My Expensive "Expert" Advice for the U.K. Government On Cyber Warfare

I was going to name this post "My Free 'Expert' Advice ..." but we all know that free advice is ignored, so once I hit the 'publish' key on this blog, I'll send an invoice to 10 Downing Street requesting payment. I'll make sure that the invoice is in 7 figures since they're obviously quite willing to throw extravagant amounts of money at companies with the word "expert" in their marketing materials (hence my use of the word "expert" in the title).

The reality is that there are no experts in this field. I wrote a well-received book on the subject, have spoken at dozens of conferences, had papers published, regularly consult for U.S. and foreign government agencies, and have engaged in incident response for very large corporations, and I don't call myself an expert. In fact, authentic experts never bestow that title on themselves. If it's used at all, it's given to them by others who have experienced their work first-hand. I know many people who I would call experts in different fields but none in the area of cyber warfare. The field is too new, too undefined and we're all still finding our way.

The British government appears to have bought into the marketing materials of prime contractors like Lockheed Martin, BAE, Raytheon, General Dynamics, RSA, McAfee, Mantech and who knows who else. Big mistake. They not only cannot protect the British government, they've been unable to protect the U.S. government. The director of the NSA along with the director of DARPA have both admitted that the current security framework we use is broken. Who implements that framework? Prime contractors like the ones I mentioned above and their sub-contractors, with some help from government employees.

So here's my "expensive expert advice" for whoever is in charge of the British government's purse strings:

  1. You can't keep China, Russia, France, or any other State out of your network. They're already there and they aren't leaving.
  2. You can't secure what you don't own, so if you want to secure your power grid, buy it back from the Chinese company that owns it.
  3. If anyone tells you that they can do 1 or 2 above, grab your checkbook and run the other way.
  4. While you can't keep bad guys out, you can raise the cost to mount a successful attack. Or: you don't have to outrun the bear, you just have to outrun the other countries who are being chased by that bear (or dragon).
  5. While you can't keep a dedicated adversary out of your network, you can keep your data from leaving. That's in large part where you need to focus your resources and where you'll get the best return-on-investment.
  6. You have serious supply chain problems and need to start testing firmware updates for backdoors on all those servers that you own which were made in China.
  7. You have serious software issues and need to investigate any code written by Russian firms for backdoors.
  8. Cancel your contracts with Chinese telecommunications companies if they are providing products that would give them access to sensitive data.

My bill is in the mail.
