Wednesday, 29 July 2015

8 reasons why you are not a cyber soldier

Most recently I entered a Twitter "debate" that wasn't really a debate at all. While the person that initiated the debate seemed to be looking to get consensus on the definition of a certain term, their goal turned out to be getting confirmation of their definition of the term, where their definition was firmly rooted in the military and CI world. I generally get annoyed by debates that are not debates, but I get more annoyed by military jargon in our industry.

In recent years the security industry has started to use more and more military terms in its jargon, to a point where it really is becoming ridiculous, if not dangerous. While there certainly is state-level hacking activity going on, for many people in our industry that have a responsibility to solve hard security problems for organizations that shit is not relevant.

I'll repeat: "THAT SHIT IS NOT RELEVANT!"

I get it. As kids we already liked to play soldier, with wooden sticks being our automatic rifles and our friends being the willing enemy that we blew to smithereens while yelling PEW PEW PEW. The internet is our playground and we still like to be soldiers.

Personally, I like to refer to James Mickens' excellent column in USENIX' ;login:logout of January 2014:

The “threat model” section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler. Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL.

So this post could be about threat models again, but I feel that is way too much work a week before Security Summer Camp (pro-tip: bring a Nerf gun and shoot at everyone that uses military terms in their narrative!). Instead I hereby provide 8 reasons why you are a security professional instead of a cyber soldier. Here goes!


  1. Your business card does not mention your military rank and you do not measure your status by the number of stripes you have on your shoulder. 
  2. You do not have to salute a superior when you pass by them in the hallway. 
  3. Whenever a security requirement is requested, you do not reply with "SIR YES SIR!"
  4. You wear A&F t-shirts, button-up shirts, or a polo to work instead of a military uniform.
  5. Instead of living on (or near) a military base, you are living in a suburb with neighbors that have ordinary jobs. You probably drive an SUV and you worry about what kind of meat you'll throw on the BBQ next weekend.
  6. Your family does not live in fear of a sudden deployment from which their beloved family member (you) may very well never return.
  7. On your way to work you do not have to worry about IEDs of any sort. Neither do you have to be concerned about a bunch of insurgents barging into the SOC where your comfortable office chair is located and where the scarf in the team colors of your favorite football (or soccer) team indicates "your" spot.
  8. You do not have to regularly clean your (cyber)weapons and train with them. Neither do you have to get up at 4am without notice to run a course around the data center in full gear.

All jest aside, being in the military is serious business. I have nothing but respect for people that have taken the responsibility to defend their country. The truth is that being a security professional is also very serious business these days. We don't get anywhere if we keep throwing around war-related terms, hollowing them out in the process.

Our industry is young, especially when we compare it to other industries. Military terms, without doubt, carry a meaning of urgency that is often not needed in day-to-day conversations and operations. Do we want to make ourselves a laughing stock or do we want to keep the seat at the business table that we have earned in the past few years? I don't think we'll make it by turning into our own Big Green Weenie.

Edit

I almost forgot that my good friend Kyrah wrote an excellent Master's Thesis titled "Wargames in the fifth domain" which is worth a read if you desire to go beyond the marketing value of "cyber".
The majority of cyber attacks that we have seen do not qualify as acts of war. Why then should we deal with them using a military framework? A military response is unlikely to solve any of the actual problems. What is needed is a civilian approach.