Can hackers sway public opinion with DNC and NSA leaks?

"'The first entree into cyberconflict isn’t physical destruction,' says Matthew Devost, President of FusionX, a cybersecurity and risk management company. 'If an airplane with 200 people falls out of the sky, it’s very easy to determine our response. But with the DNC hack, the impact isn’t as tangible.'"

Source: Can hackers sway public opinion with DNC and NSA leaks? - CSMonitor.com


HfS #CyberChat w Accenture's Matt Devost

"In this edition of #CyberChat, Fred McClimans of HfS Research sits down with Matt Devost, Managing Director of Accenture's Vulnerability and Threat Intelligence Practice to discuss the state of Cyber Security and the trends moving enterprise security forward."

Source: HfS #CyberChat w Accenture's Matt Devost - YouTube


Hacking Mr. Robot, week 7.

"Slate and Future Tense are discussing Mr. Robot and the technological world it portrays throughout the show’s second season. You can follow this conversation on Future Tense, and Slate Plus members can also listen to Hacking Mr. Robot, a members-only podcast series featuring Lily Newman and Fred Kaplan.

In this episode of Hacking Mr. Robot, Fred and Lily discuss Episode 8: ‘eps2.6succ3ss0r.p12.’ They’re joined by special guest Matt Devost, a cybersecurity expert and the CEO of FusionX."

Source: Hacking Mr. Robot, week 7.


Startup investors are looking to hackers for help on smart bets

"‘I’d say we have really seen a growth in that particular market over the last five years,’ said FusionX CEO Matthew Devost, referring to an uptick in revenue for his business from services purchased by investors. Devost’s company, which was acquired by Accenture in August 2015, leverages offensive cyber capabilities to test clients' digital defenses. 

FusionX is traditionally employed by investors to conduct tests during a pre-funding stage or in preparation of a merger, acquisition or initial public offering, said Devost. In the past, FusionX has worked closely with clean-tech, biotech and several large software companies to improve cybersecurity on behalf of their investors. Currently, the Reston, Va.-based cybersecurity company is working with a cohort of prominent, well-funded private equity firms that use its services to understand the strengths and weaknesses of their portfolio companies. Devost, once a senior adviser to the Department of Defense, declined to discuss clients by name."

Source: Startup investors are looking to hackers for help on smart bets


What a real cyber war would look like

"In a hot cyber war, the first line of attack would not be like on Star Trek, with spectacular bursts of sparks flying out of computers. Instead it would be a stealth attack on the enemy’s military command and control infrastructure, to keep it from being able to strike, said Matt Devost, managing director of Accenture Security and a special government advisor to the U.S. Department of Defense.

The problem is that much like nuclear attacks, no one wants to let the genie officially out of the bottle. Certainly the United States and Europe benefit the most from a free and open Internet, so weaponizing it is not a step taken lightly."

Source: What a real cyber war would look like


Every Cyber Attacker is an Insider

"What enterprise executives need to realize is that in today’s environment, every cyber attacker is a potential insider. Given the prevalence of BYOD (bring your own device), supply chain integrity issues, foreign travel, and the plethora of successful spearphishing campaigns, executive leadership needs to operate on a presumption of breach basis and work on reducing their attack surface through red teaming, early detection of attacks, thwarting lateral movement through the enclaving of critical systems, and having robust incident management plans in place before the breach occurs."

Source: OODA Loop - Every Cyber Attacker is an Insider


10 Red Teaming Lessons Learned Over 20 Years

I've written a few popular blog posts over at OODA Loop. Here is one I did on red teaming lessons learned.

"I often get asked what lessons I’ve learned over the past twenty years, so I started putting together this list of 10 lessons learned over 20 years of red teaming a few years ago. Given that I’ve officially hit the twenty year mark, I figured it was time to hit the publish button. While many of these feel like concepts, vice lessons learned, I hope the reader finds them thought provoking as they formulate and execute red teams of their own. As always, feedback and comments are welcome. This article is also posted at Red Team Journal if you’d like to discuss it there."

Source: OODA Loop - 10 Red Teaming Lessons Learned Over 20 Years


Virtual Reality paper from 1993

Before Neo awakened to the existence of the Matrix and before Mark Zuckerberg donned his first Oculus Rift VR goggles, I was writing about the relationship between immersive virtual reality, philosophy, and human behavior (adopting a position of do no harm). I've mentioned this essay several times over the past couple of decades and finally located a copy to preserve here for easy linking. I don't recall what the title was and it wasn't captured in my WordPerfect file with this text, nor was the bibliography for the paper.


