Kill with a borrowed sword - An Origins Story

If you've seen me speak in the past 15 years, you've seen a slide that looks something like this:

[Image: Screen Shot 2013-05-29 at 8.15.43 AM]

It was my adaptation of an ancient Chinese stratagem for the information age in which an adversary would use our infrastructures as weapons against us. I originally used it as a reference for information operations, but it turns out it was a good model for the attacks on September 11, 2001, as well. AQ terrorists could never have built missiles that could be delivered with the precision and the explosive and incendiary impact that they achieved by hijacking commercial airliners.

In 2001, I also used the concept to promote a capability I'd started advertising in 2000 as an "Information Outcomes Cell", which proposed to use commercial IO capabilities as a replacement for U.S. military Computer Network Attack when our national leaders did not want to reveal "black" attack technologies. The premise was that any infrastructure that could be targeted with a conventional attack could be "taken down" by the Information Outcomes Cell. This would allow for the mission objective to be accomplished, but without revealing secret tools and allowing for the infrastructure to be rapidly reconstituted once friendly forces had control of the land domain. This addressed two critical issues in my opinion: 1) it helped overcome the hesitancy to use CNA because the target "wasn't important enough" to reveal the equivalent of a zero day (e.g. shouldn't use it in Iraq, because we can't use it against more important targets later), and 2) it reduced the impact on the host country's civilian population. They could be without power and telecommunications for months instead of years, which would allow them to focus on building societal infrastructure like schools and hospitals.

I even went so far as to put together a PowerPoint deck and shop it around. Here is the ugly circa 2001 cover page:

[Image: Screen Shot 2013-05-29 at 8.34.49 AM]

Despite lots of vibrant discussion, the capability wasn't utilized back then and others have consistently echoed the need. For example, see Mike Tanji's Buccaneer.com. I won't comment on whether we are any further along today.

Recently, I was listening to the audio book version of Tom Clancy's most recent book "Threat Vector" and Clancy was describing the fictional office environment for the Chinese mastermind of the hacking attacks against the U.S. and other countries. What sign hangs on the wall as an inspiration for the Chinese attack team? The ancient Chinese stratagem "Kill with a borrowed sword".


I am Big Data and so are you

Bob Gourley, former CTO of DIA and current CTO of CrucialPoint LLC, was guest lecturing at my Georgetown “Information Warfare and Security” class and was discussing mega technology trends when it occurred to me - the next revolution in big data is going to be about me and you.

We are sitting on a treasure trove of data about ourselves that will be aggregated into big data repositories and analyzed and mined to augment our lives. Quantified self data from your Nike Fuel band, input from your Google Glass, your email, schedule, events you have attended, foods that you ate, times you got sick, searches you conducted, games you played, movies, books, music, social network status, your social graph, news you’ve read, on and on and on....

All this data will be aggregated and mined for our own personal benefit. A few years ago I anticipated the rise of AugBots (software agents that would mine your personal data to predict how they can help you). Imagine that you always call your wife when you are on your way home from work and the AugBot starts anticipating this behavior and when your smart phone indicates you are on your way home (based on GPS data) it asks you whether you want to call your wife. Google Now is pretty close to this level of functionality today and it is only going to get better.

I'm concerned about privacy, but also understand the advantages of mining this data moving forward. What I want to know is who takes the lead on allowing me to start dumping data into some sort of repository that gets mined for my Google Now results. I'm waiting for when my Google Glass takes a picture of Bob, performs a facial recognition search, identifies who he is, searches my personal big data, and tells me "that's Bob Gourley. You first met him at an event in 1996."

With all the quantified self data, this will be rich health data as well. Evaluate food patterns to identify allergies, diagnose a potential illness based upon proximity - you had dinner with Bob three nights ago, and he reported yesterday on Facebook that he has Strep throat - I noticed you just bought throat lozenges - shall I make an appointment to see the doctor about that sore throat?

Imagine a Nest thermostat that starts raising the temperature because it knows you are on your way home or starts cooling because it knows you are scheduled to be out for the day. A security camera that doesn't alert because it recognizes the faces in your home are from the cleaning service.

Who are the leaders right now? Google, Facebook, Amazon, Apple - in that order.

I expect we'll see start-ups emerge focused on personalized big data. Create your repository, decide who to share with (family, friends, etc), and then decide which APIs can query against it. There will likely be multiple repositories and interfaces between them.

Then we'll see a layer of augmented intelligence interfacing with the data at an application layer.

