It’s basically a 6-page FAQ I put together introducing some of the main concepts involved in national critical infrastructure cyber security. I wrote it because, sitting on a panel about CIKR tomorrow at B-Sides DC, I realized most normal security or hacker folks are probably completely unaware of the space!
As I look
from this god’s eye view
I can feel the tides that pull at you
that tease your skin
the way they make you run
and crawl a million years
Angles fraught in silence
kisses on the edge of violence
weeping copper tears
delicate wrought past tense
I can feel the tides that pull at you
that break your bones
the way they leave you jagged
sharp to cut men open
As we fall
From this god’s eye view
-Me (Written on the way to Defcon/Vegas flying over the desert)
Please find, linked here, a VERY preliminary draft of the “Model” component of my “MVC Approach Based Cyber Security Framework” (informally and with tongue firmly in cheek titled “#NISTCSF-BSIDES” as well).
Everyone, I’ve been working on these ideas for a very long time, but I have not yet had time to write up the possibly 50 pages of justifications, explanations, and experience that have driven this, or the many ways it provides specific value and solves specific real-world problems I’ve encountered.
But, in the interest of time – and to keep perfection from getting in the way of good – I thought it was worth throwing out to you all to see what you think without all of that supporting material. It’s worth noting that I’m intending here to provide a base model for a complete framework and that there are at least two levels (equivalent coding concepts of controllers and views) that should be based on this that would actually be what end-users of the framework see and use.
Frankly, I’m almost relieved to finally have something this coherent on paper, even if it might never be finished. I hope it ends up being useful, though. I only ask that if you find it so, please engage me so that (at least) I can convey much of the other support concepts that are not yet represented.
Take a look and let me know? Even if you think it’s dumb. :)
(In this post, I make many assertions which may or may not be correct according to the strict letter of the law or history – I am neither a lawyer nor a historian. However, I believe what I’m saying is true based on observation and in actual effect.)
Over the past few months I’ve had something on my mind that I think is *critical* to our nation and our community: “the applicability of our second amendment to cybersecurity and the need to protect our associated rights”.
My initial thought process was kicked off by recent community churn around topics such as…
- Foreign repressive regimes and the use of cybersecurity and hacking tools to protect speech, and those governments’ physical response
- The increasing role of DDoS tools in interrupting actual business operations
- Cyber War
- Hacking Back
- The roles and responsibility conflict between government, industry, and citizens for cyber security
…in combination with recent mass shootings, the subsequent push for gun control, and the resulting increased debates around the second amendment.
I’ve been forced to ask myself: “Wait, cyber tools are *clearly* weapons too. What are the implications of the intersection between ‘gun control’ and ‘cyber security’?”
After a lot of thought, I’ve come to the conclusion that the implications are *many* and timely. However, even so, I’ve had several discussions with people I trust about my feelings here and I didn’t generally get much traction on the subject.
Now, though, with the recent NSA news alongside an announcement that some Air Force tools are being classified as “weapons”, the topic has come up again – specifically in the form of a tweet from @Jack Daniel:
The Second Amendment should apply to cyber arms, for the same reasons it protects guns.
I started this blog post a couple of weeks ago but didn’t finish it. Given JD’s tweet and recent events, it’s time to finish it:
APPLICABILITY OF SECOND AMENDMENT TO CYBER SECURITY?
The Second Amendment says arms, not guns. Look up “arms” and the definition is basically “weapons”. The two pertinent definitions of weapons are “A means used to defend against or defeat another.” and “An instrument of attack or defense in combat”. Hmm. I don’t know what the legal definitions are, but I would have to be trying *really* hard to *not* classify some cyber security tools as weapons using these definitions. So let’s substitute words:
“A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear CYBER SECURITY TOOLS, shall not be infringed.”
(As an aside, is Anonymous a militia? Obviously not a well-regulated one, but as we go down this path, what IS a militia? The question should be answered.)
SECOND AMENDMENT ROLE – OPINION
First, my opinion is that the entire Bill of Rights, taken together, creates the necessary liberties for a free state to operate effectively. They are not arbitrary rights declared to make us feel better. Instead, they allow us as citizens to operate our government – which *is* a machine in that it’s a system with discrete inputs, outputs, rules, interfaces, and behaviors – most effectively. The government should not operate itself – it’s not designed to and will eventually, as a machine, devolve into chaos if it’s left to operate itself. We, the people, operate it and we must have certain freedoms to do so. If you do not believe this, please talk to me offline – the entire treatment of my opinion on this is too long for this post.
Given that, in my opinion one of the “roles in effect” of the second amendment is to protect the other amendments and the first in particular. The idea that citizens – the people – are in charge of the government rapidly becomes a fiction if they do not have the right to defend those rights – specifically defending the idea of a government “by for and of the people”. In other words, the second amendment codifies the idea that we are the nexus of power in the U.S., not our government. Whether or not times have changed enough that this is no longer true in effect when it comes to “guns”, the point has not changed and our move to a significantly online culture has given the meaning a completely new but valid context.