The world is your exercise book,

the pages on which you do your sums.

It is not reality,

although you can express reality there if you wish.

You are also free to write nonsense,

or lies,

or to tear the pages.

-Richard Bach

There is a new concept floating around the computer industry these days, appropriately dubbed 'virtual reality'. Virtual reality entails the creation of a simulated environment on a computer system, which the human subject is allowed to experience through the use of special equipment such as body-sensory suits and 3D goggles. Though the virtual world exists as bits of information stored on the internal memory of a computer, to the person experiencing it, it is very realistic. Even though our power to create virtual reality worlds is somewhat limited at the present time, technological trends would indicate that it may not be long before virtual reality scenarios become indistinguishable from real life situations. Tony Deveaux explains:

“Virtual reality can be realistic or artificial, creating environments that could not otherwise exist, painting our wildest fantasies, or it can transpose reality into another scalable dimension, for example, simulating a human heart as big as a house, or conjuring a room-sized solar system...In these conceptualizations, you may not be able to tell a computer-generated hallucination from flesh and blood reality.”

Imagine having the power to create your own world, playing the role of the divine artist. It would be like being able to control the subject matter of your dreams. Now imagine that technology advances so much that the ultimate virtual reality machine is created. This machine would allow you to design a virtual world that incorporated all five senses, a full range of emotions, and objects to interact with. Some of these objects would be simple variables. You may create an object called a rose, which starts as a simple seed and over a projected amount of time grows into a beautiful flower, only to fade away again. You might design characters to interact with, and ultimately you would be able to connect your friends to share your virtual experiences with you.

Imagine the great adventures you would have, and the scenarios you could create, from Stephen King-like horrors to Harlequin romances. Now imagine that a drug is developed that, when taken in coordination with your virtual reality machine, allows you to forget you are engaged in a virtual reality experience. Imagine if once you started the program, this drug was injected into your body, and you forgot that a reality exists outside the machine.

You would perceive your virtual world as if it were real, forgetting that it is simply a world created by you, and that every variable is under your control.

This type of experience is exactly what Hindu philosophers say you are experiencing right now, and is the type of experience Richard Bach describes in the book Illusions. By using this analogy we can examine the nature of the ultimate reality, or Brahman, as argued by the Vedantic philosopher Shankara. Shankara acknowledges that the empirical world is an illusory experience of the ultimate reality, Brahman. Shankara argues that even though the objects of the empirical world appear real, they are simply illusions, shadowing the ultimate reality. Here we might substitute the empirical world with the virtual world we created above, and continue our examination of Brahman.

The person experiencing the virtual world actually believes they are experiencing reality. The drug that they take allows them to forget the ultimate reality, thus what they perceive in the virtual world is taken for the ultimate reality. The subject actually believes that they are seeing the true nature of the Brahman. As Shankara explains, they are ignorant of the true nature of the Brahman. What they are experiencing as reality is actually just electrical pulses within a machine that will cease to exist at the touch of a button. It appears to be real, just as Shankara's world of illusions appears to be real, just as a dream appears to be real, but it is not. You are existing in a virtual world, dwelling on the electrical pulses of cyberspace. The ultimate reality, or Brahman, is the world you wake up to.

Out of this ultimate reality you created a virtual reality. Once you wake up, you remember all that happened during your virtual experience was created out of a necessity to gain knowledge. Your virtual world is educational, programmed to repeat over and over until the final lesson is learned, until you achieve enlightenment.

According to Shankara, your enlightenment consists of simply overcoming the ignorance that allows you to believe the virtual reality is the ultimate reality.

In order to gain enlightenment you must realize that you created the virtual reality, that you have the power to manipulate it, that you are the ultimate reality. Tat Tvam Asi! With enlightenment comes the ability to manipulate the virtual world.

You might turn water into wine, walk on water or, as Richard Bach describes in his tale of the reluctant messiah, you might choose to swim in the earth.

“He walked to the shore easily as walking on a painted lake. But when his feet touched the ground, the sand and grass at the edge, he began to sink, until with a few slow steps he was up to his shoulders in earth and grass. It was as though the pond had suddenly become an island, and the land about had turned to sea. He swam for a moment in the pasture, splashing it about him in dark loam drops, then floated on top of it, then rose and suddenly walked on it. It was suddenly miraculous to see a man walking on the ground!” (Bach pg 124)

You are also free to terminate the virtual world, or you may remain within it, a master of it instead of a slave to it. You may choose to stay and help the people around you overcome their ignorance. Once again I turn to Richard Bach.

