Securosis

Research

Inherent Role Conflicts In National Cybersecurity

I spent a lot of time debating with myself if I should wade into this topic. Early in my analyst career I loved to talk about national cybersecurity issues, but I eventually realized that, as an outsider, all I was doing was expending ink and oxygen, and I wasn’t actually contributing anything. That’s why you’ve probably noticed we spend more time on this blog talking about pragmatic security issues and dispensing practical advice than waxing poetic about who should get the Presidential CISO job or dispensing advice to President Obama (who, we hate to admit, probably doesn’t read the blog). Unless or until I, or someone I know, gets “the job”, I harbor no illusions that what I write and say reaches the right ears. But as a student of history, I’m fascinated by the transition we, of all nations, face due to our continuing reliance the Internet to run everything from our social lives, to the global economy, to national defense. Rather than laying out my 5 Point Plan for Solving Global Cyber-Hunger and Protecting Our Children, I’m going to talk about some more generic issues that I personally find compelling. One of the more interesting problems, and one that all nations face, is the inherent conflicts between the traditional roles of those that safeguard society. Most nations rely on two institutions to protect them- the military and the police. The military serves two roles: to protect the institution of the nation state from force, and to project power (protecting national assets, including lines of commerce, that extend outside national boundaries). Militaries are typically focused externally, even in fascist states, but do play a variable domestic role, even in the most liberal of democratic societies. Militaries are externally focused entities, who only turn internally when domestic institutions don’t have the capacity to manage situations. The police also hold dual roles: to enforce the law, and ensure public safety. Of course the law and public safety overlap to different degrees in different political systems. Seems simple enough, and fundamentally these institutions have existed since nearly the dawn of society. Even when it appears that the institutions are one and the same, that’s typically in name only since the skills sets involved don’t completely overlap, especially in the past few hundred years. Cops deal with crime, soldiers with war. The Internet is blasting those barriers, and we have yet to figure out how to structure the roles and responsibilities to deal with Internet-based threats. The Internet doesn’t respect physical boundaries, and its anonymity disguises actors. The exact same attack by the exact same threat actor could be either a crime, or an act of war, depending on the perspective. One of the core problems we face in cybersecurity today is structuring the roles and responsibilities for those institutions that defend and protect us. With no easy lines, we see ongoing turf battles and uncoordinated actions. The offensive role is still relatively well defined- it’s a responsibility of the military, should be coordinated with physical power projection capacity, and the key issue is over which specific department has responsibility. There’s a clear turf battle over offensive cyber operations here in the U.S., but that’s normal (explaining why every service branch has their own Air Force, for example). I do hope we get our *%$& together at some point, but that’s mere politics. The defensive role is a mess. Under normal circumstances the military protects us from external threats, and law enforcement from internal threats (yes, I know there are grey areas, but roll with me here). Many/most cyberattacks are criminal acts, but that same criminal act is maybe national security threat. We can usually classify a threat by action, intent, and actor. Is the intent financial gain? Odds are it’s a crime. Is the actor a nation state? Odds are it’s a national security issue. Does the action involve tanks or planes crossing a border? It’s usually war. (Terrorism is one of the grey areas- some say it’s war, others crime, and others a bit of both depending on who is involved). But a cyberattack? Even if it’s from China it might not be China acting. Even if it’s theft of intellectual property, it might not be a mere crime. And just who the heck is responsible for protecting us? Through all of history the military responds through use of force, but you don’t need me to point out how sticky a situation that is when we’re talking cyberspace. Law enforcement’s job is to catch the bad guys, but they aren’t really designed to protect national borders, never mind non-existent national borders. Intelligence services? It isn’t like they are any better aligned. And through all this I’m again shirking the issues of which agencies/branches/departments should have which responsibilities. This we need to start thinking a little differently, and we may find that we need to develop new roles and responsibilities and we drive deeper into the information age. Cybersecurity isn’t only a national security problem or a law enforcement problem, it’s both. We need some means to protect ourselves from external attacks of different degrees at the national level, since just telling every business to follow best practices isn’t exactly working out. We need a means of projecting power that’s short of war, since playing defense only is a sure way to lose. And right now, most countries can’t figure out who should be in charge or what they should be doing. I highly suspect we’ll see new roles develop, especially in the area of counter-intelligence style activity to disrupt offensive operations ranging from taking out botnets, to disrupting cybercrime economies, to counterespionage issues relating to private business. As I said in the beginning, this is a fascinating problem, and one I wish I was in a position to contribute towards, but Phoenix is a bit outside the Beltway, and no one will give me the President’s new Blackberry address. Even after I promised to stop sending all those LOLCatz forwards. Share:

Share:
Read Post

The Network Security Podcast, Episode 136

I managed to constrain my rants this week, staying focused on the issue as Martin and I covered our usual range of material. I think we were in top form in the first part of the show where we focus on the economics of breaches and discussed loss numbers, vs. breach notification statistics. Here are the show notes, and as usual the episode is here: Network Security Podcast, Episode 136, January 27, 2009 Time: 27:43 Show Notes: Maine surveys banks to determine some of the losses associated with major data breaches. It isn’t a small number. Monster.com loses some data. They don’t tell us who’s data they loss, or how or why, but they definitely lost some stuff. The White House homeland security agenda. There’s a cyber section. Which is cool, because someone can at least spell cyber. Phishers change URLs. We’re not sure why this is news, but we use it as an excuse to talk about other, more important things. A man buys a used MP3 player in New Zealand, with personal info on US soldiers in Iraq. WTF? Maybe it was a Zune? Tonight’s Music: Mexicolas with Big in Japan Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.