Cathode Tube Watch – Design Process

The Cathode Corner site has a nice writeup of the design considerations for the Nixie Watch:

As I pondered the perplexing problem of what to do with the back of the watch, I decided to study the mechanical watches I had lying around. They all seemed to have the same general design – a big turning with the strap lugs formed by punching out the material between them and from the sides of the watch. I had to approach it a bit differently, since I had an o-ring seal to get in the way of milling away material from the front. So I had the material milled from the rear. But I used the idea of turning the strap lugs, which is what gives it that watch-like look.

Although they figured out how to seal the case and make it attractive, battery life is still far below the paltry one-year that was planned. Hello, solar? What is that other wrist for anyway? Ironically it has a sensor built-in to save battery life by only displaying the time when viewed from a certain angle. Why not also generate energy from movement? This becomes a great example of how dependent a system is on energy, yet how little engineering is spent on solving the problem of input versus aesthetics.

Qualys scan changes forced by PCI Council

Qualys has sent out a notice of changes to how QualysGuard provides reports for PCI:

Within the QualysGuard Consultant interface, you will still be able to run PCI specific scans using the PCI Option Profile. You will also still be able to run PCI pass/fail reports; however, these reports will now be flagged as non-certified reports and cannot be submitted to your clients’ acquiring banks to pass PCI Compliance.

Approved Scanning Vendors (ASV) using QualysGuard are not affected if they are already using the ASV Portal. The portal gives only a Pay Per Host license with unlimited external scans instead of the Pay Per Scan. Internal scans for requirement 11.2 have to be done with another tool or a different account.

Those who are not an ASV will no longer be able to own the scanning license and can not submit reports to the PCI council for certification on behalf of a client.

Qualys says the changes are related to the new PCI Council guidelines on ASV from last March. The following differences will be seen after their new product launch next week, on August 31.

# Attestations: Customers are required to confirm on a quarterly basis that reports adhere to PCI DSS requirements for scoping, false positive documentation, and scan completeness. ASVs must then review these submissions and provide their own attestation. QualysGuard PCI will provide simple workflows to assist scan customers in providing and tracking the status of these attestations.
# Report Content Changes: The ASV Scan Report must use a new format that includes additional content, revised scoring terminology (High, Medium, and Low), and sections for attestations. QualysGuard PCI reports will incorporate all required changes.
# False Positives: Approved false positive requests must be resubmitted by the customer to the ASV for review on a quarterly basis. QualysGuard PCI workflows will provide scan customers an easy-to-use interface for viewing and resubmitting false positives.
# Scoring Changes: As a result of clarifications concerning CVSS scoring, certain QIDs have changed their compliance posture and will now cause components to fail PCI certification. The complete list of QIDs is detailed in the FAQ referenced below.

The scoring changes can be found in an appendix of their FAQ. A long list of vulnerability checks (QIDs in Qualys terms) will now carry CVSS v2 scores of 4.0 or higher, and so will fail a PCI scan.
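To make the scoring change concrete, here is an added example (not Qualys code) that computes a CVSS v2 base score from a base vector and applies the ASV rule that a finding at 4.0 or above fails; the High/Medium/Low bands (7.0+, 4.0 to 6.9, below 4.0) are the ASV program guide's as I understand them, and the sample findings are constructed, not real QIDs.

```python
import math

# CVSS v2 base-metric weights (from the CVSS v2 specification)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Conf/Integ/Avail impact

PCI_FAIL_THRESHOLD = 4.0  # ASV scans fail any finding scoring 4.0 or higher


def cvss2_base_score(vector: str) -> float:
    """Compute the CVSS v2 base score from a vector like AV:N/AC:L/Au:N/C:P/I:N/A:N."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # round half up to one decimal, as the spec does (avoid Python's banker's rounding)
    return math.floor(raw * 10 + 0.5) / 10


def pci_severity(score: float) -> str:
    """Map a CVSS v2 score onto the ASV report's High/Medium/Low terminology (assumed bands)."""
    if score >= 7.0:
        return "High"
    if score >= PCI_FAIL_THRESHOLD:
        return "Medium"
    return "Low"


def pci_posture(findings: dict) -> dict:
    """Return {finding_id: (score, severity, 'FAIL'|'PASS')} for a dict of id -> CVSS v2 vector."""
    result = {}
    for fid, vector in findings.items():
        score = cvss2_base_score(vector)
        verdict = "FAIL" if score >= PCI_FAIL_THRESHOLD else "PASS"
        result[fid] = (score, pci_severity(score), verdict)
    return result


# Constructed sample findings (hypothetical IDs, not Qualys QIDs)
SAMPLE_FINDINGS = {
    "EXAMPLE-1": "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote full compromise
    "EXAMPLE-2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",  # remote info disclosure: 5.0, now a fail
    "EXAMPLE-3": "AV:N/AC:H/Au:N/C:P/I:N/A:N",  # same, but hard to exploit: 2.6, pass
}

if __name__ == "__main__":
    for fid, row in pci_posture(SAMPLE_FINDINGS).items():
        print(fid, *row)
```

The second sample shows the kind of finding the notice is about: a plain remote information disclosure sits exactly in the Medium band and fails under the clarified scoring.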

Their most recent notice does not mention this but instead focuses on who is an ASV and the services provided — a company cannot compete directly with an ASV just by using the same software and running the same reports. The PCI Council charges a fee to become an ASV and be listed as one. The change thus seems to have come from a combination of licensing issues and quality control.

Civilians giving away too much control of US CyberSecurity?

I wrote earlier about Deputy Defense Secretary William Lynn’s political posturing for influence or control of CyberCommand in the US. I was brought back to this thought after I read an excellent opinion article in The Daily Star called “An obsession with cybersecurity is not what the US needs”:

Lynn’s proposals are provocative. But the strategy could be costly and perhaps cumbersome, and it involves threats that aren’t well understood by the public – even by many of the companies that could be targets of attacks.

Talking with Lynn, I was struck by the gap between the way defense experts see cyberspace – as a source of potentially crippling assault – and the public’s view of an internet that is a generally benign companion. Although Lynn speaks of cyberspace as a “domain” that can be protected, such as airspace, it may be closer to the oxygen we breathe.

Anyone who has been in a country ruled by a military junta knows the downsides. A perfect example of this was when I was walking down a quiet street one day and noticed a little building surrounded by plants next to a river. It was an interesting scene and I pulled out my camera to take a picture.

No more than a brief moment after my finger pressed the shutter control, three heavily armed men in camouflage emerged from the bushes yelling at me in a foreign language. I stepped back into the pedestrian traffic behind me but very quickly noticed they were headed right for me, guns now in their hands at their waists. Fortunately the crowd surrounded me and a yelling match ensued, with the civilians telling the three men to stay back.

The soldiers saw me as a threat perhaps in the same way that Lynn is going to train his staff and tell everyone about the threats facing America. I was using digital equipment so I showed the photo to the soldiers. I did not let go of my camera. They at first said they would have to confiscate my camera and worse but the crowd and I managed to convince them that there was no harm, no threat and no need to waste any more time arguing in the street, blocking everyone’s day. Resolution came when I deleted the photo so the soldiers could see they had made their influence felt. They walked away with guns back over their shoulders and the crowd dispersed.

My experience in this country was colored by the fact that it had been through several military coups. Power was influenced heavily by the presence of domestic and foreign military, both of whom had used force to impose control over the political landscape.

This is just one of many examples that show how easily a disparity can form between civilian and military perceptions of risk. This is not to discount the value of a military presence but rather to say it needs to be kept in perspective, especially given the recent record of US military threat analysis. I agree completely with the writer in the Daily Star when he says this:

In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication.

All that being said, I also remember when I crossed the border from Mexico into the United States. It was a small-town border crossing on a dusty stretch of desert. I sauntered through a small gate with my camera out in front of me. A yellow school bus was parked along a line of yellow posts in the distance. I raised the camera and pressed the button… a second later a U.S. Border Patrol officer jumped out of a box fifty feet ahead and yelled that I was breaking a Federal law of 1920 that prohibits blah, blah, blah.

I was familiar enough with US laws, unlike in the example above, to know this was nonsense and that I had done nothing wrong. Nonetheless, here was a man with a gun again telling me that my tourist photo was a clear and present threat to national security. I showed the photo but did not offer to delete it. He said delete it or he would seize the camera, which indicated to me that this was a kind of routine for him. Perhaps it was how he passed the time. I hope you can see where the story goes. This is not the mentality the US needs in an office meant to protect the country from harm. Real threats should be handled. False positives can do more harm than good. Where is the emphasis on preventing false positives?

A secure network is one that operates without interruption, just as a secure neighborhood is one with no need for military roadblocks. It is possible that the US military will consider civilian values of efficiency and freedom when it works on its new domain of “potential warfare”, but so far I have seen little evidence. Instead I see a lot of military speakers being given open forums to scare civilian crowds with threats (bad guys are at the door, don’t you want to hand over control to the military now?), and Lynn has been the rule, not the exception.

The Wired report on Operation Buckshot Yankee supports my earlier assertion that it is more hype about the threat than reality. No clear harm, no clear link to a clear threat; just a vulnerability — apparently weak security controls in the US military:

But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

Although I remain wary, at the very least I have to thank Lynn and the State Department for giving me excellent and somewhat contradictory material to add to my Top Ten Breaches presentation this October at the RSA Conference in Europe. The analysis feels very similar to my history studies when I had to make sense of the UK Foreign Office, Colonial Office and War Office fighting for control of resources at the end of WWII.