“Learning is finding out what you already know. Doing is demonstrating that you know it. Teaching is reminding others that they know just as well as you. You are all learners, doers, teachers.”

It would appear a beautiful process, but certain moral questions arise. For example, what value do you place on the virtual characters of your world? If they are not true reality, then it would appear that you could harm them without remorse. Or do these virtual characters have some value in relation to the ultimate reality? If you argue that the characters of the virtual world hold no value since they are not real, then you will have no difficulty with Krishna's teaching to Arjuna in the Bhagavad Gita that instructs him to kill without regret.

However, I would argue that we indeed do harm by hurting the virtual characters of our virtual reality. The virtual characters are indeed connected to the ultimate reality. To destroy these characters would be the equivalent of depriving one of knowledge, stopping the lesson halfway through, delaying the enlightenment process. Though it does no physical damage to the ultimate reality, the underlying motive is negative in its very existence. The underlying motive is to do harm, and this trait, along with those of greed, anger, hate, intolerance, and many others of similar nature are not traits I wish to associate with the ultimate reality. I would hope that in moving from the virtual reality to the ultimate reality, such traits evaporate into insignificance. However, I may be wrong.

One can smoothly re-substitute the empirical world for the virtual world. Might the empirical world be as illusory as the virtual world? Shankara and Richard Bach say yes. In that case, our enlightenment in this world is simply overcoming our ignorance that allows us to treat this world as the ultimate reality. We must remember that we are in charge and that the tools to program the world are at our fingertips. It is this realization that Hindu philosophers struggle to achieve. They desire to know the true nature of the ultimate reality, to overcome their ignorance and achieve enlightenment.


What Dan taught me

Over 20 years ago, I was an unknown graduate student at the University of Vermont with an unpopular research idea.

I was convinced that our increasing dependence on inherently vulnerable critical infrastructure presented an emerging national security issue.

Few others were similarly convinced.

Then I somehow caught the attention of Dan Kuehl at the National Defense University and on a trip to Washington DC he invited me to visit his office. I ended up spending the entire afternoon with Dan who entertained all of my questions, walked me through the halls of NDU, introduced me to all his colleagues, and bought me lunch.

The most critical thing Dan did was encourage me to keep going with my research. Little did I know at the time, but Dan was privy to a classified dialogue at the Department of Defense surrounding DOD Directive TS3600.1 which was raising many of the same issues I was focusing on. Given I didn't have a clearance, he couldn't share the news with me, but instead stacked me up with papers on C3I and other relevant materials. "You are on to something," he told me. "Keep going..."

As the story goes I did keep going. My thesis topic rejection was eventually reversed and I published my thesis entitled "National Security in the Information Age". Dan was one of the most prolific distributors of my thesis. Copies wound up in the hands of officers going through his program, DOD leadership, local think tanks, and contractors. Dan even forwarded my thesis to one of the gentlemen that would eventually give me my first job.

When I moved to DC, Dan and I became friends. He continued to introduce me to his network and I started to occasionally lecture to his students at NDU. In 1996 he awarded myself and two colleagues the prestigious Sun Tzu research award for our paper "Information Terrorism: Can You Trust Your Toaster?". As recently as the past year, Dan was still cracking Internet of Things toaster jokes.

Over the past 20 years we've continued to see each other a few times per year. Every time I see Dan, his enthusiasm and energy put a smile on my face. He is a friend I am always happy to see, even after the 500th time I heard him say "well, I'm a historian, but..."

Following Dan's lead, I've always taken the time to meet with students or folks early in their career to offer advice, encouragement, and even recommendations for employment. It has had a pay-it-forward butterfly effect that has resulted in hundreds of meetings over the past twenty years and continues to shape the world in important ways. Perhaps I would have taken the time out of my schedule for those meetings regardless, but I like to think it is what Dan taught me.


Virtual Tradecraft Paper outline from 2006

Capturing this here for posterity. A friend in the intelligence community got me interested in Second Life, which led to putting together some thoughts on the intelligence implications of virtual worlds. We were talking about this seven years ago...

Virtual Tradecraft 2006