More and more often I see those experienced in technology address issues of political science. A malware reverser will speculate on terrorist motives. An expert with network traffic analysis will make guesses about organized crime operations.
When a journalist asks an expert in information security to explain the human science of an attack, such as groups and influences involved, the answers usually are quips and jabs instead of being based on science or study.
This is unfortunate because I suspect with a little reading or discussion things would improve dramatically. My impression is there is no clear guide, however, and when I raise the issue I’ve been asked to put something together. So, since I spent my undergraduate and graduate degrees on political philosophy (ethics of humanitarian intervention), perhaps I can help here in the ways that I was taught.
Let me give a clear example, which recently fell on my desk.
Say Silent Chollima One More Time
About two years ago a private company created by a wealthy businessman, using strong ties to the US government, was launched with ambitious goals to influence the world of information security investigations.
When 2013 kicked off CrowdStrike was barely known outside of inner-sanctum security circles. The stealth startup–founded by former Foundstone CEO, McAfee CTO, and co-author of the vaunted Hacking Exposed books George Kurtz–was essentially unveiled to the world at large at the RSA Security Conference in February.
Just two years after being formed, note how they describe the length of their projects, slyly claiming a start six years before existence.
Interviewer: What do you make of the FBI finding — and the president referred to it — that North Korea and North Korea alone was behind this attack?
CrowdStrike: At CrowdStrike, we absolutely agree with that. We have actually been tracking this actor. We actually call them Silent Chollima. That’s our name for this group based that is out of North Korea.
Interviewer: Say the name again.
Crowdstrike: Silent Chollima. Chollima is actually a national animal of North Korea. It’s a mythical flying horse. And we have been tracking this group since 2006.
Hold on to that mythical flying horse for a minute.
To be fair, CrowdStrike may have internally blended their own identity so much with the US government they do not realize those of us outside cringe when they blur the line between a CrowdStrike altar and our state. I think hiring many people away from the US government still does not excuse such casual use of “we” when speaking about intelligence from before the 2013 company launch.
Word use and definitions matter greatly to political scientists. I will dig in to explain why. Take a closer look at that reference to a mythological flying horse. CrowdStrike adds heavy emphasis where none is required. They want everyone to take note of what “we actually call” suspects without any sense of irony for propagandist methods.
Some of it may be just examples in insensitive or silly labeling for convenience, rather than outright propaganda designed to change minds. Here’s their “meet the adversaries” page.
Anyone else find it strange that the country of Tiger is an India? What is an India? Ok, seriously though, only Chollima gets defined? I have to look up what kind of animal an India is?
Iran (Persia) being called a Kitten and India the Tiger is surely meant as some light-hearted back-slapping comedy to lighten up the mood in CrowdStrike offices. Long nights poring over forensic material, might as well start filing with pejorative names for foreign indicators because, duh, adversaries.
Political scientists say the words used to describe a suspect before a trial heavily influence everyone’s views. An election also has this effect. Pakistan has some very interesting long-term studies of voting results from ballots for the illiterate, where candidates are assigned an icon.
Imagine a ballot where you have to choose between a chair and a kitten.
CrowdStrike makes no bones about the fact they believe someone they suspect will be considered guilty until proven innocent by others. This unsavory political philosophy comes through clearly in another interview (where they also take a moment to mention Chollima):
We haven’t seen the skeptics produce any evidence that it wasn’t North Korea, because there is pretty good technical attribution here. […] North Korea is one of the few countries that doesn’t have a real animal as a national animal. […] Which, I think, tells you a lot about the country itself.
I’ll leave the “pretty good technical attribution” statement alone here because I want to deal with that in a separate post. Let’s break the rest into two parts.
Skeptics Haven’t Produced Evidence
First, to the challenge for skeptics to produce counter-evidence, Bertrand Russell eloquently and completely destroyed such reasoning long ago. His simple celestial teapot analogy speaks for itself.