Of course, security will be a concern, but I'm not sure if security winds up being essential or irrelevant.

And all of this will start happening in the next five years.


State Sponsored Cyber Threats - The Long View

"Thinking about state-sponsored cyber threats over the long term doesn't come easy to Western strategists. This essay takes a look at the strategic implications of thinking only in the short-term."

Source: OODA Loop - State Sponsored Cyber Threats - The Long View


Tim Cook's Freshman Year: The Apple CEO Speaks

"We want diversity of thought. We want diversity of style. We want people to be themselves. It’s this great thing about Apple. You don’t have to be somebody else. You don’t have to put on a face when you go to work and be something different. But the thing that ties us all is we’re brought together by values. We want to do the right thing. We want to be honest and straightforward. We admit when we’re wrong and have the courage to change."

Source: Tim Cook's Freshman Year: The Apple CEO Speaks - Businessweek


Chinese IW - 1996

Digging through some old files and found this from 1996:

:::::::::::::::::::::

May 10, 1996, Friday

SECTION: Part 3 Asia-Pacific; CHINA; MILITARY; EE/D2609/S2

LENGTH: 308 words

HEADLINE: INFORMATION WARFARE;
China: characteristics of information warfare explored

SOURCE: Source: 'Jiefangjun Bao', Beijing, in Chinese 16 Apr 96 p6

BODY:
[6] Text of report by Chinese army newspaper 'Jiefangjun Bao'

At present, information warfare remains a very abstract concept. In order
to clearly understand and master information warfare, we have to conduct a
more detailed analysis of information warfare by dissecting it into a number
of combat forms, each with a unique content, including an all-frequency
electromagnetic war, a computer virus war, a precision war, a small-scale war,
a non-destructive war, a geophysical war, and so on. After categorizing these
combat forms, we can divide information warfare into two major types: the
"visible" information war and the "invisible" information war. Only by
conducting such a detailed analysis of information warfare will we be able to
know clearly about human conceptual and behavioural changes wrought by
information warfare.

Owing to the increasing internationalization of information technology
development and the integration of social, political and economic development,
people now have to employ stealthier, more indirect and more "surplus" combat
means when applying war means to resolve bilateral political contradictions.
This means that along with the development of information technology and the
constant perfection of information warfare, "visible" information wars are
going to be reduced in scale so that it will be more difficult to predict when
and where a "visible" information war will break out and what type of a threat a
"visible" information war will create. As "invisible" information wars are going
to be waged like "the water and the sky blended in one colour", it will be
especially hard to know their "true faces". Thus we should reach this
conclusion: Information wars in an information era are going to be small-scale,
difficult to locate, short and quick wars known for multiple and tremendous
threats.


Siri – the Augmented Intelligence Agent

My latest thinking about Siri over at TechGrid…

"Siri does not represent a foray into the realm of artificial intelligence, but rather a necessary stutter-step in that direction which can be more accurately referred to as Augmented Intelligence. Despite an ability to engage in limited natural language processing, Siri is only capable of augmenting the capabilities of an iPhone in ways that were pre-defined by her programmers. This augmentation will only be improved upon with future iterations of Siri and some day soon, she may become more context aware.

For example, ask Siri to play a game and she’ll trigger on the word “play” and look for a song or playlist that match the remainder of the interpreted words “play a game”. Tell her you really want to get drunk and she’ll offer to call you a cab, not find you a bar. As an augmented intelligence, Siri can be pretty helpful, but here are some ways we expect her to improve in the near-term."

Source: Siri – the Augmented Intelligence Agent | TechGrid


Dronegate: The First Casualty is our Cybersecurity Paradigm

Out of respect to the original blog, my comments on this article can be found by following the link below the excerpt. These are important issues and we should be examining and debating them in detail.

"As of yet, there is no definitive narrative of the virus that hit the U.S. drone fleet at Creech Air Force Base in Nevada this September. Original reports stated that drone cockpits had been infected with a keylogger virus and, while there was no indication that classified information had been stolen or that missions had been compromised, the virus has proven tenacious, resisting efforts to disinfect machines and forcing the Air Force to wipe entire hard drives. Sources said that officials at Creech never informed the 24th Air Force, the central authority on cyber for the Air Force, about the breach until the 24th read about it online. Yesterday, however, in its first official statement on the infection, the Air Force explained that the virus was actually a credential stealer and insisted that the virus was only a nuisance that was easily contained. It claimed that the 24th AF had known about the breach since the 15 September. The Air Force also disputed that cockpits were affected, stating that only ground control systems were breached."

