Daniel E. Geer

Cybersecurity as Realpolitik: Black Hat USA Conference Keynote Address

delivered 6 August 2014, Mandalay Bay, Las Vegas, Nevada


Glasses have become a necessity. Of course, you begin with "Good morning" and "Thank you for the invitation to speak with you." Of course you say that. But you can also say that with feeling -- and I am doing that: "Good morning, thank you for the invitation to speak with you."

The plaintext of this talk has been made available to the organizers and I trust it will be in due course available to you.

I won't be taking questions here this morning, but you're welcome to contact me later and I will do what I can to reply. I'm very close to not being able to handle the number of emails and the like that I get. Those of you who know Larry Lessig will know what I mean when I say I'm close to declaring bankruptcy in this regard. But, nevertheless, I will endeavor to do it and I invite you to do so.

For simple clarity, I'm going to reread the abstract that went with this talk:

Power exists to be used. Some wish for cyber safety, which they will not get. [Others] wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.

There are three professions that beat their practitioners into a state of humility: farming, weather forecasting, and cyber security. I practice two of those, and, as such, let me assure you that the recommendations which follow are presented in all humility. Humility does not mean timidity. Rather, it means that when a strongly held belief is proven wrong, the humble person changes their mind. I expect that my proposals will result in considerable push-back, and changing my mind may well follow. Though I will say it again later, this speech is me talking for myself.

As if it needed saying, cyber security is now a riveting concern, a top issue in many venues more important than this one. This is not to insult Black Hat; rather it is to note that every speaker, every writer, every practitioner in the field of cyber security who has wished that its topic, and us with it, were taken seriously has gotten their wish. Cyber security *is* being taken seriously, which, as you well know, is not the same as being taken usefully, coherently, or lastingly. Whether we are talking about laws like the Digital Millennium Copyright Act or the Computer Fraud and Abuse Act, or the non-lawmaking but perhaps even more significant actions that the Executive agencies are undertaking, "we" and the cyber security issue have never been more at the forefront of policy. And you ain't seen nothing yet.

I wish that I could tell you that it is still possible for one person to hold the big picture firmly in their mind's eye, to track everything important that is going on in our field, to make few if any sins of omission. It is not possible; that phase passed some time in the last six years. I have certainly tried to keep up but I would be less than candid if I were not to say that I know that I am not keeping up, not even keeping up with what is going on in my own country much less all countries. Not only has cybersecurity reached the highest levels of attention, it has spread into nearly every corner. If area is the product of height and width, then the footprint of cybersecurity has surpassed the grasp of any one of us.

The rate of technological change is certainly a part of it. When younger people ask my advice on what they should do or study to make a career in cyber security, I can only advise specialization. Those of us who were in the game early enough and who have managed to retain an over-arching generalist knowledge can't be replaced very easily because while absorbing most new information most of the time may have been possible when we began practice, no person starting from scratch can do that now. Serial specialization is now all that can be done in any practical way. Just looking at the Black Hat program will confirm that being really good at any one of the many topics presented here all but requires shutting out the demands of being good at any others.

Why does that matter? Speaking for myself, I am not interested in the advantages or disadvantages of some bit of technology unless I can grasp how it is that that technology works. Whenever I see marketing material that tells me all the good things that adopting this or that technology makes possible, I remember what George Santayana said, that "Scepticism is the chastity of the intellect; it is shameful to give it up too soon, or to the first comer." I suspect that a majority of you have similar skepticism -- "It's magic!" is not the answer a security person will ever accept. By and large, I can tell *what* something is good for once I know *how* it works. Tell me how it works and then, but only then, tell me why you have chosen to use those particular mechanisms for the things you have chosen to use them for.

