Tuesday, June 24, 2014

PR will be first up against the wall when the revolution comes

Forbes.com interviews leaders on "10 Ways to Fix Cybersecurity". It's useless -- in fact (as I'll demonstrate below) worse than useless.

The problem is that these leaders aren't experts, they are fluff; their technical competence extends only as far as knowing who to call in IT to turn on their computer (at least, as far as the executives go). You wouldn't ask them how to fix cybersecurity any more than you'd ask basketball fans, or even owners, how to fix the team. Instead, you ask the experts, like coaches. Steve Ballmer was the CEO of Microsoft for the last decade, but you wouldn't ask him how to fix cybersecurity any more than you'd ask him to coach the LA Clippers.

The corporate executives in this list do as media training taught them: bridge whatever question is asked to the answer you want to give.

Microsoft's big emphasis right now is on the "cloud". For $99 a year, you get a license of Microsoft Office (Word, Excel, PowerPoint, Access) for 5 members of your family, plus access to the cloud version of Office, plus 5 terabytes of cloud storage (that's right, I said terabytes). Things like their Surface tablet are designed specifically as an extension to the cloud rather than a stand alone device.

Thus, when asking Scott Charney, Microsoft's VP, how to fix cybersecurity, his answer starts with "In the world of cloud services and big data, ...". At this point in the discussion, he hasn't even finished listening to the question before he starts in with this answer. It's the same answer he gives to everything, including "would you like fries with that" or "how's my hair look?".

Likewise, the senior VP of Cisco starts his answer "Each connection in the Internet of Things...". I'll give you one guess what Cisco is pimping right now. If you guessed "Internet of Things" (IoT), then you'd be right.

I don't even know what The Chertoff Group really does, other than sell access to the government. But the CEO's answer starts with "Corporate America rarely grows 100% organically anymore. M&A is almost always involved." What? They sell cybersecurity for mergers and acquisitions? That sounds odd. Well, that's indeed what they do, front and center on their webpage.

Google has its fingers in lots of pies, of course. One of their big things is competing against Microsoft with cloud-based office applications. An enormous number of organizations tired of managing Exchange have moved to GMail as their cloud-based email solution. Thus, the answer to the question from Google is "we should have users work with a single interface, like a browser, through which they can do multiple things". In other words, stop using Microsoft Office installed on your Surface tablet; just use Google's cloud-only solution instead, using Chrome.

The Forbes post asked this question of non-corporate people as well, such as the Chair of the Federal Trade Commission. Her answer was, of course, focused on laws/regulation: "Online security for children’s information is of particular concern. The Children’s Online Privacy Protection Act gives parents the right to control the collection of personal information from their kids." She is, of course, defending COPA, a draconian law that was mostly struck down by the Supreme Court for infringing on civil rights, because children.

One of the sillier answers was from Daniel Suarez, the author of cyberpunk thrillers. His answer is "What we need is an Apollo-like national project to build a new, secure network for critical infrastructure that would use a separate protocol, proprietary hardware, dedicated fiber-optic lines and powerful encryption to eliminate all but the most elite interlopers." Of course, it's in the nature of scifi authors to think big, but the point I want to make is his use of the phrase "powerful encryption". There is no such thing. There are only two types of encryption: that which works and that which doesn't. When encryption doesn't work, your neighbor's pre-teen can break it, such as when she breaks into your WEP WiFi home router. When encryption works, not even the NSA can break it with their billions of dollars invested in supercomputers, which means Edward Snowden is safe sending email with PGP encryption. Phrases like "military grade encryption" or "powerful encryption" are just tropes you see in fiction; they don't exist in the real world. I point this out to communicate the degree of fluff in Suarez's answer.

The final example is that of Christopher Soghoian of the ACLU. You'd expect him to stand up for civil rights but he doesn't. He's less a defender of civil rights and more a garden variety left-winger, so his solution to cybersecurity is to regulate evil corporations and defend the poor consumer with a "powerful privacy and data-security regulator that can set data security rules for companies and enforce them". We are headed rapidly toward a cyber-police-state, with the right-wing exploiting fear of cyberterrorists to pass laws, and the left-wing exploiting trumped up fears of evil corporations to likewise pass even more laws restricting freedom.

The point I'm trying to show is that none of these were honest answers to Kashmir's question. All were answers designed to exploit the question in order to further their agendas.

And that's the problem with cybersecurity. The solution is to stop asking these sorts of people, and start listening to technical people.

One example is this post from Meredith Patterson, a techie, where she answers essentially the same question. Her answer is "Follow the OWASP best practices and focus on your responsibility to your customers". That's a vastly better answer than any of the above 10 answers.

But nobody is going to listen, because for one thing it's technical, and for another thing, Meredith isn't a VP or Chairwoman or a sci-fi author or a member of the ACLU. Instead, she's just a run-of-the-mill techie who knows stuff.

If the journalists want to do anything other than help public figures further their agendas, then instead of quoting those fluffs, they should be talking to techies like Meredith.

(...with apologies to Kashmir Hill, she does great stuff... it's just this particular post was appalling).

Update: Chris Soghoian has solid technical chops. I can personally attest to some of them; he's also worked in computer science, so probably has even more than I've seen. I don't mean to imply that, unlike the executives I trash, he's lacking in skill. I only mean to imply he's left-wing, and that his answer serves his political agenda.

Also, Brian Krebs, while a journalist, has direct first hand experience worth listening to in the realm of cybersecurity.

Unknown said...

I love this post very much. Please keep sharing knowledge with us.

DarkIye said...

This is the one blog I started following off the back of a HN post that actually keeps on giving. Good stuff, esp.:

"It's the same answer he gives to everything, including "would you like fries with that" or "how's my hair look?"."

Unknown said...

Didn't see you mention Brian Krebs. I kinda agree that people need to educate themselves on being more defensive online.

Anyways, love the blog. Found you because you were scanning my servers for Heartbleed a few days ago (IPS blocked it) and I wanted to see who was knocking.

Keep up the good work.

Unknown said...

Nice takedown - commented on the original article - there were a few that got it, Krebs and Singer. I think most of our security issues spring from those driving the assumption that because we build the tech, it's just a deterministic machine to us. They just can't handle the fact that we just don't have a clue what it will do next.

Unknown said...

Great post! I think the problem is, other than guys like Dave Kennedy, there are very few of us making public appearances on major news outlets. Just like getting more of us in the board room, we have to get more of us out in the public eye. But then those we might want have other things preventing them from doing this (company NDAs, government restrictions, etc...). Much of what we do in InfoSec may be directly related to what we do in our companies. So how do you make the decision to leave the trenches and become a spokesperson for the cause? Then again I do hear a number of CISO types that appear on podcasts and talk about what they did to improve things for their organization. So maybe we need to start getting the media to turn the spotlight a little. Take those who are already there and get them to name drop some other folks. Dave comes from the pen testing world but maybe he can say "hey that guy over there is an expert at securing 'The Cloud', give him a call to find out how you can keep all your i-Stuff and Surfaces secure!"

I do try to remain optimistic and maybe that is because I still consider myself new to the InfoSec world, but before all this I built networks and servers. With this current position, I have put that hat back on but now have a new outlook on how things need to be.