

Active Defense/Hack Back and "Complete Ignorance"

I recently read a post about “Active Defense” or, as some call it, hack back. I won’t reveal the author or the title so as not to disparage anyone. Certainly this topic is very sexy right now and many like to write about it, but most of the articles I have seen amount to fear mongering: comments based not in fact or even sound theory, but in ignorance of the topic, the laws, and the technology, and they appear to be an attempt to sensationalize the topic.

Yes, there is a problem. Yes, companies are suffering. Some of the companies have a legitimate complaint. They have done all they can and the government has tied their hands by saying things like, “if you hack back you are no different than the hackers.” A lot of companies, though, have no right to complain because their security really sucks, is like Swiss cheese, and they are not willing to spend the money to fix it.

The blog I read recently quoted a former DoJ attorney who stated that it is illegal to go outside of your network and hack back at your attacker. In the next paragraph the writer quotes a so-called security expert who says his company has the capability to determine who attackers are and collect intelligence on them, and this is not illegal but good practice. The expert provides the usual, “do not try this at home,” warning. I will leave it to you to decide whether this warning is good advice or simply self-serving.

So here’s my problem: these quotes claim on one hand that it is illegal to attack your attacker, but on the other hand that it is not illegal to take the steps necessary to determine who your attacker is. If determining who attackers are were really that easy and clearly lawful, everyone would be doing it. Most would admit the greatest challenge with cyber crime is determining who the attacker is, i.e., attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult, and if you can’t determine attribution then you may be “attacking an innocent victim.”

As a side note to the above comment, and as I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent. A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server’s attacks to know that he is the patsy attacking them due to his crappy security.

So, I would kindly ask those who like to write about “Active Defense” to please do some research, think the process through, stop confusing the issue and stop writing fear mongering comments like, “you might start a war with China.”

Posted in Security.



Active Defense: Attribution is just not that important

Imagine owning a company and realizing you have been hacked and the hackers are disrupting operations or stealing trade secrets, intellectual property, private information, or even money. As best as you can determine, this did not just happen but has been going on for a while. You hired a company to do an incident response, clean up, patch the holes, and get you back up and running. They may or may not have claimed to have secured your network, but they state in no uncertain terms that any action beyond what they have done would be illegal. Within months you notice the same activity. So, you call the company again. More money, more time, and more meetings about how much is being lost. Do you call law enforcement? Do you continue with the cyber security company and keep paying them? Do you have a data breach notice responsibility to shareholders, the board, and customers/clients?

What you need is a clear and concise plan of action to follow in these situations.

When lecturing on “Active Defense” I often hear comments like, “hack back is illegal,” “without attribution you might hurt an innocent bystander,” or my favorite, “you might start a war with China.” So what is “Active Defense”? Many people equate it to hack back. My definition of “Active Defense” is “a clear and concise process or plan for addressing a compromise to the security of your network and/or the loss or theft of data.” The process begins with an incident response and could ultimately end with hack back. It includes a series of predetermined check points requiring leadership/CEO involvement in making various decisions.

One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach. If it is determined to be a one-time occurrence the decision is easy: initiate an incident response plan, clean up, patch holes, and provide the notifications required by law. If the attack appears to be ongoing, some of the follow-on decisions may include: what end state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.); what intelligence/information should be gathered; what tools/techniques should be developed and/or used, and how; and, as information is gathered and options presented, which should be considered and pursued. There are many more, most of which depend on the facts, the information available, the best interests of the company, fiduciary responsibility, etc. At each stage, and as each decision is made, risk, liability and legal issues are discussed, evaluated, and factored into the decision process.

Okay, so why is attribution not that important? 

Certainly, being able to identify your attacker makes life much easier for you and your company. Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler. You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker. If, for some reason, the owner of the compromised server will not work with you, then you can proceed as if he is the hacker. You might contact law enforcement, or, if that option has been ruled out or law enforcement is not able to assist, you might decide to take action to block the attacks. At this point the leverage you can garner against the server owner is pretty great. Chances are his server is not only being used to attack you but many other companies as well. The server owner will likely not want all of the other companies to know his compromised server is responsible for their pain, assuming they are aware of it. When this fact is revealed to him he may suddenly be more than ready to negotiate and assist.

In many cases though, you will not be able to determine the identity and/or whereabouts of the server owner. 

In that case, if you strike back and inspect the server attacking you, have you lashed out at an innocent bystander? Many people claim just that. I would argue this person is a victim like you, but an innocent bystander? Not even close. Consider the 2006 movie “Firewall” with Harrison Ford. His wife and daughter were kidnapped and the kidnappers, using this leverage, forced him to hack into a bank he was hired to protect and steal millions of dollars for them. Now, granted, I like Harrison Ford, but if he is stealing my money he’s not an innocent bystander. He is a victim, but if it is me or him, choices must be made. Equally, if it is my company losing thousands or millions of dollars, then attacking the server being used to attack me seems like a pretty good option and it is “game on!” This is where, depending on how you accomplish blocking the attack against your network, self-defense becomes a factor and part of the decision-making process. I will leave self-defense for the next installment in this series of blog entries.

Posted in Security.



Legal Issues of Cloud Forensics

Ever wonder how you would do digital forensics if the data you have placed in the Cloud was hacked or compromised? Well, thinking about it before it happens is your first step and your best step. Read the white paper here.

Posted in Security.



Active Defense/Hack Back/Attribution – The Saga Continues

I have noticed, at least amongst lawyers, that there does not seem to be much middle ground when it comes to "Active Defense" or hack back and the right of self-defense. Those who comment on it either agree that self-defense exists in cyberspace, with very few in this camp, or hold that it doesn't, which is where the majority stand. All I ask of most is: don't simply jump to the conclusion that self-defense does not exist and "Active Defense" or hack back is illegal, but instead look at the arguments, potential fact scenarios, and definitions.

"Active Defense" has many definitions and should not be strictly equated to hack back. Hack back may instead be considered a subset of "Active Defense," which does include cyber self-defense or cyber self-help. Whether or not a company can utilize these theories depends entirely on the given facts of a situation. For instance, if a company has suffered a cyber attack and cannot show the attack continues or is persistent, it will not likely be able to make a case for the use of self-defense. My draft definition of "Active Defense" (still a work in progress) is as follows: "a meticulous and escalated approach to a persistent cyber attack wherein the company leadership makes a decision whether or not to progress at pre-determined decision-points, evaluating risk, liability and legal issues." Each decision-point will include all of the intelligence gathered, all potential options, tools, techniques, possible scenarios, potential risks, liability, and legal issues. Depending on the facts and the confidence of the decision-maker there can be few decision-points or many. The number of decision-points is also a factor to consider in the scenario, and the actual amount of liability, if any, may depend on how meticulously and cautiously the decision-maker acted. For example, the first decision-point may be whether the attack(s) is or are persistent. "Active Defense" is very fact dependent.

Unfortunately most jump immediately to the conclusion that Active Defense or hack back is illegal. In my opinion this is a very shortsighted view. If you are a company losing a lot of money, can show you have implemented good or better security, and have taken an escalated approach, collecting intel and evaluating risk, liability and legal issues along the way, then I believe you do have a right to defend yourself. Again, it is very fact specific. This is where most people then pull out the "attribution" card and claim you will impact an innocent bystander.

If someone drugs and hypnotizes an innocent bystander and convinces him to shoot at you, don't you have the right to shoot back in self-defense? This is similarly fact dependent. For instance, if you know the person is an innocent bystander you would likely try to run away and get help, maybe call the police. You might even attempt an escalated approach causing as little harm as possible to the innocent drugged and hypnotized bystander. In the end, if it is you or him, most will likely opt to save their own lives. Now remember, self-defense applies to person or property. So, in the end most will opt to save their own property over the property of the innocent bystander.

So, if a server is compromised and being used to attack my company, don't I have the right to defend against that server? In this scenario I am assuming I cannot identify who owns the server. If I could, I would simply call that person or company and ask that the server be shut down or the malware removed. Also, is the owner of the compromised server used to attack me truly an innocent bystander? Is there contributory negligence on the part of that server owner for not having adequate security and allowing his system to be compromised? In a perfect world you could say no, but today many if not most compromises occur because companies have not used due diligence in keeping systems patched and implementing basic security. Enough for now; comments?

Posted in Security.



Active Defense: Is it time to test in court? Correcting the Record!

by David Willson

On 16 January I did two webinars with Bright Talk. One was titled “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other was a panel entitled “The single greatest security challenges for 2013.”

Quick side note: due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue. But I am going to do another on 13 March and will manage my time better. Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion.

We had a great discussion and I would encourage you to listen if you are interested.  It can be found here: https://www.brighttalk.com/webcast/288/64057

On 22 January Peter wrote an article for Tech Week Europe entitled, “Its Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048

Although he got the facts correct and most of what I said in the webinar correct, I feel the tone in which he portrays my comments needs some clarifying. This is not me trying to pull myself out of the fire, since I have not seen any feedback from his article, but simply my clarification. So, now that I am done with my overly wordy intro, here we go.

To his first point, I agree that cyber crime victims are within their rights to retaliate, but would preface this, as any good attorney would, with “it depends!” It depends on the facts and circumstances. For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate.

This is similar to when someone robs your house. If they are gone you have no right to pursue the burglar on your own. On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again, you have a right to defend yourself.

Okay, next comment: “Itching to test this in court.” Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court. But if the situation dictates that you must do something to protect your company, you have tried all other options, and you are interested in moving to the next level, then you have options.

Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.”  Security is a MUST.  Anti-virus, despite what Josh Corman says, is a MUST.  Anything that can help protect your network and valuable information is a MUST.  If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.” Yes, they should. If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, including calling or considering calling law enforcement, to no avail, self-defense should be an option.

In the interest of time I will make this my last point.  Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims.  I agree, although this sounds rather ugly. 

Let’s use a physical world example. Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you. Even if you know this is fact and your neighbor is an innocent, unknowing pawn, if he tries to kill you wouldn’t you defend yourself? You would likely try to defuse the situation with the least amount of harm to your neighbor, but in the end, if it is him or you, unless you have a death wish it will be him.

Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues.  The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.

So, there you have it.  Obviously there are many more issues none of them black and white, and this is a very difficult problem.  If it wasn’t there wouldn’t be so much debate about it. 

One last point. Lately I have been reading a lot of articles, especially by attorneys, saying things like, “it’s illegal, don’t do it, but we are the experts and we can help you.” Help you do what? If they are not willing to explore the options then there is nothing for them to do. Also, many articles lately have claimed that “attribution” is impossible. Stop it. If it were impossible no one would ever be arrested and prosecuted for hacking. It is difficult, but not impossible. So, keep an open mind, think outside the box, and have a nice day ;- ).

Posted in Security.



It's the Googles! North Korea Edition

Sophie Google's new blog post, ahem, whoops I mean to say Sophie Schmidt's new blog post on her trip to North Korea is a fantastic study in culture clash. What a great opportunity she had to travel into a country few Americans get to see.

"In the land of the blind, close one eye" — my Mother

As an aside, I don't understand why it's ok for everyone to refer to Sophie as Eric Schmidt's daughter. Must we put her in that shadow?

In comparison, have you noticed that NO ONE ever mentions that Audax Health's CEO (Grant Verstandig), a 23-year-old given $21 million to socialize healthcare, is the well-heeled son of Republican politician Lee Verstandig?

Served in the Administration of President Ronald Reagan as Assistant Secretary for Government Affairs at the Dept. of Transportation; Acting Administrator of the Environmental Protection Agency; Assistant to the President for Intergovernmental Affairs; Under Secretary at the Dept. of Housing and Urban Development; and Chief of Staff to the First Lady.

That Verstandig power and money connection seems more than just a little bit relevant, yet NO ONE ever mentions it. However, EVERYONE qualifies poor Sophie as the daughter of Eric.

The only Verstandig reference I have seen is this: "the son of two government employees".

Why the vague "son of two gov't employees" statement? I don't unverstandig.

Does the family have some reason to hide or downplay the rather obvious father-son link related to US national policy? You probably know where I'm going with this…

Kim Jong-un, the "son of a government employee"

But back to the Googles…Sophie's perspective is totally fascinating to me. She starts off boldly telling us she is sorry that we may have problems and that she's not doing anything about it:

…blame Google Sites (and this two-column structure idea of mine) for limited functionality…Apologies to folks with f'd up layouts

I could just end my blog post right here. You probably know where I'm going with this…

Kim Jong-un says "…blame my father…Apologies to folks with f'd up experiences"

That's the short version. But I can't just leave it there.

When Sophie apologizes for Google I feel better about the "limited functionality" delivered to me. In fact, I feel downright lucky to have anything at all, so I guess I will just put up with whatever I can get from them. Hey, after all it's cloud, right? You don't get to be picky…

And here really begins our journey together with her into North Korea.

While top information security professionals in the US rant about how unsafe it is to take anything into China, Sophie says she was advised to not only take her technology to China but to leave it there to keep it safe:

We left our phones and laptops behind in China, since we were warned they'd be confiscated in NK, and probably infected with lord knows what malware.

North Korea gets bashed for being so far behind, back in the dark ages, that Google is worrying about "lord knows what malware" being placed on the most advanced mobile devices? Nah, no way. More like the US would WANT the North Koreans to put some malware on a device so we can bring it home and study it.

There is little you can really do with a mobile device in North Korea, right? No connectivity means it probably wouldn't get pulled out of its bag. Hopefully it doesn't have anything sensitive on it anyway. Other than writing a blog post about how much you hate it there…what would you use it for? So it's not really a risk of infection that leads one to leave behind mobile devices in this scenario. Confiscation and/or loss of IP are the true risk. Don't bring anything you do not want to be forced to leave behind in North Korea or expose to them.

On the flip side do not leave behind in China anything you do not want read by various spies from the Americas, Europe, Middle East, and Asia who float around. After all, China does not exactly protect you from being spied on by agents of foreign countries when you are in China.

I find few people realize the ironic reality-twist that US citizens in foreign countries are spied on by US agents because protection from surveillance is reduced compared to back home; it's something to seriously consider when you're a US citizen out for a non-sanctioned and very public jaunt into North Korea.

Those devices you left in China? Potentially bugged by agents of the US, for your own good of course.

Back to the story, Sophie gives us a quick summary of how things felt…well, inauthentic:

Our trip was a mixture of highly staged encounters, tightly-orchestrated viewings and what seemed like genuine human moments.

This, in a nutshell, is the ultimate insult by American standards. To be real, to be authentic, is to achieve maximum value in our culture; an inauthentic experience is the opposite of what many of us want. That's why it's so easy to bash the hipster. How can you trust someone walking today in downtown Mountain View who dresses like an 1890s steam train engineer?

New hires at orientation, Google 2013

When I read Sophie's summary of her trip I see a giant warning shot fired across our bow:

Prepare for fake. Prepare to be disappointed. North Korea trips are full of stuff that is not real. The horror.

It was only due to the instruction/vision/guidance of Our Marshall/the Respected Leader/ Awesome-O wunderkid Kim Jong Un that we were able to successfully __________ (insert achievement here: launch a ballistic rocket, build complicated computer software, negotiate around US sanctions, etc.). Reminded me of the "We're Not Worthy" bit from Wayne's World. Just another example of the reality distortion field we routinely encountered in North Korea, just frequently enough to remind us how irrational the whole system really is.

In other words, you have to suspend disbelief if you are going to follow the story you are supposed to be watching. You want rational? Come to America.

After all we have the Kardashian phenomenon, Disneyland, and the fact that the US leads the world in total cosmetic procedures performed. Yeah! Take that you North Korean distortion fielders.

Although we Americans are quick to look at others from the outside and criticise their foolish lack of authenticity, we also love to show off with our fake and highly staged encounters, tightly-orchestrated viewings…

Nothing unusual here. Nothing staged or tightly-orchestrated. Not at all.

The difference in who can be most inauthentic and get away with it, of course, is relative to power.

Kim Jong-un, like Lance Armstrong, makes use of extraordinary power and direct influence to keep an inauthentic story running even after people stop believing and want to talk openly and express their doubts or challenge his story.

Power to shut down naysayers and disbelievers is a very real problem in political science, which I don't want to minimize here. My point is that if you realize America also has a lot of problems from inauthenticity relative to power, you are one step closer to finding the authenticity even in places that try hard to keep you from seeing it. It's a problem very, very familiar to auditors, let alone anthropologists.

Anthropologists!

Perhaps I'm being too indirect and this could go on forever, given the material Sophie provides, so let me cut to the chase.

Sophie displays a very strong cultural bias in her perspective but no awareness or caution of that bias.

Why do we need an alarm clock to wake up? Why do we need soft beds and rugs? Why do we need to heat every room of every building? What is wrong with empty spaces? Why do we need street lights? Seriously, street lights are stupid abominations of sailing codes (starboard and port, green and red) never meant for roads that give engines a wasteful and unfair advantage over other forms of transportation. We need a better system. Now tell me again how strange it is to see streets without signals for sailboats.

Here's an example of how things were said in Sophie's perspective:

My father's reaction to staying in a bugged luxury socialist guesthouse was to simply leave his door open.

And here is how they might be said if she had looked at it from a more North Korean view:

No need to lock your door. Simply leave it open. There's no crime risk.

Incidentally (pun not intended) if you've ever been to the Google campus headquarters you may know that they spent many years and a lot of money to cover the outside and inside with surveillance, and yet they STILL do not leave their doors open. Eric apparently feels safer in North Korea than within his own castle. (Full disclosure: I've been inside the Google SOC several times and it's very impressive. North Korea probably would be jealous.)

If we play her blog post from an outsiders view, in other words, it could be read like this:

America is great because it is crowded, polluted, wasteful, unhealthy, unsafe and people looked stressed/busy all the time.

Doesn't it sound strange when you use an inverse of her criticism of North Korea to describe America? With this different perspective in mind take another look at what she presents us with:

North Korea is empty, clean, efficient and people are fit, safe and have idle time.

Perhaps somewhere in between is a truly authentic experience and a hint as to why closing one eye in the land of the blind is sound advice.

Posted in Energy, Sailing, Security.


This Day in History: 1781 Battle of Cowpens

The Battle of Cowpens on this day in 1781 is recorded as a turning point in the American Revolution.

Americans were planning cautiously, dispersing into smaller units and contemplating how to minimize direct confrontations with the British. America's Continental Brigadier General Morgan knew he was being chased by professional soldiers led by a young British Lieutenant Colonel, Tarleton. The British leader had a reputation for aggressive and brutal tactics. Morgan then realized Tarleton was nearing them as the Americans approached a river at Cowpens, South Carolina. The Continental General decided it would be wiser to take a stand against the coming British there instead of being engaged as they tried to cross.

Several important factors were in play when Tarleton headed towards the resting American forces.

The British were exhausted and out of food from non-stop marching through the night and crossing rivers in the cold of winter while the Americans waited. The British were confident in their superior numbers, methods and training, while the American General set an unusual trap that reduced Tarleton's advantage from aggression (it was not only a trap for the British but also for the Americans; having no way out may have given volunteers and irregulars the confidence to stand and fight).

It was in this context that Tarleton predictably and proudly herded his men straight into the American lines. When the Americans fired and withdrew, according to their plan, the British rushed ahead in expectation of an easy victory. However, instead the British ran into additional lines of Americans and flanking movements. These new lines had been obscured by the first line's retreat. The withering fire from men standing ahead was coupled with the fact that the retreating men stopped, turned, regrouped, opened fire and charged the exhausted British.

The trained British attackers were decimated and broken. Survivors fell into disarray in the face of Americans orchestrating rearward movements, obscure defensive lines, a double envelopment and bold re-engagement.

It appeared to the British, when Howard's line fell back, that victory was at hand, and so it would have been, had the line been composed of men less inured to battle than were the Continentals of Maryland and Delaware. There was no delay or hesitation when the order to halt, face the enemy, and fire, was given, and there then occurred in a moment a scene of dumbfounded surprise, confusion, and panic seldom witnessed in battle. The outcome resulted in one of the most gloriously unexpected victories of the Revolutionary War.

Unable to regain control of his men, who were disorganized and confused by the resistance and fast becoming unwilling to fight, Tarleton tried to rally. He failed and instead just managed to escape after shooting the horse out from under Colonel William Washington.

The encounter between Tarleton and Colonel Washington, by E. Benjamin Andrews in 1895, from the Florida Center for Instructional Technology

British General Charles Cornwallis soon after consoled Tarleton. The loss of nearly 80% of their men at Cowpens was given this assessment:

…total misbehavior of the troops could alone have deprived you of the glory which was so justly your due.

Just ten months later the Revolutionary War would end with Cornwallis' surrender.

Posted in History, Security.


Are you ready for the data innovation boom?

The Economist has an interesting write-up on predicting innovation. They see things heating up specifically in manufacturing and user interfaces.

Across the board, innovations fuelled by cheap processing power are taking off. Computers are beginning to understand natural language. People are controlling video games through body movement alone—a technology that may soon find application in much of the business world. Three-dimensional printing is capable of churning out an increasingly complex array of objects, and may soon move on to human tissues and other organic material.

This analysis seems to support my guesses on why Kurzweil would join Google. Removing antiquated and disabling interfaces like the keyboard will enable more people to use more technology. Comparing the productivity of humans required to learn the qwerty keyboard with the potential of those who can use free voice and touch is a no-brainer (pun not intended).

As I thought about the Economist's analysis I started to wonder about an important element that I didn't see them mention. They focus in a usual way at present IT trends in relation to historic trends. They offer electrification as an example.

…the idea that technology-led growth must either continue unabated or steadily decline, rather than ebbing and flowing, is at odds with history. Chad Syverson of the University of Chicago points out that productivity growth during the age of electrification was lumpy. Growth was slow during a period of important electrical innovations in the late 19th and early 20th centuries; then it surged. The information-age trajectory looks pretty similar…

echoing electrification

With that in mind, the Economist then takes their analysis down the well-worn path of productivity worries in relation to obsolescence and redundancy.

…the main risk to advanced economies may not be that the pace of innovation is too slow, but that institutions have become too rigid to accommodate truly revolutionary changes.

Fair enough, technology has a disruptive force when innovation replaces labor. That brings risk and resistance. I've experienced this many times. The voice-recognition project I worked on in 1997 for a hospital was overtly said by the administration to be a way to put their transcriptionists out of work. No surprises there.

But once we move beyond a focus on the balance of labor risk, what other risks lurk ahead? I mean it is fascinating to look at how the lightbulb put American whalers (i.e. whale oil for lamps) out of business. It is even more interesting, however, to think about how inexpensive light transformed our abilities. We can see further and go faster with power.

Back to consideration of today's tech innovation boom: the part that seems to me missing in the Economist analysis is the sunshine effect of electrification. Electrification was really about innovative ways to create and use power. It shone a light, if you will, into dark areas and remote corners of opportunity. A coming boom in tech innovation led by user interfaces and manufacturing, if we pivot the Economist theory, could in fact be a boom in innovative ways to reach, create and use data. Yet the Economist analysis doesn't mention data at all!

Here is a simple example of what I mean by a pivot:

Industrialized countries are like the urban areas of electrification that saw power first and saw productivity boom at a large scale. Power eventually reached a wider area on smaller scale and created a boom in productivity and markets. Non-industrialized countries are thus like the rural areas that increasingly were able to create and use power.

More people in more areas making more data and using that data is what may really be the fuel for a boom ahead. The innovation is not only in the interfaces, although that's a crucial piece of enablement, but what so many more people will produce with those interfaces. Big data is a common phrase to capture what seems to be ahead but we could just as well call it a sunshine-like effect of datafication.

Now if I ask "are your headlights on" hopefully you might think about risk in terms of billions of people shining a bright light into darkness because they now have access to powerful data. Reduction of corruption using better data tools is the kind of innovation that really should excite economists.

Of course this puts immense pressure on the security industry. Access to vast amounts of data becomes "a one-click matter," as a GoodData developer suggested. How safe will a clicker need to be? And this new level of visibility, like brighter lights we flip on with a switch, can shift our definition of "exposure" and privacy. Recently a "near-global view of the universe of public keys" was used to easily uncover weak random number generators. Should we plan for more risk or less as we push away darkness?
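The weak-key finding mentioned above came from computing greatest common divisors across a very large collection of RSA public moduli: two keys generated with a poor random number generator can share a prime factor, and a single GCD exposes both. The following is an added illustration, not code from the original post or from the research it alludes to. It uses constructed small primes in place of real key material and a constructed "weak RNG" that reuses primes, so it runs offline; the key identifiers are placeholders. The same check is what an operator would run over their own inventory of certificates or SSH host keys to spot keys that must be reissued.

```python
from math import gcd
from itertools import combinations

# Constructed sample: small primes standing in for the large primes of real RSA keys.
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed "weak RNG" outcome: independently issued keys that reuse a prime.
# Key ids are placeholders, not real identifiers.
SAMPLE_MODULI = {
    "key-A": P1 * P2,
    "key-B": P3 * P4,
    "key-C": P1 * P5,   # shares P1 with key-A
    "key-D": P2 * P4,   # shares P2 with key-A and P4 with key-B
    "key-E": P3 * P4,   # identical modulus to key-B (e.g. a cloned device image)
}


def find_shared_factors(moduli):
    """Return {key_id: set of nontrivial factors} for every key that shares a
    prime with another key in the collection. Pairwise GCD is O(n^2); a product
    tree (batch GCD) is used for collections of millions of keys, but the idea
    is the same."""
    weak = {}
    for (id_a, n_a), (id_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if 1 < g < n_a:            # a proper common factor: both keys are factorable
            weak.setdefault(id_a, set()).add(g)
            weak.setdefault(id_b, set()).add(g)
    return weak


def find_duplicate_moduli(moduli):
    """Return {modulus: sorted key ids} for moduli that appear more than once.
    Duplicates mean several parties hold the same private key."""
    seen = {}
    for key_id, n in moduli.items():
        seen.setdefault(n, []).append(key_id)
    return {n: sorted(ids) for n, ids in seen.items() if len(ids) > 1}


def factor_from_shared(n, g):
    """Recover both primes of a modulus once one shared factor is known."""
    assert n % g == 0 and 1 < g < n, "g must be a proper factor of n"
    return tuple(sorted((g, n // g)))


def audit_keys(moduli):
    """Summarise which keys in an inventory should be revoked and regenerated."""
    shared = find_shared_factors(moduli)
    dupes = find_duplicate_moduli(moduli)
    flagged = set(shared)
    for ids in dupes.values():
        flagged.update(ids)
    return sorted(flagged)


if __name__ == "__main__":
    for key_id, factors in sorted(find_shared_factors(SAMPLE_MODULI).items()):
        n = SAMPLE_MODULI[key_id]
        print(key_id, "shares", sorted(factors), "->", factor_from_shared(n, next(iter(factors))))
    print("duplicate moduli:", find_duplicate_moduli(SAMPLE_MODULI))
    print("revoke and reissue:", audit_keys(SAMPLE_MODULI))
```

Only keys that collide with another key are affected; a modulus that shares no factor with anything in the set learns nothing from this pass, which is why the original finding needed the "near-global" view to be effective.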

Thus, to extend the Economist analysis that suggests innovation will bring better interfaces and better manufacturing tools, the real boom may come from datafication — the process of making it easier than ever to create, access and use data.

Posted in Energy, Security.


Rosasolis

by Penguin Café Orchestra

In 1972 I was in the south of France. I had eaten some bad fish and was in consequence rather ill. As I lay in bed I had a strange recurring vision, there, before me, was a concrete building like a hotel or council block. I could see into the rooms, each of which was continually scanned by an electronic eye. In the rooms were people, every one of them preoccupied. In one room a person was looking into a mirror and in another a couple were making love but lovelessly, in a third a composer was listening to music through earphones. Around him there were banks of electronic equipment. But all was silence. Like everyone in his place he had been neutralized, made gray and anonymous. The scene was for me one of ordered desolation. It was as if I were looking into a place which had no heart. Next day when I felt better, I went to the beach. As I sat there a poem came to me. It began 'I am the proprietor of the Penguin Cafe. I will tell you things at random.'

Posted in Food, Poetry, Security.


Does your company actually need a security department?

Gunnar Peterson prompted us yesterday in Dark Reading with this provocative question:

Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no

It's easy to agree with Gunnar when you read his analysis, because he offers a false dichotomy.

Standing up a choice between only awful pointless policy wonks in management and brilliant diamonds found in engineering, it's easy to make the choice he wants you to make. Choose diamonds, duh.

However, he does not explain why we should see security management as any more of a bureaucratic roadblock than any/all management, including the CEO. Review has value. Strategy has value. Sometimes.

The issue he really raises is one of business management. Reviewers have to listen to staff and work together with builders to make themselves (and therefore overall product/output) valuable. This is not a simple, let alone binary decision, and Gunnar doesn't explain how to get the best of both worlds.

A similar line of thinking can be found by looking across all lines of management. I found recent discussion of the JAL recovery for example, addressing such issues, very insightful.

Note the title of the BBC article "Beer with boss Kazuo Inamori helps Japan Airlines revival":

My simple philosophy is to make all the staff happy….not to make shareholders happy

Imagine grabbing a six-pack of beer, sitting down with engineering and talking about security strategy, performing a review together to make engineers happy. That probably would solve Gunnar's concerns, right? Mix diamonds with beer and imagine the possibilities…

Inamori had interesting things to say about management's hand in the financial crisis and risk failures in 2009, before he started the turnaround of JAL:

Top executives should manage their companies by earning reasonable profits through modesty, not arrogance, and taking care of employees, customers, business partners and all other stakeholders with a caring heart. I think it's time for corporate CEOs of the capitalist society to be seriously questioned on whether they have these necessary qualities of leadership.

Gunnar says hold infosec managers accountable. Inamori says hold all managers accountable.

Only a few years later JAL under the lead of Inamori surged ahead in profit and is now close to leading the airline industry. What did Inamori build? He reviewed, nay audited, everything in order to help others build a better company.

An interesting tangent to this issue is a shift in IT management practices precipitated by cloud. Infrastructure as a Service (IaaS) options will force some to question whether they really need administrators within their IT department. Software as a Service (SaaS) may make some ask the same of developers. Once administrators and developers are gone, where is security?

Those who choose a public cloud model, and transition away from in-house resources, now also face a question of whether they should pursue a similar option for their security department. Technical staff often wear multiple hats but that option diminishes as cloud grows in influence.

In fact, once admin and dev technical staff are augmented or supplanted by cloud, the need for a security department to manage trust may be more necessary than ever. This is how the discrete need for a security department could in fact increase where none was perceived before — security as a service is becoming an interesting new development in cloud.

Bottom line: if you care about trust, whether you use shared staff or dedicated services, dedicated staff or shared services, you most likely need security. At the same time I agree with Gunnar that bad management is bad, so perhaps a simple solution is to build the budget to allow for a "beer" method of good security management.

I recommend an Audit Ale:

This style had all but disappeared by the 1970s, but originated in the 1400s to be consumed when grades were handed out at Oxford and Cambridge universities…. At 8 percent ABV, it has helped celebrate many a good "audit" or soften the blow of a bad one.

Posted in Food, History, Security.