In December I asked the president of the Univesity I work at should I be looking for a job and she said yes. The chancellor has basically said the same thing. The problem is that in many circles these budget battles are considered to just be part of the normal social fabric. My department head is a great guy and he says don’t get scared it will all blow over. I took the job I have for some pretty specific reasons.

1. As a DHS/NSA fellow I was required to provide a year of service to the federal government. For that I got $60k in student loans paid off, but I had to leave my tenured job at Purdue Calumet. I don’t think they understand yet at PUC that in forcing me to get a PhD they forced me out the door.
2. I broke my back and neck in 1986 and was medically discharged from the Marines. At the time I owed three years to the United States and this new job is about as close as I’m going to get to paying that uniformed military service back.
3. There are four faculty at the university I have  really enjoy working with over the years and wanted to have more interaction. One quit and went to Mitre, two are retiring in the June time frame, but there are other awesome people to be sure I have met.
4. While at my new job I have briefed generals, congressman, foreign dignitaries and heads of state , and I have traveled extensively over seas. I knew this job would expose me to many people. Serving my country has been fun and an honor.

There are a lot of positives and negatives to balance out on a job like this. The new budget is pretty scary and my new university president is the same guy who dismantled large sections of his previous command. I have skills so I’m not so worried about me finding a job in this climate if bad things happen. I’m a PhD with extensive infosec and forensic skills, and about 30 years experience. December starts the academic hiring season so i have some notice to look around. After all in a fit of pique when Purdue Calumet messed with my wife I said who is hiring and this job came along.

I’m concerned for my new friends and colleagues. I had planned on staying three years or more to fulfill the debt I felt I owed. I don’t know if I will be allowed and how fast a tear down would take if it came. If you see me grousing part of it is the uncertainty, part of it is the fear, part of it is a tactical concern for feeding my family. I still own the house in Indianna and though I am financially solvent there ain’t any flex in my budget. I know the grass isn’t always greener, and that things could go from bad to worse. There are some great universities out there to be sure.

I do think it is funny I applied for a DHS job and was told I didn’t qualify. I’m pretty sure the guy I would have been working for is one of my former students. The funniest thing is his boss is the one who asked me to apply. Government is funny to watch if in a kind of black humor. They say there are all these cyber jobs at all levels. Don’t believe it.

Lately Tate Watkins and Jerry Brito have been saying the threat of cyber warfare is over hyped in various places.  I would state the summary of their argument is that there is profit in continuing the problem rather than actually creating a solution, the problem is overstated without evidence, there has never been a cyber war, and they associate the issues with the current hype. My apologies to the authors if I over generalized their arguments.

First I must agree with the authors that the hype is over stated. That is people running around yelling “cyber war” then “give me money” are part of the problem. Those complaining that there is no evidence due to the event having not happened are also engaging a pro forma logical fallacy. You haven’t been shot by a gun yet, but do you really not want to protect yourself if you know an adversary is holding a gun? You don’t need the government to declassify threats or capabilities just go to BlackHat or DefCon and discover the myriad security issues. The contrarian argument also hinges on an amateurs understanding of war which is fairly normal. Regardless of the framework, the instruments of national power are significantly more than simply military kinetic assets. There is diplomacy, economic and information assets at the disposal of nation states.  A key to remember is that nation states have the ability to compel which gives them significant power over connections to other nations infrastructures.

I am more than aware that the Internet and the various technologies that the Internet supports help the cause of dictatorship as much as democracy. This is discussed much more eloquently by Evgeny Morozv.  Mikko Hypponen discusses this problem in a much more sideways allusion but still powerfully.  So  I will let the argument by Brito and Tate stand that in some cases nations are just trying to centralize power and control the Internet. The Balkanization of the Internet has been happening for a long time. Only fools think the logical nature of the network trumps the physical presence of the cables and infrastructure. The ability to compel when it comes to the network is a significant form of national power. You can argue whether nations do it well, but that is a matter of ability rather than capability.