Source: Dronegate: The First Casualty is our Cybersecurity Paradigm


Facebook devours Twitter - a simple strategy...

Facebook is about to eat Twitter for lunch. I'm slowly recognizing that more and more of my activity is migrating from Twitter to Facebook. I've also been wondering if Apple's upcoming iOS 5 integration with Twitter is a strategic mistake on Apple's part? What will it take for Facebook to finish Twitter off? Here's my list of recommendations of what to do and not do.

Give me a separate "subscribed" news feed - I want to be able to toggle back and forth between people I am subscribed to and people I am friends with in my newsfeed. An integrated view is nice, but sometimes I just want to see my friends and vice versa.

Public Subscribe Button - I already have a button for follow me on Twitter and a button to friend me on Facebook. What we need now is a Subscribe to my public Facebook feed button. It should allow folks to easily subscribe via Facebook.

Default responses to site discussions via Facebook to "public" - Imagine the community engagement when people bring their subscribers to the discussion via promotion through their public feed.

Stop Auto-generating friend lists - I like the ability to generate custom lists to categorize my friends, but honestly I really only feel the need right now to have two lists. Friends and subscribers. That said, I'm overwhelmed at all the lists Facebook has auto-generated for me. I want to shut that feature off. I don't need lists for where I live, where I went to school, where I've worked. It is almost like getting flogged for having too diverse a social graph.

Search baby, search - Real-time and historic search of my newsfeed and the overall public stream equals absolute killer feature. Facebook will have Twitter (which has never managed search well) and Google trembling.

Integrate subscribe concept into Pages - I'd like a more discreet ability to add page content to my newsfeed. Currently, you can "like" a page and it will show up in your stream, but it also shows up in your profile. It would be nice to have an ability to subscribe to a page without public disclosure or (implied) endorsement of the page.


Using hackers as a national resource

Misha Glenny's TED talk entitled "Hire the Hackers" was sent to me about a dozen times today.

I was reminded of the excerpt below taken from my 1995 thesis. Reviewing it after all these years, it is not perfect, but does raise some important points and the central theme still rings true.

Step Seven: Use Hackers as a National Resource

The digital underground should be viewed as an asset to the United States.
They use illegal means to satisfy their curiosity about the workings of computer
technology because the system has denied them other means of accessing the
digital realm they love. Harvard Law professor Laurence H. Tribe even suggests
that access to technology may be a required goal of democratic society. He
states:

It’s true that certain technologies may become socially indispensable –
so that equal or at least minimal access to basic computer power, for example,
might be as significant a constitutional goal as equal or minimal access to the
franchise, or to dispute resolution through the judicial system, or to
elementary and secondary education. But all this means (or should mean) is that
the Constitution’s constraints on government must at times take the form of
imposing "affirmative duties": to assure access rather than merely
enforcing "negative prohibitions" against designated sorts of invasion
or intrusion.(133)

Some hackers are loyal to the ideals of their nation. For example, when
news of Stoll’s German hacker selling U.S. secrets to the KGB hit the
underground many hackers responded with hatred towards the guy who had
associated their movement with national espionage and threats to national
security. They were willing to use their abilities to combat this problem, and
were even willing to target Soviet computers for the Central Intelligence
Agency. One case of a hacker making a contribution to society is the story of
Michael Synergy and his quest for presidential credit information. Synergy
decided one day that it would be interesting to look at the credit history of
then President Ronald Reagan. He easily found the information he was looking
for and noticed that 63 other people had requested the same information that
day. In his explorations he also noticed that a group of about 700 Americans
all appeared to hold one credit card, even though they had no personal credit
history. Synergy soon realized that he had stumbled upon the names and
addresses of people in the U.S. government’s Witness Protection Program. A good
citizen, he informed the FBI of his discoveries and the breach of security in
the Witness Protection Program.(134)

One of the basic benefits to United States national security is the lack of
a coherent movement among the members of the digital underground. Hackers are
by nature individualistic. They lack a common bond that allows them to focus
their energies on one target. If there is a common target among hackers, it is
corporate America, especially the telephone companies. These corporations have
become targets because hackers rely on their service to access cyberspace, which
can be a very expensive proposition. The United States government has a vested
interest in not providing them with another target, especially if that target is
the government itself. The United States should utilize hackers, and give them
recognition in exchange for the service they provide by finding security holes
in computer systems.

