Tuesday, July 24, 2012

Business Ramifications of the Internet's Unclean Conflicts (and other updates)

So, the schedule has been crazy lately and I have been cherishing what little downtime I have with the family. And the golf course. Hence, no blog post since March. I finally finished the sunroom bar cabinets and installed them just in time for our annual summer party, which was spectacular, BTW - the pulled pork we smoked for 12+ hours was like butter and the ribs were to die for. Ended up kicking out the last dedicated professionals around 2:30AM, so AFAIC it was a total success. Look for invites next year, DM me, etc.

Onto actual infosec/risk items. I put together a talk on the Business Ramifications of the Internet's Unclean Conflicts for Cleveland B-Sides that I gave on July 13th (you can see it here, special thanks to @securid and @adc_irongeek). It wasn't my best performance, but admittedly I wasn't 100% confident that I was able to connect all of my dots in 45 minutes. Plus, I had added several slides during some breaks between earlier B-Sides talks so no practice for the talk as a whole. Regardless, it went over well, with excellent crowd source feedback and criticism, which was most welcome. Safe talks are boring and I went in with this one expecting some pretty vocal feedback on the topics I brought up. I was not disappointed.

So one of my "agenda" items was "WTF are you talking about?" Which is a fair question. Some examples of the United States' Unclean Conflicts include Korea, Vietnam, Grenada, Somalia, Panama and even our current "Wars" in Afghanistan and Iraq. Let's not forget what is happening in Yemen and Pakistan. The last official declaration of war was in 1942 against Bulgaria, Romania and Hungary, allies of the Germans during WWII. Post WWII we became very familiar with unclean conflicts, both before and after the fall of the Soviet Union. But that event marked a significant change in our (the United States') international attitude. Who would realistically engage us in open, clean conflicts? This lack of (in our minds) a realistic adversary further fed our big-headed notion that the rest of the world should act and behave as we think they should. This mindset filtered down into our Business DNA, and the innovative corporations that were and are pivotal in building up our national economy began thinking the same way. We are now finding ourselves lashing out with legislation in vain attempts to enforce levels of security controls to protect our national infrastructure. Which will most likely lead to attempts to enforce levels of controls over manufacturing, science, research, medical and other verticals. Will any of these succeed? It is too early to tell. But the simple fact is this: if you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the economy and nation as a whole, you have completely missed what was wrong to begin with.

The term "Organizational Entropy" is defined as the natural result of assuming you are smarter than your adversaries. Which is exactly what we, both internationally as well as business-wise, have done. And (gasp) we are quickly finding that a) we are not as smart as our adversaries and b) they have not been playing according to our rules. For years. Why spend billions of dollars (pick your currency) developing new technology when you can spend a million dollars purchasing the stolen technology? Why not halve the number of years your weapons program is behind the US's by stealing that top secret data?

Our adversaries have become specialists at executing "Unclean Conflicts" against our business and defense infrastructure.

Our pig-headedness has led to societal ramifications where policy is now defining society, which naturally does not happen. Society should define policy. And since this is completely unnatural, and basically driven by power, greed and profit, naturally it is failing.

Joel Brenner's recent book "America the Vulnerable", while bordering on being fodder for the security hardware vendors of the world to scare the daylights out of business decision makers, does make one excellent point - "Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time." i.e. Design for, and assume the breach.

Throwing more and more technology at these problems only makes our systems that much more complicated, and therefore less secure. That is not natural adaptation. Nature (including everything from primordial bacteria in volcanoes to us as a species) has survived over millions of years by adapting to situations and problems. Without the need for policies and politics. Our government and corporate frameworks need to learn to begin to adapt to what is effectively a new paradigm.

Every #infosec and #businessrisk practitioner should read the book Learning from the Octopus by Rafe Sagarin. Do this now.

We inherently know what issues matter and what issues do not. "Morals" and religion have no place in this argument, they do not matter. This is about adaptation and being able to apply pressure to the wounds we have sustained due to our arrogance. Vote out anyone, regardless of which "side" they are on, who does not actively convey this understanding.

Feedback is actively welcome.

(note: I am not this smart, shout outs to Josh Corman, Joel Brenner and Rafe Sagarin as a sampling of many influencers)