Part of my feeling stems from a long-held and well-substantiated belief that all cyber security technology is dual use. Perhaps dual use is a truism for any and all tools from the scalpel to the hammer to the gas can -- they can be used for good or ill -- but I know that dual use is inherent in cyber security tools. If your definition of "tool" is wide enough, I suggest that the cyber security tool-set favors offense these days. Chris Inglis, recently retired NSA Deputy Director, remarked that if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, [CI] i.e., all offense. I will take his comment as confirming at the highest level not only the dual use nature of cybersecurity but also confirming that offense is where the innovations that only States can afford are going on.

Nevertheless, this essay is an outgrowth from, an extension of, that increasing importance of cybersecurity. With the humility of which I spoke, I do not claim that I have the last word. What I do claim is that when we speak about cybersecurity policy we are no longer engaging in some sort of parlor game. I claim that policy matters are now the most important matters, that once a topic area, like cybersecurity, becomes interlaced with nearly every aspect of life for nearly everybody, the outcome differential between good policies and bad policies broadens, and the ease of finding answers falls. As H.L. Mencken so trenchantly put it, "For every complex problem there is a solution that is clear, simple, and wrong."

The four verities of government are these:
 - Most important ideas are unappealing.
 - Most appealing ideas are unimportant.
 - Not every problem has a good solution.
 - Every solution comes with side effects.

This quartet of verities certainly applies to the interplay between cybersecurity and the affairs of daily living. Over my lifetime the public expectation of what government can and should do has spectacularly broadened from guaranteeing that you may engage in the "pursuit of happiness" to guaranteeing happiness in and of itself. The central dynamic internal to government is, and always has been, that the only way for either the Executive or the Legislature to control the many sub-units of government is by way of how much money they can hand out. Guaranteeing happiness has the same dynamic -- that the only tool government really has to achieve the outcome of everyone happy or everyone healthy or everyone safe at all times from things that go bump in the night is through the dispensing of money. This is true in foreign policy; one can reasonably argue that the United States' 2007 troop "surge" in Iraq did provide an improvement in safety. One can also argue that the work of those troops, some of whom gave what Abraham Lincoln called "the last full measure of devotion," was materially aided by the less publicized arrival of C-130s full of $100 bills with which to buy off potential combatants. Why should cybersecurity be any different?

Suppose, however, that surveillance becomes too cheap to meter, that is to say too cheap to limit through budgetary processes. Does that lessen the power of the Legislature more, or the power of the Executive more? I think that ever-cheaper surveillance substantially changes the balance of power in favor of the Executive and away from the Legislature. While President Obama was referring to something else when he said "I've Got A Pen And I've Got A Phone," he was speaking to exactly this idea -- things that need no appropriations are outside the system of checks and balances. Is the ever-wider deployment of sensors in the name of cybersecurity actually contributing to our safety? Or is it destroying our safety in order to save it?

To be entirely clear by way of repetition, this essay is written by someone as his own opinion and not on behalf of anyone else. It is written without the supposed benefits of insider information; I hold no Clearance but am instead informed solely by way of open source intelligence. This path may be poised to grow easier; if the chief benefit of having a Clearance is to be able to see into the future a little further than those without one, then it must follow that as the pace of change accelerates the difference between how far you can see with a Clearance versus how far you can see without one will shrink.

There are, in other words, parallels between cybersecurity and the intelligence functions insofar as predicting the future has a strong role to play in preparing your defenses for probable attacks. As Dave Aitel has repeatedly pointed out, the hardest part of crafting good attack tools is testing them before deployment. Knowing what your tool will find, and how to cope with that, is surely harder than finding an exploitable flaw in and of itself. This, too, may grow in importance if the rigor of testing causes attackers to use some portion of the Internet at large as their test platform rather than whatever rig they can afford to set up in their own shop. If that is the case, then full scale traffic logs become an indispensable intelligence tool insofar as when an attack appears to be de novo those with full scale traffic logs may be in a position to answer the question "How long has this been going on?" The company Net Witness, now part of EMC, is one player who comes to mind in this regard, and there are others. This idea of looking backward for evidence that you didn't previously know enough to look for does certainly have intelligence value both for the Nation State and for the enterprise.

