
Today I saw an announcement for another cybersecurity leadership council filled with the usual suspects:

“When it comes to the cybersecurity of our networks, the private sector has the capabilities and the market has produced good solutions. Now we need to focus on mitigation of cyber risks through cross-sector information sharing efforts, public and private partnerships, and the improvement of cyber hygiene of businesses of all sizes,” said Howard Schmidt, a partner at Ridge-Schmidt Cyber, and chairman of the council.

Sigh. Let me give this to you all straight:

First, our cybersecurity exposure is fundamentally created by how businesses go about making money. It’s about corporate discipline, perception, culture, value chains, investment strategies, procurement, marketing, communication, trust, operational quality, etc. Cybersecurity state is NOT primarily a function of anything that happens in a CISO’s office. It has very little to do with Information Sharing (as typically defined in this conversation), and Public Private Partnership success depends on having some sort of comprehensive problem space model which precedes conclusions (and the language provided starts with conclusions without a consensus problem space model anywhere).

A CISO’s activities are done as a result of a business’s actual exposure – created OUTSIDE of the CISO’s office – business perception of its risk – created by its culture – and actual threat actors – which neither the business nor the CISO’s office directly controls. Therefore any conversation or effort centered on how to do “Cybersecurity” better will, almost by definition, fail. “Cybersecurity”, if defined as “activities centered around the CISO’s office and levers to enable the CISO’s office”, has little to no influence or control over the business risk level created by ICT (Internet Connected Technology) use because it neither controls nor influences ANY of the primary environmental factors.

The problem is, since coordinating solutions on the non-CISO’s office problem space (exposure creation) requires dealing directly with how businesses make money, it’s a really tough nut to crack (legally, politically, financially, culturally, etc.) and few are willing to do it. It’s MUCH easier to focus on the CISO’s office – even at the expense of success. And, besides, we have a whole security industry telling us that another box or service will solve the problem. (For those not following along, what they mean by “solve the problem” is “hold the line until you slowly drown in the cascading consequences of rising complex conflict interactions online”.)

Further, technically, even if we did move the conversation to “how we do business in general and how that creates exposure” – which NONE of the language around the new group even smells like it might be saying – the way we build IT and OT infrastructure is not securable to the level we desire it to be for the cost we wish to pay. Full stop. This is not a “security” problem; this is a mathematical complexity problem that has to do with error rate and organizational competency across time and disciplines. Moving further on “cybersecurity” without changing the surrounding technical environment – transformationally, not evolutionarily – is an abject waste of time.

Anyone telling you different is selling you something, ignorant, or has unfortunate perspective blinders on.


So, with what is quite interesting timing (and thanks, in no small part, to Twitter), I just found out a couple of days ago that I’ll be giving a talk at EnergySec this year. The tentative title is: “A Technologist’s Admission of Inadequacy: The executive’s role in National Cyber Security”.
I’d really like to use this opportunity as a platform for some of my concerns, as a technologist, about how we’re treating cyber security as a technical problem – at an operational level, at a strategic business level, and at a legislative level. I’ve touched on these concerns before in this blog, but I’m really excited about the chance to do it in person in front of a lot of other smart people who are actively working cyber security problems.

Thinking out loud, I wrote this earlier:

One of my interests, part of my future role, and with a perspective grounded in building/designing ways to detect badness / working on ICS-CERT, is in combating our habit of defining security in technical terms or relying on technologists to “fix it” without ever defining what “it” is. A secure system is one that does no more and no less than the people who have ownership and stake in it wish it to do – and that’s a business rule/decision/appetite. As a technologist, if you ask me to secure your systems and let me define what that means, I’ll fail. (i.e.: There is no “evil” flag in TCP.) I’d like to make a plea for organizations to define security through risks to interrelated cross-sector business and social requirements (and associated appetites) before spending so much effort to create technical security plans, standards, controls, and laws. An army without a defined mission can be potent just based on size and power, but one that has a mission and defined goals is much, much better.

I’m sure I’ll evolve what I actually want to say between now and September, but that’s where my head is now.

Well, I’ve been waiting a while to be able to write this (see future post). Finally, I can:

It’s always interesting dealing with the somewhat schizophrenic nature of government messaging. While I understand the constraints, the risks, and the realities of trying to run a free-for-the-private-sector service that actually DOES something in the government, it was always a little disheartening to hear (or read) people suggest that the government wasn’t doing anything for some of our cyber security problems, that it didn’t have the services available, or “Well, I heard DHS started ICS-CERT, but I think they shut it down?” And, with the media so often just not getting it – and people so often not doing basic research – this happened more frequently than it should. So, now that I’m in the role of customer here (and not on the floor there), I can finally say:

If you’re an asset owner, a vendor, a service provider, a customer, or otherwise a stakeholder in private sector or government critical infrastructure / key resources, you should be aware of CSSP and ICS-CERT (ICS-CERT has been functioning, in its current form, since earlier this year).

