You are currently browsing the monthly archive for October 2015.

Someone today asked me about CISA. The truth is, I’ve stopped paying attention. Everyone, just shut up and pass something so we can move on. But I do have perspective that might be relevant: I’ve spent the past 12 years in infosec, including doing threat analysis, have spent the past 8-ish years in Critical Infrastructure, have been a government operational incident responder to the private sector with access to super secret info sauce, have helped build a strategic government public/private partnership program, worked with a number of ISACs, and have worked in a non-profit ISAO-like environment. Here’s what I think:

A long time ago, in a galaxy far too close to here, a bunch of techies, not in sufficient control of the business and other environmental factors to influence the cybersecurity exposure business was creating or suffering from, said: “We need better, actionable information to succeed!” This was both sexy-tech driven and a last resort. If the business was leaving the doors and windows open, the “defenders” (heh) needed to know as much about their adversary as they could.

At the same time, businesses, finding they were becoming more and more on the hook for serious adversary conflict (as opposed to automated worms), tried to offload their responsibilities to the government. Lack of “Information Sharing” was a really convenient roadblock to partnership. “Hey, look, gov, we’d really like to help, but you’ve got all this awesome intel that you won’t share, how can WE do anything? YOU should!”

Government, having its own interests, was also looking for more data because, essentially, most of theirs was limited or sucked or wasn’t useable. At the end of the day, cyber conflict is occurring on private infrastructure – the government infrastructure either being tangential to the discussion at hand, handled internally, or a peer infrastructure to the private critical infrastructure (i.e.: the internet is the internet is the internet and it’s all a common geography of conflict). So they said (and, for what it’s worth, largely truthfully): “We can’t send you information if you don’t send US information! How can we know what’s actionable for you?” The fact that they might have their own uses for the information was tangential to this roadblock/truth.

This was *exactly* what industry hoped would happen! Industry, having done this in the past with other non-cyber information sharing, knew this would stymie everyone for a while: competitive disadvantages, risk of prosecution for what they shared, inability of government to release classified information effectively, and the biggie – risk of regulation!

So at this point, we had:

Techies going: “Mmmm..Info Share! Sexy! We want more info! Wait, actually reduce exposure? That’s no fun, and besides, that’s really out of our control – business people suck at making decisions”

Industry: “Sweeeeet. This techie cry for Info Sharing is cool! It’s something that looks like low hanging fruit that we can use to block cyber interaction with the government indefinitely”

Gov: “Hmm. Cyber is scary and we have little to no visibility and we’re on the hook to help without (for the most part) regulation, we need information to better conduct conflict and apply game theory to international relations! We need to get industry to trust us and give us all their bits!”

Given the long history of the government ROYALLY screwing up trust relations with industry, this stood for years as a happy-medium-quagmire with everyone taking pot shots at each other from across entrenched positions.

But wait! Suddenly it actually got serious – the MEDIA started running away with cyber? Can those Chinese kids take out the power grid? OMG! (Note: I actually think the risks from cyber conflict are potentially VERY severe, but these are not the SAME risks as the ones the media got hold of.) And suddenly, Congress, who KNOWS where its risks come from – bad political coverage by the media forcing uneducated people to vote or clamor for some MEME-OF-THE-DAY – got involved.

Congress: “Gov, Industry, Techies? What do we need to do CYBER better?!!?!?”

All: “Informaaaatttiion Shaaaarrrriiinnnnggg…”

And now, Congress has it, and everyone has lost COMPLETE sight of the fact that, at best, information sharing is a MATURE and DIFFICULT capability that results from mature organizational awareness and decision making and will, again at best, help catch the EXCEPTIONS that are not handled by mature organizational decision making, and will do little to NOTHING to reduce cybersecurity risk exposure or to reduce the escalating cost and complexity of the problem over time. Instead, it will help better execute/conduct conflict in cyberspace, satisfy techies who want to play more complicated games and solve more interesting problems, and leave the governments involved without any real position change in their ability to apply game theory strategically to cyberspace.

(NOTE ABOUT THE BELOW: This post was more about the history of information sharing driving these types of bills. My comments below are much less informed)

Does CISA trample on rights and privacy? Maaaaayyybee – Probably not…this is an old discussion that wasn’t completely initiated by government.  It may have secondary cascading effects, but I don’t believe that’s the primary motivation for it (or even A motivation).

