US discusses authorizing cyber attacks outside “war zone”

In a nutshell, traditional definitions of war linked to kinetic action and physical space are being framed as overly restrictive given a desire by some to engage in offensive attacks online. The head of NSA is asking whether reducing that link and authorizing cyber attack within a new definition of “war” would affect the “comfort” of those holding responsibility.

“[On offense] the area where I think we still need to get a little more speed and agility — and as Mr. Rapuano indicated it is an area that is currently under review right now — what is the level of comfort in applying those capabilities outside designated areas of hostility,” Rogers asked out loud.

“I don’t believe anyone should grant Cyber Command or Adm. Rogers a blank ticket to do whatever you want, that is not appropriate. The part I am trying to figure out is what is the appropriate balance to ensure the broader set of stakeholders have a voice.”

Rapuano also referenced challenges associated with defining “war” in the context of cyber, which can be borderless due to the interconnected nature of the internet.

“In a domain that is so novel in many respects, and for which we do not have the empirical data and experience associated with military operations per say particularly outside areas of conflict, there are some relatively ambiguous areas around ‘well what constitutes traditional military activities,'” said Rapuano. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs; so that’s an area we’re looking at to understand the trades and implications of changing the current definition.”

While I enjoy people characterizing the cyber domain as novel and border-less, let’s not kid ourselves too much. The Internet has far more borders and controls established, let alone a capability to deploy more at speed, given they are primarily software based. I can deploy over 40,000 new domains with high walls in 24 hours and there’s simply no way to leverage borders as effectively in a physical world.

Even more to the point I can distribute keys to access in such a way that it spans authorities and bureaucratically slows any attempts to break in, thus raising a far stronger multi-jurisdictional border to entry than any physical crossing.

We do ourselves no favors pretending technology is always weaker, disallowing for the prospect of a shift to stronger boundaries of less cost, and forgetting that Internet engineering is not so much truly novel as a revision of prior attempts in history (e.g. evolution of transit systems).

My recent talk at AppSecCali for example points out how barbed wire combined with repeating rifles established borders faster and more effectively than the far more “physical” barriers that came before. Now imagine someone in the 1800s calling a giant field with barbed wire border-less because it was harder for them to see in the same context as a river or mountain…

Lessons in Secrets Management from a Navy SEAL

Good insights from these two paragraphs about the retired Rear Admiral Losey saga:

Speaking under oath inside the Naval Base San Diego courtroom, Little said that Losey was so scared of being recorded or followed that when the session wrapped up, the SEAL told the Navy investigator to leave first, so he couldn’t identify the car he drove or trace a path back to his home.

[…]

…he retaliated against subordinates during a crusade to find the person who turned him in for minor travel expense violations.

Holding Facebook Executives Responsible for Crimes

Interesting write-up on Vox about the political science of Facebook, and how it has been designed to avoid governance and accountability:

…Zuckerberg claims that precisely because he’s not responsible to shareholders, he is able instead to answer his higher responsibility to “the community.”

And he’s very clear, as he says in interview after interview and hearing after hearing, that he takes this responsibility very seriously and is very sorry for having violated it. Just as he’s been sorry ever since he was a first-year college student. But he’s never actually been held responsible.

I touched on this in my RSA presentation about driverless cars several years ago. My take was the Facebook management is a regression of many centuries (pre-Magna Carta). Their primitive risk control concepts, and executive team opposition to modern governance, puts us all on a path of global catastrophe from automation systems, akin to the Cuban Missile Crisis.

I called it “Dar-Win or Lose: The Anthropology of Security Evolution

It is not one of my most watched videos, that’s for certain.

It seems like talks over the years where I frame code as poetry, with AI security failures like an ugly performance, I garner far more attention. If the language all programmers know best is profanity, who will teach their machines manners?

Meanwhile, my references to human behavior science to describe machine learning security, such as this one about anthropology, fly below radar (pun intended).

Supply Chain Accountability: Will There Be a Cyber Toyota War?

