A Conversation in Zurich


Florian smiled around the edge of his beer and said, wryly, “We Swiss are not pacifists because we are weak; it’s because we were rental soldiers in the dark age and renaissance. Fighting for your own selfish reasons is bad marketing.”

Zeughauskeller (picture stolen off of google image search)

Zeughauskeller (picture stolen off of google image search)

We were sitting in a restaurant made out of an old military armory, the Zeughauskellar, in Zurich, after a busy day spent arguing about computer security stuff and a trip to a shooting range for some friendly pistol competition that I lost, but not embarrassingly. This was around the time of Gulf War II, so we were discussing strategy over beer and sausages and potatoes: carbs piled on carbs. Florian is Swiss, I’m post-nationalist, the other people at the table were another American fellow-traveller, and a German who used to work for BND, now a consultant.

Florian continued, “You can tell a lot about the purpose of a military by how it’s structured, by its logistics. Now that Switzerland doesn’t send its armies out to fight for pay, we don’t need a standing army, we rely on terrain, emplaced weapons, cleared fields-of-fire, defense. Our strategy is that if we are invaded we will cost the invader a ridiculous amount of pain for every foot they go.”

That all made sense, but what stuck in my mind was the first bit:
You can tell a lot about the purpose of a military by how it’s structured, by its logistics.

I said, “That first bit. That’s profound. When you look at the US military, we call it ‘defense’ but there is no actual attempt to defend anything: it’s all ‘force projection’ all the time.”

Florian nodded, “Yes, see, force projection is a logistical problem. If, tomorrow, my government decided we were going to war with Monaco – we’d probably win – but I’d have to ask, ‘Sir? How should we get there? Should we book plane tickets on Lufthansa?” The guy from BND made happy chucklings at that mental picture, and the conversation continued.

divider

When we look at the US’ strategic orientation regarding cyberwar, it’s pretty much 100% offensive. What does that tell us?

The US intelligence community has shown over and over again that it’s incompetent at secret-keeping. For years I have been referring to the US IC as “The Department Of Glass Houses” which keeps contracting for stone-throwing technology. I think I understand why: defending is hard. I’ve been hoeing that row for my entire professional career and if there’s any progress being made, it’s retrograde. The US IC has had disaster after disaster after disaster and apparently has decided that if they can’t be good at what they’re supposed to be doing, they’ll be good at something else. Besides, the food-trough looks mighty yummy and om nom nom nom contractor dollars nom nom black budget…*

Office of Personnel Management had been breached for over a year before they detected it. In fact, they’re not really sure when the breach started (because, if they knew that, they wouldn’t suck so much)  When you read about how it was discovered, “accidentally” is the only word that comes to mind: someone installed some application white-listing on a system and noticed that all kinds of horrible things were running around in the network, when the software began pinging with warnings. That’s basic “unzip before you pee” defensive security. Meanwhile, the relatively sparse defensive efforts by the US Government look like US CERT’s “Einstein” project – which is a fairly basic intrusion detection system (nothing wrong with that) based on pattern-detection (nothing wrong with that) and backhauling lots of log data to look for patterns (nothing wrong with that) and blacklisting command/control sites for malware (nothing wrong with that). But systems like Einstein are detect/react systems: they predicate that you’re going to get owned. In fact, they only have value after you’ve been owned. The US Government’s strategy in cyber defense is “get owned, then figure it out.” Sun Tzu doesn’t even have a name for that strategy. If he did, it would be unprintable.

divider2

US CERT Einstein program

NSA’s Einstein 3 program repels threats in real time –  I love government lies about cybersecurity. If you read the article, it clearly says that the system isn’t operational and isn’t expected to be operational for another 2 years. So if it’s repelling attacks, it’s only doing it on a whiteboard somewhere. More to the point, it’s nothing that commercial entities don’t already have – Akamai, Amazon, Google – they all do centralized detection and connectivity management. Besides, at this point, the NSA coming around and saying “we’re from the NSA and we’re here to help! just plug this black box into your network where it can ingest all your data – for security reasons…”  that’s hard to swallow.

(* The role of secrecy in covering incompetence is a really interesting topic for me. Unfortunately, secrecy makes it impossible to discover how often secrecy is used to cover incompetence. Funny, that.)

Comments

  1. secondtofirstworld says

    I have to say, I’m in a complete agreement with you.

    As for defense, as a purpose, it really is funny as you put it, how human intelligence can fail, which I want to demonstrate on 2 examples, none I had mentioned in our previous discussion in a different topic.

    In 1991, there was a security fraud scandal with the BCCI and Centrust, and ever since 1992, the FBI and Interpol has outstanding warrants for all members who couldn’t be caught back then. Now, one particular person made the news in America for the last time in 2008, when the Pentagon’s subcontractor bought oil from the Attock Corporation based in Pakistan. The “small” problem is, it’s the same guy the FBI tried to arrest 2 years prior off the coast of Sicily. As the story goes, he enjoys the diplomatic protection of both Pakistan and Saudi Arabia, and it’s very likely he has a diplomatic passport going along with differing birth certificates, because he could enter the Schengen Zone without the system buzzing off (as it’s supposed to, whenever an internationally wanted person enters) and buy property through shell companies. Now, one of these governments still claims the guy, whose picture was taken, and totally is the guy, might not be the same person… except the same government does business with Attock Oil, which is under the guy’s name, who is wanted, whose picture on their website is the same guy as the picture taken last year. As Oliver North put it best: “I don’t recall”.

    The other example is Khalid Kelly, who ironically died on the same day as Guy Fawkes Day, one day before you posted that. The suspicious isn’t that he was an Irish born radical Muslim, rather… he died during the Battle of Mosul, which started last year. So, this guy had used the Common Travel Area to go to London to learn as a trained nurse, went to Saudi Arabia, got caught making alcohol, converted to Islam in jail, after the release got back to the UK, got fired from his job for supporting the Taliban (this was back in 2002), took his family to Pakistan (to the very valley Yusufzai Malalah had to flee), expressed his wish to get military training and kill British soldiers, got back to Europe, was questioned again (he was in connection with a radical imam in the UK), released, put under surveillance again, demanded some non famous Muslim kills Obama when he visited Ireland in 2011, and disseminated militant propaganda in Dublin. For the life of me, I can’t understand, even if the Garda hasn’t found anything that stuck, how could he retain his passport, how could he leave Ireland and end up in Mosul after the EU countries issued a decree last year to anyone not to travel to war zones and adjacent areas unless they have family. Yet, he did reach Mosul and on orders of the IS he blew himself up.

    It seems to me, we could employ Glados, or the Machine from Person of interest, they still can only see as far, as “random selective searches” at airports let them. Speaking of the BND, that’s the other thing. Back in the ’70s they employed psychologists, sociologists and criminologists to separate sympathizers from actual RAF terrorists, and it worked. It’s beyond me why other agencies can’t apply this technique, because though we might have advanced technologically, emotionally we’re still triggered by the same impulses. Heck, I’m not a security expert, but even I know, that the common thread between all terrorist foot soldiers is, that they’re under 30, more likely male, has spent time in prison for at least one violent crime, and to an extent seclude themselves from others, and when those people suddenly start to blend in, and discard antisocial behavior, that’s when things get worth looked into.

    So, the military and intelligence lags behind because they train for traditional attacks from well defined enemies, something I find a luxury.