Without this principle – that individuals are the source of government power – and the ability to back it up, the people in a “democratic” society become, over time, subject to the benevolence of those they vote into office… This is a factual statement and has nothing to do with the intent of those voted in.
Further, over time the benevolence, not being enforced by any real rules, becomes one of circumstantial convention, subject to change depending on the external environment. This is where the U.S. government (i.e., “us” through our voting habits) seems to be going.
We see more and more, particularly in the recent news, that the U.S. government is deciding what to do, but not asking us directly.
Maybe what’s going on lately is legal, but there are real questions as to whether
- These changes meet the spirit and intent of the Bill of Rights, or whether they’re only legal by technicality
- These changes erode the self-supporting structure of rights that keeps our society legally – vs. only benevolently – free.
Perhaps, in the end, we do need to live with less freedom, but I think that at the very least we, the people, should be invited to participate in a discussion on matters of such weight instead of simply being told “it’s for our own good”.
CYBER SECURITY TOOLS IN PARTICULAR
This brings me to my core assertion: as we move to an online culture, the 2nd amendment is as important as, or more important than, it has ever been to our way of life.
Why? Well, in terms of “guns”, many have rightfully pointed out that armed conflict with the U.S. government is neither legal, nor needed, nor desired, nor even practical. I obviously agree. I am no revolutionary.
The framers of the constitution made freedom of speech the first amendment – not the 2nd, 5th, or 10th. Why? Because all of the others depend on it. Look around the world. What happens first in repressive dictatorial regimes? Speech is restricted. Why? By restricting freedom to speak and freedom to assemble, those governments deal significant blows to their people’s ability to be a coherent force for any kind of change – whether peaceful or otherwise. Even here, any politician or marketing expert will tell you – control the message.
Let’s ask ourselves some questions:
- In today’s world, where do we communicate? Online.
- If we lose our freedom to communicate, where will it be restricted? Online.
- How do we protect our ability to communicate freely online? Encryption & Other Security Tools
- Is the government creating backdoors and collecting massive communications of everyone in the country online? Yes
- Have they asked us? No.
- Have they asked to backdoor encryption? Yes
- Has the government tried to argue that in some cases, encryption may constitute munitions? Yes
- Have other cyber tools been classified as arms? Apparently, yes. (See Jack Daniel’s post.)
- Is there the widespread (if not universal) belief that “arms” is a general right of “the people” assigned to organized government-run militias and not individuals and so can be controlled? Yes
- Has the government, the media, and industry been talking up cyber war? Yes
- Have Anonymous and other organizations within the U.S. created an environment of conflict online within the U.S.? Yes
Seriously, do I need to ask more questions or spell out what the answers mean together? It doesn’t take a rocket scientist, a crazy right wing nutcase, or a naive college progressive to see where this is going.
In my opinion, if you are in cyber security, if you are a hacker, or if you are a communicator, you are one of a small cadre of people who can see what’s going on and intelligently respond – through education, campaigning, or finding other peaceful ways to assure that our ability to communicate online safely and securely is not taken away passively through our own inaction.
If we are unhappy with the way the world looks in 10 years, it will be our own fault.
(This post is significantly “Draft”. I’m just out of time to edit it more and I figured “sooner” was better than “later”)
As many of you know, I attended NIST’s first “working” workshop to develop a National Cyber Security Framework (CSF) last week. This post is more of my own critique/comments on the process than a summary, but I’ve included some structural commentary as well below.
So, first things first: thank you NIST, facilitators, participants, and the White House. This is a huge opportunity for us all to get our “stuff” together on a very short timeline in a process that has more than its fair share of detractors. The fact that so many (400+? What was the final total?) came together to work is impressive and encouraging. I’m happy and honored to be able to provide my $0.02 (OK, I do keep hijacking the #nistcsf hashtag, so maybe $0.04).
NIST: National Institute of Standards and Technology, part of the Department of Commerce; a solid organization that does good work. Anyone experienced with their products can see why the White House tasked them with facilitating the development of a National Cyber Security Framework (CSF). They are good at getting people together, soliciting input, and putting it all together nicely. Unfortunately, what I am not sure they are good at is what is needed most – the ability to break new ground. (Although I’m happy to be wrong here, I haven’t seen it myself. Correct me if I’m mistaken?) It’s built into the name… the word “Standards” implies something proven, known, and defensible. The (collective) cyber security disciplines, however, are still the antithesis of those. We have yet to regularly build secure systems, and so I fear that an organization looking for *effective* “standards” in this area at this time may be set up for failure. Still, there is time.
