Winn Writes & Wrants

The DHS announced it wants to hire 1,000 security experts to defend the critical infrastructure of the U.S.  Then a number of criticisms appeared saying, “there aren’t 1,000 security experts in the whole wide world!”

Oops!

Security is a Wide Area and there are all sorts of experts – not one master set of skills that you can find on any single resume.

A few years ago ~1994 I was at dinner with Mr. Ex. (Don’t want to embarrass him cause he still claims he is the smartest of us all.)  I had only been in the field about 10 years and was learning… as we all still are every day. He told me, “I know everything there is about security….” ad nauseum.  NONE OF US DO! (I choked on my Ratatouille but kept PC-ish and moved my plate to another table.)

The error here is with DHS PR. Some wonk used the media term “security expert” (sans definition) and off we go in the wrong perception-description; just as we have allowed the media to blame every security incident on ‘hackers’ – clearly a massive nom-de-guerre error by any standard.

Once we allow them to lock in the term “security expert” as a catch all for anyone who can find the ‘on’ button or push Defrag or even do slick coding hacks, we are in trouble. No more than a company (or kinetic force projection outfit) can run on one set of expert skill sets, security itself (like any vertical technical discipline) is a highly granulated suite of skills that must be integrated.

A CND/CNA (Computer Network Defense/Attack) suite of expertise includes (at a broad stroke) many skills needed to deploy and Information Army

- Mapping People

- Cracking People

- Coding (CNA & CND)

- Reverse Engineering

- Social Engineering

- C3I

- Sniffers

- Readers

- Research

- Moles (yeah, C****, I****, P****** has none of those in our CIs)  (Note: the way the national letters come out…

- Analysts/Synthesizers

- Manufacturing (CNA)

- Distribution (CND/CNA)

- PR (!! Techy and accurate, not PC)

- Education

- Awareness

- Perception Management & PsyOps

- Failure Modeling

- Process Control

- Reconstitution

- DR

- Layered Technical Management.

- The interdisciplinary expertise needed from psychology, neural behavior, etc. etc. (Security is not technical, solely, not is it?)

- Yeah… and more good PR people who speak geek. (Not the usual wonks)

No one can do it all. No one has all of these skills. Period.

I worry much less about DHS acquiring 1,000 people with skills than them being able to find the right management who understand security, the temperament of the geek community and can last more than a handful of months in a culture designed to fail.

There are millions of people with the varied skills a well-organized Information Army (CND/A) needs. There are decidedly fewer people who know how to, or have even ever thought about to taxonomize the skills and organize them (skills and people) like a true business.

Get a free download of ‘Information Warfare’ at:  http://www.winnschwartau.com/downloads.html and take a look at Chapter 16.

Winn

France announced a big party. They called it Nuit Blanche.

My daughter and I are in Paris and she said she went to one when she lived here and it was one hell of a party.

“Let’s go!” It begins around dark with a half dozen key ‘party zones’.

We had dinner and bought a couple of bottles of wine (awesome red at $4) and off to the chaos. The streets were riotous in a good way. Gendarmes everywhere. Machine guns, too, in a good EU sort of way.

People carousing, drinking, open liquor everywhere… partay! But Ashley and I keep our wine in her “Hackers Are People Too” tote bag. The line to get into Luxembourg Gardens (a huge gorgeous public park) is eternal. Partay! Crazy music. Noise. Shouting. Honking. Traffic like… why the hell are you even driving?

I am thoroughly prepared for a French pat-down. Uzis around. So, yeah, I expect security. Aha! We’re at the gate. And what do the police want? OUR FRICKIN’ WINE!

No drinking in the public park… vin rouge is cascading down the streets… Uzis are everywhere… what are they trying to protect against?

