Monday, November 7, 2011

Why DARPA Is Clueless About Securing Cyberspace

If DARPA's Director Regina Dugan hadn't already admitted that the agency is clueless about how to secure cyberspace, the choice of Richard Clarke as a speaker certainly made that clear. Of all the experts out there, Mr. Clarke has provided some of the worst advice that I've ever heard when it comes to specific cyber-based threats and remediations.

Director Dugan won't find a solution to her problem by speaking to more of the same people that the agency always speaks with. Einstein's oft-repeated definition of insanity is doing the same thing over and over again and expecting different results. The director should stop speaking to hackers, crackers, grey hats, black hats, white hats, and the cyber industrial complex in general. DARPA has done that for years without success. If the director wants a different result, she needs to approach the problem in a completely different way. In fact, I recommend that this problem be completely re-framed. Just like money problems are never about money, and obesity problems are never about food (they both stem from negative belief systems that we've learned as children and reinforced as adults), protecting data is not about cyber security. It's about understanding how we take care of our valuable possessions in the physical world and transferring that understanding to comparable models in the virtual world.

Instead of inviting hackers, Director Dugan should invite experts in personal security like Gavin De Becker or my friend Roderick Jones who understand how to protect high value individuals against multiple unknown attackers. She should invite farmers who have to defend their crops against an unpredictable weather system. Or corner a few MDs at the Centers for Disease Control to learn how virulent bacteria consistently beat the body's immune system. The bottom line here is that we must MUST find a way to break free of the grip that the information security industry has on all things cyber because it is a failure from top to bottom.

I doubt that anyone from DARPA will take this post to heart but I'm convinced that it's the right way to proceed. We're planning a second Suits and Spooks conference for Washington DC this Spring. Perhaps that will be the time to bring farmers, doctors, and personal security specialists together to find some common sense solutions and apply an entirely different mindset to the current cyber-security insanity.


  1. You're going in *exactly* the wrong direction here: "It's about understanding how we take care of our valuable possessions in the physical world and transferring that understanding to comparable models in the virtual world."

    We're doing this right now:
    + firewall - barricade
    + IDS - well, intrusion detection systems
    + honeypots - fake jewels
    + regular patching - immunization/booster shots
    + encryption - hot wax/ciphers
    etc etc.

    Continuing to try to apply flesh and bones defensive concepts will only continue to result in measures which do more to make us feel safe than they do to actually provide security. Whether people like it or not, the networked cyber-world is significantly different than our physical world. Defensive strategies developed for the physical world can only apply in situations where the two worlds are the same. That's not nearly as often as most people would like.

    You don't stop seeing doctors because one of them's a complete idiot, you don't destroy all your crops because one farmer failed to defend his, and you don't reject all of modern physics because they failed to predict the latest quantum-insanity properly.

    With all that said, there are vastly more quack "cyber security experts" than there are individuals who actually understand that world. Thus, what I would recommend DARPA et al focus on is not "finding some other kind of expert" but rather finding an actual cyber security expert in the first place.

  2. Thanks for the comment, Rob, however the examples which you provided are examples of failed cybersecurity processes. None of them relate to what I tried to convey in my post: that the present cybersecurity model is hopelessly flawed; that cyberspace is intrinsically tied to physical space; and that we need to start talking to people with completely different but relatable skill sets in physical space in the hope of finding inspiration for a new security model that can transfer over. Or as an InfoSec Twitter friend named it, an "integrated multi-disciplinary approach".

  3. An "integrated multi-disciplinary approach" sounds way too much like "quick! Throw spheres on that venn diagram - we've got to cover this cyber-thing!"

    Different points of view are valuable and can be incredibly helpful. However, you can no more expect a farmer, doctor, sailor, ship-builder, and hunter team to come up with Intel's next chipset than you can expect the same group to come up with a valuable cyber-defense strategy. That team can add value by chatting with Intel's engineers and suggesting enough oddly useless stuff that a piece of it triggers a new approach in one of the engineers' minds. But what's lacking right now is the equivalent of Intel's team of engineers, not the multiple viewpoints.

    As a somewhat related aside, thoughts that cyberspace is intrinsically tied to physical space are inaccurate at best. Before you answer with talk of servers and such, think on two things: quantum entanglement, and the fact that you can go and "get" a file which does not exist anywhere except on your hard drive after you've "gotten" it.