What about evidence? It is interesting that Watkins and Brito published in Wired on the pages of Threat Level.  Wired through the FOIA process was able to get a copy of the FBI produced video detailing the events of “Solar Sunrise”. Regardless of the criticism of the video through the glasses of 15 years of experience you have some interesting evidence of the strategic consequence related to the intrusion. Situate yourself to the events of Solar Sunrise in 1998 by thinking about this:

1. The World Wide Web is relatively new, firewall technologies are infantile, network intrusion detection systems haven’t even been fully formed, and most systems are directly connected without any kind of perimeter defenses.
2. In 1997 in an exercise called Eligible Receiver 97 the NSA red team which is a signals intelligence group (not networking) was able to supposedly use common vulnerabilities to change, corrupt, deny, or degrade communications. This is well known to the military leadership.
3. The Defense Information Systems Agency (DISA) had only had data networks as a tasking since 1991 and most of its efforts were directed towards inwards capabilities rather than external protection.
4. In summary there was no “command authority” in charge of information technology systems and very little legislation or approval for these kinds of authorities.
   1. FISMA was signed in 2002.
   2. Clinger Cohen was signed in 1996 but was primarily acquisition related.
   3. The Computer Fraud and Abuse Act was enacted in 1984 and amended several times because it couldn’t keep up.
   4. The Internet Boom or Dot-Com Bubble didn’t really get started until 1995.

Look at Solar Sunrise through that lens and you have an intrusive technology, with very few people who understand it, being utilized for purposes that may not be aligned with the security principles of previous technologies. Though we might look back on Solar Sunrise, and giggle at the size of Scott Charney’s beard, this was an event of strategic consequence perpetrated by a non-state actor in a time of pending hostilities. What were the consequential elements?

Military command and control systems had been compromised giving a potential adversary significant advantage in preparation which equates to possibility of American lives lost.

1. Military transportation systems which are the “beans, bullets, and boots” of military power had been compromised possibly creating issues with the integrity of data and usefulness of that data.
2. Collaboration and coordination tools of the military could not be used degrading and disrupting command controls capacity.

It is the small-minded person that looks at that and says, “Well we shouldn’t have been preparing for war in the first place..”, or that “…the military over reacted.” The fact that it was a foreign national running juvenile actors as assets against a nation state should be a pattern of behavior that warns us even more of the consequence of this event. What is missing in most people’s calculus as they focus on the technical aspects of the intrusion is the consequence to strategic military power projection. The evidence after the investigation informs of how trivial the attacks against the network were. The evidence as seen through the decision focus of military commanders as details unfolded are crystal clear and exceptionally well restrained.

The use of war as a term of conflict has been over used and restraint would be nice to see within the media. I hear the term “cyber war” used by others and myself within the discussions of the topic rarely. We’re talking about conflict and information assurance and security. In a time of shrinking capacity and budgets few people are looking to take on new tasks. To make things worse “war” actually has legal and treaty implications that few people seem to realize.

What I do see is a thread of the impacts of espionage, missing capacity and capability to resist active intrusions, and clearly contrarian incentives of information technology owners. The architectures and expectations of those architectures dealing with information assets and intrusion sets are changing. I see the flexibility to resist intrusions by some corporations as significant leaps forward. The evidence I see in mass media through my focus shows a significant pattern of espionage and evidence of significant sophistication. I have no doubt I will look back in 15 years and wish my problems were so simple as the ones of today. I’ve been around long enough to see the cycles of media attention wane and return a few times.

Since network intrusions are technological incursions there are no sexy pictures of smoking holes or scattered body parts. That begs the question of cyberspace being a conflict domain. Yet nation state and non-state actors can exhibit conflict across a much larger spectrum than kinetics alone.

We are only talking about something that happened in 1998. If you expected me to disclose current threats (as if I know any) you’re sadly mistaken. I do worry about the current critical infrastructures though and have examined a few events so I could situate myself around their failure modes.

