Josh Corman (@joshcorman) asked if he could share an important piece of writing with our readership. As one of our few IT security philosophers, Josh almost always makes you think. His current bully pulpit is at The 451 Group as the Research Director for Enterprise Security leading a pretty atypical motley crew of anti-analysts with street cred. This may be his day job, but Josh has been on a personal mission for years to challenge and improve the way we approach security.
IT security has intensified and accelerated. The velocity of change has reached ludicrous speed: "we've gone plaid." I kid, but 2011's more than a breach-a-week and events on the street are becoming harder to follow or understand (and more disturbing with each turn). In my 7-minute speed talk at the 2011 RSA Conference, "Why Zombies Love PCI", I asserted that our myopic focus on highly replaceable card data came at the neglect of protecting what's in our brains (less replaceable intellectual property and corporate secrets). With security providers large (EMC/RSA losing some of SecurID) and small (HBGary Federal, Comodo Group, Barracuda) suffering public breaches, more than a few vendors wonder, "will we be next?"
Do you know how you would fare if your mail spool was posted to the Internet for all to see? Many Fortune 100 companies that conflated compliance with best practices for all security have now suffered public breaches of corporate secrets and intellectual property. As part of a series of 451 Group spotlights, I've introduced specific insights and lenses to help end users and vendors navigate these uncertain times.
In this piece, I focus on the overlooked class of chaotic actors. From the leaks of classified materials on WikiLeaks to the rise of the hacktivist group Anonymous to the toppling of Middle East regimes to the revelations of potentially unlawful and gray area activities from security vendors -- we're a long way from Kansas.
Effective discussions seem stymied by incomplete models of how to grapple with our cognitive dissonance as events unfold. Self-awareness and deliberate choices become paramount as one moves forward. What is your alignment? Of those who you hire? And of those vendors you depend on?
The age old Black Hat vs. White Hat (and Gray Hats)
IT security has tried to differentiate 'good guys' from 'bad guys' with the mantles of White Hats (fighting for good) and Black Hats (fighting for evil). While this nomenclature was marginally useful in changing the tone that not all 'hackers' and 'researchers' were bad, it was never this simple. Like most things, the world is full of shades of gray. With increased escalation in the number, sophistication and type of APTs or Adaptive Persistent Adversaries coming to light, these over-simplistic categorizations simply are not supportive enough of informed risk modeling and prioritization. Many of us struggle to come to grips with how to categorize groups like Anonymous, where to draw our bright lines as security vendors, or how to conduct ourselves as researchers in the industry. Confronted by such examples, the White Hat-Black Hat model is not sufficiently MECE (mutually exclusive, comprehensively exhaustive), and so we offer another way to look at the issue. I hope to drive more fruitful discussion, fewer snap judgements, next order questions and, as a consequence, more optimal outcomes.
A better model -- an alignment chart
When confronted by current events, it has been interesting to watch the debates over groups like WikiLeaks or the decentralized starfish (vs. spider) hacker group known as Anonymous. Many security professionals and citizens at large are conflicted. The over-simplistic notions of good and bad don't seem complete enough. Regardless of good or evil, the group was instinctually different than other actors, in that it was more chaotic. Dusting off the old alignment charts from Advanced Dungeons & Dragons (AD&D) proved to be an apt and useful device for the dialogue. If we introduce the additional continuum of "those seeking order" (Lawful) through "those seeking disorder" (Chaotic), the conversation advances. Below we can see the fuller three-by-three Punnett square, with which to discuss the various actors in the field of IT security.
Chaos vs. order
How do you see them? This is not meant to be a distinction without a difference. There are tactical and strategic implications of these different types of actors.
It is regrettable that the original AD&D folks used the word Lawful -- since this loaded term begs comparison to "the law" or laws of governments. Ignore that impulse. A more useful way to leverage this model is to think of those seeking order versus those seeking disorder. Immediately, we realized the more chaotic nature of those who liked Anonymous-like activity, and the more orderly nature of those who were uncomfortable with it. Some view Anonymous like a modern day Robin Hood -- as a force for good, working outside of the system on behalf of the people. Others see Anonymous as a dangerous and disconcerting development toward the Joker (a la "The Dark Knight") -- wreaking havoc, driving toward anarchy and doing irreparable damage.
