Instead of getting some real work done this morning, I started collating some thoughts on cyber security strategy. I guess it’s a lot easier to think about strategies than to fix buggy, risky code.
For most people – there are two worlds, the cyberspace world and the physical, people-populated world.
This dichotomy of two separate spaces has deeply influenced everything we do with information security.
There are corporate physical security people that handle doors and locks and phones and corporate information security people that handle data and network security. The two people and their staffs often do not report to the same manager.
On a government level, we have intelligence, military and police forces and cyber warfare and cyber crime groups inside each organization that may or may not be part of an integrated effort in the war on crime, drugs and terror.
It is a curious facet of our modern, technology-driven life that the adoption of a new technology is inversely proportional to the amount of publicity given to the technology. Who talks about plain old phones? Who talks about email as killer application? No one.
People still tend to discuss the Internet and Facebook and their own social/work lives as if they are separate entities.
Using this model of gradated technology adoption, we can see that social media has not mainstreamed to the point where it as much a part of our life as a phone. When as many people use Facebook or other social media to the same extent that they use a phone, there will be little to talk about the “phenomenon of social media”.
However, there are already at least two large communities of people where the Internet and social media has already become part of their day-to-day work life.
These two notable examples are the software developer and hacker communities. There is no cyber space and physical space, second life and real life; there is only the software and the communications channels that are a means to an end.
If physical, people and cyber space is a continuum, there is no reason to build a security portfolio that treats cyber space and physical/people space separately.
People attack other people and their assets using multiple channels: physical, personal, removable device, email, web, wireless and cellular. Is cyberstalking less severe than a man following women home from the gym?
1) The first part of my proposed cyber security strategy is to adopt a single continuum of threat vectors, people and communications channels, whatever and wherever they are.
2) The second part of my strategy regards means of reducing the cyber terror threat surface.
The academic definition of a terrorist, is a person who attacks civilians.
If we consider that cyber terror is not fundamentally different than bombers with suicide belts, we are drawn to consider the amount of damage caused by any terror attack whether on the street or in a database of customer records. Reducing the probability of attack means first of all, reducing the threat surface.
We can reduce the threat surface by dividing and conquering, keeping cyber terrorist strength small and counter-terrorist effectiveness high and deny incentives for glorification and bandstanding of cyber terror activities. To minimize the glam and sympathy factor, we should withhold real-time disclosure of information regarding the terror activities. See more on counter terrorism on the Wikipedia. Because we live in a real-time world of smart phones, Twitter and satellite phones, denying real-time exposure is denying one of the key attacker advantages.
3) I am an advocate of proper thinking over brute force. A government, and certainly a business cannot spend its way into a secure information posture.
This part of the cyber security strategy mandates spending less money on reactive countermeasures like anti-virus software and reduce vulnerabilities by reducing the number of Windows machines by 10% a year and using Linux and FOSS technologies instead that are cheaper and more secure. I have written here, here and here about why using Microsoft Windows is a bad idea. The discipline of software engineering (older and much better developed than information security engineering) has known for years that adding people to a late software development project only makes it even later. Adding more anti-virus software only makes the Windows PCs even more vulnerable.
If we are serious about leveraging private-public partnerships in the war against cyber terror, instead of pouring billions into big defense contractors, let’s call up information security professionals for annual reserve duty in the war against cyber terror. I believe that the Chinese and Israelis already do this.
4) The fourth part of the cyber security strategy is a to use offensive measures proactively against attackers before the fact and not after an event. Retaliation after an attack is not an effective security countermeasure for the next attack since it only gives the attackers free publicity and increases their motivation. Taking focused, violent measures before an attack, given accurate intelligence, may be the best and safest way to reduce damage to civilian assets.
5) The fifth part of my proposed cyber security strategy suggests a demand-side strategy to reduce the social value of being a hacker.
Although there are offensive alternatives such as mounting systematic DDos attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Perhaps we can learn from the counter terror success of the Italians in the late 60s with dismantling the Brigatisti. The Italian government infiltrated the Red Brigades – bred mistrust and quickly rolled up the organization.
Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.
Since malware is a form of terrorism – this strategy might be effective since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.