by directors that need to set up sharing and communications with outsourcers or vendors, but who want to tightly control where their data is. Some entrepreneur ought to be offering “political campaign office communications system in a box” cloud services except – as far as I can tell – the people who run political campaigns are the most IT-incompetent self-important imbecile users that there have ever been. They would just continue using Exchange servers on Windows 2000 with SMB file-sharing on Windows XP boxes connected to the internet behind a bargain-basement ‘stateful firewall’ with NSA and Chinese holes in it.
None of this is easy, but it’s a lot easier than watching that banana peel creeping down the sidewalk toward you, and having to tell Congress, “we have no fucking idea what we’re going to do in 2018 except we know the Russians are going to fuck us up.” I would commit hara-kiri in the hearing-room rather than have to admit that I was involved in such a massive, systemic failure to respond effectively to something so bloody obvious.
When these useless, corrupt hacks start asking Congress for more money – hand them a sharp knife and say, “expiate your shame.”
Beating Around the Bush Administration
All of the technical kerfuffle, fuss, and bother I described above is irrelevant, should the US, Russia, and others pursue the only course that makes any sense at all – the one approach that is guaranteed to be effective, inexpensive, and ethical: de-escalate and negotiate. The US, UK, Russia, and China have proven in the past that they are capable of sitting down, establishing a legal and obligational framework, and (mostly) behaving themselves. They did it with biological weapons (almost completely) and nuclear weapons (kind of) – they could do it with cyberweapons.
You may find this hard to believe but it’s true: during the apex of the great China/US cyberwar of 2010 (which didn’t happen) China was proposing diplomatically to the US that there be joint talks with Russia, the UK, and others, to establish international standards defining the dividing-line between “international cybercrime” and “state-sponsored cyberwar” – basically scoping out the battlefield and deciding what’s off limits and what’s acceptable. The US, naturally, said it wasn’t interested.
The US, naturally, wasn’t interested because the US intelligence community believes (probably correctly) that it is ahead of everyone else in the game – in spite of its constant poor-mouthing and complaining. It’s the “cyberwar gap” scenario from 1957 and 1962, all over again. An international framework that said things like “let us all agree not to put trojan horses in anyone’s critical infrastructure” amounts to taking away their shiny new toys. It’s that simple.
International agreed-upon frameworks work, and work all over the place. Is there cheating? Of course there is cheating, but the framework does the all-important thing of defining what “cheating” is and providing a set of options (economic or retaliatory) that allow a cost-benefit analysis for the potential cheater.
The US is perfectly capable of turning to Russia and saying, “listen up, we won’t crater your economy by bottoming the price of oil with the help of our Saudi friends – like we did in 2015 – if you promise to stop messing with our pseudo-democracy like you did in 2016.” And, “let’s establish an international standard for attributing cyberattacks to nation-states, and place determination of fact in the International Criminal Court so that if someone misbehaves we don’t get into an escalating cycle of retaliation.”
Shocking, but it could just work. And implementing it involves no massive infrastructure or technology shifts – though, once there was a cybercease-fire in place, everyone would do well to take a deep breath and look to their defenses, anyway. Everyone still needs to keep the run-of-the-mill hackers and cybercriminals out of their systems and it’s never a bad idea to level up one’s IT expertise.
Buried in all of this is the main point: the US is not interested in negotiating about cyberwar, or doing anything more than complaining about the Russians (“Mon Dieu! I am going to fall down again!”), because any kind of systematic approach to de-weaponizing and de-escalating is seen as removing one of the US’ most entertaining weapons of privilege: its colonial control over the internet, and core internet technologies.
With that nasty, bitter truth on the table, I have said enough. We can resume watching the cyberkabuki performance coming from the US intelligence community and the corrupt US Congress. They dance beautifully, don’t they? They were supposed to defend this mess, and look at them now, begging for money, ye mortals, despair.
The joke was originally a “blonde” joke; it was one of my favorites back when we still used to tell them. I reformatted it and turned it into a joke about surrealism, rather than a joke about people being stupid. This is not to imply that surrealists are stupid; I could have just as easily used a taoist sage. It’s interesting to try to re-factor humor so that it’s not making fun of someone so much as making fun of the human condition.
OK, maybe I got a bit ranty there. It just really drives me nuts to have to watch these gomers in Washington act like they never had enough money to fix systems to be able to keep the Russians out and whining that they are going to get spanked again. Yeah, so now you know what I sound like when I’m pissed off.
I interviewed Fred Cohen (another old-school security guy) about “strategic security” for my column at Searchsecurity [ranum]. Fred does a very good job of breaking the problem down from the top: start with your requirements, then your assumptions, then – and only then – think how to build a system that meets your criteria. Sounds simple. It’s not.
The election machines: it did not escape my attention that the states want to retain control over “their” election machines so that they can control “democracy” in case the outcome looks like the voters didn’t choose the candidate they were supposed to. That’s why George Bush beat Al Gore, isn’t it? Let’s accept that the two parties are both crooked vote-rigging bastards and let them do gerrymandering and voter suppression and all that stuff but for dog’s sake build some voting machines that don’t get demolished instantly at hacker convention hack-a-thons. [engadget]