Which type of adversary is easier/harder to combat?
Let's take evil for a moment. (NOTE: good and evil are often loaded terms, so please refrain from digressing into relativistic debate, at least for now.) Why would it matter if an evil adversary was lawful evil versus chaotic evil? Some argue the Russian Business Network is a form of organized crime and therefore lawful evil. Others have argued the Chinese Military and Espionage campaigns are also lawful evil. In both cases, there is an organizational structure, a chain of command and an operational framework. When military and private 'cyber warriors' are seeking forensic evidence and attribution, one reason is so they can leverage the knowledge of which adversary they are engaging. Such knowledge can assist in the chess match and inform the OODA Loop -- narrowing options from all to likely -- and so forth. Actors within such a lawful camp are likely to act within at least semi-consistent boundaries.
Conversely, chaotic individuals or loose collectives are likely to be less structured, less organized and less bound. Depending on where they land on the continuum, lasting formal structures may be anathema to them. Strategic constraint may also be less likely. Team-ups may be more ad hoc and more like flash mobs. Depending upon the ideological constitution and maturity of chaotic actors, activities may be more erratic and be taken further than expected. Coming back for a moment to the example of the Joker, a defining characteristic was his deliberate lack of 'the plan,' making it incredibly difficult for the police, the mob or the Batman to know how to deal with him. As Michael Caine's character put it so well:
Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.
It was these more openly chaotic expressions and instances that provoked the most concern of late. In some ways, these flash mobs could do more damage (or have greater impact) than more lawful adversaries. Financially driven criminals know not to threaten the revenue streams. Nation states may plan more in their execution and/or seek to avoid attention. A truly wild dog (and points in between) may be more brazen, more emboldened over time, more reckless, more capricious, more unrestrained, and therefore more dangerous. For example, in the attacks on HBGary Federal and its then-CEO Aaron Barr, Anonymous proved to be more ruthless, intense and extensive in its punishment than many of us in the industry had seen before.
Loose collectives may operate more like starfish cells than like crime families. A mob can be taken down, but an ideological movement might live forever. This isn't meant to suggest that centralized/decentralized organizational models are isolated to one camp or the other, but it seems thus far that the chaotic end is more starfish than spider. However, this also means chaotic adversaries may disband, splinter or move on -- whereas lawful evil adversaries may be more longstanding. Hopefully, you can see how this attribute can open up the field of understanding and discussion.
Nosce te ipsum
Know thyself? (Which are you? Both as an individual -- and as a security professional or vendor?) Many security professionals qualified their answers with things like: "I used to be an XY early in my career, but I've put that behind me and am trending more YY these days." More than a few said something like "There is still a 17-year-old anarchist in me that wants to join Anonymous, but on the whole, I see them as a dangerous, criminal menace." What is less interesting is the individual judgments. What is more interesting is the cognitive dissonance toward many of these recent public developments. There is evidence that security vendors may be migrating into darker and less 'lawful' places (literally and figuratively). Such an alignment chart may be more timely than we realize. As one CSO said to me, "Don't forget, how you place yourself on this alignment chart may be less important (or accurate) than how others place you. Worse, how will the media or the court of public opinion see you?" Do you know where you stand?
The 'Three Ps' and beyond
There are many other factors, like sophistication, intensity, maturity and an increasing number of adversary motives. In 2004, I suggested we were leaving the era of glory- and ego-based adversaries (or Prestige) for an era of three Ps: Profit, Politics and Prestige. While everyone seemed to understand the shift to profit, very few understood what I meant by the political motives. Now technology growth and automation at Moore's Law is increasingly fueled by ideological motives. "The Personal Power Curve" is allowing a few to asymmetrically affect global events. While this has been demonstrated to enable rapid destabilization, are we sure the inverse is possible?
Technology is a powerful double-edged sword, which may help liberate oppressed peoples when wielded for good, and destroy individuals, corporations and order when wielded by others. What let many of us sleep at night was the belief that no one would be shortsighted or reckless enough to take things too far. The more we see the rise of chaotic actors and alternative motivations, can we be so certain that we're not one or two ideologically driven misanthropes away from some very bad places? It is time to challenge past assumptions about what adversaries, allies, and even employees wouldn't do.