Do I want them to pass it? Well, the government has shown it is PERFECTLY WILLING to try and get this information by other means, so….are we really losing anything? If nothing else, if we pass AN information sharing bill, at least there’s an increased possibility everyone will be able to finally share the Information that the Info Sharing Emperor Has No Clothes?


Since I first posted about my EnergySec class a year ago, it’s evolved quite a bit. In that time the agenda and topics have evolved as well, so I thought I’d share the present content structure here. Interested in coming? We only have one more this year, but more are coming next year and I’m happy to do custom work in your town! Check out the current outline here:


Theory, Application, and Frameworks

 Problem Space Definition

  • Cybersecurity Scope & Ecosystem
    • What is “Cyber”?
    • Broad Stroke Scoping of Cybersecurity
      • Risks-To vs. Risks-From
      • Technology vs. Humans
      • Risk Response vs. Quality Management
      • Tactics vs. Strategy
      • Protection vs. Enablement
      • Default Handling vs. Error Handling
      • Doing It Once vs. Doing It Consistently
      • Predictable vs. Emergent State
      • Defending vs. Improving
      • Compliance vs. Efficacy
      • Fact vs. Perception
      • Virtual vs. Physical Space
    • A Parasitic Model of Cybersecurity
      • Value Competition
      • Shared Infrastructure
    • Adversaries
      • Shared Attributes
      • Complex Goals
      • Adversary Classification
      • Attack Mechanics and Architecture
      • “Exploitation Opportunities” & Kill Chains
  • State of the World
    • The Bear Has Eaten Us All
    • Demonstrative Real Life Scenarios
    • Bottom Line and Regaining Control
  • A Problem Space Framework
    • The Forest
    • Thesis
    • History
    • Role of InfoSec
    • Problem Spaces
      • Global
      • Body Politic
      • Business
      • Organizational
      • Individual
      • Nature of Risk

Skills Development 

  • Effective Structured Communication
    • Purpose of Frameworks
    • What is Communication?
    • Perspectives
    • Contexts
    • Lenses
    • Inverse Perspectives
    • Using Intersectionality
    • A House Analogy
    • Conceptual Communication Tools (Summary)
  • Intentional Framework Design
    • What are “Frameworks”?
    • Structure vs. Content
    • Structural Framework Design Principles
      • Labels
      • Relationships (Ontologies)
      • Transformations
      • Modularization & Abstraction
      • Lensing
      • Life-cycles
  • Modeling Exposure
    • How is Exposure Generated?
    • New Concept: “Vulnerability Introduction Point Decisions” (VIP’s)
    • Modeling Vulnerability Introduction Point Decision Trees
    • Comprehensive Model of How Organizations can Introduce Vulnerability
    • Threat Modeling Using VIP’s
    • Technical Threat Modeling Translated to Full System Threat Modeling
  • Increasing Decision Making Capacity
    • REAL Defense in Depth
    • Creating a Defense in Depth Kill Zone
    • The Problem with Likelihood: Supply Chains
    • Kill Zone Management Concepts
      • Success Criteria help define
      • Metrics which apply
      • Levers to create
      • Control Specifications that use
      • Convergence of
      • Parenthetical levels of security to manage the
      • Dissonance of human systems 

Solution Approaches

  • A Framework for Organizing Solutions
    • Environment
    • “How Exposure is Created” & “How Exposure is Exploited”
    • Exposure Management Goals
    • “Exposure Management Approaches” & “Exploitation Handling Approaches”
    • “Exposure Mgt Efficacy Testing” & “Exploitation Mgt Efficacy Testing”
  • Integrating Existing Frameworks
    • Background Definitions
      • Risk Management
      • Capabilities
    • Existing Framework Information
      • NIST CSF
      • ES-C2M2
      • NERC CIP


  • Framework Structure Design
  • Framework Use for Control Specification
  • Pivoting between Risk and Compliance with an ICE

I’ll have a longer discussion of SIRACon later, maybe, but for now, you can find my talk slides here:



Some of it is old material, but some of it is new. I really like how it’s fitted together and ordered here.