Security Metaphor: Make noise in the East and take their wine in the West. (Sun Tzu) The massive presence of heavily armed police makes one feel reasonably protected (in a hit the ground quickly sort of way) and indeed, Nuit Blanche was 100% calm. There were no signs to indicate “intercict du vin” (no booze allowed) but that’s the beauty of Sun Tzu. An additional layer of unannounced security (that did p*** me off)  but completely understandable in retrospect. If an alcohol fueled riot had commenced inside Luxembourg Gardens, with only a handful of entrance/exits, the effects could have been most problematic. Nip it at the bud. Lessons to be learned.

Too many online scammers get away with what amounts to a wrist slap but a case if Las Vegas this week seems to be heading the right direction at least.

Internet scammer, Richard Neiswonger, sold “business opportunities” to unsuspecting victims through massive telemarketing efforts. Through extended court proceedings, the judge has had enough. His order: “Give us your $3.2 Million house…now… or go to jail.”

It’s about time.

But… let’s reconsider jail as the knee jerk reaction to cyber criminals.

“Send the punk to the slammer!” about a 15 year old kid who hacked the wrong company.

“She deserves 5 years in prison…” for being part of a bot net.

I have severe problems with the auto-American answer of jail for every miscreant act – especially of the cyber kind.

I firmly believe in alternative sentencing and think that the perpetrators should suffer in some way. But send them to the Group W bench with father rapers and murderers? I think not. The cost to society is like $50K+ per year to lock up the non-violent offender where he/she will fine-tune his criminal skills and contacts. Education courtesy of our Justice system.

We have the technology. Let’s use it.

GPS ankle-bracelets. Let’s use them.

Education: smart guys know their technology but got misdirected. Let’s put them back on track and utilize their expertise and truly behave like we believe in rehabilitation. How many cyber-acts are truly terrorist oriented? We fail to make much distinction from the ADD teen and Al Qaeda.

Can’t use a computer from home? Put the sensors in the ankle bracelet. If he/she really needs the Internet (who doesn’t?) let’s create a unique mandated path that all of their traffic must go through and monitor the hell out of it. How many thousands of cyber-criminals can be ‘controlled’ through one heavily restricted server farm? (Think China.)

The costs are a small percentage of what we experience now… and think of many more plea bargains will come about with reasonable sentences instead of the horrors of jail.

We have the technology. We know how to do it. But do we have the will? We can also send them back to jail if all else fails.

Sure… Let’s Shut Down the Net!

I’ve been traveling in Europe and didn’t have a chance to comment. Well, I really chose not to work so much.

Sure, why shouldn’t we shut down the Internet?

Of course, I am referring to the hoopla about various interpretations of whether the U.S. government should be able to turn off the Internet in case of severe cyber-attack. A few problems to consider:

• What is ‘Severe’? Who decides?
• Can the Internet – even the U.S. portion - actually be turned off?

I’ve seen various discussions on these points but for now, let’s pretend that they don’t exist. There are other issues.

1. We teach home and business users that if they think they are infected with malware to disconnect their Ethernet or wireless connection immediately to stop the propagation. No one has a problem with that. It makes sense.
2. On 9/11, we shut down all air traffic in a matter of hours. No one had a problem with that. (Being stuck in Fargo, though, might have been a hassle. Think the Steve Martin movie, ‘Planes, Trains and Automobiles.’

Unplugging from hostility is not a new concept. The fundamental question in this case is, which is worse? Disconnecting for a time and reconstituting with control, or allow an attack to continue while we try to combat it and use the Net at the same time.

This returns to the questions of ‘what is Severe?”

From my view, disconnecting is a must-have option that should be on the table at all times. It makes sound engineering sense. In complex systems, isolation, analysis, repair and reconstitution (reconnection) is the only way. How else can you figure out what’s really wrong and how much damage has been done? Power companies have done it for years. The tacos did it in 1991 when the SS7 switches collapsed. Lasted a few hours.

Should the feds decide to unplug the banks or should the collective wisdom of the Fed Reserve and leading financial institutions make that decision in a defensive step of self-preservation?

The problem I have with the majority of what I hear is the fear mongering of nationalization by technically ignorant politicos with media access and an agenda.

The question should be, “How do we properly plan” for such an eventuality instead of merely spreading unfounded fear.