
Monday, 12 December 2011

My Expensive "Expert" Advice for the U.K. Government On Cyber Warfare

I was going to name this post "My Free 'Expert' Advice ..." but we all know that free advice is ignored so once I hit the 'publish' key on this blog, I'll send an invoice to 10 Downing Street requesting payment. I'll make sure that the invoice is in 7 figures since they're obviously quite willing to throw extravagant amounts of money at companies with the word "expert" in their marketing materials (hence my use of the word "expert" in the title).

The reality is that there are no experts in this field. I wrote a well-received book on the subject, have spoken at dozens of conferences, had papers published, regularly consult for U.S. and foreign government agencies, and have engaged in incident response for very large corporations and I don't call myself an expert. In fact, authentic experts never bestow themselves with that title. If it's used at all, it's given to them by others who have experienced their work first-hand. I know many people who I would call experts in different fields but none in the area of cyber warfare. The field is too new, too undefined and we're all still finding our way.

The British government appears to have bought into the marketing materials of prime contractors like Lockheed Martin, BAE, Raytheon, General Dynamics, RSA, McAfee, Mantech and who knows who else. Big mistake. They not only cannot protect the British government, they've been unable to protect the U.S. government. The director of the NSA along with the director of DARPA have both admitted that the current security framework we use is broken. Who implements that framework? Prime contractors like the ones I mentioned above and their sub-contractors with some help by government employees.

So here's my "expensive expert advice" for whoever is in charge of the British government's purse strings:

  1. You can't keep China, Russia, France, or any other State out of your network. They're already there and they aren't leaving.
  2. You can't secure what you don't own so if you want to secure your power grid, buy it back from the Chinese company that owns it.
  3. If anyone tells you that they can do 1 or 2 above, grab your checkbook and run the other way.
  4. While you can't keep bad guys out, you can raise the cost to mount a successful attack. Or - you don't have to outrun the bear, you just have to outrun the other countries who are being chased by that bear (or dragon).
  5. While you can't keep a dedicated adversary out of your network, you can keep your data from leaving. That's in large part where you need to focus your resources and where you'll get the best return-on-investment.
  6. You have serious supply chain problems and need to start testing firmware updates for all those servers that you own which were made in China for backdoors.
  7. You have serious software issues and need to investigate any code written by Russian firms for backdoors.
  8. Cancel your contracts with Chinese telecommunications companies if they are providing products that would give them access to sensitive data.

My bill is in the mail.

Related:
Britain Has Already Lost A Future Cyber War


Friday, 28 October 2011

U.K. Man Arrested for his Facebook Postings

This is a dangerous precedent for a Western nation to set. One of the key differences between the West and states like the Russian Federation and the People's Republic of China is the right to free speech. I don't see how the British government can now complain about China or any other country's censorship or persecution practices after an outrageous act like this.

The article didn't mention if Facebook cooperated with the British government or was in any way involved. It would be interesting to know if they were.

Tuesday, 18 October 2011

Britain Has Already Lost A Future Cyberwar

Britain's Foreign Secretary William Hague decided it was a good idea to announce in The Sun that Britain 1) will strike first against an adversary planning to attack Britain and 2) doesn't have the money to adequately defend itself from a future act of cyber warfare. He also said that he couldn't guarantee the safety of Britain's critical infrastructure "including water works, power plants, and air traffic control systems". For some reason Secretary Hague thought these pronouncements would be a good idea in light of an upcoming conference that he's hosting in London on Nov 1-2.

I haven't been invited to participate in that conference but if I were, here's the guidance that I'd provide to the Foreign Secretary - in brief:

Two Things You Don't Want To Do:
1. Don't threaten retaliation or preemption when you have no way of knowing who the attacker is. It gives away the fact that you don't have a clue about the environment which means that in any given war in that environment - you lose.
2. Don't acknowledge that you can't afford to defend your networks; even if it's true. It makes you a more attractive target and reveals a key vulnerability that's sure to be exploited.

Two Things You Do Want To Do:
1. Stop spending your limited funds on offensive cyber weapons and spend it on resilience.
2. Buy back your critical infrastructure from the foreign companies who currently own it; especially the Chinese. You can't defend what you don't own.

I have a few friends in Britain's intelligence community so I don't mean for this post to sound snarky or cruel. The fact is that you have some serious internal conflicts in your government and Ministry of Defense about how to allocate resources and identify threats in cyber-space-time. If you're seriously looking to defend Britain from a future act of cyber-war, please take my above guidance to heart.

Related:
Why the U.S. Will Lose A War In Cyberspace

Wednesday, 28 September 2011

28 Nation States With Cyber Warfare Capabilities

The 2nd edition of Inside Cyber Warfare: Mapping The Cyber Underworld will contain 4 new chapters plus a new Foreword by former DHS Secretary Michael Chertoff and an Afterword by Professor Catherine Lotrionte of Georgetown University. One of those chapters is entitled "Cyber Warfare Capabilities By Nation State". For those of you who can't wait for the 2nd edition to come out, here are the 27 28* States:

  1. Australia
  2. Brazil
  3. Canada
  4. Czech Republic
  5. Democratic People's Republic of Korea
  6. Estonia
  7. France
  8. Germany
  9. India
  10. Iran
  11. Israel
  12. Italy
  13. Kenya
  14. Myanmar
  15. Netherlands
  16. Nigeria
  17. Pakistan
  18. People's Republic of China
  19. Poland
  20. Republic of China (Taiwan)
  21. Republic of Korea
  22. Russian Federation
  23. Singapore
  24. South Africa
  25. Sweden
  26. Turkey
  27. United Kingdom
  28. United States*

This is not a complete list, but it's a start. We may roll it over into an updatable website and add the states that we missed for the book (e.g., all of the members of the Commonwealth of Independent States, additional states from Africa and South America, etc.)

* UPDATE: (29 Sep 2011) I left the U.S. off the original list because it's covered under one of the other new chapters! Sorry, everyone. :-D