Unfortunately I have a lot of detail about one that happened in 1999 that I could reflect on because I was there. Luckily I could just watch and I was not the one who created the problem.

I saw in post 1999 Y2K ramp down a lot of stories that the whole Y2K vulnerability had been over blown. Much like we see the hysteria starting to rise about cyber threats being over blown. Yet proving the negative is very hard and most people don’t understand the absurdity. If you do your job nothing bad happens, but if you screw up well obviously it is a good investment. This is a logical paradigm that information assurance and security professionals have to live with every day. So, if I’m doing my job I’m not needed, but if I screw up you need me? Y2K discussion is filled with that kind of logic.

What could have happened in 1999 on the turn of the clock? We actually have a pretty good case study to work from. There was an actual Y2K outage that we can examine and see what would have possibly occurred had we not taken Y2K seriously. On August 5^th 1999 a Lucent Engineer working for MCIWorldcom testing patches uploaded software mistakenly to the production network of The Chicago Board of Trade network.  By 9:21 PM trading was halted. The software patch had propagated through the frame network of MCIWorldcom causing routers and network traffic to halt of be seriously degraded.  Trading did not resume until August 11^th but was sporadic for weeks. A ComEd transformer interrupted the Chicago Board of Trade again on August 12^th but the fix in that situation was to install a SCADA device to make it easier to manage. So what was the strategic consequence of this event?

1. Financial trading was halted or severely degraded for a period approaching two weeks. The cost to traders was incalculable but cost MCIWorldcom in excess of $200 million.
2. Over one third of the total frame network of MCIWorldcom was degraded or ceased functioning.
3. Though stories of the event are starting to evaporate from the Internet numerous ISPs were harmed as they were customers of the backbone provider.
4. It was suggested at the time if the same configuration error mechanism had been done to other areas of the backbone routing system it could have taken months to rehabilitate. Regardless the actual impacts were significant.

We have numerous events that we can analyze for possible scenarios of what an event might look like. We don’t have to actually run around shooting people to know the effect. We can blow away some watermelons or ballistic gelatin to get a pretty good idea. We have had some pretty traumatic events already and nobody really wants to light the fuse on purpose. Like the Doctor Strangelove Doomsday Machine this may be a button we simply don’t want to push.  To make things even stranger I am fully aware that Dr. Strangelove is satire of the hysteria of the cold war. I am also fully aware that Wired Magazine in 2009 did a great story on Dead Hand showing that satire might unfortunately be prescient.

Like I said earlier the critics of the industrial military cyber complex have a few good points in how the hysteria has unfolded. I am likely not helping that hysteria cool as I try and look at the issues. I am in no way comparing nuclear war with cyber war, but the hysteria and historical records are similar products. Most of the people looking at cyber war are technical aficionados who focus on the network aspects. A few political scientists piece out the strategic and social issues. I wish I could help set the record on the actual cyber issues, but much like a foot soldier in World War 1 looking at airplanes I’m not exactly sure what the risk is currently. Somewhere is the cyber Billy Mitchell who likely isn’t working for government, is not on anybody’s RADAR, fully understands the tactical and strategic impacts, and is going to be pilloried by the current establishment.

If there is anything to leave a reader with it is this. War is a political process between people. A technical construct or mechanism can be used to inhibit an adversary’s action or increase the lethality of action. When used appropriately for defense or offense such technical constructs can be force multipliers. The global information sphere is a tool, a terrain, and nothing more than another aspect of conflict between humans. It is only news today because people have noticed it. When it is no longer news it will still be vector for threats to operate against vulnerabilities.  The capacity for damage is only bounded by the adversary’s imagination and the defenders capabilities. This is much the same as in any other form of conflict.

Key Issues

I do find that there are a few key issues involved in this dealing with information technologists. I keep seeing self professed hacker types declaring that the low barrier to entry, the distributed nature of the attack surface, and such allow them to wage war on nation states. That leaves me looking at senior leadership in the military and government who actually believe that and at the neophyte hacker types thinking taking down a website is an act of war. That is rubbish. The low barrier to entry and the substantial capacity to disrupt and degrade command and control has been proven.