Back in 2015 there was some serious consideration of why Toyota were so often used by terrorist groups that the US considered their enemy. Here’s some manufacturers-gonna’-manufacture rationalization:

All of this is to show that any sort of dark alliance between Toyota and the Islamic State is completely specious. The Toyota happens to be the vehicle with the greatest utility; the color of the pickup truck is driven by Asian tastes and the fact that desert heat dictates that white cars are simply more comfortable than black ones; and that Toyota trucks are driven by ISIS is dictated more by the sheer numbers produced and a reputation for quality than some nefarious plot by a well-respected Japanese automaker to supply a terroristic organization.

Simply put: It’s practically guaranteed that any paramilitary force in the Middle East will standardize on white Toyota pickup trucks.

It’s not an unreasonable argument to make. My main quibble with that article is it says nothing about Chad. If you’re going to talk about Toyota at war, you have to at least make mention of the US role with Toyota pickups sent into battle January 2, 1987:

…no one would have ever guessed that the Toyota pickup truck would come to play an important role in warfare history. This is the little-known story of how an army comprising 400 Toyota pickups outgunned, outsmarted, and outmaneuvered a superior force equipped with tanks and aircraft.

[…]

In the brutal engagement with 1,200 Libyan soldiers and 400 members of the Democratic Revolutionary Council militia, the Chadian army and its Toyota pickups made mincemeat of the Libyan stronghold in Fada. At the end of the day, the Libyan armored brigade in Fada had lost 784 soldiers, 92 T-55 battle tanks, and 33 BMP-1 infantry fighting vehicles.

Chadian losses, on the other hand, were minimal: 18 soldiers and 3 Toyota pickup trucks. January 3 and 4 saw the Libyan Air Force try to annihilate the Chadian soldiers and their trucks, but all bombing attempts failed thanks to the outstanding mobility of the Toyota Hilux.

Ok so let’s be frank. It is preposterous to say no one would have ever guessed superior technology would come to play an important role in warfare history. That is literally what happens in every major conflict. Warriors don’t ignore advantages. So there’s a very good argument against that perspective up top, which is that Toyota have for many decades been supplying exactly the technology desired in warfare, and watching the global purchases turn into military purposes.

“Don’t worry about morality or transport my tyrannical friend Habre, we’re flying Toyotas in tonight on a C-130 so you can commit crimes against humanity”.

Whether Toyota can or should stop product flow somewhere along the route is another story. Consider for example that their pickup trucks get assembled in San Antonio, Texas and Baja California, Mexico. Hyundai converted into VBIED were said to have been the result of a local manufacturing plant simply overrun by military forces. The difficulty controlling Toyota’s supply chain is further demonstrated by American companies who lately have been boasting of re-directing Toyota machines straight into warfare:

Battelle, an applied sciences and technology company based in Columbus, Ohio has put out a video explaining how it turns ordinary vehicles into extraordinary ones. According to the company, it’s been creating what it calls “non-standard commercial vehicles” since 2004. Battelle sources Toyota HiLux pickup trucks and Land Cruiser sport utility vehicles, as well as Ford Ranger pickups as a baseline to create their “non-standard” vehicles.

Non-standard sounds far better than dark alliance or nefarious plot, I have to admit. Ultimately, though, it comes backs to Toyota being on top of its total supply chain and helping investigate use cases of their supply that violates law or its values.

On the one hand releasing product into the wild (e.g. right to repair) creates freedom from corporate control, on the other hand corporations have duty to reduce harms that result from their creations. Balance between those two ends is best, as history tells us it’s never going to be perfect on either end of the spectrum.

See also: “[Recipient of President Reagan’s product shipments] sentenced to life for war crimes

“As a country committed to the respect for human rights and the pursuit of justice, this is also an opportunity for the United States to reflect on, and learn from, our own connection with past events in Chad,” [Secretary of State Kerry] said, apparently referring to U.S. support for Habre in the 1980s to help assuage the influence of Libya’s Moammar Gadhafi.