If I were to suggest that between the Earth and Mars there is a china teapot revolving about the sun in an elliptical orbit, nobody would be able to disprove my assertion provided I were careful to add that the teapot is too small to be revealed even by our most powerful telescopes. But if I were to go on to say that, since my assertion cannot be disproved, it is intolerable presumption on the part of human reason to doubt it, I should rightly be thought to be talking nonsense.
This is the danger of ignoring lessons from basic political science, let alone its deeper philosophical underpinnings; you end up an information security “thought leader” talking absolute nonsense. CrowdStrike may as well tell skeptics to produce evidence attacks aren’t from a flying horse.
The burden of proof logically and obviously remains with those who sit upon an unfalsifiable belief. As long as investigators offer statements like “we see evidence and you can’t” or “if only you could see what we see” then the burden can not easily and so negligently shift away.
Perhaps I also should bring in the proper, and sadly ironic, context to those who dismiss or silence skepticism.
Studies of North Korean politics emphasize their leaders often justify total control while denying information to the public, silencing dissent and making skepticism punishable. In an RT documentary, for example, North Korean officers happily say they must do as they are told and they would not question authority because they have only a poor and partial view; they say only their dear leader can see all the evidence.
Skepticism should not be rebuked by investigators if they desire, as scientists tend to, for challenges to help them find truth. Perhaps it is fair to say CrowdStrike takes the very opposite approach of what we often call crowd source?
Analysts within the crowd who speak out as skeptics tend to be most practiced in the art of accurate thought, precisely because caution and doubt are not dismissed. Incompleteness is embraced and examined. This is explained with recent studies. Read, for example, a new study called “Psychology of Intelligence Analysis: Drivers of Prediction Accuracy in World Politics” that highlights how and why politics alter analyst conclusions.
Analysts also operate under bureaucratic-political pressure and are tempted to respond to previous mistakes by shifting their response thresholds. They are likelier to say “signal” when recently accused of underconnecting the dots (i.e., 9/11) and to say “noise” when recently accused of overconnecting the dots (i.e., weapons of mass destruction in Iraq). Tetlock and Mellers (2011) describe this process as accountability ping-pong.
Then consider an earlier study regarding what makes people into and “superforecasters” when they are accountable to a non-political measurement.
…accountability encourages careful thinking and reduces self-serving cognitive biases. Journalists, media dons and other pundits do not face such pressures. Today’s newsprint is, famously, tomorrow’s fish-and-chip wrapping, which means that columnists—despite their big audiences—are rarely grilled about their predictions after the fact. Indeed, Dr Tetlock found that the more famous his pundits were, the worse they did.
CrowdStrike is as famous as they get, as designed from launch. Do they have any non-political, measured accountability?
Along with being skeptical, analysts sometimes are faulted for being grouchy. It turns out in other studies that people in bad moods remember more detail in investigations and provide more accurate facts, because they are skeptical. The next time you want to tell an analyst to brighten up, think about the harm to the quality of their work.
Be skeptical if you want to find the right answers in complex problems.
A Country Without a Real Animal
Second, going back to the interview statement by CrowdStrike, “one of the few countries” without “a real animal as a national animal” is factually easy to confirm. It seems most obviously false.
With a touch of my finger I find mythical national animals used in England, Scotland, Bhutan, China, Greece, Hungary, Indonesia, Iran, Portugal, Russia, Turkey, Vietnam…and the list goes on.
Even if I try to put myself in the shoes of someone making this claim I find it impossible to see how use of national mythology could seem distinctly North Korean to anyone from anywhere else. It almost makes me laugh when I think this is a North Korean argument for false pride: “only we have a mythological national animal”.
The reverse also is awkward. Does anyone really vouch for a lack of a national animal for this territory? In those mythical eight years of CrowdStrike surveillance (or in real time, two years) did anyone notice, for example, some Plestiodon coreensis stamps or the animation starring Sciurus vulgaris and Martes zibellina?
And then, right off the top of my head I think of national mythology frequently used in Russia (two-headed monster) and England (monster being killed):
And then the Houston Astros playing the Colorado Rockies pop into my head. Are we really supposed to cheer for a mythical mountain beast, some kind of anthropomorphic purple triceratops, or is it better to follow the commands of a green space alien with antennae? But I digress.