There is something there that an unsophisticated adversary could disrupt society significantly. What most people don’t realize is that regardless of the Al Qaeda or other terrorist organizations whims to create chaos the noise level of security vulnerabilities and active attacks is so high it is hard to get noticed. We saw a version of this when Amazon was attacked by Anonymous/LulzSec and was apparently unaffected.

There is a substantial difference between information security and cyber warfare/defense. Most government agency and corporate information organizations might like to look “sexy” engaging in cyber warfare but what they do and are defending against is simply information security issues. It isn’t war and if it were war their defenses would melt like butter in the Texas summer sun. Though self-described cyber adversaries can create havoc they are missing one element of the equation to wage war. Nation states can compel corporations and private entities to assist and prepare an environment for operations. We’ve seen this with telephone companies, search engine companies, and run of the mill Internet service providers.

Government and the rule of law

The PATRIOT act and other laws are filled with provisions to allow for this kind of legally mandated compel and assist.  When you look away from the United States many of the countries around the world own their telephone company completely.

A friend that served in the Pentagon once said that the difference between a hacker denial of service and a government denial of service is scope and speed. A letter of cessation of activities served on the big four or five telephone companies would cripple a hacker organization. We have seen the federal government as a law enforcement action take a site off the Internet in minutes.  It is a matter of debate whether the solution would be worse than the problem. It isn’t just government though. We’ve seen when telephone companies have accidently black holed (taken of the network) organizations or groups primary communication conduits. There is a big difference between a nation state and an individual going to cyber war.

The narrative though isn’t reasoned or considered in this debate and there is a lot of political purpose in keeping the cyber hype higher. Espionage and exfiltration of information from a network has a gloss of being the defending entities fault. Much of what appears to be the current hacker ethos is proving that systems are insecure and then determining that poor coding practices or configuration controls mean the system administrators are idiots.  This is a juvenile and immature position to take if any evidence-based analysis is attempted.  There are over 50K vulnerabilities in the MITRE CVE, the Open Source Vulnerability Database has more like 70K vulnerabilities. Software on any sufficiently large system is likely to require specific versions, types, configurations, and may not allow for patching against those vulnerabilities. Large amounts of software are legacy code and updating or creating new versions is cost prohibitive. So exploiting a system that serves society, business, or peoples needs is going to be likely trivial at best. Defending though is incredibly hard. There is a lot of discussion about responsible disclosure, but I haven’t seen anywhere that kicking somebody’s door down or even going through it if unlocked is an appropriate practice. The “they suck” form of blaming the victim is neither ethical nor practical.

Consider though this when you put that same scenario against the advanced capabilities of a nation state. You are even more likely to see a corporate or government agency fold before the onslaught of an attack.  Some would say that we haven’t had the first cyber war and I would be in that group. Though we see large-scale espionage actual use of the Internet to kill people and break things has been minimal or undetectable from other vectors of attack.

The blind spot

An element that needs to be understood by corporate, government, and political entities is the blind spot. As we focus on the Internet as the primary threat vector an entire set of systemic disruption points are being ignored.  When looking at the Internet as a threat vector it is a network centric or signals kind of worldview.  There are other vectors that can be exploited.

The supply chain from point of creation through updates and retirement of equipment is a vulnerability that a multitude of threats could act upon. We have seen over time counterfeit equipment, egregious software patches, and hardware that might have been tampered with (picture frames, etc.) in the supply chain.

Current architecture and engineering practices are filled with a significant number of operational threat vectors.   Basic assumptions and expectations of current networking engineering “state of the practice” is filled with errors and omissions based on vendor designed curriculums.

Sit down and look at a common networking engineering textbook and you’ll see terrible engineering principles. Resilient, hardened, prepared network instantiations are taught after students have made traffic flow. The standard is to make it “work” (pass traffic) and then layer security, which suggests security, is a state that “doesn’t work”. It is a fundamental bias found in all of the curriculums. Many network engineers will argue this is the way it should be and never understand the errors, omissions, and bias it injects into a security curriculum.