And there is a lot of traffic that we don't have a handle on. John Quarterman of Internet Perils makes a round number guess that 10% of Internet backbone traffic is unidentifiable as to protocol. [JQ] Whether he is off by a factor of two in either direction, that is still a lot of traffic. Arbor Networks estimates that perhaps 2% of all *identifiable* backbone traffic is, to use their term, "raw sewage." [AN] There are plenty of other estimates of this sort, of course. To my way of thinking, all such estimates continue to remind us that the end-to-end design of the Internet [SRC] was not some failure of design intellect but a brilliant avoidance of having to pick between the pitiful toy a completely safe Internet would have to be versus an Internet that was the ultimate tool of State control.

In nothing else is it more apt to say that our choices are Freedom, Security, Convenience -- Choose Two.

Let me now turn to some policy proposals on a suite of pressing current topics. None of these proposals are fully formed, but as you know, those who don't play the game don't make the rules. These proposals are not in priority order, though some are more at odds with current practice than others and might, therefore, be said to be more pressing. There are more where these came from, but this talk has a time limit, and there is a meta-analysis at the end.

The United States Centers for Disease Control are respected the world around. When you really get down to it, three capabilities describe the CDC and why they are as effective as they are: (1) mandatory reporting of communicable diseases, (2) stored data and the data analytic skill to distinguish a statistical anomaly from an outbreak, and (3) away teams to take charge of, say, the appearance of Ebola in Miami. Everything else is details. The most fundamental of these is the mandatory reporting of communicable diseases.

At the same time, we have well established rules about medical privacy. Those rules are helpful; when you check into the hospital there is a licensure-enforced, accountability-based, need-to-know regime that governs the handling of your data. [PHI] Most days, that is, but if you check in with Bubonic Plague or Typhus or Anthrax, you will have zero privacy as those are the "mandatory reporting of communicable disease conditions" as variously mandated not just by the CDC but by public health law in all fifty States.

So let me ask you, would it make sense, in a public health of the Internet way, to have a mandatory reporting regime for cybersecurity failures? Do you favor having to report cyber penetrations of your firm or of your household to some branch of government or some non-government entity? Should you face criminal charges if you fail to make such a report? Forty-eight States vigorously penalize failure to report sexual molestation of children. [SMC] The (US) Computer Fraud and Abuse Act [CFAA] defines a number of felonies related to computer penetrations, and the U.S. Code says that it is a crime to fail to report a felony of which you have knowledge. [USC] Is cybersecurity event data the kind of data around which you want to enforce mandatory reporting? Forty-six States require mandatory reporting of one class of cyber failures in the form of their data breach laws, [CSB] while the Verizon Data Breach Investigations Report [VDB] found, and the Index of Cyber Security [ICS] confirmed, that 70-80% of data breaches are discovered by unrelated third parties, not by the victim, meaning that the victim might never know if those who do the discovering were to keep quiet. If you discover a cyber attack, do you have an ethical obligation to report it? Should the law mandate that you fulfill such an obligation?

My answer to this set of questions is to mirror the CDC, that is for the force of law to require reporting of cybersecurity failures that are above some severity threshold that we have yet to negotiate. Below that threshold, I endorse the suggestion made in a piece two weeks ago, "Surviving on a Diet of Poisoned Fruit," by Richard Danzig where he made this policy proposal: [RD]

Fund a data collection consortium that will illuminate the character and magnitude of cyber attacks against the U.S. private sector, using the model of voluntary reporting of near-miss incidents in aviation. Use this enterprise as well to help develop common terminology and metrics about cybersecurity.

While regulatory requirements for aviation accident reporting are firmly established through the National Transportation Safety Board, there are no requirements for reporting the vastly more numerous and often no less informative near misses. Efforts to establish such requirements inevitably generate resistance: Airlines would not welcome more regulation and fear the reputational and perhaps legal consequences of data visibility; moreover, near accidents are intrinsically more ambiguous than accidents.

