Wednesday, December 23, 2009


Earlier today, J from Armchair Generalist pointed out a story on IT hiring at the Washington Post here.

It's worth reading because it explicitly shows what happens when the government loses control of oversight of cybersecurity functions to the corporate sector.

"The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication," write the Post's reporters.

"Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said.

"The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own 'cyber' force by up to 1,000 people in the next three years."

A few weeks ago DD talked about the phenomenon in which the corporate security industry had embarked on a push which involved filling the news media with stories on cyberthreats, most obviously using 60 Minutes and the public face of Booz Allen Hamilton's computer security business to notify the country that the financial sector was at risk.

One of the most famous salesmen-in-chiefs. Committed to hiring computer security specialists from the clutches of the government then leasing them back at premium rates.

The basic message is: Buy and lease our staffers, services, tactical and strategic advice. So the money supply isn't stolen and you're made poor and jobless, the economy destroyed.

In November, Northrop-Grumman, Raytheon and Lockheed-Martin all issued press releases related to the excellence of their cybersecurity business arms. And the need for employing them to protect the nation's infrastructure.

Those companies and others have moved aggressively to expand their leased services and employees into the US government. And what has happened, and what will continue to happen, is what it discussed in the Post article.

It is good business for these companies to snatch up as many candidates for computer security work within the government as possible. They can be offered a much better rate of pay than the government would offer indigenously and it's all written off on the taxpayer's back, anyway.

It's a predatory business model and it is just that simple.

"Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and Microsoft chief security officer, will lead the nation's efforts to better protect its critical computer networks," continued the Post.

And here's where DD departs from the gravity and import of the Post piece.

"The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said," added the Post.


From the perspective of what matters to average Americans in terms of national security, that's rubbish. In the computer security arena there has never been an ability to measure how much intelligence/national treasure is lost or even how to properly and critically evaluate such things. There is no metric for it. It's all anecdotal and apocryphal myth-making.

However, one thing has been a constant over the past decade. When consulting national security experts with regards to cyberintrusions, the story is ALWAYS the same: Huge amounts of intelligence are always being 'lost.'

To see one older example on how repetitive this received wisdom is, see here and scroll down until you see the entries on 'Moonlight Maze.'

"One evening in May 2006, a U.S. embassy employee in East Asia clicked on an innocent-looking e-mail attachment that opened the door to the most significant cyberattack the State Department has yet faced, allowing attackers operating through computers in China to send malicious computer code into the department's networks in the region," the Post's journalists continue.

"State's cyber-emergency response team immediately went into action, working round-the-clock for two weeks to isolate the harmful code and craft a temporary patch that officials said prevented a massive data theft.

The department's response to the attack highlights how skills matter, experts said."

Yes, they do. But the assessment could just as easily be handled another way, as just another incident in which part of a spybot landed on a government computer.

For example, DD removed a copy of one of the Zeus/Zbot pieces of malware after it floated through his anti-virus software on Saturday. This took about ten minutes, not only to squash but also to upload to the vendor so that it might be detected at some point in the future. Yesterday, the software was finally updated to flag my test files.

The purpose of Zeus/Zbot is fundamentally the same as what was alleged to have happened to State computers. It steals banking credentials, credit cards, logons and installs hooks which allow the attacker to manipulate the infected PC remotely.

A rather homespun, if somewhat patience-trying, description of what Zbot can and has done is here on YouTube.

Typically, though, big or splashy news of government intrusions -- the best scare stories -- are now furnished almost entirely by vendors because vendors control the business of computer security in the US government.

" .... [Department]t technicians in 2006 were able to contain the attack quickly, said Alan Paller of the SANS Institute, who has analyzed the case for the Center for Strategic and International Studies," reported the Post, using a vendor of computer security services and seller of skills.

"Unlike State, most government agencies and private companies lack the skills and resources to muster a robust containment effort."

The underlying text is that Booz Allen Hamilton, SANS Institute, Raytheon, the McAfee's of the country, do have these capabilities.

"Two months after [an] intrusion, the Commerce Department detected a similar attack -- but only after a deputy undersecretary was unable to log on to his computer," continued the Post. "Contractor technicians were never able to identify the initial date of penetration into the computers of the Bureau of Industry and Security, which controls sensitive exports of technology that has both commercial and military uses.

