Posts Tagged ‘CIA’

When Engineers Lie

Posted in 2011 on June 9th, 2011 by Robert X. Cringely – 98 Comments

Twenty years ago, when I was writing Accidental Empires, my book about the PC industry, I included near the beginning a little rant about how good engineers were incapable of lying, because their work relied on Terminal A being positive and not negative and if they lied about such things then nothing would ever work. That was before I learned much about data security, where apparently lying is part of the game. Well, based on recent events at RSA, Lockheed Martin, and other places, I think lying should not be part of the game.

Was there a break-in? Was data stolen? Was there an unencrypted database of SecurID seeds and serial numbers? All we can say at best is that we don’t really know. And in some quarters that is supposed to make us feel more secure because it means the bad guys are equally clueless. Except they aren’t, because they broke in, they stole data, they knew what the data was good for while we — including SecurID customers it seems — are still mainly in the dark.

A lot of this is marketing — a combination of “we are invincible” and “be afraid, be very afraid.” But a lot of it is also intended to keep us locked in to certain technologies. To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?

Good question.

Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.

This is National Security, remember, which means ethical and common sense rules are suspended without question.

RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs. Don’t blame the companies, though: if they didn’t play along in the U.S. they would go to jail. Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you, too.

The feds are so comfortable in this ethically-challenged landscape in large part because they are also the largest single employer… on both sides. One in four U.S. hackers is an FBI informer, according to The Guardian. The FBI and Secret Service have used the threat of prison to create an army of informers among online criminals.

While security dudes tend to speak in terms of black or white hats, it seems to me that nearly all hats are in varying shades of gray.

Yet there is good news, too, because IPv6 and Open Source are beginning to close some of those security doors that have been improperly propped open. The Open Source community is building business models that may finally put some security in data security.

The U.S. government is a big supporter of IPv6, yet the National Security Agency isn’t.  Cisco best practices for three-letter agencies, I’m told, include disabling IPv6 services. From the government’s perspective, their need to “manage” (their term, not mine — I would have said “control”) is greater than their need to engineer clean solutions. IPv6 is messy because it violates many existing management models.

The key winners are going to be those companies that embrace IPv6 as a competitive advantage. IPv6-ready outfits in the U.S. include Google, AT&T, and Verizon. Yahoo and Comcast still have work to do. Apple has been ready for years.

Some readers will question why I appear to be promoting the undermining of U.S. intelligence interests. Why would I promote real data security if what we have now is working so well for our spy agencies?

I’m not a spy, for one thing, but if I was a spy and trying to keep my secrets secret I wouldn’t buy any of these products. I’d roll my own, which is what I think most governments have long done. So the really deep dark secrets were probably always out of reach, meaning most low-hanging fruit is simple commercial data like the 125+ million credit card numbers stolen so far this year from Sony alone.

If the NSA needs my credit card information let them show me why. I think they don’t need it.

We’ve created a culture of self-perpetuating paranoia in military-industrial data security by building systems that are deliberately compromised then arguing that draconian measures are required to defend these holes we’ve made ourselves. This helps the unquestioned three-letter agencies maintain political power, doing little or nothing to increase national security, while at the same time compromising personal security for all of us.

There is no excuse for bad engineering.

Remember Billy Mitchell

Posted in Uncategorized on June 1st, 2009 by Robert X. Cringely – 59 Comments

Billy Mitchell was an iconoclastic American military airman from the early 20th century.  He was a firm believer in military air power and was ordered court-martialed in 1925 by President Calvin Coolidge for criticizing his military superiors over the issue.  My kind of guy. Gary Cooper played Mitchell in a 1955 movie, by which time everyone knew he had been right all along.  My fear is that when it comes to cyber warfare there is no Billy Mitchell today in Washington.

Cyber warfare was big news last week.  President Obama said he would name a cyber warfare czar to be a single point of contact on the issue for his Administration and that person would have direct access to the President.

If only that were true, but it isn’t, and the U.S. will be endangered as a result.

Billy Mitchell’s argument was that aircraft would come to play a huge role in modern warfare, supplanting battleships at sea and artillery on the ground. Air power was so important, Mitchell argued, that there should be a single air service to develop and deploy aircraft as needed in any war.  This still hasn’t fully happened, of course, though Mitchell’s work did directly lead to the creation of the U.S. Air Force in 1947 — 22 years and one world war after his court-martial for suggesting it in the first place.

The problem with Obama’s cyber czar is that the Administration is CALLING the position a priority but not MAKING it one.  The position has in some accounts been called a “member” of the National Security Council, but the czar is also said to “report” to both the Director of National Intelligence and to the President’s Senior Economic Adviser.  Well you can’t be ON the council and also REPORT to those guys — one of whom is on the council and the other is allowed to drop in if he feels like it.

In short, this is an NSC staff job.

Obama said the czar would have “direct access” to him, but didn’t say how.  At best I think they’ll pass in the corridor.

This is no czar.  That’s literally the case, of course, because nobody has yet been hired for the job.  But it is also the case that the job will — as the NSC is organized — not have the power needed to do what must be done.  Czars are dictators; this guy can only recommend and even then he’ll be recommending to people who may not then bother to inform the President.

If the cyber warfare czar is, in fact, a czar, the first thing he or she should do is give himself or herself a promotion, which won’t happen.

In the meantime there are competing interests at the Department of Defense, the National Security Agency, the CIA, the Department of Homeland Security, the Department of Justice, and possibly elsewhere.  Each of these agencies is building its own cyber warfare capability, each with a different agenda both stated and real.  The stated agendas are to play either cyber defense or offense.  The actual agendas are to protect departmental turf from the new cyber warfare czar, to undermine him or her.

Let’s go back to Billy Mitchell for a moment and think about how the technology of aerial warfare came to be in his era.  Most of the military services developed their own air capability as lip service to the idea while actually protecting major — and antiquated — weapon systems.  The U.S. Navy bought some planes and built some aircraft carriers, but not at the expense of battleships.  Even when naval air power came to the fore during World War II it was almost an accident, since the only surviving capital ships in the Pacific after the attack on Pearl Harbor were aircraft carriers, the battleships having for the most part been destroyed.  So the Navy had to rely on air power since that’s the only power it still had.

They weren’t smart at all, just lucky.

It is rare in U.S. military history for a technological innovation to come down on our side.  That’s because as self-designated good guys we are generally playing defense and defense doesn’t usually get the cool new toys.  It’s only in the U.S. development of nuclear weapons that we got a jump on the rest of the world — a jump that put us firmly in control for half a century (now past).

We are woefully unprepared for cyber warfare mainly because the military doesn’t want to lose funding for its other weapons — weapons that are likely to be rendered unusable or, worse still, actually used against us in a cyber attack.

Yes, it is that bad.

The best position here is to make cyber warfare a real priority, give the cyber czar some actual authority, and have him or her report to the President.  Otherwise the lessons of Billy Mitchell will have been forgotten and our first cyber war could be our last.