To start with: The Control Systems Security Program (CSSP) is an offering out of Homeland Security which:

“attempts to…reduce industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local, and tribal governments, as well as industrial control systems owners, operators and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk-mitigation activities.”

This includes providing a FREE cyber security assessment tool, onsite assessment visits, and the well-run Industrial Control Systems Joint Working Group (ICSJWG) and its associated conferences. CSSP also provides a variety of free training in Control Systems Security, both locally in DC as well as, for its hands-on Red/Blue Team training, in Idaho Falls.

Then, providing a tactical operational arm to the more strategic CSSP, ICS-CERT is a fully functioning free CERT service for your CIKR organizations. ICS-CERT will, as part of its mission:

  1. Provide onsite fly-away technical incident response
  2. Perform digital media analysis on media potentially affected by an incident
  3. Coordinate the responsible release of vulnerabilities (involving third party researchers, vendors, etc.)
  4. Provide timely situational awareness
  5. Coordinate national response, via its seats in the National Cybersecurity Communications and Integration Center (NCCIC), with US-CERT, NCC, Law Enforcement, and other organizations.

All you have to do, basically, is ask. They’ve assisted, during my tenure, quite a few organizations – large and small – and continue to do so.

(Importantly, ICS-CERT has neither a law-enforcement NOR a regulatory function. Their mission is to assist you in defending yourselves and responding to incidents. Your data is, and remains, yours, in any interaction with them.)

And you thought the government doesn’t do anything for cyber security :)

To contact ICS-CERT:

  • Call the ICS-CERT Watch Floor: 1-877-776-7585
  • Email regarding ICS related cyber activity:

Their website is:

Say you want to buy a car to take your 5 kids and spouse around town. Now, suppose you start looking for a good, safe van with low gas mileage that fits the whole family and is relatively cheap. $20k? Sure. Ok, now what if you go out to buy this van… but oh no! All you can find are Corvette dealers selling $100,000 cars!!!

Would you buy a Corvette? Hells no. You’d wait until you found something that met your minimum requirements: moving the family around. If you got the ’vette, you would have gotten something that, even if it fit “some” of your requirements (moving some people around), doesn’t fit enough of them to actually solve the problem. Furthermore, if you did get the ’vette, you probably wouldn’t be able to afford the van, so your problem would go on even longer than if you hadn’t gotten the Corvette.

Welcome to the kind of security that says “we should do more of what we’ve been doing, even though we know the architectures don’t work… because something is better than nothing.” We can’t continue to add on layer after layer of security at ever-increasing cost when no number of those layers, as modeled today, will ever get us to a comfortable place. Getting owned by X% fewer people is still getting owned and doesn’t really change your risk profile unless X is a much bigger number than today’s most common best practices get us.

Nothing is ever perfect, so I’m not suggesting no one should take action until they find a perfect solution. Rather, I’m suggesting we all take a close look at our solution sets, look at how good they’re ever going to get at the end of the day, and make decisions appropriately. When selecting a “50%” solution architecture for $Y, don’t get caught thinking $Y×2 will get you a 100% solution with the same architecture :)

I normally don’t have much to say here about my day job (partly why you’ve seen more of a focus on art), but I thought (since I’d been previously linking to the DHS Control Systems Security Program pages) that it was worth mentioning that ICS-CERT has its own website these days:

Take a look at it if you’re in the control systems / SCADA and security/emergency space (particularly with regard, but not limited, to cyber).

Edit/Update: Now that I’m no longer there, I do have a brief take on the subject and a summary of information HERE

EDIT: THIS HAS BEEN CANCELED DUE TO SNOW. Not sure what to do after ShmooCon Friday night? Not going to the con but need something to do? Come over to the HacDC Hacker’s Lounge event for a little while (runs 8pm-2am). I’ve been putting some fun NEW interactive Quartz video projections together for the event (link goes to early older work – need to show up to see newer stuff) and Daniel Packer will be doing some audio with SuperCollider. Oh yeah, and I hear there will be booze.

I can’t tell you if there will be 10 people or 100 there, but if you take a chance and show up, that’s 1 closer to 100 :)
