TECH 581 E – Module 3: Spying, dataveillance, other tomfoolery you don’t know about

Where have we been? What are the effects of massive surveillance programs on society, but more importantly for our purposes, on the enterprise? Companies use data mining and dataveillance technologies as techniques to increase profit share, and that results in significant ethical and moral consequences. Beyond “should we or shouldn’t we”, there is a question of how, why, and when. The various government agencies have written vision papers on where computer security should try to go, but are they being applied to the corporate enterprise? Each of the articles, taken in the order presented here, is a narrative constructed to examine various issues that return again and again to a theme of information security as a verb rather than a noun. Instead of being a passive hole we toss money into, the principles expand to the point that information security as a process is an integral part of the enterprise instead of a layer.

Clarke, R., “Information technology and dataveillance”, Communications of the ACM, May 1988

  • How well does this 22-year-old article hold up today?
  • The federal government has been moving forward since 1968 on total information awareness. Doesn’t it seem a little disingenuous that they would even think about giving up the tools used?

“Fusion Center Guidelines: Developing and sharing information and intelligence in a new world”, US Department of Justice, July 2005

  • In 17 years the idea of whole-of-government data surveillance really took off. The fusion centers are a remarkable instantiation of the ideas Clarke mentioned.
  • If law enforcement’s number one role is the protection of the citizen’s rights, why are privacy and protection of rights #4, after management and outreach?
  • In “The Intelligence process” (page 26), at no point are privacy or ethical boundaries considered, eroding the idea of privacy or citizen rights.

Lewis, J., “Computer espionage, Titan Rain and China”, Center for Strategic and International Studies, December 2005

  • Lewis makes a case predicated on “we can’t blame China because they suck so bad at information assurance and security anybody could be using their equipment”. Now turn that basic premise around and use nuclear weapons for the argument. Good for the goose, good for the gander.
  • The comments of Lewis in 2005 seem almost prescient given the immediate assumption by many that Google was hacked by the Chinese government. That assumption is then borne on the back of anti-democracy tones and claims of censorship, mixing the two unrelated elements (espionage and censorship) in an unholy stew.
  • Regardless, it appears that the hooks for law enforcement gathering of knowledge and intelligence are being used as a form of espionage. So, is the “only criminals have something to hide” hubris still true? What about the recipe to the secret sauce? One form of protection has had a radical impact and increased risk from another direction. Is it worth it?

Cumming, A., “Limitation on congressional access to certain national intelligence”, Congressional Research Service, December 2005

  • The sharing of raw intelligence, or massive amounts of what are basically secrets, between branches of government is bound to have an effect. If only the teacher has the textbook and there is going to be a test at the end, the class is going to do poorly. Similarly, if only particular information is given by the teacher to the class, only particular options will be considered. This is a basic principle of information operations.
  • Why do you think this principle has not been pushed to the fusion centers, or has it?
  • Is the benefit of protecting sources more important than sharing the information from those sources?
  • How does a high-level policy like this affect privacy and societal interests?
  • Is the overall result of this executive policy in an era of national domestic spying actually protecting privacy?

Waldrop, E., “Weaponization of outer space: US National policy”, High Frontiers, Space Focus, p34 – 45, Winter 2005

  • Read this article and in general (don’t be pedantic) change space to cyber space and see if the argument holds true.

“Global trends 2025: A transformed world”, Office of Director National Intelligence, November 2008

  • If anything, the events of this year between Google and China show a quickening pace, as found on page 8. State capitalism is moving forward and the principles are conflicting with the capitalism found in America and most of Europe.
  • Why should you pay attention and quit whining that school is based on creativity, technical sophistication, and substantial knowledge as well as a trade? Well, see page 17: you had better get cracking, because higher ed is going to the developing nations more and more.
  • If youth bulges (page 42) are going to be an expanding demographic and worker shortages a continuing problem, what does that mean to the enterprise? What does that mean to productivity and principles like “work from home” and the 40-hour work week?

“Vision 2015: A globally networked and integrated intelligence enterprise”, Office of Director National Intelligence, 2008

  • Is the principle of decision advantage (page 10) only necessary for the government? What do information technology and information management of the enterprise bring to the table for allowing leadership to make decisions?
  • What are the elements of strategic surprises that leaders need to know? What are the metrics that an information assurance security program should be giving to their leadership? What are the key factors and grouping of those key factors? We tend to harp about connectivity, bandwidth, patches, and other very easily measured processes. What about quality of service, degradation of service, and other continuous (non-discrete) measured variables?
  • If the intelligence community is involved in the concept of “effects-based-analysis” what does that mean for the corporate enterprise? What are the effects from the information assurance and security world that need to be considered?
  • One aspect that can’t be overlooked is the perception of information overload (page 15). Intrusion detection systems with constant false positive noise, information security reports that don’t align with the strategies of the enterprise, information specialists with zero understanding of collection and correlation activities all lead to information blindness. How do you align corporate enterprise strategies with enterprise goals? What is important to the enterprise?
  • People, process, and technology are a triumvirate in which one aspect is often favored in ignorance of the other two (page 17). Consider this, balance any one aspect against the perceived goals of an enterprise, and determine the likely scenarios that come out of mono-polar understanding.
  • The intelligence community throws out their own archaic business practices (page 18) and looks to the business world for modernization. In the first paragraph under Modern Business Practices what information security guru from the enterprise doesn’t see the EXACT same problems in corporate culture? As an example think about how vendors sell hardware/technology products to that mono-polar consideration of people, process, and technology.

“Tracking GhostNet Investigating a cyber espionage network”, Information Warfare Monitor, March 2009

  • The rise of cyber spies is starting to come forward in the media. GhostNet represents an empirical investigation into the capabilities and methods used. How does this capability change the corporate enterprise security model? If that model even really exists.
  • Spies against nation states get hanged. Spies against corporate enterprises are rarely caught and, if in third nations, rarely extradited. So, what is the risk assessment against the enterprise?
  • Why don’t we see more university projects like GhostNet being done by students and professors?
  • Is the methodology as explained valid? If not, why? If so, why?
  • Would the methodology as described pass an institutional research board review? Why?
  • The primary skill of the team at GhostNet was determining through forensic analysis the processes used, the de-anonymization (attribution) of the adversary, and finally being able to elegantly report those results. Is that a process that can be duplicated?
  • Is what the GhostNet team did “live forensics” (page 30)?
  • Are the goals of an adversary as presented starting on page 47 (the techniques, results, and effects) incredibly different from the goals listed by the US intelligence organization in earlier articles?

“National security threats in cyberspace”, American Bar Association, September 2009

  • Leave it to lawyers to mix things up quickly. On the bottom of page 1 they lay out some broad principles. Do we agree or disagree with how they describe cyberspace? Pay special attention to the footnote on this page too.
  • Go back to the discussion on “Space” and see if these are harmonized with that article. The authors are coming at it from totally different viewpoints, but as discussed in previous classes, conflict has patterns that can be applied across domains, cyber security being one of those domains.
  • The workshop participant said “… the key national security problem with our governmental response has not been lack of awareness. Rather… … lack of leadership and stability are the main factors limiting our capacity to respond.” Is this true? How long did it take to hire a cyber czar? What happened to the leadership of the Department of Homeland Security cyber offices?
  • The lawyers are concerned about insurance, information sharing, and how that impacts business. Is insurance valid in cyber warfare? Is it valid when you have not protected your network? Leaving the keys in the car so to speak?
  • The lawyers discuss metrics to success, which harkens back to the article “Vision 2015”. On pages 28 – 30 they start looking at the kinds of numbers they want to see. What about them? Are they valid buckets?