  4. A trans-disciplinary approach rather than a multi-disciplinary one, as you mentioned on this blog a few months ago. It is possible for something real (i) to exist in the cyber world even though the square root of -1 is not real in the material world. I have been thinking about it for several years. Trust must be invented in cyberspace. But do states really need it? Every state wants to control something (in the West, it is property of any kind; in the East, it is ideological information). But the reverse can be true too. Can you imagine, for example, a situation where the Iranian government helped or initiated a new OWS movement in the US, like the US did in the Green Revolution in 2007? There is a new non-governmental force in the world, too: the force of the people. Soft or smart power is not US property. Information can be monitored effectively, and it will be, but ideas are much harder to control. One day machines will produce all software and protocols and there will not be malicious code like now, but what about thoughts, dissatisfaction or anger?

  5. Thanks for the comment, Dragan. The human factor has been the hardest one to calculate for and I don't see that changing. However that's what makes working on hard challenges so rewarding. :-)

  6. I've had similar thoughts on interdisciplinary approaches to the problem for quite some time now. That is why I am trying to develop SNA skills and I have returned to studying Wiener's Cybernetics and Turchin's "The Phenomenon Of Science". Maybe a cybernetic approach will help, especially decision makers. And if we Google (and read) "How Complex Systems Fail" we will find out that it was written by an MD. We try to build, operate, secure and defend complex systems. We must understand how they fail.

  7. Great point about the authorship of "How Complex Systems Fail"! Thanks for adding to the post, Adam.

  8. I don't want to be dull, but this talk here is interesting. Socio-technical systems are even more complex than social systems. They cannot be maintained if we are not able to make an appropriate mathematical (technical) model. This is why we must use some kind of reductionism. And there is a catch, because it is almost impossible. Who can predict human behavior? So we need to reduce principles, not processes. How? The Russian TRIZ (or TIPS, Theory of Inventive Problem Solving) may be a good example. Another question is what you want to achieve. If DARPA announces that it does not know how to do something, it doesn't mean it really does not know, because of its budget. We know only that the human ecosystem on Earth is developing more and faster, not how to predict it. Commentators from the USA often make a big mistake. The US usually does not defend itself but goes on the offense against others. Be honest: N. Korea, Libya, Syria, Afghanistan, Iraq, Anonymous??!, even Iran, China, Russia are not real national threats to the USA. The reverse is not true. Can we seriously talk about a cyber struggle between the USA and N. Korea? I was wondering whether it is possible to read Mr. Clarke's book example of how Akamai defended the White House site from a N. Korean attack and call that a cyber attack!? (If so, look at the CIA Fact Book on Korean cyber capacity.) So we can talk seriously only about global security, how to preserve the Internet, or how to achieve US military goals against the rest of the world. Look in history at what destroyed all former empires: lack of technology or social reasons? The world needs a new conflict approach which can manage highly asymmetric warfare (one nuke is as dangerous as a thousand, one virus is as dangerous as many, one good cyber attack is as effective as a million).
    (I am sorry for my bad English.)

  9. Interesting and great insights. A problem with talking with the usual tech folks is spiraling into a path, always seeing problems, not seeing real breakthroughs or new paths.

    While I like the talk-with-hackers approach (maybe because I am somewhere in the hacker communities), a big problem is the limited scope of hackers in the conversations. It appears rather limited. Of course, the hackers are the ones willing to talk with the industry and the Feds. Many aren't, for a wide assortment of reasons. Also, the conversation with the suits, I perceive, alters what's said by some hackers. Part of the human factors affecting communications across groups, especially when one of the groups includes governmental authorities.

  10. I am glad that the post included a suggestion to get medical and microbiology specialists in the security discussions.

    Yes, microbes have fascinating defences and means of adapting to new threats, including antibiotics. Bacteria also have means of sharing their "lessons learned" via plasmid transfer. At the same time, organisms that can be affected by microbes develop their defences. Interesting thing about all this is that rarely one side totally wipes out the other. Bacterial impact upon behaviours, bioregulators, etc. Fascinating stuff that many people in the technology fields may miss.

  11. Jonathan, thanks for your comments. Can you think of anyone in the medical field whose research revolutionized the way that we treat illnesses (someone current)?