Software programming courses are no better and since the early to mid 1980s significant chunks of courses have been dropped and coding strategies abandoned. In the effort to push more students through programs and pack those curriculums with more material defensive coding has been allowed to languish.  The difficulty of programming languages like C++ have lead to interpreted languages, which obfuscate errors and problems. Wrapping these highly interpreted languages in compile time security wrappers is one step, but it fails to address the issues of logic and interface errors that are so frequent.

The technology stack most assuredly over a long time period is a risk and inherently effects security. Few if any are really ready to start addressing information security issues so new models and methods of operations need to be talked about. We’re starting to see that kind of discussion in concepts like “assumption of breach” or resiliency engineering. One thing we need to see is looking at the information security realm without all the “war” garbage and taking care of systems with well-engineered solutions. This is not something that happens quickly, and the organic growth of networks has been a barrier to upgrading towards secure systems. Some government agencies have tried the replace it all but basically only replaced it with the same faulty assumptions.

Policy is a risk too

Public policy is a set of incentives and disincentives that are in place to create certain types of behaviors. If you look at the narrative surrounding all things cyber it is a conflict narrative. Inherently conflict of civil and military type is a government owned and controlled behavior. In a country based on the rule of law the state is the arbiter of conflict. If the Internet is a conflict domain it no longer is a benign tool but a place where government has an inherent interest in control mechanisms. Every person who pushes that agenda forward is impacting negatively the future of the Internet.

Poor policy has reconstituted previously mitigated threats as laws and rules are put into place that instantiate poor security practices. Societal control mechanisms are not necesarily the best information security mechanisms. The suggestion from pundits is that the FISA and law enforcement APIs were used by China to “hack” Google is a good ezample of this in action. Other examples follow the trend of the supply chain discussed earlier. The federal rules of acquisition create a preponderance of homogenous network functions even though heterogeneous and resilient structures are much more secure. The principle of single sourcing to the lowest bidder has instantiated a significant vulnerability that can be associated to threats.

Conclusion

The mixture of information security and cyber warfare topics and the associated abandonment of actual security practices has created an onerous situation. To much security is about static compliance concepts bent towards creating stable secure enterprises in highly dynamic environments. Check list mentality you would think might be the first casualty of cyber warfare. The threat though is not well understood and conflict is really misunderstood. In mixing these two topics neither is served.

Pedestrian covered bridge (click to make larger)

1)   Higher education has had to stop doing education and implement training programs. The value of an education is not in a specific skill it is in the ability to think and add to the body of knowledge. People want jobs skills, and universities are the business of knowledge attainment. So, both efforts get short changed.

2)   Corporations have abandoned the education and apprenticeship models outsourcing their educational needs to university and then demanding higher education changes devaluing that same education. In the end the student bears the cost that a corporation should have been doing.

3)   Tuition cost increases can be tied directly to the market mechanisms and in about every other capitalistic environment we would say let the market dictate the cost, but in higher education we’re not happy with that answer. It is mildly ironic to here a republican who is all about deregulation and market forces arguing against allowing that in higher education.  Even more interesting is the trimming of state sponsorship of higher education, but then increased attempts to regulate, and the expectation costs will not change. For every dollar a state takes away tuition costs rise by $2. It doesn’t seem fair but those are the breaks kid.

4)   There used to be one school in the University. The school of liberal arts. Along about the time medicine exited the dark ages the school of sciences was added. Now universities have a dozen schools or sometimes more it seems. There are hundreds of majors and the overlap is immense. That is all overhead, but it is driven by the hiring market. You have to have a degree in this highly specific discipline that may be one class different than this other discipline but the wage difference could be literally tens of thousands of dollars.

5)   Human resources is a good place to pin a lot of these problems. Credentialism and a failure to understand what resumes actually show have led to pushes for degrees as attainment of skills. Universities do the knowledge pieces and vocational schools do the skills piece. This is a critical difference in goals and roles.

