<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Thiemeworks &#187; Interviews on Information Security</title>
	<atom:link href="http://www.thiemeworks.com/category/interviews-on-information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thiemeworks.com</link>
	<description>The official Richard Thieme website. The wave of the future.</description>
	<lastBuildDate>Wed, 04 Jan 2012 19:48:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>The official Richard Thieme website. The wave of the future.</itunes:summary>
	<itunes:author>Thiemeworks</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.thiemeworks.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>The official Richard Thieme website. The wave of the future.</itunes:subtitle>
	<image>
		<title>Thiemeworks &#187; Interviews on Information Security</title>
		<url>http://www.thiemeworks.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.thiemeworks.com/category/interviews-on-information-security/</link>
	</image>
		<item>
		<title>An Interview with Whitedust Security Portal</title>
		<link>http://www.thiemeworks.com/an-interview-with-whitedust-security-portal/</link>
		<comments>http://www.thiemeworks.com/an-interview-with-whitedust-security-portal/#comments</comments>
		<pubDate>Thu, 14 Apr 2005 16:56:43 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews of Richard Thieme]]></category>
		<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=236</guid>
		<description><![CDATA[http://www.whitedust.net/article/16/ By Peter Prickett (Thu, 14 Apr 2005 10:57:40 +0100) As perhaps the first information philosopher, Richard Thieme has become a figurehead among both the cloak and dagger intelligence community and the highly secretive hacker underground. Richard is an institution in the hacker/security conference circuit and his column &#8216;Islands in the Clickstream&#8217; is syndicated to [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a title="Article - Interview" href="http://www.whitedust.net/article/16/" target="_blank"><img class="size-full wp-image-103 alignleft" title="starnite" src="http://www.thiemeworks.com/uploads/2009/02/starnite.jpg" alt="starnite" width="220" height="800" />http://www.whitedust.net/article/16/</a></p>
<p><em>By Peter Prickett (Thu, 14 Apr 2005 10:57:40 +0100) </em></p>
<p>As perhaps the first information philosopher, Richard Thieme has become a figurehead among both the cloak and dagger intelligence community and the highly secretive hacker underground. Richard is an institution in the hacker/security conference circuit and his column &#8216;Islands in the Clickstream&#8217; is syndicated to over 60 countries.</p>
<p><strong> WD&gt; CNN have called you ‘a member of the Cyber avant-garde’, Digital Delirium named you ‘one of the most creative minds of the digital generation’. How do you handle such praise?</strong></p>
<p>You drop a zero.</p>
<p>When I joined the national speakers association, I was overwhelmed by a gale force wind of other speakers telling me how much they worked, how great they were, how highly paid they were. A friend told me, when they tell you their fee, just drop a zero.</p>
<p>Same thing. I take kind or generous statements like that to mean, “your work was meaningful for me” or “I like that” or “you made me think.”</p>
<p>You never believe your own press – good or bad.</p>
<p><strong>WD&gt; How did you initially get involved in technical commentary?</strong></p>
<p>When I left the ordained (Episcopal/Anglican) ministry in 1993 it was to explore the transformational energies swirling around us then as a result of the information revolution. I was asked to write a column about the human side of technology for the Wisconsin Professional Engineers’ monthly magazine. After half a dozen had received a good response I offered them by email which was new then. As E.B. White said, it’s no wonder how complicated things get what with one thing leading to another. The columns became Islands in the Clickstream which are now a book (Syngress Publishing 2004) and I used the nascent world wide web to locate magazines and see if they wanted social or cultural commentary on the phenomenon. Within a few months I was writing for magazines in America, Canada, England, Australia, and South Africa. I wrote every month for South Africa Computer Magazine for three years. Islands now goes to at least sixty countries.</p>
<p>As I said, one thing leading to another.</p>
<p><strong>WD&gt; What has been your son’s influence upon your work and your approach to it?</strong></p>
<p>My dialogue with my son, who was 12 when I bought him an Apple 2 and who has never looked back – has been invaluable. It’s the dialogue. I learned to bring to him what I later brought to some of the young technophiles in hacker cons – absolute respect. He was so much brighter than I was about technical matters and saw things so clearly that our dialogue became an important learning space for me. That continues today, and he’ll be 35 this year.</p>
<p>Of course that’s true of ALL of our seven children and step-children! But Aaron, the first born son, is the one with the most geeky gifts in relationship to all this.</p>
<p><strong>WD&gt; How have your ministerial experiences affected your approach to information technology?</strong></p>
<p>Absolutely. And my immersion in, teaching of, and writing literature the decade before that. I learned to relate the context of our encounters and conversations to ultimate values. They may be implicit rather than stated, but that was always the deeper context. Information technology like print text before it is a transformational engine for human identity and activity. We think and behave differently as a result of the ways new technologies of information and communication frame our possibilities. I learned to do that in a world of writing and text. I saw that electronic communication was changing us and in fact already had changed us (the telegraph started all this in 1820, after all) in significant ways.</p>
<p>Ministry was ultimately about using symbols, particularly powerful archetypal symbols, as transformational leverage on behalf of people who were searching for solutions, resolutions, higher states, different spiritual and emotional goal states. Preaching was like doing a Tarot reading, if you think about it, using symbols of deliverance, healing, and transformation. It stands to reason that new kinds of symbol manipulating machines would create a different kind of psychic or spiritual space into which to grow.</p>
<p><strong>WD&gt; You have been described as an information philosopher. What does that phrase mean to you?</strong></p>
<p>Marshall McLuhan said “Nothing is inevitable so long as we are willing to contemplate what is happening.” The phrase, to me, means, thinking about what is happening.</p>
<p><strong>WD&gt; How did you get in touch with intelligence agencies officials? How did you get them to openly speak to you?</strong></p>
<p>You meet lots of people at different conferences and inevitably security conferences have everybody at them, people from all of the many sides of this game. Like any friendship, you find interests in common and go from there. We generally share an interest in the deeper implications of how intelligence is practiced, what technology enables, how it eliminates walls. Naturally no one ever shares anything classified nor do I probe inappropriately. It’s a lot like being a priest, being in intelligence, in some ways, with similar burdens. There’s a lot of shared understanding among my real friends from that domain of the deeper burdens of the commitments of a life lived with secrets. And a life lived with the burden of knowing.</p>
<p>By the way, lots of the people at “hacker cons” are of course from various intelligence agencies or police organizations. That’s been true from the beginning. I mean, why do lions go to the water hole? Because that’s where the antelope go.</p>
<p><strong>WD&gt; How long have you been lecturing at universities? During your last tour what were the burning issues?</strong></p>
<p>I taught English literature and writing in my twenties at the University of Illinois. Next week I will visit the senior seminar at Alverno College in Milwaukee, an all-star liberal arts university that pioneers new educational experiences, because they’ve used my book, Islands in the Clickstream, as a text this year. Then I’ll do a speech at the University of Wisconsin in Waukesha on the future for students. The issues are the ones you’d expect – privacy, intellectual property, war, management of perception, hackers, security.</p>
<p><strong>WD&gt; How has the internet climate changed since you first began commentating?</strong></p>
<p>There is often a movement from myth to metaphor to engineering or science and we’re in the last stage. At first we believed a lot of the myths of cyberspace. Then we saw they were metaphors and began reflecting on them which signifies a major change. When you believe a myth, you don’t know it’s a myth. Now we analyse it and it is part of the known universe. It’s ubiquitous now.  Like radio. Television. Automobiles.</p>
<p>That was fast, wasn’t it?</p>
<p><strong>WD&gt; Why did you feel the need to release ‘Islands In The Clickstream?’ Do you feel your writings gain credibility as a physically bound volume as opposed to being free floating selections in cyber space?</strong></p>
<p>Good question. I like books! I loved seeing my prose poems or secular sermons or whatever they are bound by a publisher in a well-designed book. Some people take books more seriously. Now I’m an author. Before I was a guy who put stuff up on the web. Of course the intrinsic value of the columns or whatever you want to call them is the same. But the form seems to matter to people. Some people love to listen to them in audio streams from my web site. Same words, different media. They will always be available free on the internet. The publisher agreed to that.</p>
<p>But of course, people do actually pay for the book. As Hemingway said, there is the problem of sustenance, you know. My writing generally serves as a platform for my professional speaking and sometime consulting which pays the bills.</p>
<p><strong>WD&gt; If you had to put a definition into Webster’s for the word ‘hacker’, what would it be?</strong></p>
<p>That effort is all through my writings. Hackers pursue unconventional structures which they create out of what’s at hand whereas non-hackers see only what they’re told something is. They take it at face value and mistake its one function for its essence. Hackers ask what something can be made to do. Non-hackers or “nackers” ask, what is it? as if the answer exhausts the possibilities of the thing. Hackers like all good scientists are characterized by passion, obsessiveness, and daring. They see the skull beneath the grin except it’s a machine skull and the grin is the explicit function of an appliance or object. They refuse to be taken in by the smile.</p>
<p><strong>WD&gt; In your opinion is true hacking about systems knowledge or knowledge of the wetware that is using the system?</strong></p>
<p>Yes.</p>
<p><strong>WD&gt; Do you think it is true to say that if it is possible to breach security without getting caught, someone will always try simply because they can?</strong></p>
<p>Yes.</p>
<p><strong>WD&gt; You describe hacking as one of the means in which free people can retain freedom. What other, less controversial methodologies would you also consider as effective?</strong></p>
<p>In a world of managed perception and sophisticated subtle propaganda that makes Brave New World look like a child’s book, which it is, freedom requires a refusal to accept stated realities at face value. It’s necessary to track back to the sources of statements and ask who profits from the way the statement has been framed. That applies to big and small statements, media events and macro events as well as simple utterances. Maybe journalism can do that too – who else has the time and expertise? – but not journalism as it is usually practiced today. Most journalism today is part of the problem, not the solution. It would have to be journalism squared or “Jedi journalism.”</p>
<p><strong>WD&gt; What effect does hacking have on personal morality?</strong></p>
<p>Properly understood and executed, hacking takes one into the heart of darkness where boundaries dissolve and simple verities and bumper-sticker kinds of morality go liquid. One discovers – well, pick your metaphor – “the horror, the horror” as Conrad put it in The Heart of Darkness. Or “Forget it, Jake—it’s Chinatown” as Jake Gittes learned in the magnificent movie of the same name. Hacking properly understood, not just mucking about with wires and chips, but applied to structures of information at all levels and fundamental questions of identity (individual, organizational, global) takes you “beyond good and evil” in the Nietzschean sense of the term. It takes you into a domain of supra-morality. It compels you to ask questions in the face of a deeper knowledge of things.</p>
<p>Obviously I’m not talking about breaking into things as if that’s the end of hacking. I’m talking about taking things apart and seeing the different and often arbitrary ways they can be put back together.</p>
<p>If you have not gone there, then what I am saying sounds like nonsense or it sounds threatening or immoral or iconoclastic. If you have gone there, you know what I mean.</p>
<p><strong>WD&gt; What do you think of the current climate of world internet security?</strong></p>
<p>Too big a question. There are fences and gates. Which ones? What’s behind them? How important is it to get through or in? Once you get there, what’s the point? What can you do now? What is the value of what you know or have?</p>
<p>Those questions contextualize your question and require a sharper focus.</p>
<p><strong>WD&gt; In previous interviews and articles you have talked about ‘unconventional thinkers working across boundaries of fixed discipline’. Your past as a minister suggests a realm dominated by conventional thinking and fixed disciplines. How do those two worlds interact?</strong></p>
<p>Some ministerial realms are fixed and rigid but as you might guess, mine wasn’t. That’s not how I understood the transformative process and the great deep spiritual adventures of my life. The institutional life, yes, became suffocating for me, and if I had accepted the jobs on the table at the end, I would have died, I think, I would have shrivelled up. Many bishops do, after all, they gain fifty pounds or hit the bottle the first year, when the reality of it hits them. But I am the same person as the one who led parishes pretty fearlessly in Utah, Hawaii, and Milwaukee, Wisconsin. I created a 12-hour intensive event called New Life, for example, that took people through the six segments of the church year in a powerful existential way and showed them that those symbols are real, they point toward a powerful transformation, the most we can ask of ourselves in our most authentic moments. Teaching, preaching, counselling, to me those activities took you to the liminal domains of people’s lives. It was very much, to me, as I describe hacking, an adventure on the edges of boundaries where everyday reality is constantly called into question and the bumper-sticker answers to profound questions dissolved. That’s the demand of ministry – in the middle of the night at the side of parents whose child died suddenly or in the midst of a wedding celebration. You’re in a batting cage, existentially speaking, and better learn to hit every kind of pitch, including ones that come out of nowhere. Authentic ministry was a constant challenge.</p>
<p>So don’t confuse the most rigid, least life-giving, most life-denying structures of a creaking hidebound institutional Christendom with the power of the spirit when it leaps into flame. In the same way, most security practitioners are not real hackers, real experts, are they? They want to check the boxes marked compliance or risk management. That’s true of all domains, isn’t it? The bell curve distribution? The best CEOs are like astronauts and the worst are like corrupt dictators.</p>
<p><strong>WD&gt; If you could impart one piece of advice to everyone, what would it be?</strong></p>
<p>Accept nothing at face value, live boldly, passionately, spend the gift of life as if this is it. Churn through your life like an earthworm devouring all the dirt in the garden. Most of it may be dirt but only by eating it all will you get the goodies. In other words &#8230; live, live, live, live, live.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/an-interview-with-whitedust-security-portal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ShmooCon 1.0 a Big Success &#8211; a review for Syngress</title>
		<link>http://www.thiemeworks.com/shmoocon-1-0-a-big-success-a-review-for-syngress/</link>
		<comments>http://www.thiemeworks.com/shmoocon-1-0-a-big-success-a-review-for-syngress/#comments</comments>
		<pubDate>Fri, 11 Feb 2005 18:07:21 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Hacking Culture and the Hunger for Knowledge]]></category>
		<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1936</guid>
		<description><![CDATA[ShmooCon 1.0 a Big Success by Richard Thieme (rthieme@thiemeworks.com), author of Richard Thieme’s Islands in the Clickstream The first ShmooCon worked. Sponsored by the Shmoo Group, known to hackers and security professionals from presentations at Def Con, Toor Con, and other security forums,  ShmooCon was held at the Wardman Park Marriott Hotel in Washington DC [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>ShmooCon 1.0 a Big Success</p>
<p>by</p>
<p>Richard Thieme (<a href="mailto:rthieme@thiemeworks.com">rthieme@thiemeworks.com</a>), author of <em>Richard Thieme’s Islands in the Clickstream</em></p>
<p>The first ShmooCon worked.</p>
<p>Sponsored by the Shmoo Group, known to hackers and security professionals from presentations at Def Con, Toor Con, and other security forums,  ShmooCon was held at the Wardman Park Marriott Hotel in Washington DC February 4-6.</p>
<p>“The con scene is shifting to smaller regional cons,” was frequently said but it became clear that ShmooCon is complementary, not competitive, with larger established franchise cons like Def Con and the Black Hat Briefings and Trainings.</p>
<p>ShmooCon successfully straddled the multiple worlds of the-security-industry-in-transition and all lived together happily at the spacious hotel. Attendees did not put cement in toilets, hijack security frequencies to give false orders, or plant fake bombs under cars. <a href="http://www.syngress.com/catalog/?pid=3190">Bruce Potter</a>, who with his wife Heidi led the planning, set the tone with opening remarks that established clear guidelines. Don Bailey (aka Beetle) is also one of the original planners.</p>
<p><strong>Bruce Potter, Don Bailey (aka Beetle), and Heidi Potter</strong></p>
<p>A Senior Associate with Booz Allen Hamilton and founder of the Shmoo Group, Potter made clear that the con was meant to be fun – he identified entertainment venues from the Saturday night DJ party to hacking and Halo contests in the hotel ballroom – but also made clear that professional standards were expected to be met.</p>
<p><strong>The Party at FUR Nightclub.</strong></p>
<p>That mindset was amplified by a well-received keynote address from Riley “<a href="http://www.syngress.com/catalog/?pid=3250">Caezar</a>” Eller.</p>
<p><strong>Riley (Caezar) Eller’s Keynote.</strong></p>
<p>Widely respected in security and hacking circles for his technical achievements and creativity (Caezar and his cohorts, the Ghetto Hackers, made the Capture the Flag contest at Def Con an elite technical challenge), Eller called for hackers to forgo the kinds of narrow niche-dwelling exploits that give props to their buddies in a piece of code that most folks just don’t need. Instead, he called on hackers to use their skills to deliver applications to a population hungry for the fruits of their real expertise.</p>
<p>“People want Bonzi Buddy. Yes, I know,” he said, sharing the crowd’s obvious disgust at the dumb memory-hogging animated talking parrot, “But we have to pay attention to what people want and need.”</p>
<p>Lest that emphasis on the marketplace imply that creative larceny has been expunged from the hacker heart, it should be noted that the most popular presentations indicate a precarious yin-yang balance in the security world. Mark Loveless (Simple Nomad) continued his con-by-con illumination of the necessity for a stealthy online life, outlining the need for piracy and anonymity on the web while explaining what it really takes to achieve it. Nomad spoke from experience directly to the heart of a community that knows who is out there and what they do.</p>
<p>The beating of a hacker heart that’s alive and well was also indicated by the crowd overflowing into the hallways from Deviant Ollam’s “Lockpicking 101” BOF. Crossing boundaries with passion and stealth still infuses the obsessive hacker spirit.</p>
<p>At the same time, Johnny Long’s <a href="http://www.syngress.com/catalog/?pid=3150">Google Hacking</a> (his book of the same name is a powerful treatise on how to hack information) was packed.</p>
<p><strong>j0hnny Long’s Google Hacking Presentation.</strong></p>
<p><a href="http://www.syngress.com/catalog/?pid=3280">Long</a> articulates creative ways to use the popular search engine for sophisticated research and information hacking, showing how the real power of pursuit comes from knowing who’s doing what and with whom. Long’s painstaking work discloses techniques for solid online research and intelligence gathering and also moves traditional hacking of machines and systems up a notch to the level at which information has real significance. Long’s presentation amplified Caezar’s call to a higher purpose with a practical demonstration of one way to do it.</p>
<p>There were plenty of other good technical talks – panels including the likes of Novell’s security director, Ed Reed; the sly sophisticated mechanics of DNS hacking by <a href="http://www.syngress.com/catalog/?pid=2490">Dan Kaminsky</a>; and the wisdom of Crispin Cowan, founder and CTO of Immunix, who did justice to complex problems of application security. But perhaps the mellow vibe of the con was best seen in the size of the crowd staying to hear Bruce Potter’s final remarks.  Leaving early is typical of cons like this, but most folks didn’t want to leave. That was due to a first-time con going off with nary a serious glitch, the value of most presentations (hey, nobody bats a thousand) and the supportive context of a well-timed winter reunion. The location of the hotel, just off Connecticut across the Taft Bridge from Dupont Circle, meant lots of restaurants a few minutes away and easy access to the pleasures of a sunny mild weekend in DC. And for those who love social engineering, the National Defense Industrial Association, loaded with beltway bandits and Colonels doing business, was also on site for a while, offering tempting tasty targets.</p>
<p><strong>Dan Kaminsky’s “Black Ops of DNS” Presentation</strong></p>
<p>The Potters began planning ShmooCon 2.0 as soon as the con ended. They built the first one from scratch and, to their surprise, had to stop registrations when they reached 440. As <a href="http://www.syngress.com/catalog/?pid=2890">Jeff Moss</a> noted, the time was right, the location was right, the setting was right, and a “small regional con” quickly became a bigger one. The Shmooikins brought an obvious love of the game and high professional standards to the scene and next year looks to be even better.</p>
<p>Richard Thieme is a speaker and writer focused on creative and effective responses to technology-driven change. A collection of his work, “<a href="http://www.syngress.com/catalog/?pid=3030">Richard Thieme’s Islands in the Clickstream</a>,” was published by Syngress in 2004.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/shmoocon-1-0-a-big-success-a-review-for-syngress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mick Bauer of The Linux Journal, Interviews Richard Thieme</title>
		<link>http://www.thiemeworks.com/mick-bauer-of-the-linux-journal-interviews-richard-thieme/</link>
		<comments>http://www.thiemeworks.com/mick-bauer-of-the-linux-journal-interviews-richard-thieme/#comments</comments>
		<pubDate>Mon, 27 Dec 2004 17:43:30 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews of Richard Thieme]]></category>
		<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1826</guid>
		<description><![CDATA[Interview with Richard Thieme By Mick Bauer on Mon, 2004-12-27 http://www.linuxjournal.com/article/7934 Discussing technology, the human experience, homeland security and the future with the author of Islands in the Clickstream. In the field of information security, there are many useful occupations: firewall engineer, policy analyst, auditor and security architect all are popular choices. But what about [...]]]></description>
			<content:encoded><![CDATA[<p></p><h1>Interview with Richard Thieme</h1>
<p>By <a title="View user profile." href="http://www.linuxjournal.com/user/800787"><strong>Mick Bauer</strong></a> on Mon, 2004-12-27</p>
<p><a href="http://www.linuxjournal.com/article/7934"><strong>http://www.linuxjournal.com/article/7934</strong></a></p>
<p>Discussing technology, the human experience, homeland security and the future with the author of Islands in the Clickstream.</p>
<p>In the field of information security, there are many useful occupations: firewall engineer, policy analyst, auditor and security architect all are popular choices. But what about information technology philosopher? There&#8217;s plenty of value in describing the intersections between technology and the human experience, but I know of only one person who makes a living doing so&#8211;Richard Thieme.</p>
<p>Richard is an institution on the hacker convention circuit, and he is much in demand as a public speaker, business consultant and writer. He and I recently had a wide-ranging conversation about hacker culture, computer security, competitive intelligence, homeland security and Richard&#8217;s singular career.</p>
<p>If you find this chat as fascinating as I did, and I think you will, be sure to check out Thieme&#8217;s new book, <em>Islands in the Clickstream</em>, which I review in the February 2005 issue of <em>Linux Journal</em>.</p>
<p><strong>Linux Journal:</strong> Your theological and ministerial background has made an obvious impact on your speaking and writing, but how technology entered into it is less obvious. When and how did you start moving in geek circles?</p>
<p><strong>Richard Thieme:</strong> I began writing about the impact of technology on religious organizations and institutions, images and ideas and, inevitably, human identity in the 1980s. I intuitively realized the scope and scale of the transformational engine we now call the digital world while playing interactive fiction games from Infocom with my oldest son. Because my previous work&#8211;teaching literature and writing at the University of Illinois-Chicago, as well as sixteen years of ministry&#8211;had taught me how printed text works, hermeneutics (how meaning is derived from text) and how we are framed by the experience of reading text, I could see by contrast that interacting with text on computers created a different experience, shifted how we thought about our possibilities, our work, meaning, ourselves&#8211;everything.</p>
<p>I literally followed my 12-year-old son into the world of bulletin boards, on-line life (an Apple 2, Ascii Express and a 300 baud modem) and continued to explore both the technological machinery as it came on-line through the 1980s and 90s. I offered to do a keynote for Def Con 4 and have been at Def Con and Black Hat every year since.</p>
<p>I also had started speaking about different things&#8211;change, leadership, diversity&#8211;when I left the ministry and it became clear that all of it derived from technological change. It was natural to follow that up. Literally, I followed the dots into new learning. I joke that I made sure I always was the dumbest one in the room so I always could be learning from the conferences I attended and usually spoke at, but it was true. Hacker cons led to intel people and security professionals, and I learned from every conference and conversation, integrating what I was learning on the cutting edge with ferocious amounts of reading&#8211;two-three non-fiction books a week, plus constant on-line learning and attending many seminars and workshops at conferences at which I spoke. My focus always was to translate the implications of what I was hearing about the technologies and what they enabled into human terms. My background and propensities gave me a unique opportunity to do that.</p>
<p>Eleven years later, what with immersion in all that, it began to sound as if I had a clue. Of course, I know better. I am still the dumbest one in the room, and all that wisdom comes to me downhill.</p>
<p><strong>LJ:</strong> I was really struck, in your book, by your assertion that computer technology defines our reality in the same ways that language itself does. It led me to the realization that computer security is all about preserving a desired reality&#8211;&#8221;my system behaves the way I want it to&#8221;&#8211;against attackers wishing to impose different realities&#8211;&#8221;j00 ar3 0wn3d!&#8221;. Is that the sort of train of thought that got you involved with the intelligence and security communities? Or was it the other way around?</p>
<p><strong>RT:</strong> As you perceive, it was give and take. Every interaction with these smart, experienced people taught me more. I became a friend to many, and our quiet conversations (never, of course, betraying anything classified) helped me to see exactly what you&#8217;re describing. I am delighted that you see the implications for security of my ways of thinking. I think I&#8217;ll quote you!</p>
<p><strong>LJ:</strong> You refer to some pretty amazing but credible anecdotes and revelations made by intelligence agency insiders. How do you get those guys to open up to you? Do you ever worry about being used as a conduit of misinformation?</p>
<p><strong>RT:</strong> To the last question, I am aware of it but don&#8217;t worry about it. The implications are the same for all sources of information these days; that is, how much of any of our consensus realities is designed? How much is intentional? How much is off the cuff, and how much simply aligned with the habitual sowing of seeds of malignant design?</p>
<p>I don&#8217;t think I am that important or a sufficient conduit for anyone to worry about influencing me that way.</p>
<p>To my deep satisfaction, I can&#8217;t stop being a priest. Leaving the ordained ministry did not change how I learned to relate to people. Of course, I brought that with me into the ministry, but training and practice made it much more likely that I can cultivate relationships I value with the people I love. I have been careful if I ever thought something slipped over the line into confidentiality not to share it or to distort or disguise it. I function as a friend and confidant, in other words, much as I functioned as a priest. I was told by an intelligence-community friend that the evidence was in, after some years, that I handled confidentiality with integrity and could be trusted. My proudest moment came when I was asked to moderate a panel of feds, including the Assistant Secretary of Defense, at Def Con 2000 as they literally feared for their safety when they faced thousands of hackers. I was asked, I was told, because &#8220;you&#8217;re the only one in the room trusted and respected by both hackers and feds.&#8221;</p>
<p>So my vocation, commitments and deeper intentions&#8211;although outside the lines of how conventional people color&#8211;have remained intact.</p>
<p>That same guy said last year that after nine years of hearing me, he realized what it was I did when I spoke: &#8220;You articulate things we all know in our bones are true but don&#8217;t know how to say.&#8221; That thrilled me, of course. Because that, as you know, is the essence of ministry&#8211;to see the subtext and give it voice so people can become more powerful.</p>
<p><strong>LJ:</strong> Back in the mid 90s, when Linux was beginning to catch on, you already were talking about open-source software and free software fundamentally changing the software market paradigm. You asserted that [the change in the paradigm] and the Internet, which makes it so fast and easy to distribute code, would make the notion of intellectual property obsolete. But the powers-that-be still have a strong vested interest in intellectual property&#8211;do you still think IP&#8217;s days are numbered?</p>
<p><strong>RT:</strong> A good question. In the short term, we always overstate the effects of new technologies. But in the long run, we always understate them. In addition, new info-technologies do not so much eliminate as recontextualize what has come before. I could go on and on about that. An example is MS making available more source code than ever before as a result of the influence of open source. A case could be made that MS would never have done that, absent that influence.</p>
<p>But, there are problems with open source: many eyes make for many exploits as well as few bugs or more secure code, some people have a disproportionate influence on decisions, and there is no customer orientation because programmers work on what they like without regard to customer input. Yet, as Linux migrates into the commercial space, it comes to share many properties of commercial software. The marketplace shapes the forms we can and do bring into it. So maybe right now we can see the dialogue between different models and vectors of energy pointing to possible scenarios for the future. But we can&#8217;t say which will win out.</p>
<p><strong>LJ:</strong> The open-source software development model, in which sometimes large numbers of coders contribute their efforts with minimal centralized coordination, always has reminded me of Bakuninist anarchy. (Yes, my friends usually tell me to get a life when I say that!) Do you see the same or different precedents, or is the OSS phenomenon fundamentally new?</p>
<p><strong>RT:</strong> Ken Coar and I spoke at Los Alamos, and I also keynoted Apache Con, and I paid close attention to what he said were problems, some already mentioned above. Developers work on scratching itches they have, not what the marketplace demands. As the e-mail conversation goes around the world, early contributors have a disproportionate influence on decisions, and by the time it reaches the land of the rising sun, the die is cast. Linux has what, more than 30,000,000 lines of code, and a recent study said Linux was the focus of more discrete attacks than MS server software. The same problems due to complexity, inscrutability and unforeseen interaction with applications and appliances from third parties apply as much to Linux as they do to Windows.</p>
<p>Linux is not inherently more secure, nor does the process by which it is evolving inherently generate more secure coding practices. The cry for secure coding at the outset of applications and OS applies to all domains, and Microsoft does respond to what customers want. Say what you will, they have an immense efficient machine for soliciting and responding to customer feedback. Bloatware was a response to a demand for more features and indifference to security. Greater security is a response to that demand from government, corporate and individual users. The context does determine the content, as I am fond of saying.</p>
<p>The factors that ultimately determine success or failure of technological processes are complex and ambiguous until hindsight enables us to say what happened. Chains of causality are clear only in retrospect, and then we make the mistake of thinking that [specific] historical trajectory was the only one that could have happened instead of one of many that happened to occur as a result of choices, accidents and unknown factors. That fine study <em>The Closed World</em>, about the mindspace that emerged from cybernetics and AI and DARPA and generated the simulated worlds we inhabit today, does a great job of illuminating that process.</p>
<p><strong>LJ:</strong> You&#8217;ve talked about video games being mediated realities, with the potential to become the ultimate interactive art medium. But it seems like a huge percentage of the most popular commercial games are mindless and nihilistic. Do you think the game-developing community is living up to its potential?</p>
<p><strong>RT:</strong> Absolutely not. Not yet. It will take time, and I don&#8217;t know the ultimate form. I used to think it was interactive fiction, then MOOs and MUSHES, and now it&#8217;s vast multiplayer global game spaces. What has happened for sure is that those spaces profoundly influence how we think about and formulate responses to everything. The convergence of technologies often is invisible soon after it happens, and the interlocking of television, music, radio, hard-drive platforms for downloading (for example, Tivo) television programs and software programs&#8211;and then saying, &#8220;wait, they&#8217;re all the same&#8221;&#8211;that becomes the ubiquitous context that people cease to see or understand. It takes a McLuhan to illuminate how the medium is the message and what the medium, now invisible, in fact is.</p>
<p>That said, hey, it&#8217;s early yet. Also true is the extraordinary speed with which these things have happened as compared to prior technologies. The demographics determine the content of the marketplace, and one true thing is that more niches are enabled in the digital world than ever before. More exploration takes place, more new art and music and sound and interactive gamespace is generated, and it is seldom what current media spotlights, such as <em>HALO 2</em>, that ultimately are the important determinants of the future.</p>
<p>The fastest growing online segment is seniors. Their games are bridge and hearts and checkers. But the chat rooms that accompany their games fuel the popularity, the social interaction. Sure, young testosterone-driven males dominate the public media coverage, but get the statistics on romance novels versus shoot-em-up games, and I bet you&#8217;d be surprised which is higher.</p>
<p>Time, it takes time.</p>
<p><strong>LJ:</strong> Are you still a gamer? What games do you confess to having on your hard drive?</p>
<p><strong>RT:</strong> I usually cycle through games looking for how new tendencies might affect the kinds of things we have been discussing. I particularly am interested in narratives, poetic images and text, new ways of addressing human complexity. Games I have played with from that point of view include <em>Republic: The Revolution</em>, <em>Syberia</em>, <em>BladeRunner</em>, many of the <em>MYST</em> series, checking out how the SIMs have evolved. I observe the XBox and PlayStation games my kids play, kids of all ages. I played with <em>Everquest</em> but found the time demands to be too great for me to invest. I look at games such as <em>Quake</em>, <em>Doom</em>, <em>HALO</em> and <em>Grand Theft Auto</em> to see how they&#8217;re evolving. I still go back frequently to the world of interactive fiction, which is a thriving small niche. I think INFOCOM games, including <em>Trinity</em>, <em>The Hitchhiker&#8217;s Guide to the Galaxy</em> and <em>A Mind Forever Voyaging</em> are spectacular works of interactive literature and will last. Creative people still explore that genre and do some fascinating things with it. I continue to follow the work of Michael Joyce, who pioneered <em>Afternoon</em> and other hypertext fiction, a medium that has not figured out yet how to provide boundaries or bounded narrative space to contain possibilities. I also have learned a ton from my son Aaron Ximm (<a href="http://quietamerican.org/" target="_top"><strong>quietamerican.org</strong></a>), who has won awards for his &#8220;found sound&#8221;, another medium that would not exist absent digital tools.</p>
<p><strong>LJ:</strong> You are a fixture at Def Con and have been for most of the last decade. What brought you there, and what keeps you coming back?</p>
<p><strong>RT:</strong> You cannot overstate the way Jeff Moss, a.k.a. Dark Tangent, has built that space. Yes, he had a lot of help from willing collaborators, but the vision and ability to execute it with flexibility and canny awareness have made Def Con unique in the world of cons. I went to Def Con 4 to do a keynote because he created that opportunity. For me as for many, he said &#8220;Yes&#8221; instead of &#8220;No&#8221;. That&#8217;s the most powerful word in the language, as James Joyce said. I perceived that the real hackers in that space would be the thought leaders of the next decade; my first talk was &#8220;Hacking as Practice for Trans-planetary Life in the 21st Century&#8221;, which stands as validated by what is emerging now. I went there to learn from mentors who were one third my age, and it became clear that only if I provided something of real value to them as well would the reciprocity be genuine. I think the main attendees intuitively get that my respect and admiration for them is absolute. I have learned so much about how they have been socialized by interacting with networks and how that frames the way they hold themselves in the world as possibilities for meaningful action.</p>
<p>Over the years, I developed close friendships with hackers and evolving technocrats and people from the worlds of law enforcement and intelligence. As you know, they&#8217;re hard to distinguish now, right? I spoke at the Pentagon recently, and about one third of the people in the room were Def Con friends but with different haircuts and uniforms. They still play Spot the Fed at DC, but someone suggested, only half-kidding, that they ought to play Spot the Hacker. The worlds interpenetrate so much now and hacking, not cracking, has become so mainstream that it was inevitable.</p>
<p>Now, the crossing of those streams at Def Con was not an accident. It&#8217;s a unique and still-fertile space, because Jeff straddled multiple worlds so well and realized from the beginning that the con would grow only if he continued to include everybody. That pragmatic approach reminds me of how I did ministry, really. Only if you included all the players in the process and minimized doctrines and dogmas that always excluded some and included others could you build a genuinely diverse community. But to do that, you had to have a tolerance of ambiguity and complexity that is irritating to purists on either side, whether hard-core hackers or law enforcement professionals.</p>
<p>I kept coming back because it really did become a kind of psychic home, where a lot of us understood one another&#8217;s unconventional and creative approaches to life straight up, whereas out here we often have to explain ourselves or just shut up and walk away a lot. Properly understood, hacking is a mindset that transcends any particular technology. It&#8217;s evident at Def Con to a large degree, although it has changed and evolved over the years. Every year a lot of us think, well, maybe this is the last year. And maybe it is. But so far it keeps coming back and so do we.</p>
<p><strong>LJ:</strong> In 1996, if not earlier, you already were describing hacking correctly as being about truth and knowledge and not about breaking into other people&#8217;s computers. This was way before the mainstream media had begun to get even a clue on that point&#8211;they still don&#8217;t, really. Do you think hackers are doomed to be misunderstood? Is that an inevitable result of knowing how things really work?</p>
<p><strong>RT:</strong> Yes. Unconventional thinkers who work across the boundaries of fixed disciplines do not fit in the molds or models of prior ways of thinking. First, they sound crazy. Then, they sound funny. Then, people attack them. Then, everybody believes that they always agreed with them all along. That&#8217;s when you know their way of seeing things has become the core of a new consensus reality, and already new truths that contradict that are arriving on the edges. That&#8217;s why I say that the truth, once everybody believes it, has become a lie, and new truths are out there on the edges. It&#8217;s also a way of saying that thought leaders who see the implications of the present describe the present as they experience it, not the future. But for those living in the past, it sounds like the future, and we sound like futurists. We&#8217;re not. We&#8217;re simply seeing the inevitable implications of what&#8217;s already there but which most people, because of habitual thinking or work that does not require them to make these connections, don&#8217;t see yet. Nietzsche said originality is merely seeing a little ahead of others what&#8217;s coming over the horizon and giving it a name. Same idea.</p>
<p><strong>LJ:</strong> Based on your contact with the intelligence community, what do you think about the current state of homeland security in the US?</p>
<p><strong>RT:</strong> Honestly, that&#8217;s like a blind man describing an elephant; the subject has come to mean so many different things. Has a lot been done to prevent or disrupt attacks? Yes. Can any single attack succeed? Yes. Do I believe the gloves are off, and we have stopped some very serious events? Yes. Are we still vulnerable? Of course.</p>
<p><strong>LJ:</strong> What I actually had in mind was this: I recently met a federal agent who rolled his eyes when someone mentioned the Department of Homeland Security. I get the impression that many professionals consider the DHS to be window dressing.</p>
<p><strong>RT:</strong> Oh, the Department. I agree with that. It required a person who could do little and be content with that. But in all of the many areas where people take it seriously, a lot of things have been done. You can&#8217;t confuse political rhetoric meant for perception management and public consumption for the real policies and actions taking place. Anyway, we all know there&#8217;s a big difference between making people feel safer so society does not implode and actually generating more security.</p>
<p><strong>LJ:</strong> Exactly, just because DHS is window dressing doesn&#8217;t mean it can&#8217;t be useful window dressing.</p>
<p><strong>RT:</strong> Perception management is absolutely necessary, right? It&#8217;s easy to snipe from the sidelines, but when you have responsibilities that impact society&#8211;we all read from the same script.</p>
<p><strong>LJ:</strong> Your speech at Def Con 10, in which you basically chucked your speaker&#8217;s notes and riffed on the importance of hackers carrying on in the face of 9/11, the Patriot Act, John Ashcroft and so on, really was moving&#8211;it was the only standing ovation I&#8217;ve ever seen at Def Con. Do you see any improvement in the US&#8217;s prospects for civil liberties now, especially given the most recent election?</p>
<p><strong>RT:</strong> The convergence of enabling technologies of intrusion, interception, and panoptic reach, combined with a sense of urgency about doing counter-terror and a clear mandate from the White House to do everything possible and seek forgiveness afterward rather than permission in advance has created a dire but often invisible set of threatening conditions. I asked an intelligence veteran recently if he thought we would ever get back the Bill of Rights. He said probably not; only if there is some explosive revelation, a la Watergate, that overwhelms the denial of the population, because they see what&#8217;s at stake and the consequences of what already has been done. It has been built into the framework of our bureaucracies that will relinquish those new ground rules reluctantly and only under great duress.</p>
<p><strong>LJ:</strong> What&#8217;s really scary to me about that statement is the feeling that Watergate could happen again, but the American public still might not reassert its rights. We seem to have lost our ability to become outraged by much of anything that happens in Washington. Nobody&#8217;s suffered any consequences, for example, for the politically motivated blowing of CIA operative Valerie Plame&#8217;s cover. What does that say about us? Is that defeatism, naivete, cynicism or what?</p>
<p><strong>RT:</strong> I agree. I spoke recently with a veteran journalist about a serious thing I was told. I asked him how we could get it into the public domain, and he said it would not do any good even if we did. We discussed, for example, Gary Webb and the CIA, Contras and crack. Gary lost his career and told me that could be expected, because when things are made public they are quickly managed, eclipsed, distorted and so on. As a friend who does cover and deception [work] said, &#8220;illusion, misdirection and ridicule are the methods, and they are done expertly at all levels of the game&#8221;. But, and this is a big but, there is a conscience in this country still, and a hopeful or idealistic heart would respond to something sufficiently egregious, I think. Watergate took a long time to ripen, and only when Nixon was directly implicated did the government fall. Remember the Pentagon Papers: it takes a whistleblower, someone whose conscience can&#8217;t stand it another minute, to document the data for us. It&#8217;s cumulative, yes?</p>
<p><strong>LJ:</strong> Yes, it&#8217;s whether it culminates into something that matters.</p>
<p><strong>RT:</strong> Yes, and what would it take, today? I don&#8217;t know what that would look like. Watergate was a wholesale appropriation of the law enforcement and intelligence worlds to commit crimes&#8211;it took a lot.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/mick-bauer-of-the-linux-journal-interviews-richard-thieme/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EarthLink: Security from the Inside: A dialogue with EarthLink’s Lisa Ekman and Lisa Hoyt from Secure Business Quarterly</title>
		<link>http://www.thiemeworks.com/earthlink-security-from-the-inside-a-dialogue-with-earthlink%e2%80%99s-lisa-ekman-and-lisa-hoyt-from-secure-business-quarterly/</link>
		<comments>http://www.thiemeworks.com/earthlink-security-from-the-inside-a-dialogue-with-earthlink%e2%80%99s-lisa-ekman-and-lisa-hoyt-from-secure-business-quarterly/#comments</comments>
		<pubDate>Tue, 15 Jul 2003 16:20:39 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1780</guid>
		<description><![CDATA[EarthLink: Security from the Inside A dialogue with EarthLink’s Lisa Ekman and Lisa Hoyt In a recent conversation with Lisa Ekman, Vice President of Infrastructure Operations, and Lisa Hoyt, Director of Information Security, Richard Thieme explored EarthLink’s comprehensive long-term approach to security, including the necessity of selling security internally to executives, engineers, and the entire [...]]]></description>
			<content:encoded><![CDATA[<p><strong>EarthLink: Security from the Inside</strong></p>
<p><em>A dialogue with EarthLink’s Lisa Ekman and Lisa Hoyt</em></p>
<p>In a recent conversation with Lisa Ekman, Vice President of Infrastructure Operations, and Lisa Hoyt, Director of Information Security, Richard Thieme explored EarthLink’s comprehensive long-term approach to security, including the necessity of selling security internally to executives, engineers, and the entire corporation.</p>
<p><strong>How Security Evolved at EarthLink</strong></p>
<p>In the “old days” — the sixties, seventies, and eighties — information security was seldom perceived as integral to business operations. The application area was king of the information systems arena. Security positions were not viable IS positions. Applications developers had all the status and clout. The term “infrastructure” wasn’t even used. Anything in the back-end was out of sight and therefore out of mind. So long as things worked, no one cared.</p>
<p>Times have changed. Security is a more integral part of the development cycles of internal business applications and network operations, and infrastructure is now understood to be essential to a business.</p>
<p>Because EarthLink was always a tech-savvy company full of technophiles who understood the network infrastructure, there’s always been a certain level of appreciation for the importance of good security.</p>
<p>EarthLink’s rapid growth over the past six years has caused the company to confront business decisions that required reevaluating the intrinsic importance of security and the necessity to be agile in response to rapid growth — facing questions like: How are we going to scale? How will we sustain and secure our current business and at the same time grow to where we want to grow? How can we use the best, most current technology to our advantage? How can we do all of this while being cost-conscious?</p>
<p>In addition, although awareness of security has always been at the forefront at EarthLink, that doesn’t mean that everyone understood the issues, which sometimes created a challenging work environment. Security professionals had to educate all levels of the corporation to ask the right questions. Is it a security issue? A network problem? A server problem? An application problem?</p>
<p>As a result of these efforts, non-security departments are now more cognizant of the fact that security professionals are partners working with them as team players, rather than adversaries trying to stop them from doing things.</p>
<p>Security isn’t just how a company defends against attacks. Lisa Hoyt emphasizes that security is an enabling technology in an acquisition-and-merger type environment. (EarthLink has acquired other companies and is often mentioned as a takeover target itself.) Having predictable, repeatable, secure ways to connect databases, applications, companies, and sites enhances both perceived and real value.</p>
<p>Security is also increasingly going to be a marketplace requirement. For example, if you want to accept a Visa® credit card in the future, you will need to have an information security infrastructure in place, or they won’t do business with you. Hoyt believes that the SEC will soon exert similar pressure on companies to have information security solidly in place. Like auto manufacturers providing seat belts and air bags once consumers demanded a higher level of safety, the marketplace will demand that networks be secure, and businesses will have no option but to comply with those demands.</p>
<p><strong>Selling Security Internally</strong></p>
<p>Leaders like Hoyt and Ekman, while responsible for security and infrastructure, also have to make sure that everyone — including leaders with hierarchical authority beyond theirs — buys into it. Employees must perceive — not merely believe — that security is in their own best interest. In figuring out how to win people over, Ekman and Hoyt found that one particular selling strategy, “FUD” (fear, uncertainty, and doubt), doesn’t work at all.</p>
<p>“Luckily, we do not need that kind of tactic to get support at EarthLink,” says Hoyt. “Crying wolf may get the first firewall, but over the long run, you need a more well-rounded perspective. If you cry that the sky is falling and then there isn’t a catastrophe, it’s a one-trick pony. In addition, you need to discuss how security enables the business model. If you’re just talking about the guy outside with the gun, it’s a limited worldview.”</p>
<p>Even if it does work, it doesn’t work well enough, adds Ekman. “FUD only buys you a little bit. It never gives you the whole enchilada.”</p>
<p>And besides, Hoyt adds, EarthLink is a young, tech-savvy company. You can’t frighten them about the Internet.</p>
<p>So how, then, do you sell this product called computer security to the company as a whole? Some solid numbers would help. Unfortunately, they’re pretty hard to come by. The metrics just aren’t there yet to demonstrate the return on security investment.</p>
<p>“We would prefer to have more data to use as a selling point,” Hoyt says. “We looked at things like the CSI/FBI crime survey to try to get some per-incident cost statistics, so if we had a breach we would know what we were looking at, but there is really not a lot of firsthand ROI information. Those that have it seldom share it in the public domain.”</p>
<p>Risk analysis for information security is more qualitative than quantitative. But that’s not fatal. Ekman and Hoyt believe that there is enough factual information available so that they can make their case even without hard numbers — by sketching out the Big Picture.</p>
<p>Those who exclusively insist on hard numbers to make this analysis miss the Big Picture. Companies that employ this approach tend to value data on a granular level, Hoyt says. If a single credit card number represents a penny’s worth of risk to reputation, and you have a million of them, then you know how much control to apply.</p>
<p>If a company really wants to generate numbers for their own business case, first they must assign value to their data, then run it through a risk analysis. But then they have to consider the intangible risk analysis questions: How much is a two-dollar drop in your stock worth? Evaluating security risk today, Hoyt concludes, is more wizardry than accounting.</p>
<p>From a risk management point of view, companies benefit from a small amount of ROI in the form of reduced premiums for security insurance. Over time that will grow, particularly after insurance companies pay out large settlements, but in the meantime insurance companies will need to adhere to high standards for security audits.</p>
<p><strong>Working with the Culture</strong></p>
<p>EarthLink is admittedly a “geek culture.” Geeks tend to resist authority. They prefer to be left alone to solve technical problems in their own way. In Hoyt’s six years at EarthLink, she has developed a good working relationship with both administration and the engineering team because she approaches them on an equal footing, asking: How can we provide security to support whatever you’re trying to do? “Negotiation and education breaks down that wall of ‘I’m a geek and I know everything so leave me alone,’” says Hoyt, “and replaces it with, ‘We’re all EarthLink employees trying to provide the best services we can provide.’”</p>
<p>None of that works, however, Ekman emphasizes, unless you have full understanding and support from higher-ups. If the CEO, the president, or the CFO does not have a clear understanding of the benefits of security or why this intangible expense is needed, then whatever you do is futile. “If you don’t have that buy-in and don’t educate senior management so you can get the help you need or pay for the expenses you will incur, you cannot begin to accomplish your goals,” says Ekman.</p>
<p>More CEOs recognize that security is intrinsic to organizational effectiveness, but there’s still a long way to go. CEOs and CFOs think about the world in different terms than security professionals do. That’s why effective communication is essential.</p>
<p>Ekman says that when senior executives think about security, they tend to jump to analogies of disaster recovery and forensic investigations. Executives often want to get down to the bottom line, but in security, the bottom line is always a shade of gray. Because it’s difficult to evaluate a benchmark and get key metrics per area or per industry, the kind of facts that executives want to hear are often not available — and so they compare the possibility of a network security breach to that of a natural disaster like an earthquake. But security, Ekman says, is totally different. Security is online, instantaneous, 24/7. It’s never just after the fact.</p>
<p>The best conversations about security result in measurable goals or objectives for which people can be held accountable — the nuts and bolts: how to do it, who is going to do it, and by what date. “Awareness” is transformed into deliverable action items, making the security initiative discrete — and doable.</p>
<p>Executives need to understand that information security is a daily process, not a Big Bang. It is about educating the workforce and consistently reevaluating exposure to risk. Security is a strategic conversation that should be apparent in all areas of business development.</p>
<p><strong> </strong></p>
<p><strong>EarthLink’s Security Infrastructure</strong></p>
<p>So what specific security tools and techniques does EarthLink employ? They use multiple levels of firewalls and intrusion detection systems. They do extensive host hardening and use the secure gateway model for access control to eliminate security events that happen by “accident” or through default. And they use a lot of open source and custom tools, rather than follow a specific product line, to ensure that the security enterprise is aligned, to the finest level of detail, with their own security standards.</p>
<p>Protecting sensitive customer billing information from misuse and disclosure is a top priority. Because EarthLink is an Internet company with multiple Internet access points, internal and business applications must be separated from external services. EarthLink has several layers of isolation between how customers connect to Web servers, how Web servers store files, and how credit card information is stored in databases and in file servers. Administrative access is severely restricted and tightly controlled.</p>
<p>For all the emphasis on external connectivity, however, EarthLink is very aware that intrusions and disruptions can come from inside the network. Policies and procedures that protect the company from itself are inseparable from enterprise-wide expectations of a high level of responsibility and accountability.</p>
<p>“Our core values and beliefs are alive and well at EarthLink,” Ekman says. “They’re based on common sense as to what constitutes responsible, mature adult behavior. We trust and respect our employees, and they live up to the level of responsibility implied by that trust.”</p>
<p>EarthLink restricts access to critical sets of information on a need-to-know basis. Access controls and physical security controls support limited visibility into key systems — credit card information is not visible, for example, to an application updating someone’s billing information. And notifications on servers state that monitoring may be conducted during an investigation or during regular use of a system. But it is essential that internal security does not create an antagonistic relationship between security architects and the user base. Here is where the company’s ethic of collective accountability is critical, because it means that employees recognize that these practices serve the end of creating a secure working environment. Employees are not the enemy, but if they want to work at EarthLink, they must accept the safeguards.</p>
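<p>The need-to-know separation described above (a billing application that can edit a customer’s profile without ever seeing the full card number) can be sketched in code. The following is an added example written for this page, not EarthLink’s own code or architecture; the CardVault and BillingService classes, the table layouts, the role names and the sample card number are all constructed for illustration.</p>

```python
"""
Added example (not EarthLink's code): a minimal model of the need-to-know
separation in the article. The billing application persists only an opaque
token and the last four digits; the full card number lives in a separate
vault that only the payment role may read. All names, tables, roles and
sample data are constructed for this illustration.
"""
import secrets
import sqlite3
from dataclasses import dataclass


class CardVault:
    """Isolated store for primary account numbers (PANs)."""

    def __init__(self) -> None:
        # A separate in-memory database stands in for a separately
        # administered server with its own access controls.
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE cards (token TEXT PRIMARY KEY, pan TEXT NOT NULL)")

    def store(self, pan: str) -> tuple[str, str]:
        """Store a PAN and return (token, last4). The token is random, so it
        cannot be reversed into the PAN without access to the vault."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        token = "tok_" + secrets.token_hex(16)
        self._db.execute("INSERT INTO cards VALUES (?, ?)", (token, pan))
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int, role: str) -> str:
        """Only the payment role may resolve a token back to card data."""
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not read card data")
        row = self._db.execute("SELECT pan FROM cards WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        # Stand-in for the card-network call: the result carries no full PAN.
        return f"auth-ok:{amount_cents}:****{row[0][-4:]}"


@dataclass
class BillingProfile:
    customer_id: int
    address: str
    card_token: str
    card_last4: str


class BillingService:
    """Edits billing profiles. It holds only the token and last four digits,
    so a compromise of this service, or a curious operator with access to
    its tables, does not expose full card numbers."""

    def __init__(self, vault: CardVault) -> None:
        self._vault = vault
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE billing (customer_id INTEGER PRIMARY KEY, "
            "address TEXT, card_token TEXT, card_last4 TEXT)"
        )

    def enroll(self, customer_id: int, address: str, pan: str) -> BillingProfile:
        # The PAN passes through once, at enrollment, straight to the vault;
        # only the token and last4 are persisted in this service's store.
        token, last4 = self._vault.store(pan)
        self._db.execute("INSERT INTO billing VALUES (?, ?, ?, ?)",
                         (customer_id, address, token, last4))
        return self.get(customer_id)

    def update_address(self, customer_id: int, address: str) -> BillingProfile:
        self._db.execute("UPDATE billing SET address = ? WHERE customer_id = ?",
                         (address, customer_id))
        return self.get(customer_id)

    def get(self, customer_id: int) -> BillingProfile:
        row = self._db.execute(
            "SELECT customer_id, address, card_token, card_last4 "
            "FROM billing WHERE customer_id = ?", (customer_id,)).fetchone()
        if row is None:
            raise KeyError("unknown customer")
        return BillingProfile(*row)

    def columns(self) -> list[str]:
        """Column names visible to this service; a check that no column
        carries a full card number."""
        return [r[1] for r in self._db.execute("PRAGMA table_info(billing)")]


def demo() -> dict:
    """Walk through enrollment, an address update and a charge attempt by
    each role; returns the observable facts for checking."""
    vault = CardVault()
    billing = BillingService(vault)
    constructed_pan = "4111111111111111"  # constructed test value, not a real card
    billing.enroll(42, "1 Old Street", constructed_pan)
    profile = billing.update_address(42, "2 New Street")
    try:
        vault.charge(profile.card_token, 1999, role="billing-app")
        billing_can_charge = True
    except PermissionError:
        billing_can_charge = False
    auth = vault.charge(profile.card_token, 1999, role="payment-processor")
    return {
        "address": profile.address,
        "last4": profile.card_last4,
        "token_is_pan": profile.card_token == constructed_pan,
        "pan_in_billing_columns": "pan" in billing.columns(),
        "billing_can_charge": billing_can_charge,
        "auth": auth,
    }


if __name__ == "__main__":
    print(demo())
```

<p>The point of the split is that the billing path and the charging path are different trust boundaries: the billing store never holds anything an attacker could turn into a card number, and the only code that can resolve a token is gated on the payment role. In a real deployment the two stores would be separate systems with separate administrators, which is the isolation the article describes.</p>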
<p><strong>How Do You Start?</strong></p>
<p>What advice do Ekman and Hoyt have for companies planning their security investment strategies? Start early. If you can only get one firewall on your network, start with that. Build on that foundation rather than trying to implement everything after the fact.</p>
<p>“You have to stay focused,” Ekman says. “You have to be aggressive. You have to stay earnest. There is a fine line between getting the job done and not making enemies. The bottom line is, stick to the facts, stick to the mission, and stick to accountability.</p>
<p>“To do this right,” she concludes, “is an art.”</p>
<p><em>Lisa Ekman is Vice President of Infrastructure Operations at EarthLink.</em></p>
<p><em>Lisa Hoyt is Director of Information Security at EarthLink.</em></p>
<p><em>Richard Thieme, a freelance writer who speaks and consults on the human dimensions of technology, facilitated this dialogue.</em></p>
<p><strong>Copyright Secure Business Quarterly, an @stake publication, 2001. All Rights Reserved</strong></p>
<p><strong>Reprinted by permission. </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/earthlink-security-from-the-inside-a-dialogue-with-earthlink%e2%80%99s-lisa-ekman-and-lisa-hoyt-from-secure-business-quarterly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security King: An Interview with Whit Diffie</title>
		<link>http://www.thiemeworks.com/an-interview-with-whit-diffie/</link>
		<comments>http://www.thiemeworks.com/an-interview-with-whit-diffie/#comments</comments>
		<pubDate>Tue, 01 Jul 2003 16:01:17 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1752</guid>
		<description><![CDATA[An Interview with Whit Diffie by Richard Thieme The Complete Transcript RT: I want to emphasize the deeper context. The world looks differently than it did 30 years ago. So much is located around you in the seventies when public key cryptography was brought forward. The fact that you are now CSO for SUN indicates [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>An Interview with Whit Diffie by Richard Thieme</p>
<p>The Complete Transcript</p>
<p>RT: I want to emphasize the deeper context. The world looks different than it did 30 years ago. So much is located around you in the seventies when public key cryptography was brought forward. The fact that you are now CSO for SUN indicates some differences. I want to explore the context of your life as well as the content.</p>
<p>You have a unique psyche and spirit in terms of creating a space of possibility. Breakthroughs into new ways of thinking, plus affecting public policy and public and private life but you are not who you were 25 years ago. How does life look to you now?</p>
<p>The biographies that others write and that we write can constrain us but you continue to create a persona and use it to do good work. I am interested in the deeper self that creates the personas.</p>
<p>Whit: A whole bunch of people, particularly the Germans or German-Swiss that did that infinite interview that is on the web, asked about events from childhood through 1980. That’s all well recorded.</p>
<p>I perceive several shifts in my life. I do not see a vivid shift between the seventies and the eighties. I went from being a nominal graduate student to managing secure systems research at Northern Telecom but continued to do intellectual engineering work. I viewed my world as analogous to classical university jobs – your day job was teaching your students and if you did that competently, you kept your job. If you wanted to be a star, you had to do that in addition. The day job was talking to customers, consulting internally, etc., and grazing around for what was interesting. I did several good pieces of work. One nice piece of work, not well remembered, was on securing TCP. The criticism is that I merged the security with the protocol itself so the result was large and complicated, which speaks against certification. What is said about functionality was very nice. Northern Telecom did a secure ISDN telephone and my design was a good piece of work, and the one thing that is remembered is the concept called – rather poorly, I didn’t name it – perfect forward secrecy.</p>
<p>So I continued basically to do what I had done for a long time, routine technical work and episodically to do something worth taking note of. After I came to Sun that did not change as much as it might have. I found to my surprise that I had gained dramatically in formal status, I had gone up two major ranks in the industrial world, and as director I had a special job at Sun and a strong select group, a lot of formal status, but that turned out not to offset the loss of informal status as much as it might have. The first year or two with Sun I floundered around, not finding myself very effective, wanting to think about things. Then the government did one of its periodic favors and delivered the Clipper Chip and I found myself moving into politics and working almost entirely on technology and society policy issues for the next decade.</p>
<p>RT: Did that make explicit a lot of the underlying presuppositions of your prior work?</p>
<p>Whit: To the degree that they were about social objectives, the answer is yes. On the other hand, if you follow not interviews mostly given late, but the things I read, you’ll realize that I went through a not-so-surprising transformation from a technically centered and individually centered view of things to a much better understanding of society. If you look at the predictions I made, written in 1979, that run to the late nineties, many of the technical predictions such as when we would go to triple DES and things like that are correct but my whole understanding of what society would be like in the nineties was incorrect. I imagined for example that the falling cost of electronics would give rise to a growth SigInt industry and everyone would have to be protecting themselves, not recognizing the role of law and the way in which state power differs so vastly from industrial power. My whole political vision has – to put it sympathetically – matured or – to put it less sympathetically – been co-opted or corrupted over these thirty years.</p>
<p>RT: It looks like maturity from the inside, though.</p>
<p>Whit: I am not sure that it always does. There is a line from a poem, “I Remember I Remember,” and the last lines are “It is little joy/to know I am further off from heaven/than when I was a boy.” Things become more complicated and less clear. You become compromised, but at the same time, you don’t regret becoming compromised, because you learned interesting things, you were involved with interesting people, you hold more complex views that you once would have considered essentially criminal.</p>
<p>RT: I call that more grounded in reality.</p>
<p>Whit: That’s correct, but I am not absolutely sure that it always <strong>feels</strong> like maturity from the inside.</p>
<p>RT: As I have grown older, I have found I literally have no clue about any of the things about which I used to be more certain…</p>
<p>Whit: I like the old line from Saturday Night Live, “you ignorant slut.”</p>
<p>RT: But you feel it, you feel the complexity of issues and ideas and see how you formed those ideas when we were younger in a particular context, and that context has changed so much over our lifetimes. When you put that into historical continuity, you have to realize how little you grasp of the big picture.</p>
<p>Whit: What I was thinking was, I spent a lot of time – my new job interferes with this – at the Center for International Security and Cooperation at Stanford. That’s a place with a whole bunch of ex-govvies. I heard discussions of issues that were already of interest to me in the sixties. Let me give you an amusing example. Driving to work one morning a few months ago, I listened to the head of Physicians for Social Responsibility doing her anti-nuclear rant, and that noon I listened to a seminar about whether or not a new compiler construction project actually has a chance to be licensed in the US in the next three years in such a time as to be online by 2011 when the power needs would be such and such – a very down to earth discussion. The contrast between the kinds of views to which I would have once been sympathetic – although I was never particularly anti-nuclear – this sort of broad brush moral assessment of things, by comparison with this detailed assessment of whether pebble reactors had promise and what difficulties they had etc. – a lot of the people I would have once discarded as criminals, now I can see how carefully they think, what good scholars they are.</p>
<p>RT: I understand. I know.</p>
<p>Whit: I have often said that I started out thinking of myself as NSA’s opponent, but within a few years, as a result of meeting people and studying their technologies and activities, I developed a great deal more sympathy for intelligence overall. In the context of the Cold War, the worst possible thing was to imagine two blind men in a room with machine guns and intelligence was a stabilizing phenomenon in international relations in a way that I thought the liberals were blinded to, but in fact, they were anti-secrecy per se and on the face of it the intelligence agencies were so secretive.</p>
<p>RT: You and Clint Brooks, the father of Clipper, gained a great deal of respect for one another.</p>
<p>Whit: Respect, yes, but not intimacy. I don’t feel I know him particularly well compared to some of the other agency people.</p>
<p>RT: Given the aggressive efforts of law enforcement since 9/11 to get access to whatever systems of information they would like, do you think some application along the lines of Clipper would be more attractive now, in part as a safeguard?</p>
<p>Whit: I think the issue of key escrow cannot possibly go away because we are moving – I hate to use buzzwords, but we are moving into an information society, and at the same time I want you to take me seriously about that. That’s not always easy when you use buzzwords but in this case I mean them. I want to state this clearly for a limited case. We have a lot of things like, say, personal computers which I think of as a manufacturing object like a factory. It mostly manufactures services or sometimes code with its compilers or documents or something but it’s a standardized unit of production. All that distinguishes one from another is what information it has about what to produce. For example, an orchestra is a standardized piece of machinery that manufactures music and you feed it scores and it manufactures music. It was a great achievement in the musical world to standardize orchestras. Machine shops are a little less well-codified but are also an example. We’re moving toward a world in which we can easily imagine, say, chip compilers in the future or biological compilers that manufacture drugs. This will be a world in which small units of society whether individual families or corporations or cities or states have standardized means of production and what goes on is a function of what information they have to feed into their means of production to turn it into more information or goods or matter. In such a society the flows of information are the description of what social control is, what social interaction is.</p>
<p>If you look at things like the nuclear command and control system, you find things that are more complex than classic information protection systems where you have simple models like link security or end-to-end security. You have circumstances of prepositioning information, concepts like signing authorities, things like that, within this sort of society defined by information flows. What would you expect other than to have mechanisms like that someone has the authorized right to inspect something? What is the machinery that supports that? My view is, the issue of key escrow will definitely not go away, because to the authoritarian mind, the natural view is, of course a court has the right to issue a subpoena for this information, therefore it has the right to have the machinery built in that will execute the subpoena for it and give it the information. The anti-authoritarian mind would think as I do that the important thing about a free society is the distinction between being held to account for your actions and being just plain forced to do what society wants. So it’s important when reporters are faced with subpoenas and say no, I am going to sit in jail for six weeks rather than give you my notes on this case because freedom of the press is more important than you getting a conviction in some particular case. The court naturally thinks otherwise, that it can just go in and grab the information it wants.</p>
<p>Going back to a more tactical issue, I think it is interesting that there has been so little anti-cryptography sentiment since 9/11. Rudd sponsored a bill that went nowhere and the agency people said they had made up their minds about a set of issues a few years ago and have not seen good reasons to revisit their decisions. The Advanced Encryption Standard was hung up for about two months this way. It was supposed to appear about the end of September and was finally signed with very little fanfare on November 26. The cryptographic community would have been happy to hold a big party for that signing but it didn’t happen. To my view that was a great achievement for the deployment of cryptography because of the apparent strength of this algorithm, the international process by which it was developed, and the fact that the US standard is a Belgian-designed algorithm. All of that gives it a much better chance of fostering a wider international compatible, interoperable, etc. use of cryptography.</p>
<p>RT: You are on record consistently saying things like, “people have the right to make any effort they wish to keep conversations private.” You speak of people in the seventeenth century, say, being able to go behind a tree and presume their conversation was private. I want to approach the relationship of content to context. The printing press helped to create the notion of individuals. Identity is a function of boundaries and the boundaries define different levels of complexity. Now, those boundaries are being subverted by the technologies we are discussing, so is identity, and so, therefore, is the notion of privacy. What does privacy mean when our vocabulary is a result of social realities generated by printing and text? When not only “intellectual property” came to be defined by the notion of an “individual,” which did not exist before then, not in the way we use the word?</p>
<p>Whit: Authorship, OK, but “nobody thinking of themselves as an individual” – that’s a stretch.</p>
<p>RT: Well, the rights of humankind evolved in the sixteen and seventeen hundreds. An individual was defined as a different kind of construction.</p>
<p>In a networked world, corporate identity may well come to supplant individual identity.</p>
<p>Whit: There are two different questions. One is the broader one on the impact of information technology. The second is whether or not corporate identity will supplant individual identity, which may or may not turn out to be true. The one solid thing I see in that direction is that information technology makes it possible to maintain a larger organization. This benefits not only corporations but nation states as well. I had a conversation with Bob Gaskins, later the creator of PowerPoint, and was bemoaning the rash of mergers and the centralization of power and he said oh, don’t worry about it. We’ve had that sort of thing before and these larger organizations always develop phony economics internally and after a while they break up. I have not in fact seen that in twenty years. We are still overall in an era of consolidation. I have concluded tentatively that the reason is that better information technology makes it feasible to have an organization of so many workers all over the world in a way that was not feasible in 1980.</p>
<p>RT: That’s what I mean by the morphing of boundaries. Now we talk naturally about transnational or meta-national entities – the boundaries around national states that emerged in the past few hundred years were at a level of hierarchical structuring appropriate to the political, social, and economic complexity of society.</p>
<p>Whit: Yes. There are other implications. Airports, for example, have a different legal difficulty that ports don’t. Someone sails into a port, you can keep a person on the ship, the ship is different than the land, you can legally detain the ship, you don’t have the same kind of visa problem that you have if Germany, say, refuses to let you fly to Frankfurt unless you are qualified to enter Germany even though you have no intention of staying in Germany but intend to pass through. You have the increased growth of travel since the steam engine. You have a change in the dimensionality of the world from a planar graph to a more fully connected graph. Once you can fly directly from New York to Paris, the whole thing looks more like a full graph, and that’s important for analyzing a lot of issues for cyberwar and the flows of information on the web.</p>
<p>The introduction of cables challenged national boundaries because customs offices did not know how to look at information. The radio. Now we’re back to a very complicated situation in which nations have a sort of overall control of the flow of information in and out of themselves but not much retail control. The events of 9/11 panic them because they cannot really have confidence that they can prevent that kind of thing without a degree of retail control that is antagonistic to a lot of other things they are trying to promote such as free societies, free flow of business, free trade, etc.</p>
<p>RT: So how do you see that evolving?</p>
<p>Whit: I have more questions than answers. My top-level question about 9/11 and about the question of whether or not it was an intelligence failure is, do we really want to live in a world in which US intelligence can detect every half million dollar, twenty person, two year activity? I am very concerned that a number of things from the rise and power of the intellectual property purveyors to the hard-to-resist concerns for life and limb that have given new life and new power to police institutions are going to lead us toward a much more rule-bound and controlled society.</p>
<p>RT: David Brin said in a sci-fi novel, “The Transparent Society,” that the rich and powerful would always have privacy and the only solution was to “watch the watchers,” making sure that those who have the authority to intrude have accountability to some point of reference other than themselves.</p>
<p>Whit: Do you take Brin’s books very seriously?</p>
<p>RT: The concept, perhaps, rather than the novel. A recent “mistaken identity” case, for example, revealed how a similar name caused an older woman to be listed as a potential terrorist and denied access to a flight.</p>
<p>Whit: On balance indeed, more transparency on the part of government machinery is desirable. In particular, police agencies have been very effective lobbyists for an agenda that sounds like “what’s good for the police is good for society.” It is really, making the work of the police easier, rather than making the work of the police more effective. Anyone who lobbies for secrecy does so to have as few masters as necessary to whom to be accountable. They can say they want their “watch list” secret for security reasons, but simultaneously prevent scrutiny of the “watch list” for errors.</p>
<p>Brin’s notion of watching the people watching the cameras is only vaguely applicable in a transition society such as ours at the moment, in which there is some physical presence and some telepresence.</p>
<p>One POV about cameras in the courtroom is to provide coverage without having to go to the courtroom. But at the same time, you should not be able to sit at home watching people’s lives hung out for your entertainment. Maybe you should have to go to City Hall to sit in a room to watch but not record court proceedings. My point is that it’s a short term solution, regardless of its merits, because sooner rather than later, say, no later than 2100, a much larger fraction of society will consist entirely of telecommunications. So how you might apply automation to voting booths versus how to vote from your laptop securely – one is a short term issue and the other a medium to long term issue.</p>
<p>RT: Let’s now relate this to your work at Sun and to your past. Edward Wilson in Consilience said that all great scientists – like great information security people – show a passion for knowledge, obsessiveness, and daring. Now that you are Chief Security Officer of Sun Microsystems, how do you maintain your edge? Robert Galvin of Motorola said that all great revolutionary work begins life as a minority opinion, which certainly applies to public key cryptography as you and Marty Hellman brought it to life. Now you look like the consummate insider. How do you keep your eye on the truth that only an outcast can know?</p>
<p>Whit: This relates back to our discussion of being compromised. I have felt compromised in that sense from very early on. The more successful I was at learning things from NSA people, the more I came to recognize – getting an NSA clearance would destroy me because I would be overwhelmed by the exposure to that vast culture and its knowledge. Even the amount I have learned from NSA people over the first decade, let alone the last three, about their work, led me more and more to thinking about their problems and thinking about them the way they thought. James Ellis is much more remarkable than I in that in 1969 he was steeped in that community and still managed to think of public key cryptography.</p>
<p>RT: You were picked by the brine.</p>
<p>Whit: Yes! Marinated in corruption, as it were. Now, this is where I refuse to answer your question and do so as tactfully as possible. There is a hidden assumption that the objective overall and for any particular period of my life is to triumph by means of creativity. By making myself available to be CSO, I recognized that I was trading – when I came to Sun, I was told that the mandate for a “distinguished engineer” was to work on whatever was in the scope of the corporation’s activities that were considered interesting or where he could make the greatest contribution. I was able to cherry pick what was of concern to me. In the spring of 1993, for example, policy issues seemed to me to be the most important threat to secure communications and I turned my attention entirely to that. I recognized that I was trading a circumstance where I get to decide what is most important and get to work on it like the Supreme Court for one in which I have to work on things that occur to themselves or have a good reason not to. What I hope to accomplish – I have a sense that we are positioned and have been for some time – we have enough primitives or components, if you will – to give us a big welding job here to get all this stuff together correctly. The advantages of having me as CSO because my name is well known were sufficient to make it necessary for me to do that. What was needed was a rallying point in terms of personalities as well as the fact that there are some clear rallying points like the Advanced Encryption Standard presenting themselves by the world around which a homogenous security technology can be formed.</p>
<p>RT: How will you use your persona as “Whit Diffie” as leverage for this work?</p>
<p>Whit: Using one’s reputation is such a ubiquitous phenomenon that this does not seem to invite that more than anything else.</p>
<p>RT: McNealy did say after Microsoft’s announcement that security was now going to be a priority that Sun did not need to send out a letter in order to make that point. But that was followed quickly by your appointment as an advocate for Sun’s security offerings. What do you intend to do for Sun or on behalf of Sun as opposed to helping the internet’s fragmented security environment to grow more integrated?</p>
<p>Whit: I intend to do that in the context of Sun’s products. “Easy enough for ecommerce, secure enough for homeland defense” is the slogan. I am convinced we can make a major breakthrough against the reputation that security has that it isn’t any good unless it’s terribly burdensome. I believe I bring to this job in addition to my reputation a certain judgement acquired in thirty years in working in and studying security very broadly and being interested in everything from penetrating safes to cryptanalysis. I hope to bring judgement as to where we will get the most bang for the buck. My prejudices in these directions are so far only prejudices. There is a standard rift exemplified perfectly between me and Scott Chaney in that Scott is a policeman and the police think in terms of diagnosing things and retaliating. Security people think in terms of preventing things. Neither viewpoint is comprehensive. It’s foolish to say that either alone can be entirely adequate. One of the great disservices of cryptography to the world is that cryptography is a case in which that seems to have been decided narrowly – suppose you have a cryptographic algorithm and all the opponent has access to is the ciphertext and that algorithm – we believe we have gotten so good at that so it looks as if a pure security measure is entirely adequate. The reason that case looked so hard for much of the 20<sup>th</sup> century is that once you broadcast a message on a radio there is virtually no control on what people intercepting the message do with it. In that respect, it’s very different from almost all of the cases that concern us most of the time on the Internet day to day which are interactive phenomena. My prejudice is in favor of security mechanisms, denial of objective mechanisms, as far as possible and intrusion detection and diagnosis and response mechanisms wherever necessary.</p>
<p>RT: Where do you see the financial incentives coming from to achieve this? It is difficult to present a quantifiable return on security investment to decision makers to justify that.</p>
<p>Whit: The intrinsic costs (you can now do high-grade cryptography in ordinary chips, for example) have dropped a long way. The extrinsic costs affect things like, why can’t you buy a secure phone for less? This is fundamental. As CSO of SUN, I know that if you can integrate things into the product line of a major manufacturer of equipment, you can get the overhead down to where the extrinsic costs will decline and cost-based resistance will decline.</p>
<p>RT: And Sun is the best context in which to do that commercially in this country?</p>
<p>Whit: I did not have to make that decision. I did not survey all the companies in the world and make a choice. If you believe in end-to-end phenomena as I did for most of my career, then getting control of the leaves might be better than getting control of the trunks. My decisions about what to do were not, however, so broad in spectrum as to invite me to try to rebuild my bridges with Microsoft who have a different point of view. It never occurred to me to try to do that.</p>
<p>My broad view was recently formulated like this: Information security is about a century old. It begins with the radio, the first major thing to make this field what it is, followed fifty years later by the computer. Here we are a century into this and here are the problems we have solved and here are the ones we have not solved.</p>
<p>RT: Broadly speaking, the problems are found in system architecture at its core, rather than in add-ons, right? Systems have not been designed to be intrinsically secure.</p>
<p>Whit: It’s worse than that. <strong>As an infosec engineer, typically, by the time they call you in on a problem, all the decisions you need to control have already been made in the wrong way. </strong></p>
<p>One of the challenges is to get people to understand the importance of security so they are obliged to take it into account early in design.</p>
<p>RT: Your description of the security landscape can sound pessimistic if one only reads your words. But you sound immensely energetic and optimistic still. What maintains your optimism in the face of daunting complexity and insoluble problems? What can you communicate to younger security practitioners about that?</p>
<p>Whit: I don’t expect younger people to see things as I do. One of the most important things about the young is that they’re ignorant. When you’re older you realize that people thirty years younger have never heard of many of the things that define the context of our lives. We think of younger people as knowing a whole bunch of new stuff that we don’t but it’s at least as important that they are not burdened with the direct experience of the earlier culture. What people think of as fundamental is what we’re used to. The argument about caller ID a decade ago is an example. Where did the idea come from that you have the God-given right to make an anonymous telephone call? It’s an accident of the technology. Maybe sending a letter is an antecedent, but usually, to speak with someone, you had to go up to them face to face. Yet people were so indignant about the fact that they were going to be identified.</p>
<p>RT: Which is critical to how privacy issues impact on identity issues. How we’re socialized around the age of ten is how we think life ought to be forever. So if privacy as we experienced it growing up is over, as your boss has said, then the cat really is already out of the bag.</p>
<p>Whit: If you look at our childhood and what privacy meant as a practical matter, I think it is probably the wrong abstraction to emphasize. There were not video cameras watching everything then. There were a whole bunch of things that you could get away with then like throwing a rock through a window and running. Today they will recognize you and hunt you down. A lot of things like that may be useful or not. You may want to make use of evidence that you were threatened, for example, but may not be able to get any use of the fact that someone was recording the scene. Then little will change in the context of that social interaction.</p>
<p>What did we want privacy for as children? We probably have more sexual privacy now than we did then. Sexuality of teenagers is more open now. Then it was that you were not supposed to have a sex life so your margins were defined by the back seats of Fords. Through the seventies and eighties I had a very NSA-like uncompromising view of what communications security meant. It meant that individuals were guaranteed that their traffic could not be exploited. Not only is that not achievable for most people most of the time, it isn’t even necessary. I have a friend in her forties with a kinky sex life who communicates about it all the time in chat rooms. I would never have talked about all that with someone that way because there is a good chance that someone is recording it and it might come back to bite you. I was raised during the Red Scare and repeatedly heard warnings from older people about not signing things because they came back to haunt you. I internalized that. I have been immensely careful about what I say on the telephone even though there is a negligible chance that someone will record it, down below one per cent.</p>
<p>Sometime after 1970 it became impossible to live underground. This is an ID society. Laws meant to control immigrant labor, for example, make it very hard to live as you could in the sixties under an assumed name without knowing intelligence-level tradecraft.</p>
<p>RT: The day will come when people who refuse to use digital or numerical or online identities will be judged sociopathic.</p>
<p>Whit: I think they will be. People born today will grow up in a world in which much of what you do is online.</p>
<p>I have had this vision for thirty years which I think is coming about. A marketing presentation which would have taken a month in 1980 can now be produced by one capable person in an afternoon. My original vision was that early in this century one would be able to create a color movie with the ease formerly required to write a personal letter. We’re close to that. You and I grew up being creative because we lived largely within our own minds. Soon, the fantasies you can manage in your own mind unsupported will not be able to compete with the ones that can be manufactured using available machinery. What are the implications of that?</p>
<p>RT: Let me return to the context we defined at the beginning of our conversation – the isolation in which you worked, your passion for knowledge. You have said you had a kind of Gnostic approach in life and expected solutions to life’s deeper mysteries to be salvific. You have felt the lure of the mysterious to be a compelling motivation for your pursuits. Where today do you find that edge? What defines that mystery now that compels or attracts you? What is unknowable that compels hot pursuit?</p>
<p>Whit: That’s a very attractive question and I do not have a ready answer. I am fascinated with why people believe things. I do not understand why I believe things much less why others do.</p>
<p>Someone said that Germany lost the Second World War but fascism won it. I thought there was a lot of truth to that in terms of the freedoms available then and what various technologies including bureaucratic technologies have caused to be. Technologies of social control enable a degree of control which even in those which do not express it in the suppression of minorities, say, is immense compared to that prior time. I tried to understand why I believed that, why others believe what they believe, and if I could investigate whatever I wanted, it might be what the proper set of rules or mechanisms for investigating the world and beliefs actually are.</p>
<p>RT: You want to study the telescope instead of the galaxy. Or the telescope as well as the galaxy.</p>
<p>edited for Information Security Magazine:</p>
<p><strong>SUN’S SECURITY KING</strong></p>
<p><strong>Cryptography pioneer Whit Diffie offers illuminating views on his ascension to Sun Microsystems&#8217; CSO. </strong></p>
<h5>interviewed by Richard Thieme</h5>
<h3>Whit Diffie</h3>
<p><strong>Sun Microsystems&#8217; CSO</strong></p>
<h4>Yearbook</h4>
<p>1975<br />
CREATED public-key encryption, with Stanford University&#8217;s Martin Hellman.</p>
<p>1978 &#8211; 1991<br />
SERVED as manager of secure systems research for Northern Telecom.</p>
<p>1979<br />
HONORED with the IEEE Information Theory Society Best Paper Award.</p>
<p>1981<br />
RECEIVED the Donald E. Fink Award for expository writing in an IEEE journal.</p>
<p>1991<br />
APPOINTED &#8220;distinguished engineer&#8221; at Sun Microsystems.</p>
<p>1992<br />
AWARDED an honorary doctorate in technical sciences by the Swiss Federal Institute of Technology for work in public-key cryptography.</p>
<p>1994<br />
NAMED Pioneer Award winner by the Electronic Frontiers Foundation.</p>
<p>1996<br />
BESTOWED National Computer Systems Security Award by NIST/NSA.</p>
<p>1997<br />
NAMED Louis E. Levy Medal winner by Franklin Institute.</p>
<p>2002<br />
NAMED chief security officer of Sun Microsystems.</p>
<p><strong>Q: How do you reconcile the iconoclastic Whit Diffie of the &#8217;70s with &#8220;Whit Diffie, chief security officer of Sun Microsystems?&#8221; </strong></p>
<p>A: We are all compromised over time. I have felt compromised from very early on. I worked independently, in relative isolation, but my work naturally brought me into close contact with people at the National Security Agency (NSA), and the more successful I was at learning things from NSA people, the more I realized that getting an NSA clearance would destroy me, because I would be overwhelmed by exposure to its vast culture and knowledge. Even the amount I have learned from them about their work over the first 10 years, let alone the last 30, led me more and more to thinking about their problems and thinking about them the way they thought.</p>
<p><strong>How has your work evolved over that time? </strong></p>
<p>There have been several shifts in my life, but not between the &#8217;70s and the &#8217;80s. I went from being a nominal graduate student to managing secure systems research at Northern Telecom, but continued to do intellectual engineering work. My day job at Northern Telecom was talking to customers, consulting internally and grazing around for interesting things. I did several good pieces of work. One, securing TCP, isn&#8217;t well remembered. I was criticized for merging security with the protocol itself. That resulted in something large and complicated, which speaks against certification. What it said about functionality, however, was very nice.</p>
<p>So I continued to do routine technical work, and, episodically, I did something worth noticing. After I came to Sun [as distinguished engineer in 1991], that didn&#8217;t change as much as it might have. I gained dramatically in formal status. As director, I had a special job at Sun, a strong, select group and formal status, but that didn&#8217;t offset the loss of informal status as much as it might have. The first year or two with Sun, I floundered around. I wasn&#8217;t very effective. Then the government did one of its periodic favors and delivered the Clipper Chip. Policy issues seemed to be the most important threat to secure communications, and I turned my attention entirely to them.</p>
<p><strong>What effect did that have on you? </strong></p>
<p>I went through a not-so-surprising transformation from a technically centered, individually centered view of things to a much better understanding of society. Many of the technical predictions I made about technology from the &#8217;70s to the late &#8217;90s &#8211; such as when we would go to TripleDES &#8211; are correct. But my understanding of what society would be like in the &#8217;90s was incorrect.</p>
<p>I imagined, for example, that the falling cost of electronics would give rise to a growth in the signals intelligence industry, and everyone would have to protect themselves, not recognizing the role of law and the way in which state power differs vastly from industrial power. To put it sympathetically, my political vision has matured. To put it less sympathetically, my vision has been co-opted or corrupted over these last 30 years. That&#8217;s what I mean by &#8220;compromised.&#8221;</p>
<p><strong>It sounds to me like you matured. </strong></p>
<p>Well, it doesn&#8217;t always feel like maturity. The last lines of a poem called &#8220;I Remember, I Remember&#8221; are: &#8220;It is little joy to know I am further off from heaven than when I was a boy.&#8221; Things become more complicated and less clear. You do become compromised, but at the same time, you don&#8217;t regret becoming compromised, because you learned interesting things; you were involved with interesting people.</p>
<p>I started out thinking of myself as NSA&#8217;s opponent, but within a few years, as a result of studying its technologies and activities, I developed a great deal more sympathy for intelligence overall. In the context of the Cold War, the worst possible thing was to imagine two blind men in a room with machine guns. Intelligence was a stabilizing phenomenon in international relations in a way that I thought liberals were blind to.</p>
<p><strong>What have the changes you have undergone meant in terms of your work at Sun and, recently, your appointment as CSO? </strong></p>
<p>There&#8217;s a hidden assumption that the objective overall and for any particular period of my life is to triumph by means of creativity. When I became CSO, I recognized that there are trade-offs. I am trading a situation in which I could decide what was most important and work on it for one in which I have to work on things that occur &#8220;out there.&#8221;</p>
<p><strong>What do you intend to do on behalf of Sun, as opposed to helping the Internet&#8217;s fragmented security environment become more integrated? </strong></p>
<p>I intend to do that integration in the context of Sun&#8217;s products. I bring to this job, in addition to my reputation, a certain judgment acquired in 30 years in working in and studying security very broadly and being interested in everything from penetrating safes to cryptanalysis. I hope to have good judgment on where we will get the most bang for the buck.</p>
<p><strong>Where are the financial incentives for businesses to invest in security? </strong></p>
<p><strong>It&#8217;s still difficult to show a quantifiable return on security investment to decision makers, isn&#8217;t it? </strong></p>
<p>The intrinsic costs &#8211; you can now do high-grade cryptography in ordinary chips, for example &#8211; have dropped a long way. The extrinsic costs affect things like, why can&#8217;t you buy a secure phone for less? This is fundamental. If you can integrate things into the product line of a major manufacturer of equipment, you can get the overhead down to where the extrinsic costs will decline and cost-based resistance will decline.</p>
<p><strong>After Microsoft&#8217;s announcement that security is now a priority, Sun CEO Scott McNealey said that Sun didn&#8217;t need to send out a letter to make that point. Yet that was followed pretty quickly by your appointment as advocate for Sun&#8217;s security offerings. Where&#8217;s the distinction? </strong></p>
<p>There&#8217;s a rift exemplified by the difference between myself and Scott Charney, chief security strategist at Microsoft. Scott is a policeman. Police think in terms of diagnosing things and retaliating. Security people think in terms of preventing things. Neither viewpoint is comprehensive, and it&#8217;s foolish to say that either alone can be entirely adequate. My prejudice is in favor of security mechanisms, denial-of-objective mechanisms &#8211; as far as possible &#8211; using intrusion detection, diagnosis and response mechanisms wherever necessary.</p>
<p><strong>How has the security landscape in which we operate changed since Sept. 11? </strong></p>
<p>I have more questions than answers. My top-level question about Sept. 11 is, do we really want to live in a world in which U.S. intelligence can detect every half-million-dollar, 20-person, two-year activity? I&#8217;m very concerned that a number of things from the rise and power of intellectual property purveyors to the hard-to-resist concerns for life and limb that have given new life and power to police institutions are going to lead us toward a much more rule-bound and controlled society.</p>
<p><strong>Given the aggressive efforts of law enforcement since Sept. 11 to get access to whatever systems of information they would like, do you think some application along the lines of Clipper would be more attractive now? </strong></p>
<p>The issue of key escrow won&#8217;t go away because, to the authoritarian mind, the natural view is, &#8220;Of course, a court has the right to issue a subpoena for this information. Therefore, it has the right to have machinery built in that will execute the subpoena for it and provide that information.&#8221; The anti-authoritarian mind would think, as I do, that the important thing about a free society is the distinction between being held to account for your actions and being forced to do what society wants.</p>
<p><strong>In terms of the role of information technology, what kind of society do we have now? </strong></p>
<p>I hate to use buzzwords, so take me seriously here &#8211; we&#8217;re moving into an information society. Here&#8217;s what I mean by that.</p>
<p>We have personal computers, which I think of as manufacturing objects, like factories.</p>
<p>They mostly manufacture services; sometimes they manufacture code or documents, but it&#8217;s a standardized unit of production. What distinguishes one from another is the information it has about what to produce. For example, an orchestra is a standardized piece of machinery that manufactures music; you feed it scores, and it manufactures music. We&#8217;re moving toward a world in which we can imagine, say, chip compilers or biological compilers that manufacture drugs. This will be a world in which small units of society &#8211; whether individual families, corporations or states &#8211; have standardized means of production. What goes on is a function of what information they have to feed into their means of production to turn it into more information or goods. In such a society, the flows of information describe the parameters of social control and social interaction.</p>
<p><strong>What does that mean individually? </strong></p>
<p>People born today will grow up in a world in which much of what we do is online. I have had a vision for 30 years, which I think is coming about. A marketing presentation that would have taken a month in 1980 can now be produced by one capable person in an afternoon. My vision was that early in this century one would be able to create a color movie with the ease formerly required to write a personal letter. We&#8217;re close. We grew up being creative because we lived largely within our own minds. Soon, the fantasies one can manage in one&#8217;s own mind unsupported won&#8217;t be able to compete with the ones that can be manufactured using available machinery. What are the implications of that?</p>
<p><strong>You are on record as consistently saying things like, &#8220;People have the right to make any effort they wish to keep conversations private.&#8221; But in a networked world, corporate identity may well come to supplant individual identity. What will &#8220;privacy&#8221; mean then? </strong></p>
<p>There are two different questions. The broader one is about the impact of information technology. The second is whether corporate identity will supplant individual identity, which may or may not turn out to be true. Information technology makes it possible to maintain larger organizations. This benefits not only corporations but nation-states as well. I was once bemoaning the rash of mergers and centralization of power, and a friend said, &#8220;Oh, we&#8217;ve had that sort of thing before; larger organizations always develop phony economics internally and, after a while, break up.&#8221; But I haven&#8217;t seen that in 20 years. We are still in an era of consolidation, because better information technology makes it feasible to have an organization of so many workers all over the world in a way that wasn&#8217;t feasible before.</p>
<p><strong>Your description of the security landscape might sound pessimistic if one only reads the words, but you sound optimistic. What maintains your optimism? What can you communicate to younger security practitioners about that? </strong></p>
<p>I don&#8217;t expect younger people to see things as I do. One of the most important things about the young is that they&#8217;re ignorant. When you&#8217;re older, you realize that people 30 years younger have never heard of many of the things that define the context of your life. We think of younger people as knowing a whole bunch of new stuff that we don&#8217;t, but it&#8217;s at least as important that they aren&#8217;t burdened with the direct experience of the earlier culture. What people think of as fundamental is what we&#8217;re used to. The argument about Caller ID a decade ago is an example. Where did the idea come from that you have the God-given right to make an anonymous telephone call? It&#8217;s an accident of the technology. Yet people were indignant about the fact that they were going to be identified.</p>
<p>Copyright © 2003 Information Security, a division of TruSecure Corporation</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/an-interview-with-whit-diffie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Conversation with Cristophe Huygens, CTO of MSSP Ubizen, Top Gun in the Cockpit of the SOC</title>
		<link>http://www.thiemeworks.com/a-conversation-with-cristophe-huygens-cto-of-mssp-ubizen-top-gun-on-the-soc/</link>
		<comments>http://www.thiemeworks.com/a-conversation-with-cristophe-huygens-cto-of-mssp-ubizen-top-gun-on-the-soc/#comments</comments>
		<pubDate>Sat, 17 Aug 2002 16:23:34 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1783</guid>
		<description><![CDATA[Top Gun on the SOC in Info Sec Mag August 2002 Top Guns When mind and machine meet in the cockpit of a SOC. BY Richard Thieme and Andrew Briney Blinking lights. Bells and whistles. Frosted glass windows. Big-screen LCDs projecting fancy UI&#8217;s, colorful pie charts and streaming binary. You expect eye candy when you [...]]]></description>
			<content:encoded><![CDATA[<h3>Top Gun on the SOC</h3>
<h3>in Info Sec Mag</h3>
<h3>August 2002</h3>
<h1>Top Guns</h1>
<h4>When mind and machine meet in the cockpit of a SOC.</h4>
<h5>BY Richard Thieme and Andrew Briney</h5>
<p>Blinking lights. Bells and whistles. Frosted glass windows. Big-screen LCDs projecting fancy UI&#8217;s, colorful pie charts and streaming binary.</p>
<p>You expect eye candy when you tour a managed security operations center (SOC). You want mystique and intrigue, Tom Clancy, <em>War Games</em> and <em>Mission Impossible</em>. And the MSSPs are only too happy to oblige.</p>
<p>The pomp and circumstance is indeed impressive. But as it turns out, the most important computer in every SOC is the oldest computer of them all: the human brain. Security software has made great progress in its ability to consolidate, correlate and analyze event and log data from multiple devices&#8211;firewalls, IDSes, routers. But the people who sit in the cockpit of an MSSP SOC say old-fashioned intuition remains their most reliable tool when analyzing security events.</p>
<p>&#8220;Technology helps classify events, but has limitations,&#8221; says Cristophe Huygens, CTO of MSSP <a href="http://www.ubizen.com/">Ubizen</a>. &#8220;We see these technologies more as traditional decision-support systems. Some straightforward rule-based classification can be done automatically, and you can relate that to a whole set of additional information. For instance, something you see in an intrusion detection probe may bring up something you saw in the firewall logs, so you can look at it from a holistic perspective and make a decision.</p>
<p>&#8220;That&#8217;s where the art and the magic of the decision-making process is difficult to qualify,&#8221; Huygens adds. &#8220;If it were simply based on rules, we would not need security analysts.&#8221;</p>
<p>Although it may sound obvious, a clear understanding of the distinction between what machinery can and cannot know is critical. Increasingly sophisticated IDSes, data mining software and security information management (SIM) systems can be used to identify and automatically respond to events using preset rules. But automation only gets you so far, Huygens says.</p>
<p>&#8220;We&#8217;re moving toward more and more accurate rules. If we had accurate measurement tools and a good overview of the situation at the customer&#8217;s site&#8211;his entire system, his vulnerabilities&#8211;then in theory we could specify a rule-based response,&#8221; he says. &#8220;But we don&#8217;t. That lack of information must be replaced by experience, customer intimacy, knowing how the customer does things.&#8221;</p>
<p>In effect, Huygens says, &#8220;The automated system is saying to the analyst, &#8216;Sorry, I don&#8217;t have enough information about the infrastructure or the signatures to figure out what&#8217;s going on here. You take over.&#8217;&#8221;</p>
<h3>Human Heuristics</h3>
<p>The word &#8220;heuristics&#8221; often comes up in the context of advanced detection of viruses or intrusions. Software employing heuristic scanning attempts to identify attacks based on artificial intelligence and pattern matching.</p>
<p>But in the cockpit of a SOC, heuristics takes on a much more human element, says Chris Trudeau, director of technical operations at <a href="http://www.trusecure.com/">TruSecure</a>&#8216;s managed security division in Atlanta.<sup>1</sup></p>
<p>&#8220;The technology isn&#8217;t going to help you with the unknown,&#8221; says Trudeau. &#8220;The technology can identify all the things that don&#8217;t apply to a specific set of rules or what&#8217;s acceptable. But understanding the output of that&#8211;determining which events are real and serious and which are of no concern&#8211;that requires an actual human to look at them. And that&#8217;s where human intuition comes into play.&#8221;</p>
<p>The oft-cited refrain of the gun lobby&#8211;&#8221;Guns don&#8217;t kill people; people kill people&#8221;&#8211;is often used as a metaphor for computer security. As in: &#8220;Computers don&#8217;t hack computers; humans do.&#8221; While the comparison can be useful in understanding the psycho-social aspects of intrusion detection, Trudeau suggests that it&#8217;s just as important to pay attention to the usage patterns of the other humans in the cycle: the end users.</p>
<p>&#8220;The large majority of things that would be classified as an incident are based not on somebody trying to get in to do bad stuff, but on the end user not understanding what they&#8217;re doing,&#8221; he says. &#8220;There are far more alerts resulting from users who just don&#8217;t understand what they&#8217;re doing than from hackers who are trying to do bad things.&#8221;</p>
<h3>Element of Subjectivity</h3>
<p>SOC operators will tell you that turning data into knowledge and content into context involves a lot of subjectivity. More to the point: When decision-making is equal parts technology and human intuition, you&#8217;d better have multiple levels of analysis to ensure accuracy.</p>
<p>Like many SOCs, Herndon, Va.-based <a href="http://www.netsec.net/">NETSEC</a> uses a multitiered event escalation process. Some decisions are made by junior support analysts, who sit in the trenches 24/7 looking for anything out of the ordinary. These Level 1 analysts err on the side of caution, says Derrick Jamieson, director of NETSEC&#8217;s NSOC operations. If there&#8217;s any doubt about the event in question, it gets sent up to an Analyst 2, then to an Analyst 3, and finally to Jamieson himself.</p>
<p>&#8220;By the time it reaches me, it has been confirmed as a malicious attack, potentially an intrusion, and is classified as a full-scale incident,&#8221; says Jamieson. &#8220;Client intervention has started, and I&#8217;m engaged in both resolving the incident and being a liaison with the client.&#8221;</p>
<p>NETSEC&#8217;s escalation policy reduces the likelihood that any analyst&#8217;s bias will distort the team&#8217;s decision-making. &#8220;There&#8217;s no traditional methodology for doing data analysis,&#8221; Jamieson says. &#8220;You develop it with your own style and flair. It&#8217;s how you see the sun and how I see it. Analysis is the same, based on subjective perception.&#8221;</p>
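<p>The correlation Huygens describes (an IDS hit pulled up beside the matching firewall log entry, and a rule that can only fire when the SOC actually knows the customer&#8217;s site) together with the tiered escalation Jamieson describes can be sketched as one small triage routine. What follows is an added example written for this page, not code from Ubizen, NETSEC or the article&#8217;s authors: the Snort-style alert lines, the iptables-style firewall lines, the asset table and the tier names (closed, L1, L2, L3) are all constructed assumptions.</p>

```python
"""Tiered SOC triage: correlate IDS alerts with firewall logs, then escalate
whenever the rules lack the context to decide.

Added illustration; the log formats, the asset table and the tier names are
constructed assumptions, not Ubizen's or NETSEC's tooling.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (Snort-style "fast" alerts; iptables-style firewall lines).
IDS_ALERTS = """\
08/14-02:15:01.120 [**] WEB-IIS cmd.exe access [**] 198.51.100.7:40122 -> 10.0.0.5:80
08/14-02:15:03.400 [**] WEB-IIS cmd.exe access [**] 198.51.100.7:40123 -> 10.0.0.8:80
08/14-02:16:10.000 [**] SCAN nmap TCP [**] 203.0.113.9:55001 -> 10.0.0.5:22
08/14-02:20:00.000 [**] MISC unknown payload [**] 192.0.2.44:1234 -> 10.0.0.9:8080
"""
FW_LOG = """\
08/14-02:15:01 DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=80
08/14-02:15:03 ACCEPT SRC=198.51.100.7 DST=10.0.0.8 DPT=80
08/14-02:16:10 ACCEPT SRC=203.0.113.9 DST=10.0.0.5 DPT=22
"""
# What the SOC knows about the customer's hosts (constructed). 10.0.0.9 is
# deliberately missing: the "not enough information about the infrastructure" case.
ASSETS = {
    "10.0.0.5": {"service": "apache", "vulnerable_to": set()},
    "10.0.0.8": {"service": "iis", "vulnerable_to": {"WEB-IIS cmd.exe access"}},
}

IDS_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+?):\d+ -> (\S+?):(\d+)$")
FW_RE = re.compile(r"^(\S+) (DROP|ACCEPT) SRC=(\S+) DST=(\S+) DPT=(\d+)$")
WINDOW = timedelta(seconds=5)  # how far apart an IDS hit and a firewall entry may be


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    sig: str = ""      # IDS signature name (empty for firewall events)
    action: str = ""   # firewall verdict (empty for IDS alerts)


def parse_ids(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:  # unparseable lines are skipped rather than guessed at
            ts, sig, src, dst, dport = m.groups()
            out.append(Event(datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"), src, dst, int(dport), sig=sig))
    return out


def parse_fw(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            out.append(Event(datetime.strptime(ts, "%m/%d-%H:%M:%S"), src, dst, int(dport), action=action))
    return out


def correlate(alert: Event, fw: list[Event]) -> list[Event]:
    """Firewall entries for the same flow (src, dst, port) within WINDOW of the alert."""
    return [e for e in fw
            if (e.src, e.dst, e.dport) == (alert.src, alert.dst, alert.dport)
            and abs(e.ts - alert.ts) <= WINDOW]


def triage(alert: Event, fw: list[Event], assets: dict) -> tuple[str, str]:
    """Return (tier, reason). Tiers: closed, L1, L2, L3 (confirmed incident)."""
    asset = assets.get(alert.dst)
    hits = correlate(alert, fw)
    if asset is None or not hits:
        # The rules cannot decide without context: the analyst takes over.
        return "L2", "unknown asset or no firewall corroboration; analyst takes over"
    blocked = all(e.action == "DROP" for e in hits)
    exposed = alert.sig in asset["vulnerable_to"]
    if not blocked and exposed:
        return "L3", "traffic reached a host vulnerable to this signature"
    if not blocked or exposed:
        return "L1", "traffic passed the firewall or target matches the signature"
    return "closed", "dropped at the firewall and target not vulnerable"


def run(ids_text: str, fw_text: str, assets: dict) -> list[tuple[str, str, str, str]]:
    """(dst, signature, tier, reason) for every parseable IDS alert."""
    fw = parse_fw(fw_text)
    return [(a.dst, a.sig) + triage(a, fw, assets) for a in parse_ids(ids_text)]


if __name__ == "__main__":
    for dst, sig, tier, why in run(IDS_ALERTS, FW_LOG, ASSETS):
        print(f"{tier:6} {dst:10} {sig:24} {why}")
```

<p>The four constructed alerts land in four different tiers: a blocked probe against a non-vulnerable host is closed automatically, an accepted request matching a signature the target is known to be vulnerable to goes straight to a confirmed incident, an accepted scan against a host with no known exposure is left for a Level 1 analyst to look at, and an alert against a host the SOC has no record of is handed up because the rule engine has nothing to decide with. That last branch is the point of both quotations above: the automation declines rather than guesses.</p>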
<p>A SOC&#8217;s multilayered decision-support infrastructure is further strengthened by the diversity of the analysts themselves, who often have varied yet complementary backgrounds. Tina Bird, director of network intelligence for <a href="http://www.counterpane.com/">Counterpane Internet Security</a>, decides when the firm should issue alerts about new threats. Bird is a former systems admin who has a Ph.D. in astrophysics and likes to study mysticism&#8211;all of which she brings to bear when evaluating event data.</p>
<p>&#8220;I learned as a research scientist to look at data and infer what was causing the patterns I was seeing,&#8221; Bird says. &#8220;Today, I&#8217;m using those same skills. I watch myself make decisions and can see what I&#8217;m paying attention to. What makes me able to do this is a background in Zen meditation. I learned to observe my mind and see what I was keying on.&#8221;</p>
<p>The SOC staff&#8217;s best weapon is a balance in the knowledge base and expertise of its staff, Bird says. &#8220;That there is no well-defined career path in infosec isn&#8217;t all bad. Like an intelligence analyst, you have to see things in different ways and always be aware that you don&#8217;t know the angle from which your attacker is coming.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/a-conversation-with-cristophe-huygens-cto-of-mssp-ubizen-top-gun-on-the-soc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Howard Schmidt Goes to War: An Interview with Howard Schmidt</title>
		<link>http://www.thiemeworks.com/an-interview-with-howard-schmidt/</link>
		<comments>http://www.thiemeworks.com/an-interview-with-howard-schmidt/#comments</comments>
		<pubDate>Wed, 01 May 2002 16:06:33 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1760</guid>
		<description><![CDATA[Howard Schmidt Goes to War An Interview with Howard Schmidt May 2002 Howard Schmidt The new vice chairman of the Critical Infrastructure Protection Board aims to keep cybersecurity a top priority in the post-9/11 world. BY Richard Thieme Q:You were recently named vice chairman of the Critical Infrastructure Protection Board, but you&#8217;ve said that Richard [...]]]></description>
			<content:encoded><![CDATA[<h3>Howard Schmidt Goes to War</h3>
<h3>An Interview with Howard Schmidt</h3>
<h3>May 2002</h3>
<h3>Howard Schmidt</h3>
<h4>The new vice chairman of the Critical Infrastructure Protection Board aims to keep cybersecurity a top priority in the post-9/11 world.</h4>
<h5>BY Richard Thieme</h5>
<p><strong>Q:You were recently named vice chairman of the Critical Infrastructure Protection Board, but you&#8217;ve said that Richard Clarke, the board&#8217;s chairman and special advisor to the president on cybersecurity, considers you a &#8220;co-chair.&#8221; How does that sort out?<br />
</strong>A:The presidential executive order established a chairman and a vice chairman for the Critical Infrastructure Protection Board, which is comprised of 26 senior U.S. government executives. We also have 20 standing committees that are subsets of the board. Beyond the core issues of the board and its subcommittees, there are four basic areas we cover: national security; the security of government systems; outreach, including private/public and state/local/international; and assisting the various law-enforcement communities. Richard and I cross over as necessary, but I&#8217;m particularly focused on the outreach and law enforcement/investigative pieces. Richard says we&#8217;re interchangeable; that&#8217;s why he says I&#8217;m more like a co-chair.</p>
<p><strong>Clarke is frequently questioned about the threat of a &#8220;digital Pearl Harbor.&#8221; How do you interpret that phrase? What would a digital Pearl Harbor look like?<br />
</strong>By &#8220;digital Pearl Harbor,&#8221; we mean a devastating attack on our ability to use the online world. For example, there were DNS server problems a few years ago that caused significant latency because some major ISPs had problems with corrupted files or bad zone files. If that had been allowed to perpetuate, it could have seriously impacted our ability to communicate using the Internet. A digital Pearl Harbor would be similar, but have a far more dramatic effect.</p>
<p><strong>During the Sept. 11 attacks, the U.S. nearly lost some key nodes in its financial exchange mechanisms, and telecommunications took a big hit. What have we learned about distributing resources more effectively?<br />
</strong>I can talk about a similar incident as an example. A fire in a tunnel near Baltimore last year effectively knocked out the Internet and a whole bunch of Northeast telecoms because there wasn&#8217;t a good understanding of single points of failure. We had all that wire and cable strung through that one tunnel. Take a physical event like that and look at the cascading effects, such as when a tree fell across power lines in Oregon and the lights went out in Tucson. If we have that happening at the same time as a virus or Trojan attack, as you said, a cascading effect could cause significant disruptions because of interdependencies in our infrastructure.</p>
<p>What did we learn from Sept. 11? We need to find out where those events are correlated. What the interdependencies are and how we can be more resilient. And how can we resist attack, be resilient and remediate in a relatively short period of time? Answering those questions is part of the board&#8217;s mission statement.</p>
<p>We don&#8217;t know where all the interdependencies are, and we need a better handle on that so we can protect them. We&#8217;re moving forward quickly, but you can&#8217;t turn a 600-foot ship around on a dime. Am I satisfied with our speed? Yes. All of those potential effects and attacks are being considered.</p>
<p><strong>The New York Electronic Crimes Task Force (NYECTF), which was based in the World Trade Center, was operational within 48 hours of the Sept. 11 attacks, due in large part to its public/private partnerships. You frequently define your work as creating public/private partnerships, but there are different assumptions in the public and private sectors about goals, which makes sharing information tricky. How are you enabling people to stand on common ground?<br />
</strong>The NYECTF is one example of how public/private partnerships work. A lot of telecoms after Sept. 11, through the National Coordination Center, immediately put up significant resources without any hope of compensation. Within hours, a number of companies went to the federal government and said, &#8220;Here&#8217;s $20 million in resources, tell us what you need us to deploy.&#8221; That&#8217;s one way it worked.</p>
<p>What happened with the NYECTF was happening on a grander scale on the national level, from telecoms to the IT infrastructure to the Pentagon. I was at the Pentagon within 36 hours of the attack with a blank check from the private sector saying, &#8220;Here&#8217;s what we can offer to get the Pentagon and New York communications up and running.&#8221;</p>
<p><strong>In the immediacy of the moment, we entered a space of extraordinary cooperation. But the half-life of a crisis, as Stash Jarocki of Morgan Stanley says, is 90 days. That&#8217;s when the level of urgency diminishes by half. Do people still understand what we&#8217;re up against?<br />
</strong>I think that in a lot of cases we do; a lot of people were genuinely converted. It has been said that 70 percent of the people are back at some level of normalcy. We need to find a balance. We want people to do things on a normal basis, but we also want a continued sense of urgency about things that are really critical. We still have a critical mass of people inside and outside the government saying, &#8220;I don&#8217;t care about the bureaucracy, what can we do to facilitate something effective?&#8221;</p>
<p>&#8220;I challenge anyone to find a CEO today involved in the industries that affect the critical infrastructure that will say security isn&#8217;t a CEO issue.&#8221;</p>
<p><strong>Do you see &#8220;functional networks&#8221; being built in creative ways?<br />
</strong>Building personal relationships is crucial. One thing that encouraged me to take this government job was the people I had worked with from my private-sector position, people who truly believe that we can make a difference, people who have grown up in this business together. It gives us extra leverage that in addition to our professional responsibilities, we all have a passion to do everything we can.</p>
<p><strong>Some say that Gov. Tom Ridge, the director of the Office of Homeland Security, has an impossible job that doesn&#8217;t carry the full authority to accomplish his assigned tasks. Do you see any similarities between his job and yours?<br />
</strong>I agree that he has a tremendous job, but I don&#8217;t agree that he lacks authority. His challenge is that this is a brand-new issue, whereas we have been doing cybersecurity for some time and have a pretty good sense of what it will take to bring it up to par. Both jobs are important and challenging, but we have more experiences behind us that we can build on.</p>
<p><strong>Are you reasonably satisfied with what you have been able to do to this point at the Critical Infrastructure Protection Board?<br />
</strong>At this point, I am 100 percent satisfied. Every conversation I have tells me that. One issue that we dealt with was the SNMP vulnerability. In my previous government life, it would have been more challenging to try to coordinate a response. In this case, we had all the key players from government, the private sector and academia on conference calls to look at the issues and come up with technical responses. It&#8217;s phenomenal to have everyone going in the same direction.</p>
<p><strong>Some security pundits say that everything we do going forward will be built on platforms that are permanently flawed.<br />
</strong>The Internet, as we all know, wasn&#8217;t designed to be secure. If you go to a security engineer and ask what it will take to fix this, you&#8217;ll be told that we have to upgrade infrastructure. It&#8217;s not necessarily because a vendor has something good or bad, but because the threat model has changed significantly.</p>
<p>There must be reengineering of processes to make the infrastructure secure. We have to build in testing and response capabilities so we&#8217;re proactive instead of reactive. At the same time, we have to educate people on how to be secure. Look at the history of the automobile. We added brake lights, then seat belts and so on, and now we have pretty safe cars. They&#8217;re not and never will be perfect, but they&#8217;re much better than they were. If we train people and put the right processes in place and improve the technology so it&#8217;s designed to reduce the threat, we&#8217;ll be in much better shape.</p>
<p><strong>Some security and IT professionals believe technology is advancing at a pace greater than our ability to field people to manage and secure the systems. How do you respond to that?<br />
</strong>The systems we&#8217;ve created up to now have been far more complex than they should be. It&#8217;s a growing process, and that&#8217;s the source of my optimism. Like cars, they&#8217;re becoming easier to use and maintain. We&#8217;re not going to have a CIO in everyone&#8217;s house, and you shouldn&#8217;t need one to own and use technology. The engineering needs to be secure and simple, and the curve for IT professionals will drop dramatically because things will be easier to use and security will be part of the fundamental process. I am encouraged because Richard Clarke has met with CEOs of major companies that make routers and software, and every one has said security is now a number one priority. It may not have been a priority before, but it is now.</p>
<p><strong>Is that due to the recognition that litigation may lead to software manufacturers being held responsible for defective products?<br />
</strong>That&#8217;s part of it. But I think there&#8217;s a greater realization about the importance of security. I think of my trajectory using computers. I once used a Commodore 64 to set up bulletin boards, for example, and it was a minor inconvenience if my hobby computer wasn&#8217;t accessible. But my dependency has changed significantly and a lot of vendors recognize this. It&#8217;s not a toy, but something we depend on in many different areas. In my role at Microsoft, I heard the White House say for years, &#8220;This is not a hobby now, it&#8217;s part of the critical infrastructure,&#8221; which is why so many people are now on board with security.</p>
<p><strong>Since Sept. 11, we&#8217;ve moved toward greater surveillance, which some say is eroding personal privacy and liberties. Do you think anything will inhibit that process?</strong><br />
I think we&#8217;ll reach a balance. Building up borders has been one of our problems. It&#8217;s the &#8220;Tootsie Pops syndrome,&#8221; with hard outer shells and soft chewy centers. That&#8217;s how we built networks. We had firewalls and strong perimeters, designating anything inside as trusted. Living in a ubiquitous online world, we have to secure individual devices and define profiles for resources under particular sets of circumstances.</p>
<p>As to privacy&#8211;without security, you have no privacy. That doesn&#8217;t mean we have to give up privacy, but we must have some level of authentication. For example, if I have a $20 bill in my pocket and want a $10 and two $5s, I don&#8217;t need identification to get that change from a bank. However, if I want to open an account, I do. If I want a safety deposit box, I need better authentication&#8211;I need two keys and someone has to come into the vault with me. I think these levels of authentication translate into the online world.</p>
<p><strong>Given the level of threat we face, we&#8217;re asking people to trust authorities with invasive surveillance technologies because it will ultimately serve the greater good. Is privacy over?<br />
</strong>Privacy is a very individual thing. When I subscribe to a magazine, I give up a certain level of privacy for the benefits of getting the information in that magazine. There&#8217;s always a trade-off, giving something up for the service that you want. You should be able to surf the &#8216;Net and get medical information anonymously without compromising your privacy. A bar can ask for an ID that proves you&#8217;re 21 before serving you alcohol. By showing a government-issued ID, like a driver&#8217;s license, we give up some privacy to have that drink. That&#8217;s where balance comes in.</p>
<p>For society as a whole and for individuals who want different levels of access to information, there will be different sets of rules.<br />
I don&#8217;t think we really know what &#8220;balance&#8221; is at this point. We&#8217;re still in a state of shock. We are searching for the right balance, and it will almost certainly differ from what &#8220;balance&#8221; was when I was 16.</p>
<p><strong>These are uncharted waters. How will people be held accountable?</strong><br />
On the government side, this is one reason the Critical Infrastructure Protection Board was created. The Government Information Systems Reauthorization Act requires the head of each federal agency to be responsible and accountable for security in their agency. The recent GAO report shows there&#8217;s a lot of work to be done, but those people are going to be held accountable. The board is giving them the tools and mechanisms to do cross-government collaboration to get their systems in order.</p>
<p>On the private-sector side, if you lose customers because your Web site gets hacked, you won&#8217;t be trusted. Accountability in the private sector will come from the necessity of providing that level of trust.</p>
<p><strong>It&#8217;s been said that one of the reasons you left government service the first time was because of bureaucratic politics&#8211;especially with the military. Some said you grew frustrated with having to fight for resources and funding, and felt stifled by the bureaucratic culture&#8217;s rigidity and lack of teamwork. By returning to government service, are you saying that this culture no longer exists?</strong><br />
That&#8217;s right. Conditions have changed significantly in government and also in the private sector. When everyone is focused narrowly on their own issues, they lose sight of the bigger issues. There&#8217;s now a greater recognition that &#8220;your issue is my issue.&#8221;</p>
<p>I&#8217;ll never forget a meeting at the White House where I told Richard Clarke that we had been coming to meetings on public/private partnerships for some time now and the definition of a &#8220;good meeting&#8221; was that &#8220;we had a good meeting.&#8221; It was frustrating. Richard and a few others got eight or 10 of us together and said, &#8220;This is serious business. Do you in your companies really understand the impact of what we&#8217;re discussing beyond what you&#8217;re selling or producing? That this goes way beyond that?&#8221; From my perspective, that was a real turning point in the conversation on the public/private relationship. People began seeing and saying that it wasn&#8217;t just about what they were doing; it was about what we were all doing.</p>
<p>Are we 100 percent there yet? Of course not. But I challenge anyone to find a CEO today involved in the industries that affect the critical infrastructure that will say security isn&#8217;t a CEO issue.</p>
<p><strong>It takes time to generate this kind of change, and you&#8217;re trying to communicate the depth and magnitude of the need for change to others so that the &#8220;community of interest&#8221; will include more people.</strong><br />
That&#8217;s correct. In a conference call on the Nimda worm, we had an astonishing level of participation. I marveled at the unprecedented technical depth, the senior-level management expertise and the level of government participation. Everyone was laying out their cards on the table; everyone was working together to identify what Nimda was doing, how to stop it and, if you had it, how to fix it.</p>
<p><strong>Throughout our conversation I&#8217;ve heard you say how encouraged you are about security becoming a priority. Was this level of awareness not possible prior to Sept. 11?</strong><br />
Yes. I spent three tours in Southeast Asia, I&#8217;m a cop, a proverbial &#8220;tough guy,&#8221; but the day I got the call from the White House after the Sept. 11 attacks asking me to be part of the team, I sat there almost in tears thinking that this is a no-brainer. We just had the worst death toll on American soil due to a terrorist attack, so it&#8217;s not whether it&#8217;s convenient, it&#8217;s that &#8220;this is the way to do it.&#8221; I have met others who were in the private sector and joined the team because they felt a tremendous obligation to do their part. This is a job we all have to do together. Failure is not an option.</p>
<h1>BioLines</h1>
<p>&gt; 1967-1983<br />
U.S. Air Force</p>
<p>&gt; 1983-1994<br />
Police officer with the Chandler, Ariz., police department.</p>
<p>&gt; 1994<br />
Headed the Computer Exploitation Team at the FBI&#8217;s National Drug Intelligence Center.</p>
<p>&gt; 1994-1997<br />
Directed the USAF Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.</p>
<p>&gt; 1997-2002<br />
Worked at Microsoft as chief security officer.</p>
<p>&gt; 1997-2002<br />
Taught computer forensics at the University of New Haven, Conn.</p>
<p>&gt; 1999-2002<br />
Served as international board president of the Information Systems Security Association.</p>
<p>&gt; 2001-2002<br />
President of the Information Technology-Information Sharing and Analysis Center.</p>
<p>&gt; 2002<br />
Appointed vice chairman of the Critical Infrastructure Protection Board.</p>
<p>Copyright © 2002 Information Security, a division of TruSecure Corporation</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/an-interview-with-howard-schmidt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IDS Den Mother: An Interview with Becky Bace</title>
		<link>http://www.thiemeworks.com/an-interview-with-becky-bace/</link>
		<comments>http://www.thiemeworks.com/an-interview-with-becky-bace/#comments</comments>
		<pubDate>Mon, 01 Apr 2002 15:59:34 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1750</guid>
		<description><![CDATA[This is the interview edited for Information Security Magazine. The original conversation was so dense with Bacian insights and worthwhile observations that I am presenting it in its entirety as well. The IDS Den Mother Becky Bace has made a security career out of building communities to overcome technical challenges. An Interview with Becky Bace [...]]]></description>
			<content:encoded><![CDATA[<p>This is the interview edited for Information Security Magazine. The original conversation was so dense with Bacian insights and worthwhile observations that I am presenting it in its entirety as well.</p>
<h3>The IDS Den Mother</h3>
<h4>Becky Bace has made a security career out of building communities to overcome technical challenges.</h4>
<p>An Interview with Becky Bace</p>
<h5>BY Richard Thieme</h5>
<p><strong>Q: A former colleague of yours at NSA calls you the &#8220;den mother&#8221; of intrusion detection research. Did you always want to be an engineer?</strong></p>
<p>A: No. I thought I would do something in medicine, but I was diagnosed with epilepsy in my adolescence and was told that no medical school would ever touch me.</p>
<p>My grandfather was principal of an elite girls&#8217; school in Tokyo, and my mom went to birthday parties at the Imperial Palace. They lost everything in the war, and she was a war bride. My dad was a self-educated Teamster from a classic Alabama dirt-farmer family. I was one of seven kids raised in Birmingham. Jimmy Hoffa established a scholarship fund, and I was a recipient.</p>
<p>In my senior year of high school, while neurologists discussed how to classify my disability, I won the Betty Crocker award for Alabama, which included a scholarship. In 1973, I was the only woman to attend the University of Alabama at Birmingham in engineering.</p>
<p><strong>When did computing enter the picture?</strong></p>
<p>At Alabama. I took my first course as a freshman on a monster IBM mainframe with 1 MB of memory. I did the punch card scene, doing Fortran and COBOL. I loved math, but a math career just seemed too risky. That&#8217;s why I went into engineering.</p>
<p>I was teaching an engineering lab when a couple of Xerox technicians said, &#8220;Come work for us. We&#8217;re under the gun for affirmative action. With your background, you&#8217;re heaven-sent.&#8221; I may have been heaven-sent, but I wasn&#8217;t warmly welcomed. I remember the guy across the desk at Xerox saying, &#8220;I guess we have to hire you, since you passed the test.&#8221; I stayed with Xerox for five years as a specialist repairing copier machines, while taking night courses in math and economics.</p>
<p><strong>Issues of race and gender bias permeate your career. How would you say those factors affected your work and life?</strong></p>
<p>I wouldn&#8217;t have had that initial job at Xerox if they hadn&#8217;t hired me under affirmative action, so it&#8217;s a wash in the long run. But it&#8217;s certainly a two-edged sword. At times, I think people discriminated on the basis of gender when it wasn&#8217;t acceptable to do it on the basis of race. Sometimes customers would raise a ruckus for having to deal with me because they believed they had been given &#8220;second best&#8221; when I showed up, even though I was better educated than most of the men.</p>
<p>For a woman, to be average is an invitation to be maligned. From a personal point of view, you can write it off. But from a functional point of view, it damages the organization. It damages your ability to be a mission player, and it hinders the organization from picking the best person for the right spot because they have to cater to such idiocy.</p>
<p><strong>When did you go to NSA?</strong></p>
<p>I moved to Baltimore with Paul, my husband, and took courses at night. I found a job I loved, running a data processing shop for a civil engineering firm; my husband went to work at the NSA. He said, &#8220;Remember those people at school wandering around, whose shoes didn&#8217;t match and would walk into a wall if you gave them a stick of gum to chew? This place is crawling with them. You&#8217;ve got to come here.&#8221; So I did. That was 1984.</p>
<p><strong>What helped you realize your potential?</strong></p>
<p>When I got involved in security in 1989, Gene Spafford was the gold standard. At the University of California at Davis, where we were doing a brain trust sort of project, I felt almost embarrassed talking to Spafford because my academic career was so checkered. I spent eight years taking tons more courses than I needed to get an undergraduate degree. It turns out Spafford had every bit as eclectic a background as I did. The ways I was different from the mainstream turned out to be pluses, not minuses.</p>
<p>Spafford said that when you don&#8217;t connect with a bureaucracy, everyone assumes that the problem is that you have too little to offer. The problem is more often that you have way too much. That made me feel better about my skills and potential.</p>
<p><strong>How did you make the jump to IDS research?</strong></p>
<p>When my son was diagnosed with autism, a friend at the National Computer Security Center (NCSC) said I needed a job that didn&#8217;t involve so much travel. She had a project that pointed toward initial intrusion detection work. I looked at what they were doing and thought, I may be an idiot, but this is the only thing we were doing that makes sense to me.</p>
<p>I challenged a manager to let me run with the IDS project. We had funding locked in, so I said, &#8220;Let&#8217;s roll with it, and I&#8217;ll come to you with a strategy for either straightening it out or bringing it down.&#8221;<br />
I didn&#8217;t always see eye to eye with the bureaucratic way of doing things, so I actually got on the telephone with stakeholders&#8211;that was radical&#8211;and looked around to see who was doing work in this space. I started to forge relationships and connections. That&#8217;s how I got it done.</p>
<p><strong>What was the state of intrusion detection when you began working on it?</strong></p>
<p>Jim Anderson, my mentor, came up with the concept of intrusion detection around 1980, after which he had a Frankenstein experience&#8211;&#8220;Oh my God, what did I create?&#8221; He saw that it was such a sexy notion that it overshadowed preventive measures. The systems were more specialized and sophisticated than a lot of what I see in the commercial world today, and those systems were deployed and then abandoned because people lost interest.</p>
<p>Dorothy Denning and Peter Neumann did a study in the mid-1980s, and Dorothy wrote a seminal paper, &#8220;An Intrusion-Detection Model,&#8221; in which she described what is still the de facto model.<sup>1</sup> We haven&#8217;t even gone 40 percent of the way along the path she described. The government did several prototypes and the Air Force was cranking up for another round&#8211;these were the days of Haystack and before the days of the network security monitor.</p>
<p><strong>What do you think of the move toward &#8220;intrusion prevention?&#8221;</strong></p>
<p>There&#8217;s a lot of hype and a lot of vision. As Stephanie Forrest, who researches immunology and intrusion detection at the University of New Mexico at Albuquerque, found, any automated response that does detection, decision-making and correction needs to be done relatively low in the network stack, way down at a very fine-grained level. The lower in the stack it occurs, the subtler the correction mechanism can be.</p>
<p>There&#8217;s an analogy between some things we know about medicine and what we do in computer security. Some of the lessons learned doing things like chemotherapy apply. You can conceptualize or model certain correction mechanisms, but the correction is too crude if you do them at too coarse a level. You end up with all kinds of revenge effects that create more problems for the whole organism.</p>
<p><strong>Where&#8217;s it all headed?</strong><br />
It&#8217;s splitting as the network evolves and becomes ubiquitous. Monitoring and detection capabilities reside in and permeate the stack from the coarsest to the finest grain. At the finest grain, it&#8217;s easier to make generic rules about what should happen. In those situations, you&#8217;re in a better position to make self-corrections. But anything can suffer when you start dealing with things on more granular levels&#8211;for instance, at the packet flow and routing level. At those points, you lose some of the differentiation between functions that occur for security reasons and functions that occur for quality-of-service reasons.</p>
<p>People get all hyped about doing protocol checking and correction of malformed packets. Good network gear does a little of that packet scrubbing as a part of routine network management. Now you&#8217;re in a situation where you accommodate the fact that that may happen more often than you might expect from a strictly statistical point of view. In so doing, though, you&#8217;re saying that you don&#8217;t care so much about who did it or where a bad stream of traffic is coming from. But the bottom line is, you accept that you have to worry about a denial of service, not that some 12-year-old in Peoria has decided to inject frag packets into the network. That ultimately helps a lot. Scrubbing packets isn&#8217;t going to give you a problem in terms of burying you in false alarms and creating noise levels, where people can bury stuff.</p>
<p>From a detection point of view, we&#8217;ll get more powerful about being able to pull back and take a look at larger patterns and see subtler patterns of behavior. That puts us in a kind of brave new world of intrusion detection. Right now, we&#8217;re still implementing signature recognition in a kludgey way. There&#8217;s a lot of improvement yet to be done. Commercial forces will drive most of this improvement, not someone in DARPA.</p>
<p><strong>You once said, &#8220;I don&#8217;t believe that anyone in defense circles, which are at the root of a lot of what we know about security, could ever have foreseen the impact of the World Wide Web. Some folks in defense were blindsided by the whole notion of distributed systems.&#8221;</strong></p>
<p>That&#8217;s right. The people in the ranks knew that security was going to be a headache, but I don&#8217;t think they understood to what degree. They were dealing with trusted network interpretation (TNI) and the Rainbow series. I was supposed to be taking the Orange Book&#8217;s principles and extrapolating them to networked systems. It turned out to be the nature of networked systems that you have an erosion of security with each additional system you add to the network. At that point, however, people were just beginning to grapple with the idea that they had sensitive, unsecured data.</p>
<p><strong>Was that frustrating for you?</strong></p>
<p>To a degree, but I&#8217;m willing to beat my head against the wall only so much. Then I go off and start laying the groundwork for something that will solve the problems.</p>
<p>I cobbled together people who had at least a partial view of what was wrong. That connected me with Tsutomu Shimomura, Matt Bishop and Dan Farmer&#8211;people I regard very highly. I systematically worked my connections, and serendipity helped a lot. So I cobbled together a community&#8211;a fast-growing community&#8211;of good people.</p>
<p><strong>What do you mean by &#8220;cobbling together a community of good people&#8221; and &#8220;serendipity?&#8221;</strong></p>
<p>My partner at Infidel, Terri Gilbert, says that serendipity is what happens when you consciously make a piece of yourself available&#8211;things do converge. It&#8217;s amazing how things converge over time.</p>
<p>Terri recognizes the importance of what we&#8217;re doing. She said, &#8220;You know, the whole notion of how to secure this stuff once it&#8217;s automated really is the problem of this generation.&#8221; I think she&#8217;s right. We have to get real about it. Trust is central. Information security is a context in which we can define these critical human and community concepts in a way that matters. Something this important can&#8217;t take place outside of a community with a mission.</p>
<p>I learned a lot about how to do it just growing up. In the Japanese community, there are about three degrees of separation between people, and if you want to get something done, you&#8217;ll use that awareness. Coming from a small town, it was natural for me to rely on my community for support. And it also feeds into the law of large numbers: If enough people vote on a particular outcome, you&#8217;ll reach general convergence pretty quickly and that convergence will be nicely centered on the correct answer.</p>
<p>We understand that there are powerful ways of counteracting these big, hairy problems. If you apply enough people with a few criteria at the beginning, convergence will begin immediately. You may not find the needle right away, but you&#8217;ll eliminate the three-quarters of the haystack that&#8217;s not productive.</p>
<p><strong>You&#8217;ve said that you had no delusions about the capabilities of the government side of the fence because commercial superstars can do some things far better. Like what?</strong></p>
<p>I recently keynoted an investment conference for a Wall Street firm and said that they shouldn&#8217;t invest in &#8220;techie toy&#8221; firms anymore. We&#8217;re at a critical juncture in the life cycle of security products-either they have legs, brand loyalty or show signs of maturing. So instead of sitting back and saying, &#8220;We&#8217;re smarter than those customers; we know better than they do what they need,&#8221; we should actually query customers about what they need.</p>
<p>We have had a tremendous amount of hubris in the security field. We&#8217;ve said that because we&#8217;re the security gurus, we don&#8217;t have to know anything about how customers interact with their systems. That&#8217;s so untrue. If you don&#8217;t understand your value proposition, you&#8217;re screwed.</p>
<p>We also have to get a better sense of the context in which security operates. We tend to get so enchanted with content that we forget about context. It&#8217;s all about context. It&#8217;s critical to integrate products with the users&#8211;the human side&#8211;with the underpinnings, the network and platforms; and with the business itself, corporate policy and bureaucracy. Gaps in any of those will give you problems in functionality, security and liability.</p>
<p><strong>And now you&#8217;re working in the VC arena. How are you plugging this new career direction into your work as a researcher?</strong></p>
<p>Building new firms is great fun. It&#8217;s returning to my old venue, but from a different angle. I love seeing new ideas. Instead of being a failed bureaucrat, I&#8217;m a startup person who was stuck in the wrong slot.</p>
<p>Before, I was at a juncture between research and implementation. I was basically in applied research. A lot of smaller firms that used to have their own R&amp;D gave it up in the &#8217;70s and &#8217;80s because they couldn&#8217;t justify prototyping something for a couple of decades before moving it to market. There are only a few ivory tower places where you can do pure research, and I had a basic, practical, farm girl mentality. Applied research is what you have to do at startups, and that&#8217;s what I&#8217;m doing for the VC firm. You&#8217;re giving people legs, allowing them to take research that may not have been high-risk research but was more like systems research, where you take an isomorphic approach and apply it to a whole new problem set.</p>
<p>The other part that&#8217;s refreshing is that it forces me to do technology transfer, but really grow tech abilities beyond anything one can do in government. The downside of government is that you can do this stuff and not have to actually produce. Here I don&#8217;t have that luxury. Because everyone is on that same page, you wind up doing a lot. There&#8217;s no debate about the level of pressure required to make you produce.</p>
<h3>BioLines</h3>
<ul>
<li><strong>1984-1996</strong><br />
Worked for the National Security Agency in various positions.</li>
<li><strong>1989-1995</strong><br />
Led the NSA&#8217;s Computer Misuse and Anomaly Detection (CMAD) research program and helped build the Information Security Research and Technology Group.</li>
<li><strong>1995</strong><br />
Received the NSA Distinguished Leadership Award for building the CMAD community.</li>
<li><strong>1989-1995</strong><br />
Served as technical monitor for the Intrusion Detection Expert System (IDES) and Next Generation Intrusion Detection Expert System (NIDES) research program at SRI International.</li>
<li><strong>1996</strong><br />
Served as deputy security officer at the Los Alamos National Laboratory&#8217;s Computing, Information and Communications Division.</li>
<li><strong>1998</strong><br />
Cofounded and became president/CEO of security consultancy Infidel Inc.</li>
<li><strong>2000</strong><br />
Authored Intrusion Detection (McMillan Technical Publishing, January 2000).</li>
<li><strong>2002</strong><br />
Appointed as a venture capital consultant at Trident Capital.</li>
</ul>
<p>Copyright © 2002 Information Security, a division of TruSecure Corporation</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/an-interview-with-becky-bace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Automating Cyber Defenses: A Round Table with Bishop, Cheswick, Porras and Jackson</title>
		<link>http://www.thiemeworks.com/automating-cyber-defenses-a-round-table-with-bishop-cheswick-porras-and-jackson/</link>
		<comments>http://www.thiemeworks.com/automating-cyber-defenses-a-round-table-with-bishop-cheswick-porras-and-jackson/#comments</comments>
		<pubDate>Fri, 15 Mar 2002 16:25:46 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1785</guid>
		<description><![CDATA[March 2002 Roundtable Automating Cyber Defenses Four of infosec&#8217;s cutting-edge thinkers examine how intelligent systems might be made to analyze, understand and automatically respond to attacks. MATT BISHOP (bishop@cs.ucdavis.edu ) is an associate professor in the Department of Computer Science at the University of California, Davis. He serves on the executive committee of the National [...]]]></description>
			<content:encoded><![CDATA[<h3>March 2002</h3>
<h1>Roundtable</h1>
<h3>Automating Cyber Defenses</h3>
<h4>Four of infosec&#8217;s cutting-edge thinkers examine how intelligent systems might be made to analyze, understand and automatically respond to attacks.</h4>
<p>MATT BISHOP (<a href="mailto:bishop@cs.ucdavis.edu">bishop@cs.ucdavis.edu</a>) is an associate professor in the Department of Computer Science at the University of California, Davis. He serves on the executive committee of the National Colloquium for Information System Security Education and on the editorial board of the Journal of Computer Security.</p>
<p>WILLIAM R. CHESWICK (<a href="mailto:ches@lumeta.com">ches@lumeta.com</a>) is chief scientist and cofounder of Lumeta Corp., a spin-off of Lucent/Bell Labs that offers intranet topological and perimeter verification services. He&#8217;s the coauthor of Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994).</p>
<p>GARY M. JACKSON (<a href="mailto:gjackson@air.org">gjackson@air.org</a>) is director of the Center for the Advancement of Intelligent Systems at the American Institutes for Research in Washington, D.C., and CEO and president of PsynapseTechnologies LLC.</p>
<p>PHILLIP PORRAS (<a href="mailto:porras@sdl.sri.com">porras@sdl.sri.com</a>) is program director at the System Design Laboratory of SRI International in Menlo Park, Calif. He is the principal investigator on the EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) Project, researching and developing systems and components for anomaly and misuse detection in computer systems and networks.</p>
<p>Moderator RICHARD THIEME (<a href="mailto:rthieme@thiemeworks.com">rthieme@thiemeworks.com</a>) is a contributing editor for Information Security. He writes, speaks and consults on the human dimensions of technology and the workplace.</p>
<p><strong>INFORMATION SECURITY MAGAZINE (ISM): The purpose of this roundtable is to discuss new technologies and methodologies for automated cyberattack prediction and response, as well as the shift in compsec thinking from a reactive/defensive framework to a predictive/proactive one. Let&#8217;s begin with the general ideological landscape. Where did we come from? How are we changing?</strong></p>
<p><strong>BISHOP:</strong> The state of the art in automated response&#8211;in terms of predicting new attacks&#8211;is abysmal. If we can describe attacks, we can detect them when they occur or after they occur. But identifying new attacks is very difficult to do in any kind of automated fashion. In some sense, that&#8217;s the ideal for a good intrusion detection or intrusion response system. Once we know an attack is under way, assuming we can detect it in real time, various kinds of responses can take place. But the nature of the response should vary according to the specific policy of the site.</p>
<p>It&#8217;s not clear to me that people understand the tight binding between policy and response. People often assume a specific security policy when they describe a response and aren&#8217;t explicit about the particular policy. As a result, their actions may be appropriate in one circumstance, but not in another.</p>
<p><strong>ISM: They are not contextual.</strong></p>
<p><strong>BISHOP:</strong> Correct. They&#8217;re not related to the specific context of a policy. In the research community, that&#8217;s understood. However, the impression I get from many vendors and training programs is that this isn&#8217;t understood or openly discussed. How does policy affect response? How does response affect the continuing functioning of the organization trying to respond?</p>
<p>As for automatic attack prediction, one problem is trying to predict how you&#8217;re going to be attacked. Without knowledge of the attackers, all you can do is analyze your system and try to find weak points. There are methodologies for doing that, but it boils down to having a good knowledge of the system, and there are no guaranteed automated ways to do this. It requires human intelligence to try certain things. There are a lot of automated tools that will help, but you need humans in the loop.</p>
<p><strong>PORRAS:</strong> Until 1996, I tended to see intrusion detection as a self-contained system. People were trying to build full systems that would do detection, fire primitive scripts to respond to attacks, provide visualization, maybe do data management, all within a single component. From &#8217;96 to &#8217;99, the community shifted toward decomposing the intrusion detection process into alert collection, sensing and all the post-analysis capabilities that would follow sensing, separating them logically and developing standards for interoperating between them.</p>
<p>In the area of intrusion report correlation, I&#8217;m seeing momentum in groups emphasizing advanced visualization, trying to get more insight into what sensors are telling them. The more we can make sensors commodities, the more we can embed them into applications, operating systems and network infrastructure, where they&#8217;ll generate alerts. Then we can provide better automated processing of those systems. We believe that&#8217;s better than developing a single approach to detecting attacks through monitoring network traffic, for example.</p>
<p>There are people developing methodologies for automating the process of managing alerts. When you get into the automated world of processing alerts, we now deploy sensors that generate thousands or tens of thousands of alerts on a daily or weekly basis. There&#8217;s no expectation that we&#8217;ll develop automated tools that will fire thousands of responses that will make thousands of changes to your system on a daily basis.</p>
<p><strong>JACKSON:</strong> My background is different. I&#8217;m a Ph.D. psychologist who crossed over into artificial intelligence design. I&#8217;ve developed applications for 15 years, primarily in government. The Center for the Advancement of Intelligent Systems is funded by the U.S. government to look at predictive methods that combine behavioral science and computer science.</p>
<p>We&#8217;re developing technology to address these issues. If we&#8217;re to become proactive in the area of intrusion detection, we need to unite behavioral sciences and computer science. Systems don&#8217;t break into systems; people do, so we want to look at what people do.</p>
<p>Our approach, however, is a radical departure from the kind of hacker profiling done in the past. We&#8217;re not studying hackers per se, but rather high-level hacking expertise. We want to model not what hackers have done in the past, but hacker intent. We&#8217;ve looked at proactive methods and have had some success in the area of asymmetric warfare. We&#8217;re applying those methods to intrusion detection, using insights about prediction from weather prediction, physics and other sciences. If we&#8217;re going to determine what someone might do next, we have to be able to predict intent, and all we have to look at is the current activity of that person once he&#8217;s in the network.</p>
<p>Within the government, I worked at developing predictive methods. When we applied these techniques to computer intrusion, we discovered some principles. One is that we seem to be able to assess the intent of someone entering a system and can deal with it accordingly. If someone appears to be exhibiting harmful intent, we want to track or block that person, depending on the analysis. So, we work at the atomic level of activity and convert that into what that means from a behavioral standpoint. The assessment system operates in real time and makes assessments that are very close to human assessment. We&#8217;re currently throwing attacks at the system to determine true-false positives and true-false negatives.</p>
<p><strong>ISM: In [the book] Mind Over Machine, Stuart and Hubert Dreyfus illuminated why expert systems could only go so far in emulating human expertise. Human experts often go far beyond what rule-based systems can determine. Are you saying that you&#8217;re close to that level of intuitive functioning, and if so, what enabled you to reach that level?</strong></p>
<p><strong>JACKSON:</strong> We have hacker-knowledgeable people on our team. We&#8217;ve discovered that when we run certain activities against the system, and then run the same activities against people with hacker expertise and ask them to characterize the activity, the results in both cases&#8211;although blind and independent&#8211;are extremely close.</p>
<p>&#8220;The more we can make sensors commodities, the more we can embed them into applications and network infrastructure, where they&#8217;ll generate alerts.&#8221;<br />
-PHILLIP PORRAS, SRI International</p>
<p><strong>ISM: Ches, what do you bring to this conversation?</strong></p>
<p><strong>CHESWICK:</strong> I bring 10 years of skepticism. I started out running Bell Labs&#8217; firewall around 1988. Around 1990, I read Clifford Stoll&#8217;s Cuckoo&#8217;s Egg. Stoll learned a lot just by watching, and I decided to do the same. I spent several years watching people bang up against the Bell Labs firewall until I got bored. It was like counting bugs on a windshield. It became clear that the way you do intrusion detection is to record everything, throw away everything you understand and look at the rest. I&#8217;ve seen dozens of papers over the past decade that have tried to collect this data and do it automatically. They all use terms like &#8220;pattern matching,&#8221; &#8220;AI&#8221; and &#8220;neural networks,&#8221; and they can do it to some extent, but they&#8217;re all characterized by high false positives, which means that as a practical guy, I don&#8217;t want to run this system.</p>
<p>Our questions were, &#8220;Who was attacking the outside?&#8221; and &#8220;Who was attacking the inside?&#8221; It was assumed that the intranet was a safer place than the Internet. After we threw away everything we didn&#8217;t know about, we were usually left with a long list of administrative errors. Of course, there was evil stuff, too, but most was administrative. Some we fixed, and some things weren&#8217;t worth it. It wasn&#8217;t real time and didn&#8217;t shut down the machine if an attack was taking place. My approach&#8211;which I still think is the best approach, although it&#8217;s hard to do in a world of Microsoft software&#8211;is to try to anticipate the kinds of software errors that we know are the source of many intrusion vulnerabilities. Then design systems that are robust, highly resistant and unlikely to be hacked that way. And then use the IDS supplementally to check our assertions.</p>
<p>Bruce Schneier talks about comparing computers to safes. Safes are rated for a certain amount of time. The whole point is to not let the bad guys have too long a period of time to do their work, so you need alarms and IDSes to make sure the cops arrive within 60 minutes, or the safe is broken.</p>
<p>I don&#8217;t think we&#8217;re getting much closer to automating the hard part, which is the human decision piece, recognizing the intent of what&#8217;s going on. Phil&#8217;s EMERALD Project attempted this, and Gary says he has made progress, but there are big jobs yet to be done.</p>
<p>&#8220;People buy the &#8216;hottest&#8217; IDS tool that will be very good about telling them about DoS in the network, but is useless detecting problems inside the host.&#8221;<br />
-MATT BISHOP, University of California, Davis</p>
<p><strong>JACKSON:</strong> I agree.</p>
<p><strong>CHESWICK:</strong> The intent of the attackers is an interesting problem if you&#8217;re looking at a lot of attacks. If you&#8217;re in a secure area&#8211;say you&#8217;re in the firewall around the payroll section, where you have the crown jewels&#8211;a single packet may be sufficient to shut down the machine and call the cops. It depends on where you put these things. The Honeynet Project suggests putting honeypots in places where people will be attracted to them. I have been advocating honeypots for 10 years. They are sometimes the last level that alerts people that they&#8217;ve been &#8220;had.&#8221; It&#8217;s another layer, and we want a lot of layers of defense.</p>
<p>The question of intent is interesting. The point about people breaking into machines rather than machines breaking into machines isn&#8217;t entirely true. Look at Code Red, for example. Sure, there was a human at the end of it, but it was essentially an automated network battlebot that wandered in and out of networks all over the world. There&#8217;s a human who comes behind, and maybe there you can follow the intent. Last year, it was a new thing for compromised machines to persistently announce their presence to addresses around the world. You didn&#8217;t have to go hunting for weak computers, because they would send packets to you.</p>
<p><strong>JACKSON:</strong> Let me qualify my statement. People build scripts, and, of course, scripts can break in, but this isn&#8217;t autonomous, spontaneous behavior. The behavior within a script is geared toward a specific purpose, and as a result there are specific kinds of signatures that do occur.</p>
<p>If we can observe activities and are accurate enough at identifying them as meaning something from a behavioral standpoint in terms of intent, then combinations of them might mean something, too. One of our concerns isn&#8217;t so much the methodology as the speed: How much can you see at one time, especially on an active network? Our initial results are good.</p>
<p><strong>ISM: Is the whole human-machine context a moving target, then? This reminds me of conversations about &#8216;Net war focused on the intent of the actor as the only way to distinguish a hostile intruder from someone who belongs. We do better protecting against attacks that have happened in the past, but isn&#8217;t the terroristic intent to be innovative and design novel attacks?</strong></p>
<p><strong>CHESWICK:</strong> I&#8217;m not sure that we&#8217;ve seen a really new attack in years&#8211;or at least one that we were not expecting. Most attacks relate to underlying vulnerabilities or programming problems we&#8217;ve known about for decades.</p>
<p><strong>BISHOP:</strong> If anything, Bill, you&#8217;re too conservative. The problems we&#8217;re seeing now are the same problems we saw in the &#8217;80s and &#8217;70s and, according to my colleagues, the &#8217;60s, just in different arenas.</p>
<p><strong>PORRAS:</strong> I agree with that wholeheartedly. In the space of doing sensing, the observation space isn&#8217;t really that large. We&#8217;re seeing the same sorts of symptoms produced by the hosts being attacked or the same sorts of activities coming across hosts that are generating attacks. We&#8217;re having some success in being able to detect variations and even new attacks that are effectively generating the same sorts of symptoms. For example, in our own environments, we&#8217;ve been able to detect Code Red and the variations of Code Red that came afterward without having to write a whole new series of heuristics to detect them, not because we&#8217;ve been able to detect exactly what systems it&#8217;s going after, but rather the symptom of attacks. There&#8217;s a lot of similarity in the kinds of damage these automated attacks try to do, and we&#8217;re trying to leverage as much as we can from our observations of symptoms.</p>
<p><strong>BISHOP:</strong> I agree fully that it&#8217;s necessary to look at the people launching the attacks and study them to predict where attacks will come from. I teach computer security at the graduate and undergraduate levels, and one year my texts consisted of Sun Tzu&#8217;s The Art of War, Machiavelli&#8217;s The Prince and Saul Alinsky&#8217;s Rules for Radicals. On the surface, they have nothing to do with computer security&#8230;.</p>
<p>&#8220;If the future of intrusion detection is to improve, it must become more interdisciplinary and include the human side of hacking.&#8221;<br />
-GARY M. JACKSON, Center for the Advancement of Intelligent Systems</p>
<p><strong>ISM: In fact, they have everything to do with computer security.</strong></p>
<p><strong>BISHOP:</strong> Yes. Like it or not, my experience is that humans haven&#8217;t changed how they interact with one another. Sun Tzu&#8217;s work is a blueprint for how to attack systems. To defend them properly, you have to understand the attacks and the attackers.</p>
<p><strong>ISM: You all agree that the computer-human interface is critical. But how much research is done in the context of how people actually behave as opposed to how they ought to behave? How much weight is given to the training of the &#8220;human firewall?&#8221;</strong></p>
<p><strong>JACKSON:</strong> We take off where many intrusion detection systems stop, at the point of detection. We look at the whole human network in terms of possibilities and probabilities and ask, what are the possibilities after detection has occurred? We take it as a given that good programmers and good science can build good detectors, so detection isn&#8217;t the issue for us so much as what you do once you&#8217;ve detected an intrusion. We&#8217;re trying to proceed from the detection of multiple activities at different times. It&#8217;s how you assess and deal with it after the fact that determines, we think, the amount of risk.</p>
<p>It&#8217;s amazing what you can determine about a person from a limited amount of information. That&#8217;s the whole basis for psychological assessment. We look at the human framework post-detection and ask what it means when we see this kind of activity from the point of view of our expert hackers. We wanted to depart from studying ankle-biters for obvious reasons. We want to think about the best&#8211;or worst&#8211;possible ways to generate harm and model that, so if we see some indication that that might be occurring, we can sound an alert. The big question is, are we achieving our goal of increasing true positives and true negatives and decreasing false positives and false negatives?</p>
<p><strong>PORRAS:</strong> The work I&#8217;ve seen in the general area of discovering attacker intent and profiling what the adversary is after is manifest in ongoing research in, for example, correlated attack modeling. Groups pursue red team tree building and try to recognize typical activities that might characterize amateurs as opposed to nation states trying to compromise systems. Sensors will generate, for example, alerts that might indicate recon, say, followed by an aggressive attempt to take remote authority of a network. You may not get all that information from sensors, but people are trying to develop models for how to bring together alerts produced by today&#8217;s sensors and develop complex attack modeling languages.</p>
<p>&#8220;The Internet will continue to get more and more dangerous. We need to build systems and programs that aren&#8217;t obviously broken.&#8221;<br />
-WILLIAM R. CHESWICK, Lumeta Corp.</p>
<p><strong>ISM: A cyberattack might be one aspect of a larger &#8220;swarming&#8221; attack. Is work being done to correlate network intrusions with symptoms of an attack, say, on the power grid?</strong></p>
<p><strong>PORRAS:</strong> That kind of research area is in proposal format right now. I&#8217;ve seen it at the local domain or, at best, the computer enterprise level. The idea of developing regional correlation systems or systems that can compare activities at the Bank of America with activities at Charles Schwab and give some kind of guesstimate as to what&#8217;s happening in the financial community, or ask if the chip industry is under attack because Motorola, Intel and Texas Instruments are passing alerts to an escrow service doing regional or financial sector correlation&#8211;that&#8217;s a very hot proposal topic right now. But we have to walk before we can run.</p>
<p><strong>BISHOP:</strong> My experience with companies trying to do correlation across organizational boundaries is that competition is the problem. Texas Instruments and Intel, for example, are competitors, and they are going to be very careful about what they share. Sometimes the information they consider sensitive is exactly what you need to do the correlation. I&#8217;ve not yet heard of anyone affirming the level of sharing needed for this to work.</p>
<p><strong>CHESWICK:</strong> The kind of inference correlation we&#8217;re discussing is something at which the human brain excels. Automating the process is a high target. It&#8217;s very hard to match the capacity of the human brain.</p>
<p>A week after Sept. 11, a number of us were contacted by someone from the National Security Council who wanted to know how to answer the question, &#8220;Is the Internet under attack right now?&#8221; With our Internet mapping and a number of other tests, we came up with a process that would give an idea if that was true. One answer might be, &#8220;20 percent of the usual routers aren&#8217;t reachable right now.&#8221; It&#8217;s not clear how you take that kind of information and correlate it with information like, &#8220;a dozen oil refineries blew up in Chicago at the same time.&#8221; It takes a human to do that sort of thing.</p>
<p><strong>JACKSON:</strong> I disagree. I worked specifically in the area of human decision making versus automated systems. If the problem is very constrained and we know the parameters, it&#8217;s difficult to beat an automated assessment system.</p>
<p>The problem isn&#8217;t the human brain so much as the information provided to us.</p>
<p>Information in a complex situation, like asymmetric warfare, is a serious problem. There are many sensors, but it takes tremendous cooperation among all of those sensors coming to a central point to reach an accurate decision. It&#8217;s extremely difficult. Second, there is very little ground to compare new information with, so we can make comparisons in terms of class recognition issues. My experience with some of the systems we&#8217;ve constructed is that if it&#8217;s very constrained, and you need speed and accuracy, the human tends to fall off at that point.</p>
<p><strong>ISM: The complexity of these issues indicates how hard it might be for some in the private sector to get a handle on what&#8217;s doable. How can someone without your expertise make a decision about what&#8217;s possible and what their business needs are?</strong></p>
<p><strong>CHESWICK:</strong> They have to (a) ask their expert and (b) choose lots of solutions. You don&#8217;t want a monoculture in your computer systems or IDS or anything else. You want to have belts and suspenders on these things in case something does go wrong.</p>
<p><strong>BISHOP:</strong> People who try to purchase IDSes don&#8217;t ask themselves, &#8220;What is the &#8216;must-not&#8217; activity that I must get out of bed for at four in the morning?&#8221; People tend to ask, &#8220;Who is the market leader in intrusion detection software?&#8221; Then they buy that and say, &#8220;Now that I&#8217;ve installed that network-based IDS, we&#8217;ll no longer have someone illegally transition to root. If they do, my network-based IDS tool will tell me about it.&#8221;</p>
<p>Those who develop and market IDSes often don&#8217;t explain the &#8220;sweet spot&#8221; of what IDS software is capable of doing. Most IDSes can do pretty well in recognizing privilege violations, privilege subversions&#8211;things that happen inside the host and inside the process. But people often buy the hottest, most recently reviewed IDS tool that will be very good about telling them about port scans or DoS in the network, but are virtually useless at detecting problems happening inside the host. They need to ask, &#8220;What must I know and what&#8217;s the ideal software to tell me?&#8221;</p>
<p><strong>ISM: Where should they get that advice? Where can they find informed, impartial answers to those questions?</strong></p>
<p><strong>BISHOP:</strong> Vendors will tell them that they detect everything. I really don&#8217;t know. It&#8217;s difficult. I&#8217;d like to see operating systems come with their own misuse detectors so that the OS can tell you when someone is corrupting that system or doing something they shouldn&#8217;t be doing. I want to see applications become smarter at this, but I don&#8217;t expect that to happen.</p>
<p><strong>ISM: I get notices of computer security workshops, but I don&#8217;t see workshops teaching people to ask the questions you say are most important.</strong></p>
<p><strong>BISHOP:</strong> It&#8217;s a failure on the part of the people developing this technology to express what the technology is good at and when you should use a different component. People want to sell you an entire solution. The motivations of commercial vendors differ completely from the motivations of security researchers.</p>
<p><strong>ISM: So managers making these decisions know that if they buy the leading product, they will not be fired. They aren&#8217;t rewarded for thinking the right way or making the right choices for the right reasons.</strong></p>
<p><strong>JACKSON:</strong> One problem is that we&#8217;ve been solution-oriented instead of integration-oriented. There are many people out there who are confused, and their job seems to be to buy something that lets them check the box that shows they have done their job by deploying an IDS.</p>
<p><strong>BISHOP:</strong> All of this ties into knowing your policy and knowing how your vendor&#8217;s solution fits in with your policy. People need to make that connection.</p>
<p><strong>ISM: So for now, the human in the loop is critical, and managed security services are the human form of automating the response we need. Where should we go in the future?</strong></p>
<p><strong>JACKSON:</strong> If the future of intrusion detection is to improve, it must become more interdisciplinary and include the human side of hacking. The computer science is there, but the field is lacking in terms of bringing in the knowledge and expertise of the behavioral sciences so we can get better anticipation of responses of those intending to do harm.</p>
<p><strong>CHESWICK:</strong> The Internet will continue to get more and more dangerous. We need more tools in the area of software design. We need to build systems and programs that aren&#8217;t obviously broken. Unless we have those tools, a lot of this is bailing a ship with a hole in the bottom.</p>
<p><strong>PORRAS:</strong> Security is ultimately a human endeavor. Technology can help, but you&#8217;re dealing with people. We need to improve technologies, but we cannot neglect the human element.</p>
<p><strong>BISHOP:</strong> When all is said and done, a skilled administrator is still the best intrusion detector.</p>
<p><a href="http://www.infosecuritymag.com/2002/mar/toc.shtml">March 2002 Table of Contents </a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/automating-cyber-defenses-a-round-table-with-bishop-cheswick-porras-and-jackson/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Than Human: A Conversation with Bob Weaver for Secure Business Quarterly</title>
		<link>http://www.thiemeworks.com/a-conversation-with-bob-weaver-for-secure-business-quarterly/</link>
		<comments>http://www.thiemeworks.com/a-conversation-with-bob-weaver-for-secure-business-quarterly/#comments</comments>
		<pubDate>Fri, 16 Nov 2001 16:32:03 +0000</pubDate>
		<dc:creator>rthieme</dc:creator>
				<category><![CDATA[Interviews on Information Security]]></category>

		<guid isPermaLink="false">http://www.thiemeworks.com/?p=1788</guid>
		<description><![CDATA[More Than Human: The Network is More Than the Sum of its Parts when Disaster Hits by Richard Thieme A friend who immersed himself in the study and practice of karate left the late show at the movies one night and turned a corner toward his car. A hand came out of the darkness and [...]]]></description>
			<content:encoded><![CDATA[<p>More Than Human:</p>
<p>The Network is More Than the Sum of its Parts when Disaster Hits</p>
<p>by Richard Thieme</p>
<p>A friend who immersed himself in the study and practice of karate left the late show at the movies one night and turned a corner toward his car. A hand came out of the darkness and grabbed him by the shoulder. He immediately turned and with one swift cut, broke his assailant’s neck.</p>
<p>Except it wasn’t an assailant. It was a friend who had wanted to say hello.</p>
<p>“Be sure that what you practice is what you want to do,” he told me, “because when you don’t have time to think, what you have practiced is what you will do.”</p>
<p>Bob Weaver, the Assistant Special Agent in charge of the US Secret Service New York Field Office, which includes the Electronic Crimes Task Force, has been practicing for a long time. He has more than twenty-five years of government service, and as head of the NYECTF, he supervises a dedicated staff of high tech crime fighters and criminal investigators. When the attack on September 11 put their office at the center of Ground Zero, they did what they had practiced.</p>
<p>That practice plus their ability to execute under fire in a war zone is a pattern for all organizations. Sec. 105 of the “Patriot Bill,” the “expansion of the national electronic crime task force initiative,” requires that the Director of the United States Secret Service “develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States, for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.”</p>
<p>How did the New York Electronic Crimes Task Force become a model for the rest of the country?</p>
<p>“Our unique skill set starts with protection,” Weaver said, “which I see as an asset, not a detriment. We <strong>had</strong> to learn how to share. We’re a small agency and our weakness is our strength – we <strong>have</strong> to partner. We can’t be the guys in the plane, on the boat, on the corner, so we have to partner with corporations, with state, city and local, with military, and depend on all of them for key strategic pieces. This created our institutional culture and made us responsive. That’s why we became a model for local inter-agency cooperation and private-public partnership.”</p>
<p>The NYECTF represents a confederation of law enforcement agencies, public prosecutors, academia, and private industry institutions in a strategic alliance to pool their core competencies to address electronic crimes. The Task Force surrounded itself with some of the best people in technology, which meant joining forces with the private sector.</p>
<p>“When it comes to technology,” Weaver said, “we don’t always have the expertise, the right tools or the people with the right type of knowledge to work some of our cases. The private sector gives us that.”</p>
<p>So “partnership” is more than a buzzword for the NYECTF. It’s the essence of their culture.</p>
<p>On September 11, it saved the day.</p>
<p>“We used bricks and mortar like everybody else,” Weaver said, “but when the bricks and mortar went down, we were comfortable in the virtual world. If we had not been, we would not have been operational within 48 hours. We would have been wiped out and we would have stayed wiped out.”</p>
<p>The Secret Service offices were on the 9<sup>th</sup> and 10<sup>th</sup> floors of 7 World Trade Center, one of several buildings in the WTC complex. It was connected to the concourse at the base of the north tower, so their windows faced the front of the WTC and looked up at the north tower.</p>
<p>“When the first plane hit we looked up out of our building and saw the fire and explosion. It was easy to see that it was time to evacuate.</p>
<p>“Because we were so flexible, we were able to have our ‘bricks and mortar’ 100% catastrophically destroyed but our virtual component had us operational within 48 hours. I attribute that directly to the corporate partnerships that we had developed, plain and simple.”</p>
<p>The cell phones went down in the immediate aftermath of the attack so they used two-way pagers to communicate. Once they were back, they used cell phones too.</p>
<p>Cellular and paging networks are the only wireless networks currently used. “We don’t use wireless computer networks. It’s not that they cannot be secure, but they are currently not at the level of security which would enable us to use them.”</p>
<p>The decision on the right time to use wireless networks will be made by the Investigative Research Management Division (IRMD) of the Secret Service and the CIO, not at the level of the field office.</p>
<p>But on September 11, cellular and pager networks plus the human network – alliances built with the corporate sector – provided the resiliency they needed.</p>
<p>“We were virtually indestructible because we’re community based,” Weaver said. “We are a distributed network, so strong that it’s like trying to step on mercury. This is a new model in law enforcement, where we’re not 100% bricks and mortar. We’re as comfortable in the virtual world as in the physical.</p>
<p>“What was theory before is now battle-tested. Redundancy in our network made it robust, not only survivable but operational.”</p>
<p>No government group can give details of its network operations, which would amount to a playbook for enemies, so Weaver can only affirm the importance of the wireless network and the operational model they had built.</p>
<p>“It was totally unexpected, of course, a complete surprise when it happened. We evacuated – which is easy to say but not easy to do when there are 200-300 people in the building on your floors for whom you’re responsible. We needed to seek all of them out to be sure they left safely. That was a coordinated effort – it wasn’t just me, it was all of us, all of the agents in the office. Heroic things were done that day. Great responsibility was taken at great risk, at great sacrifice. We lost Craig Miller, an employee that we still can’t find. His body has never been recovered. People here are still grief-stricken.”</p>
<p>As wireless networks become ubiquitous because of mobility, redundancy, and flexibility, it is unthinkable to allow them to grow without adequate security, given what’s at stake.</p>
<p>For wireless networks to thrive, “you need bandwidth,” Weaver notes, “and the capability to encrypt very heavily. You’re protecting operational data and intellectual property. ‘Operational security’ is our watchword these days.</p>
<p>“For the last quarterly meeting of the NYECTF, we scanned lower Manhattan for wireless networks. We were pleased that some were heavily encrypted and had changed default settings, which is good, but we found that 50% of all wireless networks scanned were unprotected. We had full access to them.</p>
<p>“That is not good,” he said dryly, “particularly in the financial district.”</p>
<p>“We shared that information with them, not to embarrass them, but because making them aware of the truth about less protected or unprotected networks enabled them to take appropriate action.</p>
<p>“The time has come to pay attention. If not now, when? If September 11<sup>th</sup> wasn’t enough, what is?”</p>
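<p>The survey Weaver describes is a repeatable audit: scan, classify each access point by its encryption and by whether factory defaults were left in place, and report the fraction that is unprotected. The script below is an added example, not code from the article or from the NYECTF. The survey lines are constructed (their 50% open rate is chosen to match the figure in the interview), the four-field record layout is an assumption rather than the export format of any real scanner, and the list of default SSIDs is illustrative.</p>

```python
"""Triage a wireless site survey: flag open APs, weak encryption and default settings.

Added example, not from the article or the NYECTF. Survey records, field layout,
default-SSID list and the severity ranking are all assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed survey export. Layout (an assumption): bssid,ssid,channel,privacy
# where privacy is "open", "wep" or the name of a stronger scheme (here "wpa").
SURVEY = """\
# bssid,ssid,channel,privacy
00:02:2d:1a:2b:3c,linksys,6,open
00:40:96:aa:bb:cc,tsunami,1,open
00:04:5a:11:22:33,NYFIN-TRADING,11,wep
00:60:1d:44:55:66,default,6,open
00:30:ab:77:88:99,backoffice,3,wpa
00:02:2d:de:ad:be,corp-guest,9,wep
"""

# Out-of-the-box SSIDs shipped on early 802.11 access points (illustrative, assumption).
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "netgear", "wlan", "wireless", "101"}

SEVERITY_ORDER = ("unprotected", "weak", "ok")


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    privacy: str


def parse_survey(text):
    """Parse the constructed survey format; reject malformed records instead of guessing."""
    aps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        bssid, ssid, channel, privacy = fields
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), privacy.lower()))
    return aps


def classify(ap):
    """Return (severity, reasons) for one access point.

    open -> unprotected: anyone in range can associate and read traffic.
    wep  -> weak: the key is recoverable from captured frames (known since 2001).
    A factory-default SSID degrades "ok" to "weak": the admin password is
    probably still the default as well.
    """
    reasons = []
    if ap.privacy == "open":
        severity = "unprotected"
        reasons.append("no link-layer encryption")
    elif ap.privacy == "wep":
        severity = "weak"
        reasons.append("WEP: key recoverable from captured traffic")
    else:
        severity = "ok"
    if ap.ssid.lower() in DEFAULT_SSIDS:
        reasons.append("factory default SSID: settings likely never changed")
        if severity == "ok":
            severity = "weak"
    return severity, reasons


def triage(aps):
    """Aggregate the survey: counts per severity, percent open, and per-AP findings."""
    counts = Counter({sev: 0 for sev in SEVERITY_ORDER})
    findings = {}
    for ap in aps:
        severity, reasons = classify(ap)
        counts[severity] += 1
        if reasons:
            findings[ap.bssid] = (severity, ap.ssid, reasons)
    total = len(aps)
    pct = 100.0 * counts["unprotected"] / total if total else 0.0
    return {"total": total, "counts": dict(counts),
            "unprotected_pct": pct, "findings": findings}


def report(result):
    """Render the triage result as text, worst findings first."""
    lines = [f"{result['total']} access points surveyed, "
             f"{result['unprotected_pct']:.0f}% unprotected"]
    for sev in SEVERITY_ORDER:
        for bssid, (s, ssid, reasons) in sorted(result["findings"].items()):
            if s == sev:
                lines.append(f"  [{sev:11}] {bssid} {ssid!r}: {'; '.join(reasons)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_survey(SURVEY))))
```

<p>The classification deliberately treats a default SSID on an otherwise encrypted network as a finding: the encryption may be fine, but an unchanged SSID is the visible symptom of an access point whose administrative credentials were never changed either, which is the kind of detail the task force shared with network owners so they could act on it.</p>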
<p>The vulnerability of wireless networks is a consistent factor in incidents investigated by the Secret Service. A news agency in New York intercepted the data streams of the New York City police and fire departments. Mobile data terminals were intercepted. In fact, anything and everything that can be sent by wire or spoken over the airwaves has been intercepted in New York. For every wireless possibility – fax, pagers, wireless computer networks, cell phones – the Secret Service has arrested people and confiscated equipment.</p>
<p>Often it’s not a criminal doing mischief but a commercial enterprise selling large numbers of appliances. In the Breaking News Network case, thousands of customers were sold decoding software over the Internet. The only defense against such decoders is to encrypt the traffic at a level the software cannot crack; an intercepted message that is unreadable is worthless to the buyer. That held true for mobile data terminals as well: if not protected with encryption, they were vulnerable.</p>
<p>So the NYECTF frequently issues public safety and service messages and takes a systemic approach. They respond to criminal activity, issue public notices, and talk to companies so they understand how criminal ingenuity has compromised their software or products.</p>
<p>Weaver is heartened by the degree of responsiveness in New York City. “The private sector is increasingly aware and people are taking appropriate counter-measures. They are getting the game. There’s a surge in the dollars spent on security. People doing physical security in New York cannot keep up with demand. There’s a lot more willingness by corporations to spend money on disaster recovery and network security.</p>
<p>“The same thing happened at Y2K,” Weaver recalls. “Some said, it was good we had Y2K for practice, but in a way, it was almost a shame there wasn’t a little nip there because afterwards, in the afterglow, it was almost as if it was much ado about nothing. But we learned lessons that helped when disaster really hit. It can come in an earthquake, a flood, a catastrophic terrorist event. Y2K raised the bar and the industry and community are better off for it.”</p>
<p>At this point in the conversation, a colleague handed Weaver a picture of his former office in flames.</p>
<p>“I can’t believe this picture,” he said, the tone of his voice lowering. “There are flames shooting out of my office. There is no other fire on that side of the building (the West Broadway side) but there is in my office. It’s incredible.</p>
<p>“I knew we lost everything in the attack, but I guess my friend wanted to be sure I didn’t forget.”</p>
<p>Memories of those events are never far from Weaver’s conscious thoughts.</p>
<p>“After we evacuated and relocated, we went back in for rescue. You have to understand that everything caught fire and was burning. The building had long since been evacuated but all of our equipment was lost. The evacuation was not a safe evacuation. It was a dangerous environment. Shrapnel was flying and falling, fires were everywhere, the evacuation was like trying to walk through a mine field.</p>
<p>“Contingency plans are a wonderful thing. Either you have them or you don’t. Our plans said, take the stairs, so we did, but at the lobby level, where the stairs ended, it would have been unwise to go outdoors because shrapnel was falling, hitting the building, setting cars on fire, so people had to be rerouted through a side door to the side and rear of the building. That was done by some key people who took initiative.”</p>
<p>The genuine heroism of ordinary people under conditions of extraordinary stress was exemplary.</p>
<p>“What kind of person,” Weaver asked, “is a private citizen in a plane flying over Pennsylvania who takes it on himself along with people he never met before to make a decision that they are going to take the plane back? When you consider that person – how he grew up, his ethics, his principles, his values – you have to put him on a level with the police and firemen and Port Authority personnel and all the others including Secret Service who ran in when everyone else was running out.”</p>
<p>Because of the shift in how Americans experience themselves in light of the attack, words that might have seemed affected before September 11<sup>th</sup> are now the simple truths of our lives.</p>
<p>“There really is a call to public service,” Weaver acknowledged. “In the Secret Service Headquarters in Washington DC, in the main entrance, etched in stone, is a five-pointed star. On the points of the star are five words: duty, justice, courage, honesty, and loyalty. Those attributes were chosen for a reason. The words are indelible, etched in stone, and they mean something important to us.”</p>
<p>Out of his tested commitment and twenty-five years’ experience, Weaver has solid advice for anyone willing to listen.</p>
<p>There must be a systemic approach to security that addresses the real underlying issues. That means working first in a preventive mode, a risk management mode. “No one wants to be in a crisis response mode, but when we do have to go there, when we can’t control things, we can manage things. If we could control things we would have prevented the second plane from hitting. We couldn’t. But we can manage how we respond.”</p>
<p>Again and again, wireless networks as a metaphor for human networks emerged from our discussions. The level of security demanded by electronic networks is now demanded by society.</p>
<p>“We have to approach security issues as a community,” Weaver said. “That’s what partnerships have taught us. When corporations find a way to have a value-added relationship that is mutually beneficial with government entities like ourselves, they become aware of what’s going on in the community and with our help get a peek under the hood that keeps them forewarned. This is always a work in progress – none of us really anticipated the degree to which there would be such a misuse of technology – so the work in progress is very high maintenance.</p>
<p>“But even when we have that mutually beneficial relationship, many stop once they know the problem and identify a solution. That’s not enough. Implementing solutions and producing a work product that has deliverables and outcomes is the end game. That’s how businesses keep score and we run parallel with that.</p>
<p>“When it’s in our best interest, we form alliances and create bridges to one another. But those bridges must be built before critical incidents happen.</p>
<p>“People in New York that worked with us knew about pager intercepts of data, cellular intercepts, computer intercepts, and wireless networks because we shared that information with them. That enabled them to protect their bottom line.”</p>
<p>Weaver knows that corporations want to answer one question when they spend money on security: are they getting a bang for their buck? Businesses spend an average of 3-5% of their budgets on security. Does that investment return a profit?</p>
<p>Weaver can’t provide numbers to answer that question but knows from experience that “if you’re not exercising due diligence at this stage of the game, you’ll pay for it later. Do you want to pay now or pay later? Are you willing to risk corporate assets on a gamble that it won’t happen to you? If you are, best of luck.”</p>
<p>Physical security is impossible to separate from IT security. “They will be joined together forever,” he said. “Information is a hard asset. People must understand its value.”</p>
<p>Maybe there is a simple way to quantify these issues, he added.</p>
<p>“What don’t you want people to have? That’s exactly what they want. Then, what would your company be without it?”</p>
<p>The NYECTF reports quarterly to the community on its efforts. At an invitation-only meeting on November 27, 2001, many of the 200 corporations, 12 universities, and 50 law enforcement agencies that belong to the Task Force sent representatives to hear Weaver and his colleagues describe a new initiative. They announced a program to support homeland defense by creating programs for education and awareness at the community outreach level. This effort includes a partnership with this writer who is Founder and Director of the Homeland Defense Network, a grassroots effort to identify and make available a wide variety of opportunities for people on the home front/front lines to be educated, trained and supported in realistic ways for their roles in a protracted war with terrorism. They also announced a new initiative to help businesses with physical security audits.</p>
<p>“We do come back,” Weaver concluded, looking at the picture of his office in flames. “There’s a resiliency in the human spirit that’s wonderful. Just pour a little ‘Miracle-Gro’ on it and – here we are again.”</p>
<p>Richard Thieme (<a href="mailto:rthieme@thiemeworks.com">rthieme@thiemeworks.com</a>) speaks and writes about “life on the edge,” including the impact of technology on people, organizations and society. He is Founder and Director of the Homeland Defense Network (www.homelanddef.net).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thiemeworks.com/a-conversation-with-bob-weaver-for-secure-business-quarterly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