An alternative path was forged in 2007 when MITRE, a government contractor, established an Aviation Safety Information Analysis and Sharing (ASIAS) system receiving near-miss data and providing anonymized safety, benchmarking and proposed improvement reports to a small number of initially participating airlines and the Federal Aviation Administration (FAA).

Today, 44 airlines participate in that program voluntarily. The combination of a mandatory CDC model for above-threshold cyber events and a voluntary ASIAS model for below-threshold events is what I recommend. This leaves a great deal of thinking still to be done; diseases are treated by professionals, but malware infections are treated by amateurs. Diseases spread within jurisdictions before they become global, but malware is global from the get-go. Diseases have predictable behaviors, but malware comes from sentient opponents. Don't think this proposal is an easy one or one without side effects.

There is considerable irony in the Federal Communications Commission classifying the Internet as an information service and not as a communications service insofar as while that may have been a gambit to relieve ISPs of telephone-era regulation, the value of the Internet is ever more the bits it carries, not the carriage of those bits. The FCC decisions are both several and now old: the FCC classified cable as an information service in 2002, classified DSL as an information service in 2005, classified wireless broadband as an information service in 2007, and classified broadband over power lines as an information service in 2008. A decision by the D.C. Circuit Court of Appeals on this very point appeared earlier this year, [VZF] but settled little. The question remains, is the Internet a telecommunications service or an information service?

I've nothing new to say to you about the facts, the near-facts, nor the lying distortions inherent in the debate regarding network neutrality so far or still to come. What I can say is that network neutrality is no panacea nor is it anathema; people's tastes vary and so do corporations'. What I can say is that the varied tastes need to be reflected in constrained choice rather than the idea that the FTC or some other agency can assure happiness if and only if it, rather than corporations or individuals, does the choosing. Channeling for Doctor Seuss, if I ran the zoo I'd call up the ISPs and say this:

Hello, Uncle Sam here.

You can charge whatever you like based on the contents of what you are carrying, but you are responsible for that content if it is hurtful; inspecting brings with it a responsibility for what you learn.

-or-

You can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying and can only charge for carriage itself. Bits are bits. Choose wisely. No refunds or exchanges at this window.

In other words, ISPs get the one or the other; they do not get both. The FCC gets some heartache but also a natural experiment in whether those who choose common carrier status turn out differently than those who choose multi-tiered service grades with liability exposure. We already have a lot of precedent and law in this space. The United States Postal Service's term of art, "sealed against inspection," is reserved for items on which the highest postage rates are charged; is that also worth stirring into the mix?

As a side comment, I might add that it was in Seuss' book _If I Ran the Zoo_ that the word "nerd" first appeared in English. If Black Hat doesn't yet have an official book, I'd suggest this one.

Nat Howard said that "Security will always be exactly as bad as it can possibly be while allowing everything to still function," [NH] but with each passing day, that "and still function" clause requires a higher standard. As Ken Thompson told us in his Turing Award lecture, there is no technical escape; [KT] in strict mathematical terms you neither trust a program nor a house unless you created it 100% yourself, but in reality most of us will trust a house built by a suitably skilled professional, usually we will trust it more than one we had built ourselves, and this even if we have never met the builder, or even if he is long since dead.

The reason for this trust is that shoddy building work has had that crucial "or else ..." clause for more than 3700 years:

If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death. -- Code of Hammurabi, approx 1750 B.C.

Today the relevant legal concept is "product liability" and the fundamental formula is "If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes." For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer. Poul-Henning Kamp and I have a strawman proposal for how software liability regulation could be structured.


Original Text Source: http://geer.tinho.net/pubs

Original Images Source: YouTube Screenshots

U.S Copyright Status: Text = Used with kind permission from Mr. Geer. Images = Fair Use.