6)   There is a tendency to mix a lot of the higher education problems, from class size, to the role of professors as researchers and teachers, to the role of administration and government in the higher education process. You can NOT teach innovation to students you can only expose them to the process. Involving students in research is not innovation. We in the United States have abandoned as policy the practice of large leap innovative research. Which leads to…

7)   We pay professors a salary but then tell them to go get grants or contracts if they want promotion. It is a rare situation that teaching is at the forefront of administrators minds. This is what economists like to call a perverse incentive. If we want the nation to be successful we have to decouple promotion from grants and determine a strategy for using students in the research process. Merging research, teaching, and innovation emergence in the classroom put me at odds with my administration when it came to addressing learning objectives and organizational accreditation.

8)   Organizational accreditation nationwide needs to be addressed. This is what we like to call South Eastern or North Central or Pacific or whatever as regional accrediting agencies. Having sat through their seminars I would say there is a lot of room for improvement and the cronyism has to be addressed. A frequently overlooked problem in the whole higher education debate is the fact that THIS IS THE FREAKING MECHANISM for fixing higher education and what created all of the stupid stuff going on currently when the veterans GI Bill was originally signed. Don’t expect the actual problem here to be addressed.

Here is the problem. It is easy to beat up on higher education because it doesn’t really have a voice. You can beat up on the organ that provided most of the innovation over the last few centuries and continues to be about the only place that innovation occurs but for what purpose. It is not without note that most of the examples of innovation that supposedly happened outside of university actually occurred in the University setting but the thread of the narrative is lost in the fact the entity didn’t finish. Bill Gates was in Harvard, Bill Joy as at Berkley, and good ol’ Steve Jobs well we’ll leave it at that.

Meanwhile we continue to devolve the higher education institutions into erstwhile industrial devolution practices of push em’ in and push em’ out.  Knowledge workers watch as companies call for higher numbers of visas for foreign workers while the number of unemployed workers climb in advanced skill markets. We continue to reward financial management people who develop nothing and software engineers and developers become little more than software practice adjuncts similar to university adjuncts scrambling for jobs.

Then there is the simple industrial practice of transitioning tenure positions at universities to lecturer positions eroding the pay scale (which was already poor) and further denuding the landscape of innovative research inquiry. The landscape is even more barren as the paltry research dollars are foisted off into industry labs and academia is pushed out the door. Industry labs hide their research and rarely does something explosive or innovative make it out the door unless it is evaluated as positive. This process would have killed many innovations that were trials and never expected to succeed. Kind of like early Apple 1’s and Altair computers which led to a revolution.

The result of all of this is the number one threat to American national security that has ever occurred in the history of the country. When I heard a group of leading research graduate students had taken research jobs in academia I wasn’t surprised. When I heard that it was in China I was perplexed. You have to remember a colloquialism. The country with the best soldiers will lose to the country with the smartest geeks. One atom bomb is a lot more deadly than an entire division of soldiers. Understanding that geek power is national power has been lost as the higher education system that produced the heart of American innovation and is slowly being taken apart. What we need is to strengthen higher education and return to the natural goals of education and realize that companies are in it for profit. Not the student. The student is there to learn not define what they want to be entertained by, and finally there is value in structure of the University.

Zone 6 (click to make larger)

Lots of significant people helped me get this far, and lots of friends made sure I stayed on the right path.

The lake with hidden treasure (click to make larger)

But there is good news. You can be a vegetarian and not eat any meat substitute. The trick is to find really satisfying recipes that focus on vegetables, beans, rice, and quinoa. This has been my quest. I have found some outstanding recipes that have quickly become family favorites. And we don’t miss the meat. Shepherd’s Pie is one of those recipes. I love Shepherd’s Pie in the winter. It is warm and comforting and a great excuse to eat mashed potatoes. Here is my version.

