michaeltanji
Contributor

Cyberwar: Silicon Valley’s new bright, shiny thing

Opinion
May 02, 2018 | 5 mins
Cyberattacks, Cybercrime, Data and Information Security

Tech companies are hoping you forget history and ignore their culpability.

The Cybersecurity Tech Accord is the latest public relations effort by the private sector to show that they’re serious about making cyberspace a safer and more secure environment.

For real this time.

The accord comes on the heels of Google employees demanding that their company not be “in the business of war,” and earlier statements by the president of Microsoft calling for a digital Geneva Convention. In the immortal words of the bard: it is a tale of sound and fury, signifying nothing.

Between citrus and cyberwar

Silicon Valley is only the place it is today because of war, both hot and cold. It is easy to forget that the place now building Uber for dirty underwear and streaming video of other people playing video games was also the home of Liberty Ships, the Polaris missile, and the armored personnel carrier, among other martial technologies. Defense contracts funded early tech companies, including one of the biggest defense contractors in the world. Palantir, which made Total Information Awareness a reality, is a child of the valley. Like it or not, the valley has played a key role in our nation’s ability to wage war since before transistors replaced fruit trees.

Perpetuating legacy futures

Good wishes and aspirations captured on paper aren’t going to lead to progress. The tech accord is yet another attempt by people trained to think and act in the approved way to force legacy futures on a world that does not fit the old models. We have an actual Geneva convention that gets violated all the time. More countries have nuclear weapons today than had them before the non-proliferation treaty was in effect. Systems and methods built to deal with physical weapons will not work when applied to code, but it is far easier to go with what you know, regardless of whether that will get us where we want to be, or if it even makes sense.

The distraction

The most amusing part of this entire exercise is the idea that the signatories are going to do anything of substance to bring about change. What are these firms pledging to do?

  • Mount a stronger defense against cyberattacks. An admirable goal. Should we start with hardening your source code? What is the backlog of reported bugs for Windows, Oracle, Cisco, anyway?
  • Not help governments launch cyberattacks. A useless gesture, considering the decision to launch cyberattacks is entirely in governmental hands. No corporate assistance or approval needed.
  • Do more to…improve developer and user ability to protect themselves. The NSA just released Unfetter for public use: what are the signatories offering the world that doesn’t come with licensing and maintenance fees?
  • Build on existing relationships and establish new…partnerships with industry, civil society and security researchers. We know what major tech companies think of researchers, and we already have InfraGard, ISACs, ISAOs, and things like the Cyber Threat Alliance. If everyone is at a meeting, who is doing what needs to be done?

When given the opportunity to reduce the risk of cyberattacks, most companies balk. The cybersecurity community makes a big deal out of the NSA losing some of its offensive tools, and rightfully so, but Microsoft would rather you forget that when their database of Windows bugs was hacked, timely disclosure wasn’t on the to-do list. The anti-virus industry, which loves to tout their ability to combat APT, would prefer you never hear that they helped fertilize those very threat actors.

There is cyberwar because of Windows. There are targeting packages because of Facebook and LinkedIn. There are pathways into targets (and targets themselves) because of Cisco and Juniper. The best way these firms – all signatories to the Accord – can help defend cyberspace is to not make facilitating offense a feature.

All thrust, no vector

We all want to do something to improve the state of cybersecurity, but at what point do we stop being Heracles and start being Sisyphus? The amount and type of bad things that are happening in cyberspace on a regular basis is only growing in scope and scale, but there is no corresponding public outcry to do anything about it. You can’t get people to do the minimum it takes to influence policy after children are massacred in real life: do you think people are willing to do more or less when it comes to malicious activity online?

We know what to do to counter threats, block attack vectors, and mitigate risk. We’ve known for decades. Every time we look at the problems we come up with the same solutions because the people responsible for the problems aren’t responding at scale and in a meaningful timeframe. Governments are only warring online because industry has built the environment for and provided the tools to wage it. Saying you’re against such activities absent some serious self-reflection is self-delusion.

Accords and declarations and proclamations make people feel good, but they’re aimless motion, not forward progress. They’re what you do in the hopes that, if things get bad enough, the powers that be – under the guise of leadership – will call on you to implement your politically familiar and acceptable solution. But until that day comes, what are you doing to make a difference now?

Michael Tanji currently serves as Chief Operating Officer of Senrio, an IoT security start-up. He was co-founder and Chief Security Officer at Kyrus Tech, a computer security services company, one of the co-founders of the original Carbon Black, and the former CEO of Syndis.

Michael began his career as a member of the U.S. Army’s Military Intelligence Corps, working in a number of positions of increasing responsibility in signals intelligence, computer security and information security. He is a veteran of Operation Desert Storm and was stationed in various locations in the U.S. and overseas.

After leaving active duty Michael worked as a civilian for the U.S. Army’s Intelligence and Security Command, leading a team of analysts and programmers supporting intelligence missions in the Pacific theater. His service with INSCOM culminated as the Technical Director of the J6 in his command, responsible for evaluating, acquiring and deploying information technology in support of intelligence collection and analysis missions.

Michael left INSCOM to join the Defense Intelligence Agency, where he deployed in a counterintelligence/human intelligence role in support of Operation Allied Force. He later served as the lead of the Defense Indications and Warning System, Computer Network Operations, responsible for providing strategic warning of cyber threats to the DOD. He was one of the handful of intelligence officers selected by-name to provide intelligence support to the Joint Task Force – Computer Network Defense, the predecessor to what would eventually become U.S. Cyber Command. His expertise led to his selection as his agency’s representative to numerous joint-, inter-agency, and international efforts to deal with cyber security issues, including projects for the National Intelligence Council, National Security Council, and NATO. After September 11, 2001 Michael created the DOD’s first computer forensics and intelligence fusion team, which produced the first intelligence assessments based on computer-derived intelligence from the early days of the war on terror.

After leaving government service in 2005 Michael worked in various computer security and intelligence roles in private industry. He spent several years as an adjunct lecturer at the George Washington University and was a Claremont Institute Lincoln Fellow.

Michael is the editor of and a contributor to Threats in the Age of Obama, a compendium of articles on wide-ranging national and international security issues. He has been interviewed by radio and print media on his experiences and expertise on security and intelligence issues, and had articles, interviews, and op-eds published in Tablet Magazine, Weekly Standard, INFOSEC Institute, SC Magazine and others.

Michael was awarded a bachelor’s degree in computer science from Hawaii Pacific University, a master’s degree in computer fraud and forensics from George Washington University, and earned the CISSP credential in 1999.

The opinions expressed in this blog are those of Michael Tanji and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.