"It took eight days once the attack was discovered for technicians to install a filter to prevent leaks, and then they installed the wrong kind of filter, said Paller [the vendor], sharing previously undisclosed findings about the incident ..."

When Howard Schmidt was appointed on Monday to be the Obama administration's new 'cybersecurity czar' he brought a lot of old history in such matters, none of it particularly impressive or wonderful. Most of it politely overlooked.

As noted by everyone in the mainstream media, including the Post, Schmidt used to be a face for Microsoft. Then he was joined at the hip to Richard Clarke in the Bush administration. Prior to 9/11 and his tell-all book on the war on terror, Richard Clarke was the face beside the gold-plated bullshit phrase "electronic Pearl Harbor" in Webster's dictionary.

This team, which included a few others, more or less 'produced' the National Strategy to Secure Cyberspace in 2002.

Basically, it was business-written rubbish. And during its initial draft unveiling, the name of Schmidt's old employer, Microsoft, was kept conspicuously out of the government conversation when that company was very aggressively being blamed for its entrenched computer security flaws. Windows, you see, was the problem which led to the quaint idea of a so-called National Strategy to Secure Cyberspace.

So the National Strategy to Secure Cyberspace accomplished nothing. It was filled with platitudes and weak suggestions about what ought to or should be done. The strategy, when it was being formulated, was seen as being potentially damaging to American big business and so it was made to be not so.

"The Information Technology Association of America (ITAA) praised the National Strategy to Secure Cyberspace released by the President's Critical Infrastructure Protection Board today," read one lobbyist's pr sheet back in 2002. The lobbyist, of course, liked it, as he contributed to its nothingness.

"ITAA President Harris N. Miller, representing the information technology industry at today's release ceremony in Palo Alto, Calif., said, 'We commend the Board for releasing the National Strategy to Secure Cyberspace and the work done to make sure that its recommendations are [politely ignored -- editor's addition] ..."

Miller -- as a key lobbyist -- was everpresent in the debate over what the National Strategy to Secure Cyberspace should be. And therefore he is granted some measure of credit for it being worthless.

Miller ran for political office in a primary campaign against Jim Webb in 2006 and lost, obviously.

His Wikipedia biography is pleasantly unflattering.

At this juncture, DD sees no reason why the Obama administration appointed Schmidt other than that no one else wanted the job, no one cared and he was in the Bush administration -- which might appease Republicans very slightly. It certainly is not because of the great achievement of the National Strategy to Secure Cyberspace, although it might be going out on a limb to totally rule out that that which was intelligence insulting and anile was repainted as fabulous.

It could be added that it might also be an indication the Obama administration really doesn't expect to do anything on the issue except infrequently emit some eyewash. Their appointee is a guy gamely used to very little, trusty enough not to bug business interests, very capable of putting on the good face at corporate security conventions and staying out of the way of the real political and policy battles the administration wishes to pursue in other areas, like energy/global warming, healthcare reform, re-regulating the financial sector, etc.

In such a vacuum it is fairly easy for corporate security vendors wishing to expand their leasing business to the US government to continue as usual. This means premium pricing for leased employees -- skills, advice which always benefits the business first, an always growing contracting presence, and the production and takeover of intelligence assessments for the benefit of the bottom line. It is the triumph of the market over, well, everything.

The buzzword -- you can tell -- is "skills." "Skills are much more important than hardware," the vendor whose business is selling "skills" told the Post.

The Post article concludes with another few examples of how the cybersecurity predator business model works. Don't worry, it's very American.

"[Some guy] earned a computer science masters degree in 2004 from Purdue University on an National Science Foundation scholarship," explained the newspaper. "In return, he spent two years at the National Security Agency, identifying novel security flaws in computer systems and software. Then Booz Allen Hamilton, a major intelligence contractor, hired him at a 45 percent pay raise.

"Today, [this guy] works for a small employee-owned firm that has federal government and private-sector contracts, and his pay is higher still. 'You can still do a lot of cool national-security-related work as a contractor,' said [the guy], chief security architect for [some security vendor] near the National Security Agency.

"The pay difference is so dramatic now ... you can't ignore it."


Related: An Amusing Comparison. Russian hackers steal from banksters, it's reported.

Cult of Cybersecurity -- from the archives.


Post a Comment

<< Home