January 5, 2009

INFOSEC Crystal Ball, Blogroll Addition

A couple of pals have brought up TaoSecurity and its principal as a place to go/guy to know. Adding to the blogroll and noting an extract from this post since it is now 2009:

Expect at least one cloud security incident to affect something you value. This is not the great Cloud Security blog, but I know many of us are already depending on cloud services. In 2007 and 2008 we started suffering denial when services suffered problems of availability. Next will be disclosure and then degradation. For more on these terms read First They Came for Bandwidth…

Don’t have a lot of time to work on my own list, but let me say that I’ll go one further and say that this is the year that an incident/breach ruins a lot of people’s lives. I don’t mean “run of the mill” ID theft (not belittling it at all, just saying it has stopped being special or ruinous) or an incident of any significant size (à la TJ Maxx); simply that it will make the impact of what ID theft used to be seem quaint. Can I quantify it beyond that? Not in a tweet; suffice it to say that an outlier might feel compelled to follow this route.

January 2, 2009

More Recommendations and a Smidge of Dissent

While I applaud the effort, I don’t know that I share much enthusiasm for the recommendations.

That we are engaged in a very rigorous competition is spot-on, but we’re not competing effectively. Pockets of expertise and world-class capabilities notwithstanding, you don’t win games on special teams alone. Just suiting up for the game isn’t sufficient; you need to have the skills and be prepared as well.

The call for resilience is well heeded, but the trend is to become more dependent on IT, not less. You can’t learn how to navigate by the stars in the Navy anymore; when FCS reaches FOC, how soon before commanders forget how to fight ‘the old fashioned way?’ Attacking our dependence on tech will, if our next adversaries are smart, be the path used to bring about our defeat, but you don’t see many think tanks advocating a return to basic map reading skills.

Frankly, I think we’ve seen enough of what Goldwater-Nichols-ization of things does, and outside of actual warfighting, it isn’t pretty. The IC has retooled its own effort along these lines at least twice to nominal effect. The fact of the matter is, real or paper qualifications mean less in this town than a Juris Doctor with connections (or just connections, JD optional). I would much rather see a revitalization of gov’t-industry rotation programs or an expansion of who can participate in IPAs, because those programs put real, current expertise on-board now and in perpetuity.

What They Said

A less-well-known CSIS report on what makes an online collaborative network work (or not). My own research (admittedly less rigorous) drew the same conclusions. Done properly - for conditions, people, mission - this mode of operation is the future.

ISBN

I’ve got one!

December 31, 2008

More of the Same, Only Smaller

As I’ve stated previously, there are better ways to get solid, original, innovative thinking into … whatever it is you are undertaking. That’s what makes this news so disturbing:

The Republican National Committee is building a new, in-house think tank aimed at reviving the party’s policy heft.

The think tank will be called the Center for Republican Renewal, and it has been mentioned as part of RNC Chairman Mike Duncan’s platform for reelection, but was begun shortly after the election as a new RNC office, separate from the campaign, a Republican official said.

Though Washington has many conservative think tanks, many inside the party and the conservative movement viewed November’s failures as, in part, a product of stale ideas, and like the Democrats after 2000, some in the GOP have called for a revival of the conservative intellectual infrastructure.

In my opinion (and my political proclivities are not exactly a secret), if they try to run this like a standard think tank, they will fail. As noted above, DC is not exactly hurting for houses of conservative ideological pursuit. Run it like a mini-Heritage (no offense, just pulling a name out of a hat) just gets you more of the same. No one is asking me (isn’t that why we all blog?) but if they were I would offer up the following approach:
  • Appoint a manager who is comfortable operating a distributed/virtual organization to provide strategy and guidance. He should appear quarterly to change the oil and gap the plugs.
  • Appoint issue area managers who know from their subjects to build platform outlines, provide more granular guidance and management, and shepherd the work of contributors (wait for it). They should appear weekly to adjust GPS settings.
  • Open up platform development to all interested and qualified contributors. “Interested” in this case being code for ‘people who want the party to succeed’ and “qualified” meaning people who, over time or through their effort, demonstrate that they have the intellectual chops (regardless of how they got them) and that they’re not kooks, crazies or mischief-makers.

Besides “hope” and “change,” the most common refrain heard the last two years was “the base.” Gotta listen to the base, gotta appease the base, that’s not going to be popular with the base. Well, if that’s more than just talk - or code for “the popular conservatives” - then it’s time to demonstrate whether the base has true value. Can you crowd-source a platform? Well, elite-sourcing it hasn’t exactly proven to be a winning strategy, and in case you haven’t been paying attention, providing a framework with some adult supervision and letting people have at it is actually pretty successful.

