Previous month:
April 2013
Next month:
June 2013

May 2013

Stop Saying Cybersecurity When You Mean Infosec (and vice-versa)

There is perhaps no term more overhyped, overused, overloaded and misunderstood in infosec and politics today than cybersecurity. Infosec and cybersecurity are often used interchangeably, and recent tweet thread begun by Chris Wysopal (@WeldPond) convinces me that each time we treat these as the same, we're conflating issues, and that there is considerable value in distinguishing one from the other.


In the thread, Chris Wysopal begins the thread by lamenting yet another plan to protect critical infrastructure, this time involving the use of secret IPS. He takes issue with the implication that the US can either secure the infrastructure or  fix actual security defects, but not both. Chris believes, as I do, that we must protect the infrastructure, but in doing so we must not make the infrastructure brittle.

Why? Because Internet-based infrastructures must always strive to be resilient and adaptive, not brittle. As Chris explained, we want both protection and resiliency, and (implicitly) there's no need to sacrifice the latter for the former.

As the conversation unfolded, I commented that the term protection is as overloaded as cybersecurity. Cybersecurity plans of the sort Chris refers to often create opportunities to implement surveillance, offensive or retaliatory capabilities. This military-minded thinking is pervasive when cybersecurity is mentioned.

While we may need to have national security dialogs of the "we need advanced, persistent surveillance to eliminate the advanced persistent threat" kind, these are fundamentally different from dialogs of the kind "we need to improve how we develop software, how we configure systems, or how we manage mobile devices so that they are resistant to attack". Dialogs of these latter kinds are better discussed in the contexts of national health and wellness than national security.

The dichotomy - security as a military doctrine versus security as health care (wellness and hygiene) -  is often blurred to indistinction because the knowledge base, tools, and expertise that we use to fight crime, terror, and wage war overlap with those used to improve health. The practices, however, are dissimilar in at least one critically important respect: the former is one element of a broad national security strategy while the latter seeks to fix actual security defects and is more accurately, global in scope.

In meatspace, we generally have no problem appreciating that a laser can be used to guide missile systems and that a laser can alternatively be used to perform precise surgery. The notion of prepending cyber to both use cases seems preposterous. Chris Wysopal's example - bioweapon research funded distinctly from vaccine research - similarly illustrates that we are capable of compartmentalizing military from medical research in funding, policy and practice.

Let's do the same with security in cyberspace. Label as infosec activities that seek to fix actual security defects (i.e., cure, manage or improve health). This would include categories like secure code development, best practices and technology to identify or mitigage suboptimal (vulnerable) configuration, SIEM, identity and data/privacy protection. Label as cybersecurity activities that are offensive, reliatory or surveillance (military intelligence).   

The United States and other countries are struggling to enact comprehensive cybersecurity legislation. When SOPA, CISPA, and similar legislations are proposed throughout the world, they encounter strong opposition to language that sacrifices or violates (Constitutional) rights in favor of making a nation more secure, in part because politicians are choosing national security at the expense of national (global) health for the cyber world. Honestly, would comprehensive legislation of this kind play out any differently in a meatspace scenario; for example, if legislators were to propose a bill that perimitted gun club owners (or bank presidents) to forego subpoenas and share the contents of a member's locker (safe deposit box) "voluntarily"? 

Rather than comprehensive legislation, perhaps it's time to consider legislation that is incremental, granular in scope, and that focuses either on matters of national security or on fixing actual security defects. Cybersecurity legislation can tag along with meatspace military legislation. Develop Internet health and wellness legislation, i.e., bills that seek to fix actual security defects, separately. Not only  might these encounter less opposition, but such legislation might also have the collateral benefit of protecting critical infrastructures. 

In case it is not obvious, the opinions in this post are mine and I've extrapolated or speculated based on Chris Wysopal's tweets. 


Brian Krebs recently wrote articles about a disturbing trend: legitimized Denial of Service. The first story, DDoS Services Advertise Openly, Take PayPal,  exposes the emerging industry. The second story, Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?, relates an interview with Justin Poland, who admits to operating this DDoS Service and who claims that the site "includes a hidden backdoor that lets the FBI monitor customer activity." (This admission, if corroborated, partly answers my question, "if denials of service are not illegal, then why the hell not!")

I read Brian's articles, then found a referrral article at Sophos, DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney. Running a business based on disrupting other businesses is anethema to me, but for whatever reason, the image of  "a guy with an attorney" gnawed at my imagination and I could not help but construct and post a DDoS joke to Twitter.  Transcribing it here:

A guy with an attorney DDoSs a bar.

The bartender asks "Is this legal?"

Guy says "Pour me a beer and I'll tell you".

Bartender replies "I reserve the right to deny you service."

Attorney says "Are you one of my clients?"

It was either this or return to bed sobbing...