Workshop Mechanics: NIST handled the mechanics of gathering input nicely. We were organized into 8 groups of people who rotated (in the same groups, in order to encourage consistent dialogue) through 4 different topical tracks (derived from RFI responses) over the course of three days. The tracks were (and I’m summarizing): Threat Management & Info Sharing, Maturing Cyber Security, the Business of Cyber Security, and Cyber Security Dependencies & Resiliencies. The facilitators (including Bruce Potter from the Shmoo Group) by and large did a good job eliciting input from us, even though they had only been engaged a short time before the workshop and did not all have experience in the national critical infrastructure dialogue. The real limiting factor from a facilitation standpoint was not the facilitators, but NIST’s philosophical process approach to meeting the executive order’s requirements.
Workshop Philosophy: Early on, I (and others) were critical of a “lack of rails” provided to participants to structure the dialogue (and I still am, but I’ll hit that later), but I spent some time talking to both facilitators and NIST staff and feel more comfortable that I understand what they are doing and why. Their perspective is that they need to gather all the “pieces” of the puzzle from industry first without applying any inherent structure and then, in later workshops, analyze all of those pieces to find any useful underlying structure or concepts in the data, apply those to the framework, and then fill in the meat. In many situations this is a good idea, and I understand why they are doing it. The biggest takeaway here is that NIST thinks we shouldn’t get too bent out of shape by, or read too much into, the questions being (or not being) asked at this stage. The insight, creativity, and thinking will come later (according to them). In other words, if you think (as Russ Thomas also does): “Clearly, most ppl running #NISTCSF process don’t see innovation as essential. Their focus is curating ‘best practice’”, then you are right at this moment in time… but perhaps also wrong in the long term.
Workshop Participants: Everyone-ish. Heavy on electric, industry association, academia, and vendor perspectives though. Low representation from other sectors. I’m wondering if (really, can someone answer this?) all the other sectors are busy supporting DHS Executive Order work like the CIIDWG (Critical Infrastructure Identification Working Group) instead of the NIST Framework process. I’m not sure why they would – the efforts are complementary – or why electric chose to show up – but there were clear biases in industry. Is NERC handling the other EO work on behalf of electric and so the only way for asset owners to get involved in the process is via the framework? I don’t know.
Suggestion for NIST: Add a “class” ahead of the next one so that everyone participating has the same background in what’s going on. Everyone came into this from wildly different backgrounds on “critical infrastructure protection” and it took a long time to normalize them (which never actually completely happened).
Process Observations: The process went “ok”. The main observations I have are related and center around dialogue maturity. First, the same issues were brought up in every single track – whatever the topic. This denotes the participants’ fundamental lack of a structured, coherent model of the problem space in their minds. The dialogue did *improve* over the three days as people (including myself) got their hot topics “off their chests” and began to really think about what they were being asked. But, in my mind, without appropriate structural/conceptual rails, it would take *months* of this before a group this large got past their pre-conceptions and tribal knowledge and actually got down to truly productive “thinking”. I understand why NIST did what they did, but I think time will show it to have been a mistake.
Observations On & Suggestions For Content: For the most part, responses hit a ton of different topics and I think it’s out of scope for me to comment too much on the actual discussions. Others – and obviously NIST – will do a better job of that than I would. However, I thought three items were of interest:
1. “Lensing”: For those of you who have seen my SOURCE Boston 2013 presentation from a month ago, you’ll be familiar with the concept of “lensing” cyber security into focus for different audiences. I had never heard of or used the term before until Ms. Jen Giroux and I talked about it. What I found interesting was that the term was used by NIST staff to describe how, at the end of the process, there would not be some final product as much as a bunch of information “lensed” for different audiences. Maybe it’s just coincidence, but maybe all my mouthing off has had some positive impacts. :) Hope so.
2. “Reasoning Tools vs Standards”: Is the framework going to just have static standards and controls, or will it provide reasoning tools (or be a reasoning tool) to help “make things better”? There was no clear answer and dialogue seemed to suggest a little of both.
3. “Defend vs Improve”: Few participants or facilitators seemed to talk much about changing the strategic relationship between defenders and attackers. There was little acknowledgement that simply “defending” against the bad guys will result in ultimate failure – a) they will simply out-resource us, and b) as we add complexity, unless we improve processes, we will make more and more mistakes implementing security.
That said, and in support of the lensing idea, I suggest something similar to the following diagram be used in the upcoming feedback evaluation process to help organize answers:
Short Topical Notes:
1. Several participants brought up “Control Systems vs IT” and asked if “ICS will be covered”: Of course the NISTCSF will deal with control systems issues. :) It’s being developed (among other things) in support of the executive order’s outcome-based perspective on cybersecurity (which, also of course, would naturally consider control systems since their failure tends to create significantly bad outcomes). The level in the security stack at which both the EO and the CSF operate is higher than the level at which the distinctions between IT and ICS happen, and so they are inclusive of both without the need to distinguish between the two in policy statements.
