Comments: The failure of cyber defence - the mindset is against it

I periodically tell this story about realizing in the 80s there were three kinds of crypto: 1) the kind they don't care about, 2) the kind that you can't do, 3) the kind that you can only do for them. There would be periodic news about prohibited crypto (type #2).

I had an HSDT project with T1 and faster links. All the links on the internal network were required to have link encryptors (some comment that in the mid-80s the internal network had more than half of all link encryptors in the world).

T1 link encryptors were really expensive and it was almost impossible to get anything faster than T1. I got involved in a project where the objective was to have hardware encryptors that could handle LAN speed, cost less than $100 and be able to change key on every packet.

The crypto products group reviewed it and claimed that it significantly reduced the crypto strength compared to standard DES. It took me three months to figure out how to convince them that it was actually much stronger than standard DES. However, it was a hollow victory ... I then got told we could build as many as we wanted ... but there would be only one customer ... all would be shipped to a location on the east coast (aka type #3).

Old email about benchmarking software DES where it would take a dedicated mainframe processor to handle sustained 1.5mbits/sec and two dedicated mainframe processors to handle full-duplex T1.
http://www.garlic.com/~lynn/2006n.html#email841115

old email about proposal for pgp-like implementation for the internal network
http://www.garlic.com/~lynn/2007d.html#email810506 ..
http://www.garlic.com/~lynn/2006w.html#email810515

Posted by Lynn Wheeler at July 11, 2013 08:21 AM

"Secondly, due to a mindset of offense, the spooks in the aggregate will be unsuited to any mission to assist the defence side."

I would proffer this is actually true. To use a physical security example, a guy who knows how to blow up a building doesn't necessarily know how to design one to resist being blown up. I can't tell you how many "attackers'" eyes have glazed over when I talk to them about defense fundamentals (change/configuration/patch management, asset inventories, personnel HR security, etc).

In the private sector we used to always talk about (and saw it when we hired) how 1337 zero-day hackers only have to be good at single-issue items whereas defense has to be good at everything. Sure there is some crossover but lots of it either doesn't cross over or runs into mindset problems. A guy who gets his rocks off evading IDSs isn't going to enjoy spending 8x5 staring at IDS logs trying to find somebody evading IDSs.

Posted by Peter at July 11, 2013 12:34 PM

from a different perspective, posted recently a number of times

How Edward Snowden Snuck Through
http://nation.time.com/2013/06/26/how-edward-snowden-snuck-through/

a lot of this seems to misdirect from the mechanics of being able to obtain all the information at all. 20yrs ago, open security literature had gov. agency state-of-the-art was not only strict access controls but also behavior based monitoring that would catch employee atypical activity. all of that appears to have gone by the wayside as part of privatizing the intelligence community and transition to for-profit operation. It appears that they not only aren't doing monitoring but don't appear to even have any idea what may have been taken. References to super administrative privileges imply that provisions requiring multiple individuals have also gone by the wayside.

NSA Networks Might Have Been Missing Anti-Leak Technology
http://www.nextgov.com/cybersecurity/2013/06/nsa-networks-might-have-been-missing-anti-leak-technology/65708/

Would appear to be a regression from 20yrs ago ... possibly associated with transition to for-profit operation. Also possibly more technology monitoring the public than internal security. In the financial industry in the past, open security literature claims that as much as 70-80% of breaches have involved insiders ... although it might be more ... in the financial services presidential critical infrastructure protection meetings, a major concern was making sure that the exploit information sharing ISAC not be subject to FOIA.

... also not exactly unexpected given the stories about classified details of major weapons systems leaking out over the internet for years.

reference to growing "Success of Failure" culture
http://www.govexec.com/excellence/management-matters/2007/04/the-success-of-failure/24107/

Booz Allen, the World's Most Profitable Spy Organization
http://www.businessweek.com/articles/2013-06-20/booz-allen-the-worlds-most-profitable-spy-organization
Spies Like Us
http://www.investingdaily.com/17693/spies-like-us/

Private contractors like Booz Allen now reportedly garner 70 percent of the annual $80 billion intelligence budget and supply more than half of the available manpower.

... snip ...

the whistleblower in the "Success of Failure" case was treated very badly. The scenario is for-profit operations have discovered that a series of failures is a lot more revenue than an immediate success (sort of natural evolution of the beltway bandits' "leave no money on the table" paradigm). The congressional investigation put the agency on probation for five years (but did little for the whistleblower) and not able to manage its own projects. However, that may have been just a ploy ... further privatizing the gov. (solution to the problem of for-profit companies in projects is to have more for-profit involvement ... of course, some quarters claim that there is a guaranteed 5% kickback to congress on appropriated funds to for-profit companies ... which doesn't happen if it is a straight gov. agency)

oh and a little IBM connection.

Louis V. Gerstner Jr. lays out his post-IBM life
http://articles.washingtonpost.com/2013-06-07/business/39803388_1_computer-giant-ibm-gerstner-jr-life

more detailed histories talk about him being in competition to be the next CEO of AMEX ... the loser then leaves ... and eventually does take over some other companies and eventually citibank ... in violation of glass-steagall ... greenspan gives him an exemption while he lobbies congress for repeal of glass-steagall ... originating too-big-to-fail and a major factor in the financial mess.

AMEX and KKR are in competition for private-equity take-over of RJR ... KKR wins ... but runs into trouble with RJR and hires Gerstner away to turn it around ... before the IBM board hires Gerstner away to resurrect IBM. Gerstner then leaves to be chairman of another major private equity company.

RJR
http://en.wikipedia.org/wiki/RJR_Nabisco
KKR
https://en.wikipedia.org/wiki/Kohlberg_Kravis_Roberts

It mentions that private equity leveraged buyout of RJR had been the largest buyout up until that point.

wiki
http://en.wikipedia.org/wiki/Louis_V._Gerstner,_Jr.
after IBM, becomes Chairman of
http://en.wikipedia.org/wiki/Carlyle_Group
which then does private equity buyout of ... guess who?
http://en.wikipedia.org/wiki/Booz_Allen_Hamilton

Posted by Lynn Wheeler at July 11, 2013 02:56 PM

a little more on privatizing gov. by for-profit companies and economic espionage

Penalties Are Weak for Misbehaving Contractors
http://www.pogo.org/blog/2013/07/weak-penalties-for-misbehaving-contractors.html
Snowden case not the first embarrassment for Booz Allen, or D.C. contracting industry
http://www.washingtonpost.com/politics/snowden-case-not-the-first-embarassment-for-booz-allen--or-washingtons-burgeoning-contracting-industry/2013/07/08/30440b0a-d9b3-11e2-a9f2-42ee3912ae0e_story.html

Posted by Lynn Wheeler at July 12, 2013 04:53 PM