At this point I am unsure whether to go on to the second half of the CrowdStrke statement. Someone who says national mythical animals are unique to North Korea is in no position to assert it “tells you a lot about the country itself”.
Putting myself again in their shoes, CrowdStrike may think they convey “fools in North Korea have false aspirations; people there should be more skeptical”.
Unfortunately the false uniqueness claim makes it hard to unravel who the fools really are. A little skepticism would have helped CrowdStrike realize mythology is universal, even at the national level. So what do we really learn when a nation has evidence of mythology?
In my 2012 Big Data Security presentations I touched on this briefly. I spoke to risks of over-confidence and belief in data that may undermine further analytic integrity. My example was the Griffin, a mythological animal (used by the Republic of Genoa, not to mention Greece and England).
Recent work by an archeologist suggests these legendary monsters were a creative interpretation by Gobi nomads of Protocerotops bones. Found during gold prospecting the unfamiliar bones turned into stories told to those they traded with, which spread further until many people were using Griffins in their architecture and crests.
Ok, so really mythology tells us that people everywhere are creative and imaginative with minds open to possibilities. People are dreamers and have aspirations. People stretch the truth and often make mistakes. The question is whether at some point a legend becomes hard or impossible to disprove.
A flying horse could symbolize North Koreans are fooled by shadows, or believe in legends, but who among us is not guilty of creativity to some degree? Creativity is the balance to skepticism and helps open the mind to possibilities not yet known or seen. It is not unique to any state but rather essential to the human pursuit of truth.
Be creative if you want to find the right answers in complex problems.
Intelligence and expertise in security, as you can see, does not automatically transfer to a foundation for sound political scientific thought. Scientists often barb each other about who has more difficult challenges to overcome, yet there are real challenges in everything.
I think it important to emphasize here that understanding human behavior is very different skill. Not a lessor skill, a different one. XKCD illustrates how a false or reverse-confidence test is often administered:
Being the best brain surgeon does not automatically make someone an expert in writing laws any more than a political scientist would be an expert at cutting into your skull.
Basic skills in everything can be used to test for fraud (imposter exams) while the patience in more nebulous and open advanced thinking in every field can be abused. Multiplication tables for math need not be memorized because you can look them up to find true/false. So too with facts in political science, as I illustrated with mythology and symbolism for states. Quick, what’s your state animal?
Perhaps it is best said there are two modes to everything: things that are trivial and things that are not yet understood. The latter is what people mean when they say they have found something “sophisticated”.
There really are many good reasons for technical experts to quickly bone up on the long and detailed history of human science. Not least of them is to cut down propaganda and shadows, move beyond the flying horses, and uncover the best answers.
The examples I used above are very specific to current events in order to clarify what a problem looks like. Hopefully you see a problem to be solved and now are wondering how to avoid a similar mistake. If so, now I will try to briefly suggest ways to approach questions of political science: be skeptical, be creative. Some might say leave it to the professionals, the counter-intelligence experts. I say never stop trying. Do what you love and keep doing it.
Achieving a baseline to parse how power is handled should be an immediate measurable goal. Can you take an environment, parse who the actors are, what groups they affiliate with and their relationships? Perhaps you see already the convenient parallels to role based access or key distribution projects.
Aside from just being a well-rounded thinker, learning political science means developing powerful analytic tools that quickly and accurately capture and explain how power works.
Power is the essence of political thought. The science of politics deals with understanding systems of governing, regulating power, of groups. Political thinking is everywhere, and has been forever, from the smallest group to the largest. Many different forms are possible. Both the framework of the organization and leadership can vary greatly.
Some teach mainly about relationships between states, because states historically have been a foundation to generation of power. This is problematic as old concepts grow older, especially in IT, given that no single agreed-upon definition of “state” yet exists.
Could users of a service ever be considered a state? Google might be the most vociferously and openly opposed to our old definitions of state. While some corporations engage with states and believe in collaboration with public services, Google appears to define state as an irrelevant localized tax hindering their global ambitions.
