Winn Writes & Wrants

The DHS announced it wants to hire 1,000 security experts to defend the critical infrastructure of the U.S. Then a number of critics appeared, saying, “There aren’t 1,000 security experts in the whole wide world!”

Oops!

Security is a wide area and there are all sorts of experts – not one master set of skills that you can find on any single resume.

A few years ago ~1994 I was at dinner with Mr. X. (Don’t want to embarrass him cause he still claims he is the smartest of us all.) I had only been in the field about 10 years and was learning, as we all still are every day. He told me, “I know everything there is about security….” ad nauseum. NONE OF US DO! (I choked on my Ratatouille but kept PC-ish and moved my plate to another table.)

The error here is with DHS PR. Someone used the media term “security expert” (sans definition) and off we go in the wrong perception-description; just as we have allowed the media to blame every security incident on ‘hackers’ – clearly a massive nom-de-guerre error by any standard.

Once we allow them to lock in the term “security expert” as a catch-all for anyone who can find the ‘on’ button or push Defrag or even do slick coding hacks, we are in trouble. No more than a company can run on one set of expert skills, security itself (like any vertical technical discipline) is a highly granulated suite of skills that must be integrated.

A CND/CNA (Computer Network Defense/Attack) suite of expertise includes, at a broad stroke, many skills needed to deploy an “information army”:

- Mapping People
- Cracking People
- Coding (CNA & CND)
- Reverse Engineering
- Social Engineering
- C3I
- Sniffers
- Readers
- Research
- Moles
- Analysts/Synthesizers
- Manufacturing (CNA)
- Distribution (CND/CNA)
- PR (techie and accurate, not PC)
- Education
- Awareness
- Perception Management & PsyOps
- Failure Modeling
- Process Control
- Reconstitution
- DR
- Layered Technical Management
- The interdisciplinary expertise needed from psychology, neural behavior, etc. (Security is not technical, solely, now is it?)

No one can do it all. No one has all of these skills. Period.

I worry much less about DHS acquiring 1,000 people with skills than I do about them finding the right management who understands security, the temperament of the geek community, and can last more than a handful of months in a culture designed to fail.

There are millions of people with the varied skills that a well-organized information army needs. There are decidedly fewer people who know how to, or have even thought about how to, taxonomize the skills and organize them (skills and people) like a true business.

Get a free download of ‘Information Warfare’ at: http://www.winnschwartau.com/downloads.html and take a look at Chapter 16.

Sure, why shouldn’t we shut down the Internet? Of course, I am referring to the hoopla about various interpretations of whether the U.S. government should be able to turn off the Internet in case of severe cyber-attack. A couple points to consider:

- What is severe? Who decides?
- Can the Internet – even the U.S. portion – actually be turned off?

I’ve seen various discussions on these points, but for now let’s pretend they don’t exist. There are other issues:

1. We teach home and business users that if they think they are infected with malware to disconnect their Ethernet or wireless connection immediately to stop the propagation. No one has a problem with that. It makes sense.

2. On 9/11, we shut down all air traffic in a matter of hours. No one had a problem with that. (Being stuck in Fargo, though, might have been a hassle. Think the Steve Martin movie ‘Planes, Trains and Automobiles.’

Unplugging from hostility is not a new concept. The fundamental question in this case is which is worse: Disconnecting for a time and reconstituting with control, or allowing an attack to continue while we try to combat it and using the Net at the same time?

This returns to the question of what is “severe.”

From my view, disconnecting is a must-have option that should be on the table at all times. It makes sound engineering sense. In complex systems, isolation, analysis, repair and reconstitution (reconnection) is the only way. How else can you figure out what’s really wrong and how much damage has been done? Power companies have done it for years. The tacos did it in 1991 when the SS7 switches collapsed. Lasted a few hours. Should the feds decide to unplug the banks or should the collective wisdom of the Fed Reserve and leading financial institutions make that decision in a defensive step of self-preservation?

The problem I have with the majority of what I hear is the fear mongering of nationalization by technically ignorant politicos with media access and an agenda. The question should be how we properly plan for such an eventuality, instead of merely spreading unfounded fear.

Photo Credit: Kirk Lau

I’ve been doing this for a long time, and the latest hack into a Department of Homeland Security (DHS) coordination and planning network was really no surprise. If it wasn’t them it was going to be… what? Some nation-state still screwing with the FAA systems (with 3,800+ holes)… and that’s really bad.

Back in 1987, Congressmen Glickman and Valentine were the point men on the CSA, Computer Security Act of 1987. (This is the committee that told me cyberwar was a figment of my imagination.) One major goal of the Act was called “C2 by ’92.”

In the old security parlance of the Orange Book, C2 security was good enough for “sensitive but unclassified” information. Big push. Big initiatives. Big goose egg of security tongue wagging.

So DHS is downplaying this sensitive but unclassified hack as, “no information can be posted on Homeland Security Information Network (HSIN) that would cause anything more than minor damage to the homeland security mission.”

I am sorry. No, they should be!

Any data leak is potentially monstrous. So this data was C2. Fine. Then another C2-level hack here and another there… and you glue together all of the data from these hacks and suddenly the amalgamated data is MJ-12 (alien technology) secret. OK, you get the point.

Data in isolation may seem worthless, but a cut, a snip and a paste later you’ve got yourself a database worth boatloads to the bad guys.

What is even worse is that these days, the flipping DHS can’t practice Security 101 and avoid getting hacked? It’s not that hard… if you let the geeks do their jobs.

I find it immeasurably embarrassing that the guys and gals who are supposed to protect us can’t even protect themselves to the most minimal standards.

Of course the public information doesn’t say whether the situation was caused by a poorly configured machine (of what OS, by the way), unpatched vulnerabilities or the same type of criminal stupidity that allowed the details of Obama’s Helo to get into the hands of the Iranians.

Come on people: every bit of data is valuable. Just because you don’t see that doesn’t make it any less true.

Photo Credit: Raymond Yee