2. Several people also wanted to limit dialogue to “cyber only” and ignore “business” or other non-core cyber considerations completely. I think these suggestions show an unfortunately poor grasp of the problem space; there is no such thing as “cyber security only”, and our core failings have been in the broader set of activities beyond core cyber.
3. Lots of people said “lexicon”. Lexicon is only a component of what we need: A class-level Ontology. Think of an ontology in this sense as a high level set of relationships between concepts that fit together to define what we mean by cyber security. A lexicon contains the words and definitions we use to implement that ontology in real life.
Summary: Good Process, Missing several key concepts (from participant input and facilitation), I hope they get included later.
Poor Problem Identification, A Boats vs Airplanes Parable: A community agrees that they need to travel across the ocean better than they have been. They’re experienced in building boats, but they feel they need to do better because many boats sink and there is an overall feeling that they’re too slow. So, they get all the boat builders together, lay out all of the best practices, and then try and figure out how to build the best boat possible. Unfortunately, at the outset, they did not identify “too slow” as being “more than 24 hours” – there’s no way a boat will *ever* cross an ocean that fast. Unfortunately, the best solution – heavier than air flight – is not well known. Few in the community are aware of the concept and all of the questions being asked center around boat-building any way. Their efforts are doomed to fail – no one will ever be happy with a boat – but they don’t know it. If instead, however, the community had realized that the existing models – no matter how well perfected – would never meet their requirements, perhaps they would have gotten the boat builders together and provided some rails: “A boat won’t work, we have to get people safely across the ocean in less than 24 hours, but here’s how flight works – apply the same problem solving skills you’ve developed as boat builders to the problem of building aircraft.” But they didn’t. This is how I feel the NIST Framework process is proceeding. We are strategically approaching cyber security “wrong” and continued use of current models will assure that the bad guys will continue to retain the advantage.
Parable Applied: Conceptually, I like the idea of gathering everyone’s thoughts, laying them out, seeing what the relationships are, and then identifying good framework components and structures. The problem here is that over and over again I’ve seen – while helping to shape government perspectives on cyber security, working with an entire sub-sector at once on cyber risk management as a fed and later as a facilitator, and trying to sort out industry confusion on other cyber topics – that our haphazard models for security are neither well understood nor particularly effective. Everyone knows what a saw does, a hammer does, a screwdriver does, but no one has *ever* defined what a boat is, and even then, what we really need is an airplane. The boats we’re building – even the best of them – keep sinking and are too slow. As NIST goes out and gathers data, I hope they realize that the patterns they’re looking for probably don’t exist yet and that any framework stemming from current best practices will only exacerbate the problem, not make it better. This is because if we spend all of our time, resources, and good will trying to build a better boat, there will be little left later for the airplane we need. Making boats flight-worthy (as opposed to airplanes sea-worthy) is very, very expensive and hard.
Parable Plus Scale: I’ve also noticed very little emphasis on the problem of “sustainability over time”, which is a large issue when dealing with current levels of scale and increasing complexity. What I mean here is that many (most?) folks (not all) seem to think in terms of “fixing things now”. Many seem to believe that we just need to get everyone up to a certain level of security *now* and we can go from there. The philosophy of “fixing it now”, though, is actually one of our most serious vulnerabilities. “Fixing it now”, in our current environments, takes a *huge* amount of time, resources, marketing, commitment, thinking, etc. (for organizations or the nation, depending on scope) to get everyone together to figure out what “the best answers” are. Unfortunately, by the time we finish the process to anyone’s satisfaction, the world has changed and our solutions won’t work. What we need are not answers to how to secure ourselves now, but answers to how to make the process of deriving and implementing effective security concepts fast, accurate, and efficient enough to keep pace with the world in a way that a) won’t blow out all of our resources and b) will have a high level of quality in implementation. We need to create tools and cyber/non-cyber environments that will shorten the overall cyber security lifecycle, simplify the process, and reduce errors. The Framework must aim to aid the derivation of answers, not provide them. Better derivation tools will help us figure out what we really need, and maybe we’ll learn to build airplanes instead of boats. I really wish I had seen more of this perspective from the organizers and the participants.
Final Words: If we do not change our entire approach to cyber security, if we do not learn to dramatically adjust what we do based on failure, if we do not handle the issues of scale/complexity, the bad guys will continue to win. We will run out of money, time, and will if we keep walking down these same paths. I sincerely hope the next NIST Cyber Security Framework development workshops will take these realities into consideration as part of the process. Please read these two posts for further exploration of related topics:
Quick shout out to the people who made the workshop less dry with good conversation and good company: Lena Smart, Andy Bochman, Mike Dahn, Fowad Muneer, and the CMU REP Team. :) Was good seeing/meeting you all.