Let me know when they start hiring the nat’l security manager …

December 29, 2008

Food for Thought

As I outfit, catalog and stock my new home office I came across some gems …

Exhibit One - a story from Federal Computer Week titled “Hackers storm DOD nets”:

Hackers penetrated DOD computers supporting a number of sensitive functions and programs.

The unprecedented scale of these attacks, according to sources familiar with network security, should prompt concern not only about the integrity of DOD computer systems but also of commercial systems handling financial transactions.

[DISA INFOSEC Deputy Director] said the hackers have been “destroying data, modifying data and stealing data … they could have shut down hosts/networks and destroyed software.”

If you are waiting for the punch line, it’s that the publication date was July 1994.

Exhibit Two - The National Strategy to Secure Cyberspace, dated February 2003. Its main priorities: a national response system, a threat and vulnerability reduction program, an awareness and training program, securing gov’t cyberspace (whatever that is today), and national-international cooperation.

Exhibit Three - A report from the President’s IT Advisory Committee, Cyber Security: A Crisis of Prioritization, dated February 2005. Recommendations: funding cyber security R&D, coordination, cooperation, etc.

Exhibit Four - The latest CSIS report, Securing Cyberspace for the 44th Presidency. Among its recommendations: create a strategy (presumably exhibit two above was found lacking), coordination and cooperation, etc., etc.

I’m sure as I dig deeper I’ll find even earlier iterations of these same reports, all of which will say more or less the same thing (interesting fodder for a more comprehensive research project perhaps).

Question: If INFOSEC today is like terrorism circa 2000, what in the world is it going to take for the former to get the juice necessary to take action like the latter?

December 22, 2008

More Real IO

Sacre bleu!

December 19, 2008

Shamming

When I got to my assignment in the Balkans and actually went out on missions and logged 12+ hour days my (largely allied) colleagues were shocked.

Me: “Well, what did the last American do all day?”
John Bull: “Cooked, cleaned, did the shopping, took care of the team house.”
Me: “An intelligence officer?”
John Bull: “Right. Well, he said he had a heart condition, and going on meets could trigger a heart attack and he didn’t want to die out here in the hinterlands.”
Me: “Why didn’t you send him back?”
Froggy: “Eh, ‘ee was a good cook.”

As I think I’ve said before, there are people for whom this sort of work is just a job. Avoid them. Marginalize them. Sack them when you get the chance. There is work and there is not work, and when you are deployed it’s all dangerous.

I would say “for shame” but I know that sort doesn’t have any.

December 18, 2008

Shark. Jumped.

If this show lasts longer than one season I’ll drink a martini filtered through Secretary Chertoff’s jock.

“Homeland Security USA” debuts Jan. 6 on ABC. The show’s producer, Arnold Shapiro (creator of the CBS reality hit “Big Brother”) recently told the Hollywood Reporter, “I love investigative journalism, but that’s not what we’re doing. This show is heartening. It makes you feel good about these people who are doing their best to protect us.”

There is a reason why E-Ring was canceled: it was only entertaining to Pentagon dorks who got the largely unintentional inside jokes. Bottom line: border security, customs, even intelligence work, 99.9% of the time it’s boring as all get-out. Filming something that might get your pulse up à la 24 would be like filming a fishing show: you’ve got to log a couple of days’ worth of footage to fill 30 minutes. People don’t log time with shows about bureaucracy, or if they do it’s because it’s turned into comedy.

That's Some Analysis

From Inside the Ring:

Defense officials say Islamic extremists are increasing their presence on the Internet despite U.S. efforts to use “soft power” to counter radical ideologies.

According to the officials, there are about 40,000 Internet sites used by Islamists to recruit and inform jihadists seeking to attack non-Muslims as part of a grand scheme to create a Muslim caliphate.

By contrast, in 2001, there were about 800 identified jihadist Web sites, the officials said.

In the fall/winter of 2001 or from January? It’s important because, to paraphrase the immortal words of Donald Rumsfeld, ‘we didn’t know what we didn’t know.’ How do we know our IO efforts are working? Well, you would have had to have baselined the information environment before you started bombing and shooting for your measures of effectiveness to have any meaning. So, I wouldn’t hang my hat on that 800 number, and I wouldn’t draw a straight-line conclusion from a jump in sites by any measure.

40,000? Really? Serious actors recruiting serious candidates who actually get indoctrinated and trained? Maybe US military recruiters should pay attention. Seriously though, web sites themselves are a numbers game. Makes for a great briefing slide; where is the meat? What do the results of site content reveal? Which ones are backed by players and which ones are full of posers? 40,000 sites you can find from Google or does that include deep web and darknet results as well? For those who don’t know: there is a huge difference.

Nice confluence of buzz words and slipshod analysis, but then they drove away all the adults in the IO business, so what do you expect?

Creative Commons License
This weblog is licensed under a Creative Commons License.