Shepherd’s Pie

Ingredients:
5 medium potatoes
1/4 cup milk (or non-dairy milk substitute if you prefer)
4 tablespoons butter (or non-dairy butter)
1 can chickpeas, drained and rinsed
1 can kidney beans, drained and rinsed
2 tablespoons olive oil
1 small yellow onion, chopped
5 cloves garlic, minced
1 cup baby carrots, sliced
1/2 teaspoon dried thyme
salt and pepper to taste
1 cup cashews
8 ounces frozen peas
8 ounces frozen corn
1/4 cup tomato paste
paprika for sprinkling

Method:

Preheat oven to broil.

Peel, cube and boil the potatoes until the potatoes are very soft. Once the potatoes are very soft, drain and then mash with the milk and butter. I use a hand masher so these are mashed rather than whipped and they have a little more texture.

While the potatoes are boiling mash the chickpeas and kidney beans together, I use a fork for this mashing and I don’t mash them too finely – leave a few whole beans.

Heat the olive oil over medium heat and add the onions, garlic, and carrots. Cook until the carrots start to get tender and the onion is translucent. When almost done add the cashews, peas, corn, tomato paste, and mashed beans. Mix it all together and cook for about 10 minutes to warm everything through.

Smooth it all out and top with the mashed potatoes. Sprinkle the top with paprika. Broil for 10-15 minutes just until the potatoes start to brown.

This recipe is hearty and warm. It is a fantastic comfort food. And you won’t miss the meat.

Motorcycle in the shade (click to make larger)

I recently received an excellent call for papers Learning from Authoritative Security Experiment Results from Matt Bishop. The principle of the conference is to talk about research where the results were nothing new, or not statistically significant. As the call for papers discusses sometimes these are the most interesting results of all. Well I get excited about them, but I happen to be sitting on a dissertation that though scientifically valid and significant for a variety of reasons has a hypothesis that was not proven (poor Popper would shudder). Why? Because knowing what you don’t know is more important than what you do know. Personally I believe that is the absolute principle of research that makes it work. If I know the answer why would I research it? I really like great questions much more than right answers.

I run across people all the time that do not know the difference between information security and systems security. Most academic programs are about the securing of systems with the expectation that information will be secured. Most hacking curriculums are about overcoming the technical controls of systems to insure that the information confidentiality, integrity and availability is breached. Systems hacking towards information breach is always a two stage process. To most people that is revolutionary if somewhat of a duh moment.

To me the worst thing is modern information theory was produced by guys like Claude Shannon, David Bell, John von Neuman, and Alan Turing.  Basically three dead guys and one still kicking. And, we don’t have guys like this around today adding to the body of knowledge is significant ways. There are dozens of awesome authors to go along with these guys like Saltzer and various authors like Boehm. I won’t mention Spafford because it looks like I’m sucking up, but his book on Unix security is still one of my favorites. Back to Matt Bishop: His big book on infosec is a compendium of these authors ideas (see I’m not totally whacked off track yet).

We have lots of alchemy within the discipline. I see lots of people talking about things like defense in depth thinking that 2+2+2+2=8 where 2 elements of security layered 4 times equates to 8 elements of security. A pretty simple way of looking at things. Unfortunately in most instances defense in depth is (2+2+2+2)/4=2 or 2 elements of security added “n” times is divided by the “n” or is a simple average of the security not additive. The first strategy is usually fine for a logical design, but the real result of the security is found in the latter formulation. It becomes more apparent if you think about the information flows rather than the system interconnections. For me to put it in a blog post is pretty simple, and there has been a lot of stuff published on this using empirical methods (see previous blog posts on defense in depth for a deep literature review).

This comes back to the fact I can’t find a modern day Claude Shannon. Maybe he/she is hiding in a laboratory somewhere kicking out research, but even Shannon didn’t publish nearly as much as a current professor would be expected. Anybody wanting to buy me his collected works should do so soon. Maybe the modern day Claude Shannon can be found among his award participants but though they are all excellent scholars I don’t think they’re advancing the theory nearly as fast as the person the award is named after.

