Americas

  • United States

Asia

Oceania

michaeltanji
Contributor

The global ungoverned area

Opinion
Feb 09, 20185 mins
CyberattacksData and Information SecurityGovernment

Looking at the Internet through Westphalian-tinted glasses is not going to make us safer or more secure.

vulnerable security breach innocent attacked
Credit: Thinkstock

There are places on this planet where good, civilized people simply do not voluntarily go, or willingly stay. What elected governments do in safer and more developed parts of the world are carried out in these areas by despots and militias, often at terrible cost to those who have nowhere else to go and no means to go if they did.

Life online is not unlike life in these ungoverned areas: anyone with the skill and the will is a potential warlord governing their own illicit enterprise, basking in the spoils garnered from the misery of a mass of unfortunates. Who is to stop them? A relative handful of government entities, each with competing agendas, varying levels of knowledge, skills, and resources, none of whom can move fast enough, far enough, or with enough vigor to respond in-kind.

Reaping the whirlwind of apathy

Outside of the government, computer security is rarely something anyone asks for except in certain edge cases. Security is a burden, a cost center. Consumers want functionality. Functionality always trumps security. So much so that most people do not seem to care if security fails. People want an effective solution to their problem. If it happens to also not leak personal or financial data like a sieve, great, but neither is it a deal-breaker.

At the start of the PC age we couldn’t wait to put a computer on every desk. With the advent of the World Wide Web, we rushed headlong into putting anything and everything online. Today online you can play the most trivial game or fulfill your basic needs of food, shelter, and clothing, all at the push of a button. The down side to cyber-ing everything without adequate consideration to security? Epic security failures of all sorts.

Now we stand at the dawn of the age of the Internet of Things. Computers have gone from desktops to laptops to handhelds to wearables and now implantables. And again we can’t wait to employ technology, we also can’t be bothered to secure it.

How things are done

What is our response? Laws and treaties, or at least proposals for same, that decant old approaches into new digital bottles. We decided drugs and poverty were bad, so we declared “war” on them, with dismal results. This sort of thinking is how we get the Wassenaar Agreement applied to cybersecurity: because that’s what people who mean well and are trained in “how things are done” do. But there are a couple of problems with treating cyberspace like 17th century Europe:

  • Even when most people agree on most things, it only takes one issue to bring the whole thing crashing down.
  • The most well-intentioned efforts to deter bad behavior are useless if you cannot enforce the rules, and given the rate at which we incarcerate bad guys it is clear we cannot enforce the rules in any meaningful way at a scale that matters.
  • While all the diplomats of all the governments of the world may agree to follow certain rules, the world’s intelligence organs will continue to use all the tools at their disposal to accomplish their missions, and that includes cyber ones.

This is not to say that such efforts are entirely useless (if you happen to arrest someone you want to have a lot of books to throw at them), just that the level of effort put forth is disproportionate to the impact that it will have on life online. Who is invited to these sorts of discussions? Governments. Who causes the most trouble online? Non-state actors.

Roads less traveled

I am not entirely dismissive of political-diplomatic efforts to improve the security and safety of cyberspace, merely unenthusiastic. Just because “that’s how things are done” doesn’t mean that’s what’s going to get us where we need to be. What it shows is inflexible thinking, and an unwillingness to accept reality. If we’re going to expend time and energy on efforts to civilize cyberspace, let’s do things that might actually work in our lifetimes.

  • Practical diplomacy. We’re never going to get every nation on the same page. Not even for something as heinous as child porn. This means bilateral agreements. Yes, it is more work to both close and manage such agreement, but it beats hoping for some “universal” agreement on norms that will never come.
  • Soft(er) power. No one wants another 9/11, but what we put in place to reduce that risk, isn’t The private enterprises that supply us with the Internet – and computer technology in general – will fight regulation, but they will respond to economic incentives.
  • The human factor. It’s rare to see trash along a highway median, and our rivers don’t catch fire Why? In large part because of the crying Indian. A concerted effort to change public opinion can in fact change behavior (and let’s face it: people are the root of the problem).

Every week a new breach, a new “wake-up call,” yet there is simply not sufficient demand for a safer and more secure cyberspace. The impact of malicious activity online is greater than zero, but not catastrophic, which makes pursuing grandiose solutions a waste of cycles that could be put to better use achieving incremental gains (see ‘boil the ocean’).

Once we started selling pet food and porn online, it stopped being the “information superhighway” and became a demolition derby track. The sooner we recognize it for what it is the sooner we can start to come up with ideas and courses of action more likely to be effective.

michaeltanji
Contributor

Michael Tanji currently serves as Chief Operating Officer of Senrio, an IoT security start-up. He was co-founder and Chief Security Officer at Kyrus Tech, a computer security services company, one of the co-founders of the original Carbon Black, and the former CEO of Syndis.

Michael began his career as a member of the U.S. Army’s Military Intelligence Corps, working in a number of positions of increasing responsibility in signals intelligence, computer security and information security. He is a veteran of Operation Desert Storm and was stationed in various locations in the U.S. and overseas.

After leaving active duty Michael worked as a civilian for the U.S. Army’s Intelligence and Security Command, leading a team of analysts and programmers supporting intelligence missions in the Pacific theater. His service with INSCOM culminated as the Technical Director of the J6 in his command, responsible for evaluating, acquiring and deploying information technology in support of intelligence collection and analysis missions.

Michael left INSCOM to join the Defense Intelligence Agency, where he deployed in a counterintelligence/human intelligence role in support of Operation Allied Force. He later served as the lead of the Defense Indications and Warning System, Computer Network Operations, responsible for providing strategic warning of cyber threats to the DOD. He was one of the handful of intelligence officers selected by-name to provide intelligence support to the Joint Task Force – Computer Network Defense, the predecessor to what would eventually become U.S. Cyber Command. His expertise led to his selection as his agency’s representative to numerous joint-, inter-agency, and international efforts to deal with cyber security issues, including projects for the National Intelligence Council, National Security Council, and NATO. After September 11, 2001 Michael created the DOD’s first computer forensics and intelligence fusion team, which produced the first intelligence assessments based on computer-derived intelligence from the early days of the war on terror.

After leaving government service in 2005 Michael worked in various computer security and intelligence roles in private industry. He spent several years as an adjunct lecturer at the George Washington University and was a Claremont Institute Lincoln Fellow.

Michael is the editor of and a contributor to Threats in the Age of Obama, a compendium of articles on wide-ranging national and international security issues. He has been interviewed by radio and print media on his experiences and expertise on security and intelligence issues, and had articles, interviews, and op-eds published in Tablet Magazine, Weekly Standard, INFOSEC Institute, SC Magazine and others.

Michael was awarded a bachelor’s degree in computer science from Hawaii Pacific University, a master’s degree in computer fraud and forensics from George Washington University, and earned the CISSP credential in 1999.

The opinions expressed in this blog are those of Michael Tanji and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.