<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Selil</title>
	<atom:link href="http://selil.com/feed" rel="self" type="application/rss+xml" />
	<link>http://selil.com</link>
	<description>Professors Sam and Sydney Liles: Cyber warfare, privacy, computer security, computer forensics, technology, software engineering, running, life in general, and more</description>
	<lastBuildDate>Thu, 17 May 2012 15:26:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Jailbreaking the degree: Voids warranty and may cause data loss</title>
		<link>http://selil.com/archives/3051</link>
		<comments>http://selil.com/archives/3051#comments</comments>
		<pubDate>Wed, 16 May 2012 00:06:28 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Scholarship of teaching and learning]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3051</guid>
		<description><![CDATA[David Blake writing in TechCrunch discusses higher education and the failure to meet commoditized demands by breaking the degree structure into modules. Similar to many writers before his concern is about the trivial courses that mean nothing to the outlet the student desires. His concern is alliterated as jailbreaking (similar to how you open a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3RlY2hjcnVuY2guY29tLzIwMTIvMDUvMDUvamFpbGJyZWFraW5nLXRoZS1kZWdyZWUv">David Blake writing in TechCrunch discusses higher education and the failure to meet commoditized demands</a> by breaking the degree structure into modules. Similar to many writers before, his concern is about the trivial courses that mean nothing to the outlet the student desires. His concern is alliterated as jailbreaking (similar to how you open a mobile handset to unintended uses) and iTunes where albums were no longer the granularity of the content. This really isn’t a set of new concepts to higher education. Inherent in this discussion is the student as consumer and the expectation that the consumer knows best.</p>
<p style="padding-left: 30px;"><em>David Blake writes, “The problem, to date, is that formal, online education is still being packaged in all-or-nothing degree programs, falsely constraining education innovation.”</em></p>
<p>Is it a problem that as a collective over the last ten centuries a process of delivery of educational material has derived a program of study that is inclusive and holistic rather than segmented and servile? Is the structure of education so far behind the cognitive and learning strategies of a rapidly evolving human species? <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS9hcmNoaXZlcy8xMTIy">I admit technology has revolutionized human interaction and ability to grasp concepts but is the guy from 1000 years ago so significantly different mentally and physically</a>?<span id="more-3051"></span></p>
<p>If you suggest the mere aspect of being a modern human means you are exposed to more information then breaking up the university curriculum falls on the sword of inherent requirement. It being that if there is more information and the human being only having so much input and output capacity more time may be needed and more focus required to educate the student. If the argument hinges on the requirement for depth rather than breadth in which aspect will you allow the student to cut? The trivialities of ethics, law, and mutual citizenship thus eroding further the bounds of society and the social contract of expectations?</p>
<p style="padding-left: 30px;"><em>David Blake writes, “Technology creates efficiencies by decreasing unit size while increasing utility.  To falsely constrain anything to historically larger canons is to render technology impotent to do what it does best.”</em></p>
<p>Though I’m loath to say it the aspect of utility is illusory. Of what utility is calculus to the student studying it? What aspirant to engineering hasn’t sat back and looked at a tool like MatLab and thought, “Why in the world do I need to do this stuff by hand?” Yet, the thinking and problem solving strategies of working through a quadratic calculus problem instantiate significantly more than an understanding of negative one versus one. <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS9hcmNoaXZlcy83NTE=">Until experienced this is learning unsought and not understood in many cases until long after the student has left the university</a>.</p>
<p>Expecting the student to know what they should know is a logical false statement and determination of parochialism by those who force it. <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS9hcmNoaXZlcy8yOTYy">Though logically false, how many of the people suggesting this form of unstructured learning were successes from that unstructured learning environment</a>? A kindergartner should not be put in a course with high school seniors. The absurdity of the edge cases should inform us of the risks in the center cases. Who are you willing to leave behind?</p>
<p style="padding-left: 30px;"><em>David Blake writes, “Jailbreaking the degree and making courses the “unit” of education will unlock a flood of unmet demand and a new wave of possibilities in how we learn and consume education.”</em></p>
<p>Though mildly appealing I have seen the results of breaking learning into learning units, modules, or subsections. It is one of those mind boggling educational unicorns that is fanciful for a variety of reasons. Most of the educational module systems that have been designed have to have a hierarchical and inherent structure behind them because learning is based on learning techniques or strategies prior to moving on to the next level.  When you break courses up into modules you lose the flow of the course, the engagement of students, and the group interaction and peer to peer interactions.</p>
<p>The learning module works across a hierarchy of peer courses but will not work in a depth of courses. You must take arithmetic prior to taking trigonometry prior to taking calculus. There has to be a level field of students moving into each course module. Otherwise a large number of them are abandoned. The resources to assist students and provide feedback in a large course of study would be cost prohibitive. The expectation that all (or even most) students enter prepared for anything is elitist.  The sink or swim approach may be inviting to some, but all are paying customers. So another element of the hubris of the argument is uncovered.</p>
<p>It is TechCrunch and not the Chronicle of Higher Education. Mr. Blake has an interesting analogy for the learning environment, but not one that is sustainable across the university system. <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS9hcmNoaXZlcy8xNjI=">The educational system contrary to many people’s beliefs in my opinion is not broken</a>. It has been eroded and bent upon the anvil of politics, but in ten centuries it has done pretty good by our ability to create and innovate. I would fully admit that our costing system, administrative system, and various other widgets of corporatism in education are broken. I don’t think that those high impact items reflect the educational environment between student and professor.</p>
<p>In the end this argument like many in higher education is about who pays for what. The push to distance learning education is, in my opinion, a good direction. I enjoy watching lectures by the best people in the field and the use of interactive training and education tools. The denigration of the university education has to stop. It is an affront to faculty and students alike. A university education isn’t a hamburger and you shouldn’t be able to get it at the drive thru. Education is a process of discovery and some of that discovery is uncomfortable or even distasteful.</p>
<p>A technical degree program has a liberal arts core because it supports the educational development of the student whether they want it or not. A liberal arts degree program will have math and technical courses because students need that background too. It is easy to argue against a single course, but it is quite another to argue against the system. Innovation and expression are important across the curriculum and inherently there are elements people feel they don’t need. What is ignored is that the mashing together of students into courses they may not want to take serves more than their purpose. It may serve the purpose of the university or even society.</p>
<p>Another aspect to “jailbreaking” the degree is that <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS9hcmNoaXZlcy8xNzM=">you don’t always know where you’re going when you start</a>. I’d like to think that most of the discussion is in the students’ interest and not part of the business plan of people looking at the bones of academia as a way to make a buck. I’d like to think most people realize that higher education was never meant to be a jobs program and that attending university was supposed to be an elitist effort as in only the most academically elite could attend. The fact that businesses in the interest of cutting costs cut their training programs and now want a vote on what universities teach is laughable.  Though I do see the same mistake being made by government within the Joint Professional Military Education environment. There are dozens of ways to cut costs to students and decrease the overall costs of higher education. Ripping the heart out of the university and denigrating the experience because it is currently trendy is not the best course.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3051/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Woes me information (cyber) security is hard</title>
		<link>http://selil.com/archives/3048</link>
		<comments>http://selil.com/archives/3048#comments</comments>
		<pubDate>Tue, 08 May 2012 20:05:19 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Information Assurance and Security]]></category>
		<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3048</guid>
		<description><![CDATA[Lots of discussion in the mainstream press about every fortune 500 being hacked, the &#60;insert name&#62; government has hacked us into smithereens. The world is ending. We need to do &#60;insert favorite vendor solution&#62; to save the world. Bull pucky. I’ll take five minutes out of my day and discuss some of the issues. I [...]]]></description>
			<content:encoded><![CDATA[<p>Lots of discussion in the mainstream press about every fortune 500 being hacked, the &lt;insert name&gt; government has hacked us into smithereens. The world is ending. We need to do &lt;insert favorite vendor solution&gt; to save the world.</p>
<p>Bull pucky. I’ll take five minutes out of my day and discuss some of the issues. I reserve the right to go back and edit this. It’s a rant so be aware I’m going to be snarky.</p>
<p>We only need to do a few things to secure our information infrastructure but they are radically off course from where we are today. They aren’t politically fancy. They aren’t cheap. And, you won’t get a bronze star for doing them. In fact if you suggested how to actually fix information (cyber) security you’d likely get fired. So in summary the way to fix information (cyber) security is bury defense in depth, assume breach, secure the information not the hardware, think resilient, and pay the cost. <span id="more-3048"></span></p>
<p><strong>1. Bury defense in depth</strong></p>
<p>Defense in depth and defense in breadth work when you can control all avenues of entry and exit from an environment. In matrices where the connectivity options approach infinity there is no adequate method to control all mechanisms of approach. You’re wasting your money buying perimeter defense and internal mechanisms of containment. Will they stop the low level guys? Yes they will and for that reason go ahead and keep what you bought. What it won’t stop is anybody who understands hacking into networks. Not “computer” networks but the social, cognitive, technological networks of the actual cyber realm. Go ahead mister silly pants information security guru and blame the user for all of your problems. They are the reason you have a job.</p>
<p>Defense in depth is dead because the network structures are so inter-related that teasing out control mechanisms is outside the realm of possibility. Even air-gapped networks can be found. Accessing highly confidential systems is simply a matter of figuring out which pawn to move when nobody is looking. Artificial constructs where security is based around ONLY network accesses being considered are moronic. Bad guys will not follow your rules so you need to have flexible non-deterministic rule sets to follow. Defense in depth is based on the principle of control and that is absent in any sophisticated network.</p>
<p><strong>2. Assume breach</strong></p>
<p>Look at your networked enterprise environment. Assume that you have a breach at the worst level. You now know that every information asset under your control is going to be in the hands of your worst adversary. What are you going to change in behaviors and controls? How are you going to respond? You can’t possibly remove the breach so the only thing you can do is mitigate the effect on your enterprise. What kind of policy decisions would you make? How would you change your operational characteristics? This is the point where most information (cyber) security professionals start to try and change the scenario. They don’t want to even think that they have failed. Their hubris rises to the surface and they say “uh huh not me”.</p>
<p>When your information (cyber) security professional tells you that they can never be hacked, breached, exploited, and they stand there with the smug look on their face. Fire them. They are less than useless. You want somebody who is willing to tell you bad things happen and mitigation is your only strategy. If bad things don’t happen they’re good, but there is always the possibility because bad things happen to good people too. Hubris speeds that process along because the arrogant never consider the unexpected. I want my security people to be paranoid as the day is long and hyper aware of the information environment. I kind of want them pissed that they have users but always aware that users are why they get paid.</p>
<p><strong>3. Manage (secure) the information not the hardware</strong></p>
<p>Government and corporate entities refer a lot to locking down computers, securing servers, and other pedantic wrong headed talk. Of course we’re going to do some level of due diligence, but go ahead and abandon hope of securing hardware. Look at the information assets whether it be databases, telemetry for medical devices, operational military plans, or photographs of aging starlets and consider securing the information.</p>
<p>Information is data with context. It has to mean something or have some value or you are spending money to secure the equivalent of digital diarrhea. A lot of computer information appears to have no specific worth or context so be careful that the whiplash effect isn’t enabled by not securing enough. The way you know if you’ve secured enough is when you evaluate the value of the assets.</p>
<p>Do you even know the value of your categories of data? Have you inventoried the security use case of your user population to consider the information flows of your environment? Do you know what really matters and what is merely ancillary to your organization? Can you tell me the flow rates of data from the cognitive potential of your user base to the operational and strategic hierarchies for decisional support? If you have no idea what I’m talking about you are working at information (cyber) security at a tactical level with no conceptual framework for actually solving the problem.  You are bound to fail.</p>
<p>We can look at cases of resource fail pretty easily. Are you the information (cyber) security professional who diligently runs vulnerability scans against your information hardware assets? Why? Are you checking for known configuration issues and perhaps assessing that everything is in a known secure configuration? Don’t you think Sony, RSA, and Lockheed Martin all did that too? How many variances on the vulnerability assessments do you have to register because the software/hardware requires an insecure configuration? If the answer is even one then you’ve got an issue.</p>
<p>A common thread from government types and corporate types is that sophisticated red teams show up and get into their networks. There is nothing you can do to stop them, and these red teams are operating under rules of engagement and codes of conduct. Do you think the adversaries are so constrained? If you’re going to expend resources on securing the environment look at the information. That is what you care about. Secure the asset not the cardboard box.</p>
<p><strong>4. Think resilient instead of brittle</strong></p>
<p>Risk to critical information assets can be reduced if their loss is mitigated or the impact of their exfiltration is mitigated. The mind leaps to breaches of confidentiality, but we’re not saying that is even the case here. If all of my data is heavily encrypted at rest and the adversary slurps it up who cares? I will lean on the well-trod path of time-based security and not care. There is the problem of protecting the keys to the crypto server but that is a use case where I should use appropriate strategies to mitigate risk. Focusing on one central primary asset versus the peripheral multitude should effectively reduce my work factor.</p>
<p>We can see examples of brittle architectures in how we build network connection points. Single points of failure became high availability shared points of failure. Those became cloud points of failure. Then we snapped back and said we were going to create fewer connection points in hopes of slowing adversaries down. Unfortunately the adversaries follow us home wearing invisibility cloaks and we’re too drunk to smell their foul stench. That is just a little tiny Lord of The Rings reference there for the multitudes.</p>
<p><strong>5. Pay the cost</strong></p>
<p>When we talk about information (cyber) security budgets we’re often talking about less than ten percent of the entire information technology budget of a corporation. Much of that number is going to be eaten up by licensing costs and hardware costs that should be part of the information technology budget. If you have running water you don’t think twice about somebody cleaning the bathrooms and having water faucets for people to use. Yet our security budgets often revolve around fighting for that level of utility budget. The security office is often the smallest office, in the smallest corridor, in the least funded area of the company. Until the big breach happens. Then there is an impact against profit and then a bright shiny well paid computer security officer joins the company with a great big fix it, hide it, make it go away quick budget. Until they forget and cut the budget year-to-year even though the information asset base rises.</p>
<p>Information technology was invested in because it made people more effective, it reduced the number of people to do a job, it made industry more competitive. Lots of information technology replaced lots of people and the profits from that continued. Unfortunately in the era of knowledge economy the information technology boom was continued, expanded, and subjugated to a set of metrics never appropriate to the environment. Security was ignored though many authors pointed out the flaw to this thinking. Information (cyber) security resources were skimmed, and in a shame to industry and academia the security chapter of most textbooks is the last lecture (computer science geeks just grinned). Just like the engineering practices are last into the project plan.</p>
<p>The cultural and business practices in industry and government were never aligned with reality. Now the entire technology stack in the information age economy is insecure, riddled with vulnerabilities, and confidentiality, integrity, and availability are not sustainable. Acceptance of poor programming practices, vulnerable hardware, and inappropriate strategies run through the information environment like a torpid snake. You don’t really have to worry until it bites you.</p>
<p><strong>Nobody likes the answer</strong></p>
<p>You’ll get no traction with the above information. We’re not walking back from this abyss anytime soon. There are ways to fix it and we’re in the middle of what might be one of those change vectors. Segmentation of the software environment into single use case applications with restricted utilization vectors represents a significant leap in technical security. That kind of sand-boxing means that application exploitation should not have the whole of system effects of other less protected execution modes.</p>
<p>The “spend more money” part of this argument falls equally on deaf ears, but there are rising risks and awareness that might change the equation for a small time period. This cycle runs hot and cold nearly every decade. In this small window pushing secure architectures, protection mechanisms, and holistic security inclusive of the specific security use case analysis strategies just might change things.</p>
<p>Sorry, it only took four minutes to make 1700 words.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3048/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber security (cyber war) hype cycle writ large</title>
		<link>http://selil.com/archives/3040</link>
		<comments>http://selil.com/archives/3040#comments</comments>
		<pubDate>Tue, 01 May 2012 13:56:38 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3040</guid>
		<description><![CDATA[In the late 1800s a new form of warfare was starting to rise into the collective understanding of the world militaries. Command and control warfare through automated means began with the telegraph. This allowed for a network centric conflict to rise and concepts like indirect fire to become accurate and nearly instantaneous. Warfare against command [...]]]></description>
			<content:encoded><![CDATA[<p>In the late 1800s a new form of warfare was starting to rise into the collective understanding of the world militaries. Command and control warfare through automated means began with the telegraph. This allowed for a network centric conflict to rise and concepts like indirect fire to become accurate and nearly instantaneous. Warfare against command and control had existed long before that. To be sure command and control are only shadows of the deeper meaning of &#8220;cyber&#8221; as we&#8217;ve come to know it today, but the concept of command and control warfare exhibits much of the conflict elements that are important. The problem today is we are seeing the cycle move forward a notch further. We have done this a few times and newbies (youngin&#8217;s) haven&#8217;t seen it or haven&#8217;t studied it to realize the cycle.<span id="more-3040"></span></p>
<p>In the late 1950s the first automated/electronic computers started making in-roads to the information processing environment. Mechanical computers that allowed for breaking crypto had been used extensively during World War Two but the idea of using them for more than singular tasks just wasn&#8217;t on the horizon. By the early 1960s computers were becoming something that people and corporations could own at great cost. Concerns started to rise in late 1969 and early 1970 about the security of information in these centralized data repositories. In 1976 Bell and LaPadula write the first secure computing system paper that would become the hallmark of common criteria. Saltzer, Neumann and many others writing about the Multics operating system define the idea of secure coding standards. By the late 1970s the cost of securing these systems was determined to be too great and by 1980 was largely forgotten. In the span of a mere decade security of information went from BIG problem to not worth anybody&#8217;s time.</p>
<p>In the mid 1980s personal computers were making their way to the desktop of people and being bought by individuals rather than corporations. The Apple 2, the IBM PC, and the horde of clones swamped the environment. In early 1983 the movie War Games came to a cinema and people were SHOCKED that all of those computers were open to attack. There was great hand wringing and then the cute cuddly teens were forgotten fairly rapidly. It is interesting to note that the magazine 2600 comes out during this time (1984). The Trusted Computer System Evaluation Criteria (Orange Book) was written in 1983 and updated in 1985. The Cuckoo&#8217;s Egg by Cliff Stoll was happening during this period but the book was yet to be written until 1989. In that story you have foreign espionage, military plans being exposed to communist nations, attribution to the house level of the individuals, and the investigator lost his job and was nearly imprisoned. Most assuredly in that period we were not doing computer security. In fact there were many barriers to the concept. There is a bit of a drought from mid 1980s until the mid-late 1990s.</p>
<p>In 1991 John McCumber writes a paper detailing the risk management model known as the McCumber Cube. This would be instantiated in policy, law, and procedures across the government having by 1994 similar effects to the Bell LaPadula paper in 1976. In early 1993 we get the world wide web (DNS) and then we also get the movie Hackers. Though the movie was hated by critics who can complain about Angelina Jolie running around in leather? Government tripped about this time and realized they had a huge problem. In early 1995 military commands to study the problem were instantiated. The Defense Information Systems Agency had its authorities changed. The big problem for the military was sensationalized by the publication of Cliff Stoll&#8217;s book (note he wasn&#8217;t a hacker or security professional he was an astronomer). Military leadership has always been worried about the concepts of information security (work in 1974 was supposed to fix it).</p>
<p>Consider that a general in 1994 was likely a captain in 1974 and you have a learning gap. Studying the demographics of leadership a thread began and has continued that leadership wasn&#8217;t even aware of computers when they were in college which is a concept erroneously used as an excuse still today. This leadership was more than willing to use the capability to wage network centric warfare and decimate Iraq in the first Persian Gulf war, but they didn&#8217;t really understand the exposure the technology provided.  Here we see the onset in the late 1960s peaking around 1974, a similar peak in 1984 and a peak in 1998.</p>
<p>In 1996-97 a set of exercises were started and a particular set of intrusions were practiced against government systems by what would become known as the NSA Red Team (cue spooky music). Still since those first big issues in the mid 1980s (and the creation of the Computer Fraud and Abuse Act) computer security was basically ignored. Even the reports from inside the military security apparatus were largely not seen as &#8220;big&#8221; issues. Until 1998 when a computer intrusion nearly duplicating the NSA Red Team approach entered government systems and began whiffing off information. This was a bit of a problem because a major operation was occurring. One of the largest computer investigations in history was begun. It is not flippant to say military leadership freaked out. This &#8220;freaking out&#8221; is one part how come we didn&#8217;t know this was possible, and two parts we hope nobody realizes we just had an exercise that told us this was possible.</p>
<p>When technologists look back at that period we have a tendency to focus on 1999 and Y2K. The people charged with protecting information assets focus on 1998. Y2K became a convenient excuse to buy lots of goodies and protect the infrastructure as much as possible. The diaspora of people from that moment in time is very interesting. Many people who are famous computer security experts today were generated at that place and time. By 9/11/2001 most of the fears about computer security were starting to be forgotten in the wake of the dot com bomb, the World Trade Center collapse and the ensuing global war on terrorism.  We have a rising cycle of computer security interest mirrored from around 1997 to 2001 then rapid drop off again.</p>
<p>After or around 2005 a series of events started to pique people&#8217;s interest in computer security again. A series of high level exploits started to be released. The SEC would soon require corporations to disclose customer data breaches. It is no surprise that HIPAA and other laws started to take into account confidentiality. Government started detecting technology based intrusions (notice the dropping of &#8220;cyber&#8221;). The hyping of cyber as a security issue was starting. By the summer of 2008 most people were focused on the collapse of the stock market but a select few had started focusing on &#8220;cyber&#8221; issues. In January 2008 Anonymous began project Chanology and took on the Church of Scientology. Dorothy Denning had written nearly a decade previously about Hacktivism (2000) and Anonymous was getting their hack on.  In 2010 the wheels came off as previously unknown capabilities were being publicly disclosed.  In June 2010 Stuxnet is discovered in the wild and is labeled the first cyber weapon. An appellation lacking in meaning, but likely the touch point for this cycle&#8217;s peak.</p>
<p>Each cycle a major story breaks creating interest, and in general lots of equipment is sold to companies to &#8220;fix&#8221; the security holes. Yet, the reality is that this equipment acquisition just increases risk and doesn&#8217;t take care of the actual problems in the technology stack. At no point in the last five decades have we actually fixed the security problems. In general an engineering and technology problem is handled as a political problem and as such never actually solved. Once the media cycle has moved on the security guys are fired, the admins are paid less, and a set of experienced middle managers in information security move on to banking, finance or selling cars. There is a core of people who remain for whatever reason. I came into this world of information security in the mid 1980s fully two decades after the first security papers were being written.</p>
<p>We can see the end of this cycle in the derogatory information being suggested by relatively new people to the space of information assurance and security. These are not &#8220;evil&#8221; or even wrong people. They are focusing on the hype rather than the issue and that would drive anybody to distraction. If you focus on the technology stack, the principles that are important, and realize the inherent risk relationships then appreciation for the issue is much greater. Politicians talk about the end of civilization, or generals spout off about great wars in cyberspace, and yet none of those people take any actions that are really significant in solving the problem. Some of the criticism of the contrarians is warranted. I&#8217;ve seen those stories at least three or four times before. I could give them the script about the issues with the current computer security culture.</p>
<p>That being said there are huge risks. Principles that are building on previous principles and patterns that instantiate those principles are continuing to be prevalent in the cyber/technology realm. That previous sentence is purposely recursive. Convergence, connectivity, melding of the man-machine interface (cybernetics), and so much more are allowing for new threat-vulnerability vectors. Industrial control systems, and commodity processing systems are not &#8220;new&#8221; but the breadth of that knowledge is a threat-vulnerability vector. In general there are two ways to solve computer security. Minimize the threat-vulnerability tuple by spending vast amounts of money on countermeasures and kicking the problem down the time line to the next generation or spend money on minimizing the impact of an effectuated threat-vulnerability tuple so an effective attack is meaningless.</p>
<p>In some ways the dichotomy between those two ideas is exactly what the argument between the contrarians and the politicos is hinged upon.</p>
<p>Those who are experienced and knowledgeable about the totality of information assurance and security will focus on both sides of this equation. To me it is interesting that hackers focus on vulnerabilities and politicians focus on countermeasures. Look at what the hacker collective publishes at DefCon and BlackHat (exploitation). Then look at how laws are written by politicians to share information, and control the technology  (constraints). What some of the contrarians are reacting to is the lack of focus on the impact vector or remediation of the technology stack used in commodity computing. Some will argue that impact is already negligible but absence of evidence does not suggest absence of capacity to inflict impact. Succinctly there are a lot of guns in America but not everybody is shooting everybody else regardless of the media accounts. There is substantial evidence to suggest capacity to inflict damage but motive and opportunity have likely not aligned. Much like driving down the road we are trusting that other drivers are not going to do stupid things and in general we are right.</p>
<p>Just some thoughts, but also some caveats:</p>
<p>1) This kind of narrative is fitting evidence to a pattern. It is not good science, but I hope it resonates a tiny bit with the reader. It is explanatory while not expected to be empirical.</p>
<p>2) If you&#8217;re interested, mining the literature of computer security and piling bibliometrics up against known events rips this whole theory apart. Adding in high level (NY Times, LA Times, etc.) news stories then gives some idea to this pattern. This is also likely due to the fact legislative agendas follow the pattern pretty closely.</p>
<p>3) I&#8217;ve got no hate toward the contrarians. I think it is fun to watch what I&#8217;ve seen before and be able to realize that this is just a repeat. I do think the wheels come off this pattern if there is ever a really big event, and I thought the Enron fiasco might have been that. No luck it has faded already from memory.</p>
<p>4) I hate the term cyberwar. It should always be cyber war, like land war, sea war, space war, etc&#8230; Though I&#8217;m coming around again to cyberspace.</p>
<p>5) Even though we have had computers since before most generals were born the thread continues that nobody can keep up with the technology. One of the effects is we allow people to run information assets that have no clue about information security as an expectation. In military terms we&#8217;d never allow command of a military unit by somebody with no experience in that branch of arms. Yet we do this with computers. The tool to combine and control those arms.</p>
<p>6) This was written from memory in about five minutes, so if I&#8217;ve gotten the spelling of anybody&#8217;s name wrong, dates wrong, etc.. My apologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3040/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The lost art of making do</title>
		<link>http://selil.com/archives/3030</link>
		<comments>http://selil.com/archives/3030#comments</comments>
		<pubDate>Tue, 17 Apr 2012 19:37:47 +0000</pubDate>
		<dc:creator>syd</dc:creator>
				<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3030</guid>
		<description><![CDATA[Let’s face it, we all like things that are new and shiny. When given a choice most of us pick new over old. The ongoing economic recession has made it more challenging for all of us to get the new and shiny so many think they just have to do without. I think there is [...]]]></description>
			<content:encoded><![CDATA[<p>Let’s face it, we all like things that are new and shiny. When given a choice most of us pick new over old.</p>
<p>The ongoing economic recession has made it more challenging for all of us to get the new and shiny so many think they just have to do without. I think there is an alternative we are overlooking – making do.</p>
<p>What do I mean when I say we need to make do? I mean we make use of what we already have. We re-purpose old stuff. Maybe it is throwing a tablecloth over a couple of boxes to create an end table. Maybe it is cleaning up and refinishing a piece of furniture. It might even be taking apart an old t-shirt to make a new playsuit for the baby. It is even making a new dress from <a title="Scarlett's Drapery Dress" href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5ocmMudXRleGFzLmVkdS9leGhpYml0aW9ucy93ZWIvZ3d0dy93YXJkcm9iZS9jdXJ0YWluL2N1cnRjaG9vc2UuaHRtbA==" target="_blank">curtains</a>.</p>
<p>When we make do, we figure out how to create what we need, or even what we want, out of something we already own. It is rearranging things to make them meet our needs in ways they weren’t before. It is much less expensive than buying new and shiny. It does mean we need a few skills but those are easily learned and very useful.</p>
<p>And one more benefit of making do is that we waste less. We live in a disposable culture. We buy so many new and shiny things and as soon as the shine wears off we just throw them away. When we make do, we figure out a new way to use those old things, ways to restore the shine and in the process we reduce the waste.</p>
<p>Personally, I like making do. I like rescuing things from the trash bin and breathing new life into them.  It is thrifty and creative.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3030/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CERIAS Posters: Two posters on some of my works in progress</title>
		<link>http://selil.com/archives/3013</link>
		<comments>http://selil.com/archives/3013#comments</comments>
		<pubDate>Wed, 04 Apr 2012 20:00:11 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[Poster Presentations]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3013</guid>
		<description><![CDATA[This week I&#8217;m attending the CERIAS symposium at Purdue University in West Lafayette Indiana. I&#8217;ve had some really great conversations with several leaders in the industry, and found some great contacts within government that may or may not lead anywhere. It has been interesting to see some of the presentations. The variability in the panelists [...]]]></description>
			<content:encoded><![CDATA[<p>This week I&#8217;m attending the CERIAS symposium at Purdue University in West Lafayette Indiana. I&#8217;ve had some really great conversations with several leaders in the industry, and found some great contacts within government that may or may not lead anywhere. It has been interesting to see some of the presentations. The variability in the panelists they&#8217;ve had is extremely interesting to me. I think you&#8217;ll find the posters at least mildly interesting.<span id="more-3013"></span></p>
<p>I&#8217;m presenting two posters at the symposium. Usually poster presentations are kind of a ho-hum affair but at Purdue you usually get some pretty senior people quizzing you about the research, and I&#8217;ve had a blast playing stump the chump with some of the other presenters. The depth and breadth of the research at an organization like CERIAS is one of my favorite things about being involved with an R1 research institution.</p>
<p>The first poster is a snapshot of my doctoral dissertation. Would a risk management model, a technical model, or no model (as a control) inform or influence conceptual understanding of cyber conflict? The answer? Well none. In fact across the board the results suggest that nobody really understands the domain of cyber warfare (within my sample).</p>
<p>ETA: this poster won first place at the symposium. Considering how excellent the competition was it was a sincere surprise and great honor to earn such an award.</p>
<p>&nbsp;</p>
<div id="attachment_3014" class="wp-caption aligncenter" style="width: 238px"><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS93cC1jb250ZW50L3VwbG9hZHMvMjAxMi8wNC9zYW11ZWxfbGlsZXNfcG9zdGVyMS5qcGc="><img class="size-medium wp-image-3014 " title="Cyberwarfare as a form of conflict: Evaluation of models of cyber conflict as a prototype to conceptual analysis" src="http://selil.com/wp-content/uploads/2012/04/samuel_liles_poster1-228x300.jpg" alt="" width="228" height="300" /></a><p class="wp-caption-text">Cyberwarfare as a form of conflict: Evaluation of models of cyber conflict as a prototype to conceptual analysis (click to make larger)</p></div>
<p>&nbsp;</p>
<p>Poster two is a work in progress that I wanted to socialize a bit for comments. My former students will recognize this as something I&#8217;ve been working on for quite some time. This research looks at the risk management paradigm, and then looks to see if we are doing what the principles of risk management actually suggest. The analysis framework uses a taxonomical model that is only partly defined at this point. It also builds upon the work of several excellent scholars. There are lots of caveats to go with this research so don&#8217;t get all crazy about the results. Poster presentations are great places to do this kind of analysis and discuss it. Of course this same research is also a targeting mechanism but that is a topic for another day.</p>
<p>&nbsp;</p>
<div id="attachment_3015" class="wp-caption aligncenter" style="width: 238px"><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS93cC1jb250ZW50L3VwbG9hZHMvMjAxMi8wNC9zYW11ZWxfbGlsZXNfcG9zdGVyMi5qcGc="><img class="size-medium wp-image-3015 " title="Risk assessment in an information centric world: Threats, vulnerabilities, countermeasures and impacts (a work in progress)" src="http://selil.com/wp-content/uploads/2012/04/samuel_liles_poster2-228x300.jpg" alt="Risk assessment in an information centric world: Threats, vulnerabilities, countermeasures and impacts (a work in progress)" width="228" height="300" /></a><p class="wp-caption-text">Risk assessment in an information centric world: Threats, vulnerabilities, countermeasures and impacts (a work in progress) (click to make larger)</p></div>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3013/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Strategic blindness: When aliens attack</title>
		<link>http://selil.com/archives/3010</link>
		<comments>http://selil.com/archives/3010#comments</comments>
		<pubDate>Thu, 22 Mar 2012 13:29:43 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3010</guid>
		<description><![CDATA[United States doctrine and force structure is built around the domains of air, sea, land, space and now cyber. Domains as defined create cylinders of capability that can be merged and fought within. The domain construct is as much a historical artifact as it is an efficient categorical system. The military force structure to fight [...]]]></description>
			<content:encoded><![CDATA[<p>United States doctrine and force structure is built around the domains of air, sea, land, space and now cyber. Domains as defined create cylinders of capability that can be merged and fought within. The domain construct is as much a historical artifact as it is an efficient categorical system. The military force structure to fight within these domains is an air force, army, and navy. The Marine Corps is an expeditionary force between the sea and land (and other tasks as designated). This structure as defined has inherently created a strategic blindness to the capacities, capabilities, and risks of conflict where they meet. This is especially true when dealing with cyberspace.<span id="more-3010"></span></p>
<p>Hold up your left hand and look at your fingers. Each finger denotes a domain that United States doctrine defines. The palm of your hand represents the joint functions of these domains. When formed into a fist this meshing of national power assets represents a significant amount of power that is bent toward national strategic objectives. When you splay your hand fingers wide all of that space between your fingers is the vacuum of strategic blindness.  Strategic blindness is always there but often hidden by might of the fist. Strategic blindness is the unknown unknowns you can’t define because you are not even looking for them.  Strategic blindness is the hidden risks that weaken the whole of the military.</p>
<p>As silly as it sounds I want the reader to step out of the policy, doctrinal, and literature heavy world of United States centric thought on military affairs. As such I’ve constructed a little thought exercise to help see how strategic blindness is inherent in the process. Suspend disbelief, have some fun with it, and please do expand beyond the trivialities provided here.</p>
<p style="padding-left: 90px;"><em>Later today huge alien ships without warning or prior detection appear orbiting the world. As such you are expected to provide an assessment of what their military capability and capacity might be, and how they might fight a war against the earth, a non-space faring race. At first timidly you have to think about concepts such as order of battle, what represents the high ground, and how an adversary who has advantage against the Air Force might fight. Then a few things become apparent.</em></p>
<p style="padding-left: 90px;"><em>1)    </em><em>The artificiality of the domain construct and joint fighting strategy are meaningless to a space faring race. </em></p>
<p style="padding-left: 90px;"><em>2)    </em><em>The “natural” environment features are superfluous to the larger feature of planetary and solar system.</em></p>
<p style="padding-left: 90px;"><em>3)    </em><em>The artificiality of the domain construct has led to a blindness to how getting aircraft off the ground, refueling, rearming and arranging for rest of pilots exposes them to periods of significant risk.</em></p>
<p style="padding-left: 90px;"><em>4)    </em><em>From space any significant desire to hide submarines in the thin film of an ocean is overcome by deep radar or even pulsed neutrino scans. </em></p>
<p style="padding-left: 90px;"><em>5)    </em><em>The intersections between “domain” entities are actually strategic chasms that joint operations doctrine has actually increased. </em></p>
<p style="padding-left: 90px;"><em>After reviewing the principles that such an analysis starts to illuminate it becomes apparent that only two domains exist. There is the domain of conflict regardless of tangential surface features and the domain of command, control, communication, coordination, data and cognition. You have conflict and cyberspace. You realize that any entity that can move between star systems is going to have some form of cyberspace. The question is what can you do with that insight (other than silly things like infect them with a virus)?</em></p>
<p>We see strategic blindness in how order of battle is being prepared and constructed currently to fight in cyberspace. The focus is on attacks against the confidentiality security service (hiding secrets) and minimally focused on attacks against the availability security service (distributed denial of service). Unfortunately the focus is also on the World Wide Web (DNS), Internet (TCP/IP), or global information grid (GIG).</p>
<p>The thought that constrains us to considering these elements ignores the Internet of things that are wired into pieces or portions of these other structures but aren’t defined by those structures. The protocol J1939 as part of the CANBUS standard wires cars to features of the Internet but isn’t part of the Internet. The ubiquitous Industrial Control Systems are often running on low voltage systems, but are controlled from a human interface computer. Large data warehouses represent significant repositories of information that could be used to determine capability, capacity, and level of persistence a nation might exhibit. Remember all of those old science fiction movies and how the aliens breached the computer systems and read the databases of the intrepid explorers’ space ships to determine intent and capability?</p>
<p>So, there is strategic blindness within the domains and at the seams of the domains. I know the use of aliens will cause some harassment, but you need a totally foreign construct to allow for stepping outside the steeped military traditions that enforce strategic blindness. You can see blindness arise as people invoke their favorite strategists Clausewitz or Sun Tzu as if that will solve the problem. The issue is that large militaries can afford that kind of blind spot right up until they meet a peer or superior adversary. If you had to fight a superior adversary what would the domain construct and silos within those constructs mean to strategic capability?</p>
<p>&nbsp;</p>
<p><em>*Strategic blindness is created when doctrine, operations, plans, tactics, techniques and procedures ignore a significant risk or adversary capability or capacity to invoke change. Strategic blindness can be outward facing (not seeing an impending attack), but most often is inward facing (we didn’t know we had to do that)*</em></p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3010/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Embedded systems security</title>
		<link>http://selil.com/archives/3006</link>
		<comments>http://selil.com/archives/3006#comments</comments>
		<pubDate>Tue, 20 Mar 2012 20:52:37 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Information Assurance and Security]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3006</guid>
		<description><![CDATA[A few videos have hit Youtube recently. One references the content in the other. I really like to see the topic being discussed. Watch them in the order presented for the best impact. Dr. Fisher wherever you are, you are awesome. I don&#8217;t agree about formal methods, but you&#8217;re doing great work. When I see [...]]]></description>
			<content:encoded><![CDATA[<p>A few videos have hit Youtube recently. One references the content in the other. I really like to see the topic being discussed. Watch them in the order presented for the best impact. Dr. Fisher wherever you are, you are awesome. I don&#8217;t agree about formal methods, but you&#8217;re doing great work. When I see this kind of discussion coming out of DARPA i get kind of misty eyed.<span id="more-3006"></span></p>
<p>As to Avi Rubin what can you say. The guy explains several threats quite handily and is putting other peoples work on display. Some of these researchers simply can&#8217;t get any airplay and to use his time to show off others hard work is actually the ultimate in scientific greatness. Some will say they stole other peoples work, but that is missing the point of science. You build upon others and you teach the best of what you can find. Excellent Mr. Rubin and well done.</p>
<p>&nbsp;</p>
<p>Avi Rubin talking about the threats from the Internet of things.</p>
<p><iframe src="http://www.youtube.com/embed/metkEeZvHTg" frameborder="0" width="560" height="315"></iframe></p>
<p>Dr. Kathleen Fisher Program Manager of High Assurance Systems of DARPA bringing up some of the issues of the Internet of things and a possible research vector to fix the darn stuff.</p>
<p><iframe src="http://www.youtube.com/embed/3D6jxBDy8k8" frameborder="0" width="560" height="315"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3006/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Just four rules</title>
		<link>http://selil.com/archives/3003</link>
		<comments>http://selil.com/archives/3003#comments</comments>
		<pubDate>Fri, 16 Mar 2012 13:19:35 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Family]]></category>

		<guid isPermaLink="false">http://selil.com/?p=3003</guid>
		<description><![CDATA[I&#8217;m no genius. I&#8217;m not the best at anything I do and as my recent foot races point out I can be the worst at a few things. Still I find some solace in simplicity of reasoning and my lifestyle. This blog post was spurred to life like some zombie horseman of the apocalypse by [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m no genius. I&#8217;m not the best at anything I do and as my recent foot races point out I can be the worst at a few things. Still I find some solace in simplicity of reasoning and my lifestyle. This blog post was spurred to life like some zombie horseman of the apocalypse by watching my kids in a restaurant and other people&#8217;s kids. It isn&#8217;t about being judgmental just answering the question the waitress asked, &#8220;Why are your kids so well behaved?&#8221;<span id="more-3003"></span></p>
<p>The answer likely revolves around the fact we only have four rules in our house. We don&#8217;t look to external entities to tell us what to do, and our rules are few.</p>
<p style="padding-left: 30px;">1. Make mom happy</p>
<p style="padding-left: 30px;">2. Take care of the family</p>
<p style="padding-left: 30px;">3. Take care of yourself</p>
<p style="padding-left: 30px;">4. Take care of the community</p>
<p>Some will argue with those rules and the order. Still the construction of them is very important. Some will argue &#8220;God, country, mom and apple pie!&#8221; but they can pound sand. How well has that been working for society so far? Our rules are predicated on &#8220;if mom ain&#8217;t happy ain&#8217;t nobody happy&#8221;. Thanks to the recent spate of conservative punditry espousing the horror of women&#8217;s freedom I&#8217;ve gotten to experience externalities of mom not being happy. Thanks Rush. In general making mom happy is a guiding principle of if you don&#8217;t want her to know about it then likely it ain&#8217;t a good idea. Rather than the standard &#8220;let&#8217;s hide it from her&#8221; which seems to be the action of the many today.</p>
<p>If the family unit is not in good repair the individual cannot succeed is a simplistic statement. Yet there is something there about knowing that there is somebody and something that is greater than yourself. The family unit is greater than the sum of the parts. If all entities understand it isn&#8217;t about them but each other. Similarly a society that accepts the devolving and destruction of the family unit will also not be whole and successful. I know that sounds awful conservative but chocolate chip cookies aren&#8217;t all chips and no cookie.</p>
<p>So why do my kids behave? I don&#8217;t know, but thanks for asking.</p>
<p>There is a fifth rule, but we live it daily.</p>
<p style="padding-left: 30px;">5. Have fun!</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/3003/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy is a national security issue</title>
		<link>http://selil.com/archives/2999</link>
		<comments>http://selil.com/archives/2999#comments</comments>
		<pubDate>Thu, 15 Mar 2012 16:40:20 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Information Assurance and Security]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2999</guid>
		<description><![CDATA[This is not a call for some halcyon day of some spring of previous years. Nor, is this an abysmal call for the lower technology world so many profess to want unless it means giving up their BlackBerry. This is supposed to be a thoughtful discussion of what a world looks like when privacy is [...]]]></description>
			<content:encoded><![CDATA[<p>This is not a call for some halcyon day of some spring of previous years. Nor, is this an abysmal call for the lower technology world so many profess to want unless it means giving up their BlackBerry. This is supposed to be a thoughtful discussion of what a world looks like when privacy is not a given and is instead an opt-out form of tyranny.  This is a discussion of why privacy is a national security issue in America.<span id="more-2999"></span></p>
<p>The three basic security services are called confidentiality, integrity, and availability. Some strange people who don’t have the ability to think flexibly talk about authentication (mixture of integrity and availability) and non-repudiation (mixture of confidentiality and integrity). We won’t blame those people. Though most attacks against information will be a hybrid of all three confidentiality is what makes the news most often (called a breach). When the personal identifiable information (PII) of people is compromised we refer to breaches or hacking. The release of the PII isn’t the actual exploit rather it is the outcome.</p>
<p>Confidentiality is the principle we look towards for privacy. In the legal realm the Supreme Court of the United States (including the current Chief Justice Roberts) has referred to the penumbra of privacy as a right of people. Even <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5mYXMub3JnL2Jsb2cvc2VjcmVjeS8yMDEyLzAzL25zZG1fY29tc2VjLmh0bWw=">the National Security Agency was charged with the role of protecting people’s privacy</a> as far back as 1976 by then President Ford. The right has weakened substantially as criticism of the penumbra has been slowly eroded. More importantly, what has eroded in a day of technology is the willfulness to object to breaches by government and corporations.</p>
<p>There are a lot of definitions for national security. In my opinion national security is the principle of nation-state sovereignty (self rule) and ability to resist hostile or imminent danger from domestic or foreign adversaries. I would predicate that national security requires a certain amount of secrecy exists, and at the same time too much secrecy could be bad for society in general. If my construction of the national security argument is not too flawed it is important to national security that privacy exist as a principle for the people.</p>
<p>Information can come at an organization sideways. Time magazine in a 1990 article “And bomb the anchovies” stated that before large military operations the local pizza deliveries to the Pentagon would escalate. The local companies could simply look at the sales numbers and know if the United States was about to go to war. Whether hyperbole or not the pattern of one set of information being used to diagnose a separate behavior is a form of information leakage. Unanswered is what is the Pizza company’s particular responsibility to restrict the information of who is purchasing pizzas? If you answered none you would be right.</p>
<p>Now enter the world of big data. When we look at the concepts of information aggregation allowed for by large unstructured data sets that can now be manipulated information leakage would be egregious. Consider in the Pizza example you wouldn’t just need to call up the Pizza delivery owner you could tie into a just in time inventory system and collect the data in real time. Perhaps you could tie into a GPS based “<a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5pbmZvcm1hdGlvbndlZWsuY29tL25ld3MvMjA2MTAyMDc5">Where is your Pizza now</a>” system and simply track how many stops are made at the Pentagon. The use of cyberspace as an attack platform against privacy of people to get to national security would look something like this (using the pizza example for simplicity).</p>
<p>&nbsp;</p>
<ol>
<li>Query: Is America getting ready for war, and who is planning it?</li>
<li>Pizza deliveries increase by 20% in year to year comparison on a particular day. Data sets come from Pizza delivery situational awareness (groan), point of sale clearances, and just in time inventory controls.</li>
<li>Pizza order is paid for by senior colonels who are tied to plans and operations at the Pentagon (information is from credit card used online, point of sale system, and harvested biography information).</li>
<li>Two of said colonels have been listed as working in section dealing with likely target country (information harvested from on line biography, press releases and FaceBook status updates)</li>
<li>The two colonels are friended on FaceBook with X, Y, Z staffers and work for Assistant Deputy Secretary so-and-so (information available through FaceBook and various sharing services used by junior staffers)</li>
<li>Social network analysis of those entities show that they in previous engagements were at such-and-such level of coordination and planning (historical data)</li>
<li>In previous events time between Pizza delivery and operation commencement was a window of 72 to 96 hours (historical data)</li>
<li>At “potential target a” American citizens credit cards report a significant uptick in departures (not that Visa controls wouldn’t pick that up already).</li>
<li>So on and so on…</li>
</ol>
<p>&nbsp;</p>
<p>If the data set is large enough and can be manipulated quickly enough, you don’t need to violate “national security systems” to violate national security. <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5zaWdrZGQub3JnL2V4cGxvcmF0aW9ucy9pc3N1ZXMvNC0yLTIwMDItMTIvdGh1cmFpc2luZ2hhbS5wZGY=">Some authors have discussed this as the inference problem</a>. Unfortunately most of the information needed in the pizza example can be purchased in real time from a variety of data warehousing agencies. This same form of data intrusion could be accomplished against a corporate entity. If the entity has the ability to track searches by geo-location like a Google, Yahoo, or Bing then the data set becomes even richer. What are they interested in, and what area of knowledge are they looking at? You don’t ‘google’ something you know. You can do analysis on what is searched on as much as what is not searched on.</p>
<p>By using the failure of privacy protections for citizens, an adversary could use data aggregation to bypass significant efforts of national security systems. This, though, is not how government tends to play this issue. The pro forma argument is that we must give up a certain amount of privacy for national security. The other side of this is that you can’t have national security without privacy. This isn’t about using FaceBook or Google; it is about the ability to manipulate and infer information based on the data-rich sets available.</p>
<p>Since much of the data is available for purchase as “anonymized” there is some feeling of protection from untoward remote surveillance. This is in error. As an example, use the colonels above. How many colonels are in the United States Military? How many work at the Pentagon? How many would be working late and “willing” to feed their workers pizza? “How many” becomes a set that can be easily deanonymized.</p>
<p>I used one specific example that isn’t too sensitive and is worthy of discussion. There is a whiff of fear, uncertainty and doubt contained in this little discussion, but spending some time looking at the data warehousing stakeholders quickly takes the stink off. The one thing that is obvious is that privacy is inherently a requirement for national security. Go ahead and don’t believe me. Believe President Gerald Ford.</p>
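<p>The shrinking “how many” set can be measured before a data set is released. The following is an added example, not code from the original post: a k-anonymity audit over a constructed purchase feed, with generalization and suppression as the mitigation. The field names, the <code>site-A</code>/<code>site-B</code> values, the record counts and the threshold of 5 are all assumptions made for the illustration.</p>

```python
from collections import Counter

# Constructed sample of an "anonymized" purchase feed: names and card numbers
# are stripped, but rank, work site and order hour (quasi-identifiers) remain.
SHAPE = [
    # (rank, site, order_hour, number of records sharing these values)
    ("captain", "site-A", 12, 40),
    ("captain", "site-B", 13, 35),
    ("major",   "site-A", 18, 12),
    ("major",   "site-B", 19, 4),
    ("colonel", "site-B", 12, 9),
    ("colonel", "site-A", 13, 3),
    ("colonel", "site-A", 22, 2),
    ("colonel", "site-A", 23, 1),
]


def build_sample():
    """Expand SHAPE into one dict per purchase record."""
    return [{"rank": rank, "site": site, "order_hour": hour}
            for rank, site, hour, count in SHAPE
            for _ in range(count)]


def _key(row, quasi_identifiers):
    return tuple(row[q] for q in quasi_identifiers)


def anonymity_sets(rows, quasi_identifiers):
    """Group rows by quasi-identifier values; return {values: group size}."""
    return Counter(_key(r, quasi_identifiers) for r in rows)


def k_anonymity(rows, quasi_identifiers):
    """Smallest group size: each record hides among at least k-1 others."""
    return min(anonymity_sets(rows, quasi_identifiers).values())


def rows_below_k(rows, quasi_identifiers, k):
    """Rows whose group is smaller than k, i.e. the ones a release exposes."""
    sets = anonymity_sets(rows, quasi_identifiers)
    return [r for r in rows if k > sets[_key(r, quasi_identifiers)]]


def narrowing(rows, target, quasi_identifiers):
    """Anonymity-set size for `target` as each attribute is taken into account."""
    sizes, candidates = [], rows
    for q in quasi_identifiers:
        candidates = [r for r in candidates if r[q] == target[q]]
        sizes.append((q, len(candidates)))
    return sizes


def generalize(rows):
    """Coarsen before release: drop the site, bucket the hour into day/night."""
    return [{"rank": r["rank"],
             "period": "day" if r["order_hour"] in range(6, 20) else "night"}
            for r in rows]


def suppress(rows, quasi_identifiers, k):
    """Withhold every row that still sits in a group smaller than k."""
    sets = anonymity_sets(rows, quasi_identifiers)
    return [r for r in rows if sets[_key(r, quasi_identifiers)] >= k]


if __name__ == "__main__":
    raw = build_sample()
    raw_qi = ("rank", "site", "order_hour")
    print("records:", len(raw))
    print("raw k:", k_anonymity(raw, raw_qi))
    print("raw rows below k=5:", len(rows_below_k(raw, raw_qi, 5)))
    late = {"rank": "colonel", "site": "site-A", "order_hour": 23}
    for attribute, size in narrowing(raw, late, raw_qi):
        print(f"  after adding {attribute}: set of {size}")

    coarse = generalize(raw)
    coarse_qi = ("rank", "period")
    print("generalized k:", k_anonymity(coarse, coarse_qi))
    released = suppress(coarse, coarse_qi, 5)
    print("released:", len(released), "k:", k_anonymity(released, coarse_qi))
```

<p>Stripping names leaves k at 1 in this sample; only coarsening the attributes and withholding the remaining small groups raises it, at the cost of detail in the released data.</p>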
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2999/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Electro magnetic spectrum or cyber in ascendency</title>
		<link>http://selil.com/archives/2997</link>
		<comments>http://selil.com/archives/2997#comments</comments>
		<pubDate>Wed, 29 Feb 2012 12:35:34 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>
		<category><![CDATA[Information Assurance and Security]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2997</guid>
		<description><![CDATA[There is a thread of discussion that rises about whether cyber or the electro magnetic spectrum define cyberspace. Other countries have defined their doctrine differently according to their cultural or business perceptions. This discussion is really more about rice-bowl politics (government euphemism for resource constraints). Of course, the electro magnetic spectrum (EMS) is the ascendant [...]]]></description>
			<content:encoded><![CDATA[<p>There is a thread of discussion that rises about <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5taWxpdGFyeWFlcm9zcGFjZS5jb20vbmV3cy8yMDEyLzAyLzI3L3Utcy1zaG91bGQtbm90LWZvbGxvdy1jaGluYS1zLWV4YW1wbGUtaW4tbWVyZ2luZy1jeWJlci1hbmQtZWxlY3Ryb25pYy13YXJmYXJlLWVmZm9ydHMuaHRtbA==">whether cyber or the electro magnetic spectrum define cyberspace</a>. Other countries have defined their doctrine differently according to their cultural or business perceptions. This discussion is really more about rice-bowl politics (government euphemism for resource constraints). Of course, the electro magnetic spectrum (EMS) is the ascendant domain of the cyber realm. Of course, the EMS defines the medium in which the man made construct of cyber works, transmits, and exists. Of course, there is no other tactical use of the realm of cyber within this construct other than through the man made tools that use the EMS. Unfortunately it is all wrong.<span id="more-2997"></span></p>
<p>Part of the issue of understanding why cyberspace is not only in the EMS is looking at the analogies used to describe the relationships. If the definition holds that man made tools operated with and through the EMS are solely within the domain of EMS, then outer-space is part of the EMS domain. You can only work through the physical principles of the EMS to operate the equipment in outer-space. You can’t flip a switch with your finger, change a setting, or dial in a new camera view without operating through the EMS when your end point is in space. The satellite is functionally a computer flying through vacuum accessed through the EMS. Yet outer-space is its own domain.</p>
<p>As to cyber being a man made domain there are a few refutations to that point. First, the sub-surface sea domain is a natural domain that can only be exploited through the use of mechanized tools that humans built, yet nobody refers to sub-surface operations as being in a man made domain. The satellite exploiting the domain of space, where men only recently have been able to actually operate, is also a man made artifact. You can’t see, touch, feel, or operate as a human in the vacuum of space but most assuredly it can be used against you. That leads to the question: is this discussion of cyber as a domain even important or is it a waste of time?</p>
<p>The conversation of EMS or cyber illustrates a few very specific points and a strategic weakness in current thought and practices as related to cyber operations. First let me enumerate a few positions. Cyber is not the network, cyber is not the bits on the network, cyber is not computers, cyber is not a Gibsonian space, cyber is not processing, cyber is not a virtual reality, and finally cyber is not new. Putting cyber into neat tidy buckets is what one government does to be exploited by another government that doesn’t bound the problem in the same way. That is how we end up with strategic blindness in a new domain.</p>
<p>I don’t expect anybody to agree with me today. In less than a few years my description of cyber space will be the common understanding of cyber space. Some ground rules in understanding cyber space are in order. Cyberspace is exactly like every other domain and you can drop “cyber” from your vocabulary to describe war, conflict, and just about everything else. There are things that make cyber special, but there are things that make all the other domains special too.</p>
<p>&nbsp;</p>
<p><strong>Tenet one: Cyber space has always existed</strong></p>
<p>Cyber space is the realm of data that is contextualized into information and it is exploited through tools, techniques and procedures to include modern processors and networks. We are only now beginning to exploit the information environment which is what cyberspace really is and where we are really going. The data and connections between points of data exist upon creation, and exploitation is subsequent to the relationship’s existence. We do the exploitation and creation every day through meta-cognitive processes but computers make it a strategic capability. When you notice the car in the lane next to you, a series of processes are kicked off that determine your action or inaction. If you are analyzing the analysis process you have stepped across the line into cyber space. It is a long road for most people to get to the point of understanding this. There is a significant amount of analysis by leaders in information theory from Norbert Wiener to Watson to Shannon that supports this conceptual position.</p>
<p>To see tenet one in action, that it is not part of the EMS but uses the EMS, consider the manipulation of data by corporations. Disparate large data sets are manipulated into information that has meaning beyond the single data element’s original intent. This meaning can be evaluated, analyzed and have meta-informative powers about your cyber fingerprint. All of this is data manipulation that could occur simply in the human mind, but is exploited through the use of modern computers. Just because we discovered the island in the middle of the ocean doesn’t mean we created the island or the ocean.</p>
<p>&nbsp;</p>
<p><strong>Tenet two: Cyber space is not the network</strong></p>
<p>Viewing cyberspace as the network alone fosters strategic weakness or blindness. Focusing on the network and the processing, storage, and transmission infrastructures is like trying to describe a population by the telephone poles, water, and sewer systems. You can exploit specific features of these critical infrastructures but you will be missing a center of gravity to leverage. If you ask plumbers how to attack a population you will get one answer, and if you look to somebody like the NSA, a signals intelligence group, your answer will be bounded by their skills and capabilities (the most formidable plumbers on the planet). This focus on the plumbing misses the strategic backhoe digging in the back yard of your population. Cyber space is much bigger than the pipes and processors of the domain.</p>
<p>Cyber space is exploited through the network but there may come a time when the conceptual understanding of a network simply does not match the current patterns of today. When David Ronfeldt and John Arquilla wrote about netwars they were really talking about people networks based on familiar relationship vectors. Their earlier work on swarms is also instructive towards what we’re talking about but it is an error to bound the problem by the plumbing.</p>
<p>To be sure I use the plumbing example at my own hazard. At least a dozen times I have heard the arrogant technologist screaming “dude it’s the tubez!” That would be one of the problems in allowing the Internet to define the domain. It isn’t the tubez it is the information. The data is the dirt, the information is the forests, and the programs create the terrain. All of this exists, but must be exploited through tools. We currently use computers and the EMS to exploit the cyber domain. We don’t call space the “rocket domain” or the “hot gas propulsion domain” because that is how we get there.</p>
<p>&nbsp;</p>
<p><strong>Tenet three: For any domain to be defined as such it must be relevant forever</strong></p>
<p>Forever is a long time, but it also means from this point forward and backwards. There is a key point where EMS and cyber play off of each other. I don’t think anybody is going to claim that EMS didn’t exist three or four hundred years ago before it began to be exploited (supposedly ancient Egyptians made batteries so thousands of years?). EMS has always existed but we have only relatively recently begun to exploit the capabilities. Similarly I would state that cyber space has always existed and we have only more recently started to exploit it.</p>
<p>Yes I know many people will chafe at this point (but it’s the computers darn it!!!!) Well, with that view point you close off entire conceptual areas of the cyber domain.  So, we can agree to disagree and you’ll be coming around to my viewpoint in the future anyways, what about the future? To get there we start with history.</p>
<p>Today computers are built using the same principles as were defined in the late 1970s which were based on models and techniques from the 1950s. The modern transmission protocols have their roots in the 1960s. But that isn’t where we are going to be stuck. What we have to realize is that, regardless of the tools, humans are using them currently and that invokes patterns and behaviors. Those patterns and behaviors can be exploited, as what we’ve seen recently proves. Cyberspace is existent regardless of the tools and is only limited by human perceptions.</p>
<p>Who knows what will work or won’t work in the future, but the understanding of the domain must be moved forward or the strategic consequences will be substantial. If the domain is information and made up of data then what do we know? One example is quantum computing and transmission that will change the context and richness of content. The big data problems of today will become nearly extinct to be replaced with the super mega big data problems of the future. Transmission security will become stronger, bandwidth will become significantly better, and end point security will become even more important than today.</p>
<p>&nbsp;</p>
<p>One change we can see in the near term is bringing cyberspace into meat space. The capability has existed for years and Gibson (oh no!) discussed the idea of virtual reality in meat space years ago. Google is getting ready to create glasses that have the capability of bringing cyber space into reality easily. Far too often the technospastics have tried to think of ways of getting humans into cyberspace through haptics, immersives, and other sensory delusions, when, right around the corner, we were bringing cyberspace out to meet us.</p>
<p>From the benign use of mapping, to the use of heads up displays for the intelligence community, the future of immersive information is only confounded by the network connectivity. The convergence of high-speed data techniques and heads up glasses suggests an entirely new way of relating to the world.</p>
<p>&nbsp;</p>
<p><strong>Tenet four: To be a domain there must be strategic consequence</strong></p>
<p>History is filled with anecdotes of messengers caught or detained so messages could be read, changed, or denied in transit. Information that was exploited in one domain so that action could be taken in another domain is one way of looking at this problem. The tools of exploitation are specific to the domain or cross-domains as needed. RADAR could be used ashore to detect enemy bombers, much like it could be used to detect them from ships. EMS is a cross-domain capability. It should not be any surprise that EMS has functions inside of the cyber domain. How are specific capabilities of cyberspace exploited to allow for cross-domain strategic consequence?</p>
<p>An easy answer is to look at history and see events like Solar Sunrise for the consequence versus the actors involved. If, as reported, military action was changed, then regardless of the later investigation’s evidence this was a strategic consequence. If exploitation of information through cyberspace is possible, regardless of the methods, there is likely strategic consequence. It is likely use of the cyberspace domain as a cross-domain capability. Right about now the intelligence community folks are jumping up and down saying “We exploit information all the time!!!” Well of course you do and thank you for proving we’ve been doing this for a long time. Actually intelligence community folks don’t say anything to anybody ever at all, you know….</p>
<p>The use of information is facilitated by and utilized better through the use of computers than tired horses and relatively unprotected riders carrying messenger bags. However, the principles are the same. If a general had the capability to read the message in the satchel and exploit that intelligence they would most assuredly do so. That would not detract from the military capacity or intelligence effort nor undermine the capability. If the same general could change the information to the detriment of an adversary they would jump for glee and dance a little jig. Well maybe not. Still, that principle is exactly what we’re doing in first generation cyberspace exploitation. Second generation cyberspace exploitation is rapidly approaching.</p>
<p>&nbsp;</p>
<p><strong>Tenet five: The lock in of current capability and capacity is egregiously in error</strong></p>
<p>The advent of the rifle changed the course of modern conflict. Where there were muskets with one kind of fire rate, the cartridge and then automation of loading changed how battles were fought.  We’ve always dealt with the idea of cyberspace much as we did with ballistics (arrows are a form of ballistics as well as rocks). Modern cyber warfare as exploitation of the domain of cyberspace will advance along the same pattern of implements and tools as other domains have done. The rise of Sputnik changed the domain of space and in the waning days of Hubble the two methods of exploiting space don’t even seem similar.</p>
<p>Future exploitation of cyberspace will inherently include all of the common patterns of conflict we have seen and a few more. First generation capabilities have been replicating the patterns and strategies of meat space in cyberspace. Second generation exploitation will look a little like using extra sensory perception to know the adversary’s intent without having to read what is in the messenger’s bag. Big data is stumbling towards this technique rapidly. Knowing something by piecing the data out of disparate bits is possible when you know how to structure the query. Though sanity checking is required, this kind of high capacity processing will remove the need to put fingerprints on the adversary’s networks. This sounds like mumbo jumbo but talk to people who do significant large data trend analysis and begin to see what is capable today and how we are drawing towards this new capability.</p>
<p>What is beyond our current capability and capacity that informs the future of cyberspace? Nano, and other forms of self-replicating and highly embedded systems will become part of the landscape. Already medical devices are taking on some of this pattern as we see miniature cameras and other forms of probes and shunts that are automated through chemical or the EMS. Recent development of merging human nerves to prosthetics will advance this to the point cyberspace is meat-space. It may be that long before we enter third generation cyberspace there won’t be a need for the word cyber. I can perceive that cyberspace may become a secondary persona or element like water and air in our day to day life.</p>
<p>We currently are stuck at this second generation of cyberspace not because of processing or even doctrinal understanding, but because of bandwidth. Bandwidth is the Achilles heel of cyberspace. Until that wall is broken much will be held stagnant. However, cyberspace is not the network. The constraints though are congestion in the understanding of the domain. In what other domain would we say that the current capability is the only capability we ever expect to have?</p>
<p>&nbsp;</p>
<p><strong>Into doctrine</strong></p>
<p>All nation states understand that information is power and constraining, containing, and amplifying are mechanisms for instrumentalizing that power. Whether creating false information that causes an adversary to behave in a particular way or declaring policy that sways an adversary to a particular path these are forms of nation state power. The considerations of how these choices are made, plans are created, and resources for execution of those plans are built are the fundamentals of doctrine. Currently most nation states understand the equivalent of exploiting secrets and engaging in snooping on each other as information dominance.</p>
<p>The next step will be to understand that exfiltration of information is only one phase of information dominance. Knowing what your adversary says allows for a minor cue as to goals and objectives. Knowing your adversary’s capabilities and perceiving things about the adversary that they have not even identified is key to dominance in the information realm. This is more than exploitation, operations, or attack through networks. That is so last decade. Using all source intelligence inclusive of the EMS, inclusive of the narrative, and inclusive of the information, the cyber domain can be exploited.</p>
<p>Intelligence analysis has been doing this for millennia. There is nothing new here and that is kind of the point. It is understanding the capabilities of the cyber domain and the subsequent special characteristics of the cyber domain that are important. If information is the trees of the cyber domain we can do things really fast like counting all the trees. We can categorize, evaluate, and know which trees are sick or rotten. Very fast. Exploitation of networks and communication technologies allows one small view of the world of an adversary. Integrity of the message though is problematic and consideration has to be given to checking and counterchecking. So it has been done for a long time.</p>
<p>Currently doctrine is stuck. It’s not really the NSA’s or Cyber Command’s fault that we’re stuck looking at a capability of a domain through a soda straw. The symptoms of cyber myopia are focusing on information security through systems instead of looking at the information. Other forms of soda straw gazing are found in strict controls on functions instead of worrying about behaviors. There has to be more. If the cyber domain is real there should be things we could look at that reflect the other domains. What is soft power in cyberspace? What is effective support to foreign nations? Where are the considerations of false flag and civilian casualties? The questions abound in the metaphorical understanding of the domain. If cyberspace is more like a naval model than land model is there an equivalent of a silent (sub) surface in cyberspace? There are many questions and once in a while a few answers.</p>
<p>Doctrine is set by strategy and instantiated through mechanisms of training and operational capacity. Doctrine is not merely operations writ large. Doctrine is the core principles that are required to operate, defend, and execute operations in the domain. Operations are the requisite plans and resources necessary to “operate” using specific tactics and capabilities. We have problems discussing this because it is stuck in the intelligence community but over time people who have been doing it will filter out into the civilian world and the doctrine and operations capability will become known.</p>
<p>Though specifics of doctrine are beyond this discussion there will be changes in society that are required. Remember, don’t limit yourself to the network and do look at cyberspace as information. Civilian security becomes paramount. Not because anybody gives a darn about civilians, but because the use of compiled data across large segments of the world population is possible. Weak privacy laws and the need for ones that are fairly strict become national security issues. Corporations that engage in data warehousing become strategic assets and possible collaborators with governments. In the day you can determine Strawberry Pop Tarts utilization based on the weather you can also determine military actions based on the number of pizza deliveries to the Pentagon. Now imagine the same pattern analysis applied to social networks of entire countries’ populations. Even if just a small subset, large social groups will always leak substantial information. You just need the tools to exploit it.</p>
<p>Doctrine will follow the capability and the action curve. What will have to happen though in the near term is to stop looking at cyberspace through artificial barriers. These barriers are created through organizational constructs that are not inherently bounding conditions to adversaries. The EMS versus cyber debate is a red herring that detracts from the larger issues of understanding cyber space.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2997/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Into the breach, and fire for effect</title>
		<link>http://selil.com/archives/2988</link>
		<comments>http://selil.com/archives/2988#comments</comments>
		<pubDate>Fri, 17 Feb 2012 01:51:24 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Academic Life]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2988</guid>
		<description><![CDATA[I&#8217;ve been a federal government employee for almost exactly 11 months. In that period of time I have been through shutdown scares, notified about the possible cessation of my program three times by senior leaders, and all of this while being a title 10 employee (at will not civil service). Just to be sure the [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been a federal government employee for almost exactly 11 months. In that period of time I have been through shutdown scares, notified about the possible cessation of my program three times by senior leaders, and all of this while being a title 10 employee (at will not civil service). Just to be sure the reader understands I like my job a lot. Only in the last two or so months have I let the negative picture get under my skin.<span id="more-2988"></span></p>
<p>In December I asked the president of the University I work at should I be looking for a job and she said yes. The chancellor has basically said the same thing. The problem is that in many circles these budget battles are considered to just be part of the normal social fabric. My department head is a great guy and he says don&#8217;t get scared it will all blow over. I took the job I have for some pretty specific reasons.</p>
<ol>
<li>As a DHS/NSA fellow I was required to provide a year of service to the federal government. For that I got $60k in student loans paid off, but I had to leave my tenured job at Purdue Calumet. I don&#8217;t think they understand yet at PUC that in forcing me to get a PhD they forced me out the door.</li>
<li>I broke my back and neck in 1986 and was medically discharged from the Marines. At the time I owed three years to the United States and this new job is about as close as I&#8217;m going to get to paying that uniformed military service back.</li>
<li>There are four faculty at the university I have really enjoyed working with over the years and wanted to have more interaction with. One quit and went to Mitre, two are retiring in the June time frame, but there are other awesome people to be sure I have met.</li>
<li>While at my new job I have briefed generals, congressmen, foreign dignitaries and heads of state, and I have traveled extensively overseas. I knew this job would expose me to many people. Serving my country has been fun and an honor.</li>
</ol>
<p>There are a lot of positives and negatives to balance out on a job like this. The new budget is pretty scary and my new university president is the same guy who dismantled large sections of his previous command. I have skills so I&#8217;m not so worried about me finding a job in this climate if bad things happen. I&#8217;m a PhD with extensive infosec and forensic skills, and about 30 years experience. December starts the academic hiring season so I have some notice to look around. After all in a fit of pique when Purdue Calumet messed with my wife I said who is hiring and this job came along.</p>
<p>I&#8217;m concerned for my new friends and colleagues. I had planned on staying three years or more to fulfill the debt I felt I owed. I don&#8217;t know if I will be allowed and how fast a tear down would take if it came. If you see me grousing part of it is the uncertainty, part of it is the fear, part of it is a tactical concern for feeding my family. I still own the house in Indiana and though I am financially solvent there ain&#8217;t any flex in my budget. I know the grass isn&#8217;t always greener, and that things could go from bad to worse. There are some great universities out there to be sure.</p>
<p>I do think it is funny I applied for a DHS job and was told I didn&#8217;t qualify. I&#8217;m pretty sure the guy I would have been working for is one of my former students. The funniest thing is his boss is the one who asked me to apply. Government is funny to watch if in a kind of black humor. They say there are all these cyber jobs at all levels. Don&#8217;t believe it.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2988/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>For fear and profit I give you cyber war</title>
		<link>http://selil.com/archives/2985</link>
		<comments>http://selil.com/archives/2985#comments</comments>
		<pubDate>Wed, 15 Feb 2012 17:44:50 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2985</guid>
		<description><![CDATA[I make a lot of money talking about cyber security and cyber warfare so I most assuredly have a dog in the hunt over whether cyber warfare is a real or a made up threat. I try and be honest about my biases so a reader can make a decision early on whether my argument [...]]]></description>
			<content:encoded><![CDATA[<p>I make a lot of money talking about cyber security and cyber warfare so I most assuredly have a dog in the hunt over whether cyber warfare is a real or a made up threat. I try and be honest about my biases so a reader can make a decision early on whether my argument is valid.  Consider the argument though of others closely and then whether I make my case that cyber warfare is a real and truly strategic threat to the nation state. I took a few moments to jot down some notes looking at whether cyber war is real or not.<span id="more-2985"></span></p>
<p>Lately Tate Watkins and Jerry Brito have been saying the threat of cyber warfare is <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy53aXJlZC5jb20vdGhyZWF0bGV2ZWwvMjAxMi8wMi95ZWxsb3djYWtlLWFuZC1jeWJlcndhci8=">over hyped</a> in <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3JlYXNvbi5jb20vYXJjaGl2ZXMvMjAxMS8wNy8yNS90aGUtY3liZXJzZWN1cml0eS1pbmR1c3RyaWFsLWM=">various places</a>.  I would state the summary of their argument is that there is profit in continuing the problem rather than actually creating a solution, the problem is overstated without evidence, there has never been a cyber war, and they associate the issues with the current hype. My apologies to the authors if I over generalized their arguments.</p>
<p>First I must agree with the authors that the hype is over stated. That is people running around yelling “cyber war” then “give me money” are part of the problem. Those complaining that there is no evidence due to the event having not happened are also engaging a pro forma logical fallacy. You haven’t been shot by a gun yet, but do you really not want to protect yourself if you know an adversary is holding a gun? You don’t need the government to declassify threats or capabilities just go to BlackHat or DefCon and discover the myriad security issues. The contrarian argument also hinges on an amateurs understanding of war which is fairly normal. Regardless of the framework, the instruments of national power are significantly more than simply military kinetic assets. There is diplomacy, economic and information assets at the disposal of nation states.  A key to remember is that nation states have the ability to compel which gives them significant power over connections to other nations infrastructures.</p>
<p>I am more than aware that the Internet and the various technologies that the Internet supports help the cause of dictatorship as much as democracy. This is discussed <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy50ZWQuY29tL3RhbGtzL2V2Z2VueV9tb3Jvem92X2lzX3RoZV9pbnRlcm5ldF93aGF0X29yd2VsbF9mZWFyZWQuaHRtbA==">much more eloquently by Evgeny Morozov</a>.  Mikko Hypponen <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2Jsb2cudGVkLmNvbS8yMDEyLzAxLzE4L3RocmVlLXR5cGVzLW9mLW9ubGluZS1hdHRhY2stbWlra28taHlwcG9uZW4tb24tdGVkLWNvbS8=">discusses this problem</a> in a much more sideways allusion but still powerfully.  So I will let the argument by Brito and Tate stand that in some cases nations are just trying to centralize power and control the Internet. The <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2xlc3NpZy5vcmcvYmxvZy8yMDA0LzA4L3RoZV9iYWxrYW5pemF0aW9uX29mX3RoZV9pbnRlci5odG1s">Balkanization of the Internet</a> has been happening for a long time. Only fools think the logical nature of the network trumps the physical presence of the cables and infrastructure. The ability to compel when it comes to the network is a significant form of national power. You can argue whether nations do it well, but that is a matter of ability rather than capability.</p>
<p>What about evidence? It is interesting that Watkins and Brito published in Wired on the pages of Threat Level.  Wired through the FOIA process was able to get a <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy53aXJlZC5jb20vdGhyZWF0bGV2ZWwvMjAwOC8wOS92aWRlby1zb2xhci1zdW4v">copy of the FBI produced video</a> detailing the events of “Solar Sunrise”. Regardless of the criticism of the video through the glasses of 15 years of experience you have some interesting evidence of the strategic consequence related to the intrusion. Situate yourself to the events of Solar Sunrise in 1998 by thinking about this:</p>
<ol>
<li>The World Wide Web is relatively new, firewall technologies are infantile, network intrusion detection systems haven’t even been fully formed, and most systems are directly connected without any kind of perimeter defenses.</li>
<li>In 1997 in an exercise called <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9FbGlnaWJsZV9SZWNlaXZlcl85Nw==">Eligible Receiver 97</a> the NSA red team which is a signals intelligence group (not networking) was able to supposedly use common vulnerabilities to change, corrupt, deny, or degrade communications. This is well known to the military leadership.</li>
<li><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9EZWZlbnNlX0luZm9ybWF0aW9uX1N5c3RlbXNfQWdlbmN5">The Defense Information Systems Agency</a> (DISA) had only had data networks as a tasking since 1991 and most of its efforts were directed towards inwards capabilities rather than external protection.</li>
<li>In summary there was no “command authority” in charge of information technology systems and very little legislation or approval for these kinds of authorities.
<ol>
<li><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9GSVNNQQ==">FISMA</a> was signed in 2002.</li>
<li><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9DbGluZ2VyJUUyJTgwJTkzQ29oZW5fQWN0">Clinger Cohen</a> was signed in 1996 but was primarily acquisition related.</li>
<li><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9Db21wdXRlcl9GcmF1ZF9hbmRfQWJ1c2VfQWN0">The Computer Fraud and Abuse Act</a> was enacted in 1984 and amended several times because it couldn’t keep up.</li>
<li><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9JbnRlcm5ldF9ib29t">The Internet Boom</a> or Dot-Com Bubble didn’t really get started until 1995.</li>
</ol>
</li>
</ol>
<p>Look at Solar Sunrise through that lens and you have an intrusive technology, with very few people who understand it, being utilized for purposes that may not be aligned with the security principles of previous technologies. Though we might look back on Solar Sunrise, and giggle at the size of Scott Charney’s beard, this was an event of strategic consequence perpetrated by a non-state actor in a <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9Cb21iaW5nX29mX0lyYXFfKERlY2VtYmVyXzE5OTgp">time of pending hostilities</a>. What were the consequential elements?</p>
<ol>
<li>Military command and control systems had been compromised, giving a potential adversary significant advantage in preparation, which equates to the possibility of American lives lost.</li>
<li>Military transportation systems which are the “beans, bullets, and boots” of military power had been compromised possibly creating issues with the integrity of data and usefulness of that data.</li>
<li>Collaboration and coordination tools of the military could not be used, degrading and disrupting command and control capacity.</li>
</ol>
<p>It is the small-minded person that looks at that and says, “Well we shouldn’t have been preparing for war in the first place..”, or that “…the military overreacted.” The fact that it was a foreign national running juvenile actors as assets against a nation state should be a pattern of behavior that warns us even more of the consequence of this event. What is missing in most people’s calculus as they focus on the technical aspects of the intrusion is the consequence to strategic military power projection. The evidence after the investigation informs of how trivial the attacks against the network were. The evidence as seen through the decision focus of military commanders as details unfolded is crystal clear and exceptionally well restrained.</p>
<p>The use of war as a term of conflict has been over used and restraint would be nice to see within the media. I hear the term “cyber war” used by others and myself within the discussions of the topic rarely. We’re talking about conflict and information assurance and security. In a time of shrinking capacity and budgets few people are looking to take on new tasks. To make things worse “war” actually has legal and treaty implications that few people seem to realize.</p>
<p>What I do see is a thread of the impacts of espionage, missing capacity and capability to resist active intrusions, and clearly contrarian incentives of information technology owners. The architectures and expectations of those architectures dealing with information assets and intrusion sets are changing. I see the flexibility to resist intrusions by some corporations as significant leaps forward. The evidence I see in mass media through my focus shows a significant pattern of espionage and evidence of significant sophistication. I have no doubt I will look back in 15 years and wish my problems were so simple as the ones of today. I’ve been around long enough to see the cycles of media attention wane and return a few times.</p>
<p>Since network intrusions are technological incursions there are no sexy pictures of smoking holes or scattered body parts. That begs the question of cyberspace being a conflict domain. Yet nation state and non-state actors can exhibit conflict across a much larger spectrum than kinetics alone.</p>
<p>We are only talking about something that happened in 1998. If you expected me to disclose current threats (as if I know any) you’re sadly mistaken. I do worry about the current critical infrastructures though and have examined a few events so I could situate myself around their failure modes.</p>
<p>Unfortunately I have a lot of detail about one that happened in 1999 that I could reflect on because I was there. Luckily I could just watch and I was not the one who created the problem.</p>
<p>I saw in the post-1999 Y2K ramp down a lot of stories that the whole Y2K vulnerability had been overblown. Much like we see the hysteria starting to rise about cyber threats being overblown. Yet proving the negative is very hard and most people don’t understand the absurdity. If you do your job nothing bad happens, but if you screw up well obviously it is a good investment. This is a logical paradigm that information assurance and security professionals have to live with every day. So, if I’m doing my job I’m not needed, but if I screw up you need me? Y2K discussion is filled with that kind of logic.</p>
<p>What could have happened in 1999 on the turn of the clock? We actually have a pretty good case study to work from. There was an actual Y2K outage that we can examine and see what would have possibly occurred had we not taken Y2K seriously. On August 5<sup>th</sup> 1999 a <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2FydGljbGVzLmJhbHRpbW9yZXN1bi5jb20vMTk5OS0wOC0xNy9idXNpbmVzcy85OTA4MTcwMDYyXzFfbWNpLXdvcmxkY29tLW91dGFnZXMtZWJiZXJz">Lucent engineer working for MCIWorldcom testing patches</a> uploaded software mistakenly to the production network of <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy5pbnRlcm5ldHdrLmNvbS9zdG9yeS9JTlcxOTk5MDgxMlMwMDA2Lw==">The Chicago Board of Trade network</a>.  By 9:21 PM trading was halted. The software patch had propagated through the frame network of MCIWorldcom, causing routers and network traffic to halt or be seriously degraded.  Trading did not <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2FydGljbGVzLmNoaWNhZ290cmlidW5lLmNvbS8xOTk5LTA4LTExL2J1c2luZXNzLzk5MDgxMTAyODVfMV9tY2ktc3Bva2Vzd29tYW4tbWNpLW9mZmljaWFscy1ldXJleA==">resume until August 11<sup>th</sup></a> but was sporadic for weeks. A ComEd transformer interrupted the Chicago Board of Trade again on August 12<sup>th</sup> but the fix in that situation was to install a SCADA device to make it easier to manage. So what was the strategic consequence of this event?</p>
<ol>
<li>Financial trading was halted or severely degraded <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2FydGljbGVzLmJhbHRpbW9yZXN1bi5jb20vMTk5OS0wOC0xNy9idXNpbmVzcy85OTA4MTcwMDYyXzFfbWNpLXdvcmxkY29tLW91dGFnZXMtZWJiZXJz">for a period approaching two weeks</a>. The cost to traders was incalculable but cost MCIWorldcom in excess of $200 million.</li>
<li>Over <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2FydGljbGVzLmxhdGltZXMuY29tLzE5OTkvYXVnLzExL2J1c2luZXNzL2ZpLTY0NTg1">one third of the total frame network</a> of MCIWorldcom was degraded or ceased functioning.</li>
<li>Though stories of the event are starting to evaporate from the Internet <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL25ld3MuY25ldC5jb20vSVNQcy1zYXktTUNJLW91dGFnZS1jb3VsZC1raWxsLWJ1c2luZXNzZXMvMjEwMC0xMDMzXzMtMjI5ODIzLmh0bWw=">numerous ISPs were harmed</a> as they were customers of the backbone provider.</li>
<li>It was suggested at the time if the same configuration error mechanism had been done to other areas of the backbone routing system it could have taken months to rehabilitate. Regardless the actual impacts were significant.</li>
</ol>
<p>We have numerous events that we can analyze for possible scenarios of what an event might look like. We don’t have to actually run around shooting people to know the effect. We can blow away some watermelons or ballistic gelatin to get a pretty good idea. We have had some pretty traumatic events already and nobody really wants to light the fuse on purpose. Like the <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9Eci5fU3RyYW5nZWxvdmU=">Doctor Strangelove Doomsday Machine</a> this may be a button we simply don’t want to push.  To make things even stranger I am fully aware that Dr. Strangelove is satire of the hysteria of the cold war. I am also fully aware that Wired Magazine in 2009 did a great story on <a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3d3dy53aXJlZC5jb20vcG9saXRpY3Mvc2VjdXJpdHkvbWFnYXppbmUvMTctMTAvbWZfZGVhZGhhbmQ=">Dead Hand</a> showing that satire might unfortunately be prescient.</p>
<p>Like I said earlier the critics of the industrial military cyber complex have a few good points in how the hysteria has unfolded. I am likely not helping that hysteria cool as I try and look at the issues. I am in no way comparing nuclear war with cyber war, but the hysteria and historical records are similar products. Most of the people looking at cyber war are technical aficionados who focus on the network aspects. A few political scientists piece out the strategic and social issues. I wish I could help set the record on the actual cyber issues, but much like a foot soldier in World War 1 looking at airplanes I’m not exactly sure what the risk is currently. Somewhere is the cyber Billy Mitchell who likely isn’t working for government, is not on anybody’s RADAR, fully understands the tactical and strategic impacts, and is going to be pilloried by the current establishment.</p>
<p>If there is anything to leave a reader with it is this. War is a political process between people. A technical construct or mechanism can be used to inhibit an adversary’s action or increase the lethality of action. When used appropriately for defense or offense such technical constructs can be force multipliers. The global information sphere is a tool, a terrain, and nothing more than another aspect of conflict between humans. It is only news today because people have noticed it. When it is no longer news it will still be a vector for threats to operate against vulnerabilities.  The capacity for damage is only bounded by the adversary’s imagination and the defender’s capabilities. This is much the same as in any other form of conflict.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2985/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Cyber warfare and information security whimsy</title>
		<link>http://selil.com/archives/2965</link>
		<comments>http://selil.com/archives/2965#comments</comments>
		<pubDate>Mon, 30 Jan 2012 21:25:03 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Cyber Warfare]]></category>
		<category><![CDATA[Information Assurance and Security]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2965</guid>
		<description><![CDATA[Waging cyber warfare is seen as a technology problem by technologists, a policy problem by politicians, and a profit problem by businesses. This confluence of concerns is likely due to the prevalent nature of technology in our daily lives. The media hype of “war” and over the top language describing even small events has not [...]]]></description>
			<content:encoded><![CDATA[<p>Waging cyber warfare is seen as a technology problem by technologists, a policy problem by politicians, and a profit problem by businesses. This confluence of concerns is likely due to the prevalent nature of technology in our daily lives. The media hype of “war” and over the top language describing even small events has not helped the understanding of this unfolding domain. As I’ve been studying and writing about computer security and offensive information exploitation for about two decades I notice being reasoned and considered in my responses has nearly zero effect on the media dialog. So if you’re looking for over the top keep marching.<span id="more-2965"></span></p>
<p><strong>Key Issues</strong></p>
<p>I do find that there are a few key issues involved in this dealing with information technologists. I keep seeing self professed hacker types declaring that the low barrier to entry, the distributed nature of the attack surface, and such allow them to wage war on nation states. That leaves me looking at senior leadership in the military and government who actually believe that and at the neophyte hacker types thinking taking down a website is an act of war. That is rubbish. The low barrier to entry and the substantial capacity to disrupt and degrade command and control has been proven.</p>
<p>There is something there, in that an unsophisticated adversary could disrupt society significantly. What most people don’t realize is that regardless of Al Qaeda’s or other terrorist organizations’ whims to create chaos, the noise level of security vulnerabilities and active attacks is so high it is hard to get noticed. We saw a version of this when Amazon was attacked by Anonymous/LulzSec and was apparently unaffected.</p>
<p>There is a substantial difference between information security and cyber warfare/defense. Most government agency and corporate information organizations might like to look “sexy” engaging in cyber warfare but what they do and are defending against is simply information security issues. It isn’t war and if it were war their defenses would melt like butter in the Texas summer sun. Though self-described cyber adversaries can create havoc they are missing one element of the equation to wage war. Nation states can compel corporations and private entities to assist and prepare an environment for operations. We’ve seen this with telephone companies, search engine companies, and run of the mill Internet service providers.</p>
<p><strong>Government and the rule of law</strong></p>
<p>The PATRIOT act and other laws are filled with provisions to allow for this kind of legally mandated compel and assist.  When you look away from the United States many of the countries around the world own their telephone company completely.</p>
<p>A friend that served in the Pentagon once said that the difference between a hacker denial of service and a government denial of service is scope and speed. A letter of cessation of activities served on the big four or five telephone companies would cripple a hacker organization. We have seen the federal government as a law enforcement action take a site off the Internet in minutes.  It is a matter of debate whether the solution would be worse than the problem. It isn’t just government though. We’ve seen cases where telephone companies have accidentally black holed (taken off the network) organizations’ or groups’ primary communication conduits. There is a big difference between a nation state and an individual going to cyber war.</p>
<p>The narrative though isn’t reasoned or considered in this debate and there is a lot of political purpose in keeping the cyber hype higher. Espionage and exfiltration of information from a network has a gloss of being the defending entity’s fault. Much of what appears to be the current hacker ethos is proving that systems are insecure and then determining that poor coding practices or configuration controls mean the system administrators are idiots.  This is a juvenile and immature position to take if any evidence-based analysis is attempted.  There are over 50K vulnerabilities in the MITRE CVE; the Open Source Vulnerability Database has more like 70K vulnerabilities. Software on any sufficiently large system is likely to require specific versions, types, configurations, and may not allow for patching against those vulnerabilities. Large amounts of software are legacy code and updating or creating new versions is cost prohibitive. So exploiting a system that serves society, business, or people’s needs is going to be likely trivial at best. Defending though is incredibly hard. There is a lot of discussion about responsible disclosure, but I haven’t seen anywhere that kicking somebody’s door down or even going through it if unlocked is an appropriate practice. The “they suck” form of blaming the victim is neither ethical nor practical.</p>
<p>Consider this, though, when you put that same scenario against the advanced capabilities of a nation state. You are even more likely to see a corporate or government agency fold before the onslaught of an attack.  Some would say that we haven’t had the first cyber war and I would be in that group. Though we see large-scale espionage, actual use of the Internet to kill people and break things has been minimal or undetectable from other vectors of attack.</p>
<p><strong>The blind spot</strong></p>
<p>An element that needs to be understood by corporate, government, and political entities is the blind spot. As we focus on the Internet as the primary threat vector an entire set of systemic disruption points are being ignored.  When looking at the Internet as a threat vector it is a network centric or signals kind of worldview.  There are other vectors that can be exploited.</p>
<p>The supply chain from point of creation through updates and retirement of equipment is a vulnerability that a multitude of threats could act upon. We have seen over time counterfeit equipment, egregious software patches, and hardware that might have been tampered with (picture frames, etc.) in the supply chain.</p>
<p>Current architecture and engineering practices are filled with a significant number of operational threat vectors.   Basic assumptions and expectations of the current networking engineering “state of the practice” are filled with errors and omissions based on vendor designed curriculums.</p>
<p>Sit down and look at a common networking engineering textbook and you’ll see terrible engineering principles. Resilient, hardened, prepared network instantiations are taught <strong>after</strong> students have made traffic flow. The standard is to make it “work” (pass traffic) and then layer security, which suggests security is a state that “doesn’t work”. It is a fundamental bias found in all of the curriculums. Many network engineers will argue this is the way it should be and never understand the errors, omissions, and bias it injects into a security curriculum.</p>
<p>Software programming courses are no better and since the early to mid 1980s significant chunks of courses have been dropped and coding strategies abandoned. In the effort to push more students through programs and pack those curriculums with more material, defensive coding has been allowed to languish.  The difficulty of programming languages like C++ has led to interpreted languages, which obfuscate errors and problems. Wrapping these highly interpreted languages in compile time security wrappers is one step, but it fails to address the issues of logic and interface errors that are so frequent.</p>
<p>The technology stack most assuredly over a long time period is a risk and inherently affects security. Few if any are really ready to start addressing information security issues so new models and methods of operations need to be talked about. We’re starting to see that kind of discussion in concepts like “assumption of breach” or resiliency engineering. One thing we need to see is looking at the information security realm without all the “war” garbage and taking care of systems with well-engineered solutions. This is not something that happens quickly, and the organic growth of networks has been a barrier to upgrading towards secure systems. Some government agencies have tried the replace-it-all approach but basically only replaced it with the same faulty assumptions.</p>
<p><strong>Policy is a risk too</strong></p>
<p>Public policy is a set of incentives and disincentives that are in place to create certain types of behaviors. If you look at the narrative surrounding all things cyber it is a conflict narrative. Inherently conflict of civil and military type is a government owned and controlled behavior. In a country based on the rule of law the state is the arbiter of conflict. If the Internet is a conflict domain it no longer is a benign tool but a place where government has an inherent interest in control mechanisms. Every person who pushes that agenda forward is impacting negatively the future of the Internet.</p>
<p>Poor policy has reconstituted previously mitigated threats as laws and rules are put into place that instantiate poor security practices. Societal control mechanisms are not necessarily the best information security mechanisms. The suggestion from pundits that the FISA and law enforcement APIs were used by China to &#8220;hack&#8221; Google is a good example of this in action. Other examples follow the trend of the supply chain discussed earlier. The federal rules of acquisition create a preponderance of homogenous network functions even though heterogeneous and resilient structures are much more secure. The principle of single sourcing to the lowest bidder has instantiated a significant vulnerability that can be associated to threats.</p>
<p><strong>Conclusion</strong></p>
<p>The mixture of information security and cyber warfare topics and the associated abandonment of actual security practices has created an onerous situation. Too much security is about static compliance concepts bent towards creating stable secure enterprises in highly dynamic environments. Checklist mentality, you would think, might be the first casualty of cyber warfare. The threat though is not well understood and conflict is really misunderstood. In mixing these two topics neither is served.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2965/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Today&#8217;s photo &#8211; January 30, 2012</title>
		<link>http://selil.com/archives/2909</link>
		<comments>http://selil.com/archives/2909#comments</comments>
		<pubDate>Mon, 30 Jan 2012 13:00:25 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Photography]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2909</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<div id="attachment_2910" class="wp-caption aligncenter" style="width: 310px"><a href="http://selil.com/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovL3NlbGlsLmNvbS93cC1jb250ZW50L3VwbG9hZHMvMjAxMS8xMi9EU0NOMDU4OS5qcGc="><img class="size-medium wp-image-2910" title="DSCN0589" src="http://selil.com/wp-content/uploads/2011/12/DSCN0589-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">Pedestrian covered bridge (click to make larger)</p></div>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2909/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The industrial devolution and disenfranchised knowledge worker</title>
		<link>http://selil.com/archives/2962</link>
		<comments>http://selil.com/archives/2962#comments</comments>
		<pubDate>Sat, 28 Jan 2012 23:56:48 +0000</pubDate>
		<dc:creator>sam</dc:creator>
				<category><![CDATA[Scholarship of teaching and learning]]></category>

		<guid isPermaLink="false">http://selil.com/?p=2962</guid>
		<description><![CDATA[Higher education exists to terrorize and bankrupt students with tuition costs (double, triple, insert value here) the rate of inflation. It is a current meme in public policy and though higher education has its issues this is a crock and there are a couple of reasons why. 1)   Higher education has had to stop doing [...]]]></description>
			<content:encoded><![CDATA[<p>Higher education exists to terrorize and bankrupt students with tuition costs (double, triple, insert value here) the rate of inflation. It is a current meme in public policy and though higher education has its issues this is a crock and there are a couple of reasons why.<span id="more-2962"></span></p>
<p>1)   Higher education has had to stop doing education and implement training programs. The value of an education is not in a specific skill; it is in the ability to think and add to the body of knowledge. People want job skills, and universities are in the business of knowledge attainment. So, both efforts get short changed.</p>
<p>2)   Corporations have abandoned the education and apprenticeship models, outsourcing their educational needs to universities and then demanding higher education changes that devalue that same education. In the end the student bears the cost that a corporation should have borne.</p>
<p>3)   Tuition cost increases can be tied directly to the market mechanisms and in about every other capitalistic environment we would say let the market dictate the cost, but in higher education we’re not happy with that answer. It is mildly ironic to hear a republican who is all about deregulation and market forces arguing against allowing that in higher education.  Even more interesting is the trimming of state sponsorship of higher education, but then increased attempts to regulate, and the expectation costs will not change. For every dollar a state takes away tuition costs rise by $2. It doesn’t seem fair but those are the breaks kid.</p>
<p>4)   There used to be one school in the University. The school of liberal arts. Along about the time medicine exited the dark ages the school of sciences was added. Now universities have a dozen schools or sometimes more it seems. There are hundreds of majors and the overlap is immense. That is all overhead, but it is driven by the hiring market. You have to have a degree in this highly specific discipline that may be one class different than this other discipline but the wage difference could be literally tens of thousands of dollars.</p>
<p>5)   Human resources is a good place to pin a lot of these problems. Credentialism and a failure to understand what resumes actually show have led to pushes for degrees as attainment of skills. Universities do the knowledge pieces and vocational schools do the skills piece. This is a critical difference in goals and roles.</p>
<p>6)   There is a tendency to mix a lot of the higher education problems, from class size, to the role of professors as researchers and teachers, to the role of administration and government in the higher education process. You can NOT teach innovation to students you can only expose them to the process. Involving students in research is not innovation. We in the United States have abandoned as policy the practice of large leap innovative research. Which leads to…</p>
<p>7)   We pay professors a salary but then tell them to go get grants or contracts if they want promotion. It is a rare situation that teaching is at the forefront of administrators’ minds. This is what economists like to call a perverse incentive. If we want the nation to be successful we have to decouple promotion from grants and determine a strategy for using students in the research process. Merging research, teaching, and innovation emergence in the classroom put me at odds with my administration when it came to addressing learning objectives and organizational accreditation.</p>
<p>8)   Organizational accreditation nationwide needs to be addressed. This is what we like to call South Eastern or North Central or Pacific or whatever as regional accrediting agencies. Having sat through their seminars I would say there is a lot of room for improvement and the cronyism has to be addressed. A frequently overlooked problem in the whole higher education debate is the fact that THIS IS THE FREAKING MECHANISM for fixing higher education and what created all of the stupid stuff going on currently when the veterans GI Bill was originally signed. Don’t expect the actual problem here to be addressed.</p>
<p>Here is the problem. It is easy to beat up on higher education because it doesn’t really have a voice. You can beat up on the organ that provided most of the innovation over the last few centuries and continues to be about the only place that innovation occurs, but for what purpose? It is not without note that most of the examples of innovation that supposedly happened outside of university actually occurred in the University setting, but the thread of the narrative is lost in the fact the entity didn’t finish. Bill Gates was in Harvard, Bill Joy was at Berkeley, and good ol’ Steve Jobs, well, we’ll leave it at that.</p>
<p>Meanwhile we continue to devolve the higher education institutions into erstwhile industrial devolution practices of push ’em in and push ’em out. Knowledge workers watch as companies call for higher numbers of visas for foreign workers while the number of unemployed workers climbs in advanced skill markets. We continue to reward financial management people who develop nothing, and software engineers and developers become little more than software practice adjuncts, similar to university adjuncts scrambling for jobs.</p>
<p>Then there is the simple industrial practice of transitioning tenure positions at universities to lecturer positions eroding the pay scale (which was already poor) and further denuding the landscape of innovative research inquiry. The landscape is even more barren as the paltry research dollars are foisted off into industry labs and academia is pushed out the door. Industry labs hide their research and rarely does something explosive or innovative make it out the door unless it is evaluated as positive. This process would have killed many innovations that were trials and never expected to succeed. Kind of like early Apple 1’s and Altair computers which led to a revolution.</p>
<p>The result of all of this is <strong>the number one threat to American national security that has ever occurred</strong> in the history of the country. When I heard a group of leading research graduate students had taken research jobs in academia I wasn’t surprised. When I heard that it was in China I was perplexed. You have to remember a colloquialism. The country with the best soldiers will lose to the country with the smartest geeks. One atom bomb is a lot more deadly than an entire division of soldiers. Understanding that geek power is national power has been lost as the higher education system that produced the heart of American innovation is slowly being taken apart. What we need is to strengthen higher education and return to the natural goals of education and realize that companies are in it for profit. Not the student. The student is there to learn, not to define what they want to be entertained by, and finally there is value in the structure of the University.</p>
]]></content:encoded>
			<wfw:commentRss>http://selil.com/archives/2962/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