A major setback to this definition came when an intruder was detected moving about Google’s state-less global flat network to perpetrate IP theft. Google believed China was to blame and went to the US government for services; only too late the heads of Google realized state-level protection without a state affiliation could prove impossible. Here is a perfect example of Google engineering anti-state theory full of dangerous presumptions that court security disaster
A state is arguably made up of people, who govern through representation of their wants and needs. Google sees benefits in taking all the power and owing nothing in return, doing as they please because they know best. An engineer that studied political science might quickly realize that removing ability for people to represent themselves as a state, forced to bend at the whim of a corporation, would be a reversal in fortune rather than progress.
It is thus very exciting to think how today technology can impact definitions for group membership and the boundaries of power. Take a look at an old dichotomy between nomadic and pastoral groups. Some travel often, others stay put. Now we look around and see basic technology concepts like remote management and virtual environments forcing a rethink of who belongs to what and where they really are at any moment in time.
Perhaps you remember how Amazon wanted to provide cloud services to the US government under ITAR requirements?
Amazon Web Services’ GovCloud puts federal data behind remote lock and key
The question of maintaining “state” information was raised because ITAR protects US secrets by requiring only citizens have access. Rather than fix the inability for their cloud to provide security at the required level, a dedicated private datacenter was created where only US citizens had keys. Physical separation. A more forward-thinking solution would have been to develop encryption and identity management solutions that avoided breaking up the cloud, while still complying with requirements.
This problem came up again in reverse when Microsoft was told by the US government to hand over data in Ireland. Had Microsoft built a private-key solution, linked to the national identity of users, they could have demonstrated an actual lack of access to that data. Instead you find Microsoft boasting to the public that state boundaries have been erased, your data moves with you wherever you go, while telling the US government that data in Ireland can’t be accessed.
Being stateful is not just a firewall concern, it really has roots in political science.
An Ominous Test
Does the idea of someone moving freely scare you more or a person who digs in for the long haul and claims proof of boundary violations where you see none?
Whereas territory used to be an essential characteristic of a state, today we wonder what membership and presence means when someone can remain always connected, not to mention their ability to roam within overlapping groups. Boundaries may form around nomads who carry their farms with them (i.e. playing FarmVille) and of course pastoralism changes when it moves freely without losing control (i.e. remote management of a Data Center).
Technology is fundamentally altering the things we used to rely upon to manage power. On the one hand this is of course a good thing. Survivability is an aim of security, reducing the impact of disaster by making our data more easily spread around and preserved. On the other hand this great benefit also poses a challenge to security. Confidentiality is another aim of security, controlling the spread of data and limiting preservation to reduce exposure. If I can move 31TB/hr (recent estimate) to protect data from being destroyed it also becomes harder to stop giant ex-filtration of data.
From an information security professional’s view the two sides tend to be played out in different types of power and groups. We rarely, if ever, see a backup expert in the same room as a web application security expert. Yet really it’s a sort of complicated balance that rests on top of trust and relationships, the sort of thing political scientists love to study.
With that in mind, notice how Listverse plays to popular fears with a top ten “Ominous State-Sponsored Hacker Group” article. See if you now, thinking about a balance of power between groups, can find flaws in their representation of security threats.
It is a great study. Here are a few questions that may help:
- Why would someone use “ominous” to qualify “state-sponsored” unless there also exist non-ominous state-sponsored hacker groups?
- Are there ominous hacker groups that lack state support? If so, could they out-compete state-sponsored ones? Why or why not? Could there be multiple-affiliations, such that hackers could be sponsored across states or switch states without detection?
- What is the political relationship, the power balance, between those with a target surface that gives them power (potentially running insecure systems) and those who can more efficiently generate power to point out flaws?
- How do our own political views affect our definitions and what we study?
I would love to keep going yet I fear this would strain too far the TL;DR intent of the post. Hopefully I have helped introduce someone, anyone (hi mom!), to the increasing need for combined practice in political science and information security. This is a massive topic and perhaps if there is interest I will build a more formal presentation with greater detail and examples.
Updated 19 January: added “The Psychology of Intelligence Analysis” citation and excerpt.