The United States should not discontinue efforts to stop credit fraud and
other computer activities that are unquestionably criminal. But, the United
States should allow the hackers to conditionally roam the realm of cyberspace.
These conditions would include the following: (1) If computer access is gained,
the security hole should be immediately reported to the government or
centralized agency and should not be given to anyone else, and (2) information
files should not be examined, modified or stolen from the site. In return the
United States acknowledges the hackers’ accomplishments, thus feeding their
competitive egos.

Why should the United States government trust hackers? No trust is
necessary. The United States is not offering the hackers anything that they
don’t already have, except recognition for their ability to discover security
flaws. The hackers will remain on the networks regardless of what policy the
United States follows concerning their activity. It is simply giving them the
forum they need to meet people with similar interests on a legitimate basis,
rather than a secret one. Robert Steele argues, "If someone gets into a
system, that is not a violation of law, it is poor engineering. When we catch a
hacker, rather than learn from him, we kick him in the teeth. When the Israelis
catch a hacker, they give him a job working for the Mossad."(135)

Many U.S. corporations already allow the hackers to identify security
weaknesses in their computer systems. The Legion of Doom, the most notorious
group of hackers in the U.S., briefly entered the computer security business
with the formation of their company called Comsec Security. Bruce Sterling
reports, "The Legion boys are now digital guns for hire. If you’re a
well-heeled company, and you can cough up enough per diem and air-fare, the most
notorious computer hackers in America will show up right on your doorstep and
put your digital house in order – guaranteed."(136) Some argue that this
is simply extortion, but individuals are not saying "pay up or else we
will enter your system." They are offering their skills to secure
vulnerable computer systems from possible electronic intrusion.

Hackers can be used to secure the United States’ digital interests. Every
effort should be made not to alienate them from the newly emerging digital
infrastructure. In the same Congressional hearing where his publication was
branded as a manual for computer crime, Emmanuel Goldstein made the following
remarks about access to technology and computer crime:

This represents a fundamental change in our society’s outlook.
Technology as a way of life, not just another way to make money. After all, we
encourage people to read books even if they can’t pay for them because to our
society literacy is a very important goal. I believe technological literacy is
becoming increasingly important. But you cannot have literacy of any kind
without having access…. If we continue to make access to technology
difficult, bureaucratic, and illogical, then there will also be more computer
crime. The reason being that if you treat someone like a criminal they will
begin to act like one.(137)

It is ridiculous to assume that the entire hacker subculture is motivated by
criminal intentions. Hackers, like all other groups or subcultures, contain a
diverse array of individuals. Every group has a criminal element and the
hackers’ criminal element is no different than the criminal element that exists
within the law enforcement community. A General Accounting Office report on
threats to the nation's National Crime Information Center, found that the
greatest threat to this centralized criminal database was not from outside
hackers but from corrupt insiders.(138)

Most hackers are still young and have not formulated complete ideologies
regarding right and wrong behavior. Bob Stratton, a former hacker who now works
as a highly trusted security expert, argues that "These people (hackers)
haven’t decided in some cases, to be good or evil yet and it is up to us to
decide which way we want to point them."(139) Mr. Stratton argues that we
can mentor these individuals and thereby utilize their technological skills.

Mitch Kapor, founder of one of America’s most successful software companies,
notes that "the image of hackers as malevolent is purchased at the price of
ignoring the underlying reality – the typical teenage hacker is simply tempted
by the prospect of exploring forbidden territory…A system in which an
exploratory hacker receives more time in jail than a defendant convicted of
assault violates our sense of justice."(140)

There does seem to be a trend in the past year to utilize hacker
capabilities, both in the public and private sectors. This needs to increase,
and perhaps some evaluation of our own laws might be necessary if we wish to
continue knowing where the holes in the United States’ information
infrastructure are.


Realizing the Metaverse

I've got some thoughts on virtual worlds just posted on TechGrid:

"In reading the book, it really makes one wonder why we haven’t created better instances of virtual worlds in today’s technology environment. The closest thing to the OASIS of Cline’s novel is Second Life, but it still has a lot of shortcomings. It got me wondering what are some of the minimal requirements that could improve upon the virtual world we already have that would make it more valuable in a social and business context. The goal is to make it the type of environment a virtual worker would be logged into in conducting their daily business (coding, writing blog posts, etc). Here are some ideas…"

Source: Realizing the Metaverse — TechGrid