Defense _is_ sexy

Violet Blue begins a post reviewing a recent RAND study: Cyber-defense must change course, or else, with an apt summary of the report:

Defense isn't sexy.  We mythologize being the hacker, not the hacked.

The RAND study depicts network and system defenders as a hapless, hopeless, dispirited, confused lot. Defenders, it seems, have accepted the sum of disparaging or condemning remarks from journalists to bureaucrats and even their purportedly security practitioner peers and have raised the white flag.

Steve Werby (@stevewerby), Jerry Gamblin (@jgamblin) and I discussed this lamentable state of affairs in a thread on Twitter this morning. Jerry aptly summarized our shared perspective:

DefenseplayedwellPeople who say defense isn't sexy are not playing it correctly 

I'm not questioning Rand's results. Given the carnage we've witnessed, the smell of defeat is palpable.  Steve, Jerry, and I are more interested both motivating deflated defenders and debunking the myth that defense isn't sexy.

We're using the wrong analogs. We're living in the past, describing defense in what is not only antiquated language but misguiding and constraining imagery as well. I'm as guilty as anyone, having used castles and the Maginot Line as analogs when describing firewalls or defense in depth.

"It should & can be sexy if we change how it's done"

Steve Werby  instigated a discussion about change. We've traditionally characterized defense using military terms and static defenses. While useful at the time, these terms put us in a Helm's Deep mindset: standing on the parapets waiting for the Urukai onslaught and inevitable defeat. It's time to modernize analogs. 

Defend with an attitude

Organizations who have had their ineffective defenses overrun make headlines. Organizations that, as Jerry says, "play defense correctly", don't make headlines. They defend with a "Not in my house" attitude. They're confident but not arrogant. 

Roll your eyes all you wish, but let's experiment with sports analogs to give defenders a more positive outlook. Werby laments that "The state of our analogies are so bad that almost anything is better." He's right.

It's time to bolster defenders' attitudes by making defense Sexy. Virile. Spirited. Indomitable. 

Defense in depth? Perimeter defense? Out. Hereafter, convince your defenders to play shot-blocking, ball-trapping, in-your-face-man-to-man, grind-you-down-I-own-you defense. If you prefer football analog, forego the zone, play man up gang-tackling, blitz-your-brains-out D. 

You want better security? Replace what Rand tells us is a culture of "awaiting annihilation" with a culture of relentless pursuit. It's long overdue. If your defenders aren't up to the task, find or make defenders who hate losing, hate being embarrassed by unskilled little shites who've downloaded or purchased an attack tool, criminal conspirators or state actors. Gather your defenders and quote from the 1976 movie, Network: "I'm as mad as hell and I'm not going to take this anymore!" 

A Hacker Personality Quadrant

Science Daily reports that associate professor Kevin Steinmetz of Kansas State University has published a research article in which he attempts to answer the questions: "What is a hacker and what does it mean to hack?" According to Science Daily, Steinmetz, who conducted an ethnographic study to find his answer, "Hacking is a late-modern transgressive craft."

This characterization reinforces the current and dominantly held definition of hacker. Steinmetz's might be an appropriate characterization for the purposes of criminology; however, characterizing all hacking as transgressive is incorrect. My observations after more than 40 years of working with hacking nee software development nee computer programming lead me to a different assertion, one I first attempted to describe an article, Security Hats: black or white, there is no grayscale:

All of the activities Steinmetz attributes are as readily applied to ethical hacking as transgressional.

The populist views of hacking - from pimply little social misfits who live in garages or basements and wreck havoc on governments or corporations for notoriety's sake, to Bondesque evil geniuses - portray only one segment of the hacker population. Another is recorded in Brian Harvey's, What is a Hacker?, where he describes hackers as asethete hobbyists. Harvey explores both hacker aesthetic and ethic and asserts, "To embrace the aesthetic life is not to embrace evil; hackers need not be enemies of society". 

Let's review how Steinmetz compares hacking to craftwork. He uses eight analogs:

  1. A particular mentality
  2. An emphasis on skill
  3. A sense of ownership over tools and objects of labor
  4. Guild-like social and learning structures
  5. A deep sense of commitment.
  6. An emphasis on process over result
  7. A common phenomenological experience
  8. Tendencies toward transgression

Let's juxtapose several of Steinmetz' transgressional craftsman's characteristics against Harvey's ethical hacker. For this, I'm primarily using the characteristics I see among information security, security operations, and security research colleagues for comparison against the criminal characteristics I come to understand from my work with security communities.

A particular mentality. In my experience, the transgressional hacker is biased towards notoriety, self-interest or financial reward: some hackers may be transgressors because they hack to protest suppression of rights and their activities violate laws. The ethical hacker is biased towards fun, innovation, satisfaction. Where transgressional hackers may work grudgingly with others or by necessity, ethical hackers often seek others (particularly to share information) and work well in groups or teams. 

A sense of ownership over tools and objects of labor. The nature and character of underground markets for trading tools and objects of labor supports Steinmetz' notion that transgressional hackers are possessive. But some protest- or resistance transgressors share their hacks, and ethical hackers are more generous: security or investigative software or web portals are quite commonly made available as open source, or free of charge, by individuals and security companies with commercial interest. 

Guild-like social and learning structures. In my experience, criminal-transgressional hackers are not guild-like in the truest definition of guild, but rather a collection of conspirators. Ethical hackers are more characteristically guild-like, especially where such communities not only expect mutual respect and common purpose but require members to be vetted and adhere to strict acceptable use practices.

A deep sense of commitment. It's arguable that both transgressional and ethical hackers can be deeply committed, at the very least, the most talented hackers are aesthetes.

HackerpersonalityquadrantBased on these juxtapositions, I would alternatively propose to depict hackers along two axes: transgressional versus moral and public, and interest versus self-beneficial. For my purposes, public interest encompasses principles of "do no harm", "common good", and protest or "(civil) disobedience". Self-beneficial encompasses notoriety or financial gain, personal or corporately commercial.

In the figure to the right, I place a sampling of "guilds" in these quadrants, one man's attempt to fold aesthetic and ethic into the study.

Does this depict what a hacker is and what does it mean to hack more correctly than Steinmetz? 

Share your opinion with me on Twitter @securityskeptic.  Thanks!