Why all this discussion about a long dead guy? Information assurance and security is a discipline that is welded to several other disciplines. Information assurance and security is completely a multi-disciplinary problem. Much like computer science there is a spiderweb of intersecting interests and stakeholders tugging the information component back and forth. Networking, computing, programming, content creation, social interaction and controls, human computer interaction, databases and warehousing of data, and so much more make up the information flows and understanding the principles across such a wide swath is difficult at best and horrific in principle. A lot of effort dealing with information theory is put into cryptography, but that is frosting on a cake. Computer science has become a system oriented science and information technology has limited itself to processor based systems.

So what do we get if we identify the next Claude Shannon? The person who will define computing for the next fifty years. The person who will understand the inherent conceptual pieces of computing and define it for the rest of us long before it is sexy or fancy accepted practice. Somewhere out there is a person looking at what we’re doing and I’d like to think preparing to explain that to the rest of us. I’m betting they don’t publish very often and are working for a corporation that really doesn’t understand what they have going for them. Almost unfairly, the primary work of advancing the computing era we’ve enjoyed over the last 50 years came out of corporate laboratory environments. Even today 50 or so video games development is orders of magnitude more in expenditure than the  NSF total computer science funded research. It’s a rough comparison but put another way the total NSF computer science research budget is about one f35.

So, somewhere out there is the person who is going to define the future. We have really gotten into celebrating the tiny little advancements we’ve made in the past few decades and instantiated a religion of computing fairly well. Somewhere though is the Thomas Kuhn derived paradigm shift agent for computing that will explain the way forward. I’m looking but you should be too.

Sorry it’s a rough post but it’ll do.

Here is my problem with this. Language is important. Words have meanings. Every time we co-opt a word for our over the top marketing we diminish the word.

Think about this: the word revolutionary is defined as (from google)

rev·o·lu·tion·ar·y/?rev??lo?oSH??ner?/

Adjective: Engaged in or promoting political revolution.

Noun: A person engaged in political revolution.

rev·o·lu·tion/?rev??lo?oSH?n/

Noun:  A forcible overthrow of a government or social order for a new system.

(in Marxism) The class struggle that is expected to lead to political change and the triumph of communism.

Now think about the last product you saw advertised as “revolutionary”. Was it engaged in or promote a revolution? Did it involve the forcible overthrow of a government system? Or any system? Even if it is a really cool new product, chances are it was not revolutionary.

Our use of the word war is actually worse. We have declared war (officially or unofficially) on everything. If we have a war on drugs, a war on obesity, a war on Christmas (and this list goes on and on), what does it do to our sense of urgency when there is a real war – one with guns, bullets, bombs, injuries and death? It means that we no longer believe that war is that serious. We just do our patriot duty and return to our shopping. When we entered WWII we rationed critical supplies, we retooled industry to build war machines, we recruited women to work in the factories and we bought war bonds. The whole country mobilized in a war effort. War had meaning. It was serious and we took it seriously.  Now that we have wars on everything, how do we communicate the seriousness of an actual war? How do we talk about bombs and bullets and the true sacrifice of our soldiers? How do we mobilize the country?

When we were attacked on September 11^th I was ready for the mobilization. I was ready to hear the call to manufacturing to build up for war? I was ready to buy war bonds and to make sacrifices and plant victory gardens. And none of that happened. We were told to go shopping. I don’t know about you, but going shopping didn’t make me feel safer.  And it didn’t feel like a war effort.

So let’s stop the over the top marketing language. Let’s call really cool products what they are – really cool. Let’s rename all those wars on all those other things. Make we can take a stand against obesity and drugs. We can make a pledge to keep the meaning in Christmas if that is what is important to us.

And let’s reach for a dictionary and find a more appropriate word the next time we want to use a great adjective. Because words matter.

Self portrait (click to make larger)

Gotcha your goat (click to make larger)

A little more avante gard, wood texture (click to make larger)