Friday, May 16, 2008

Offense Kills Pirates

I just finished watching a great program on my favorite channel (The History Channel) called True Caribbean Pirates. It traces the story of piracy in the Caribbean from the 16th through the early 18th centuries. I was mostly interested in learning how the great powers of the day dealt with this problem, since I blogged about modern Pirates in the Malacca Strait and 18th and 19th century pirates off the Barbary Coast.

If many modern information security practitioners had been tasked with protecting commerce in the face of piracy, they would probably have bought ever more elaborate but largely ineffective defensive measures.

Instead, the royal navies of the area decided to hunt down pirates and hang them. Sure, the pirates continued their raids for a long time, but eventually the main players (England, France, Spain, Holland) stopped warring amongst themselves and directed their offensives against the pirates.

We're not going to see any fundamental changes in information security until those we elect to protect our rights rise to the task and go on the offensive. Private companies (especially modern ones) aren't in a position to "strike back" against threats -- that's the role for the police and militaries of the world. It's time to kill some pirates, not leave "critical infrastructure protection" to the "private sector."

For related thoughts please see last year's post Taking the Fight to the Enemy Revisited.


David Bianco said...

If you liked this show, you'll probably want to read Under the Black Flag: The Romance and Reality of Life Among the Pirates. It's pretty much the standard work on the subject now, and no doubt one of the main sources the producers used. And it's only about $4 on Amazon if you don't mind buying used. 8-)

I've been reading my copy lately. It's great fun!

Greg Hoglund said...

I just read Under the Black Flag. I couldn't put it down. Ditto the recommendation.

Anonymous said...

The military-infosec comparison is worn out and obviously DOES NOT WORK. (See Richard's blog post on FISMA 2007, specifically the DoD's F/F score.) This way of thinking makes for a reader-grabbing controversial blog post, but it doesn't make a lot of sense these days. Oh, if it were only as simple as "Hey, they have a pirate flag, get them!"

Taking physical action against the threat is really the least intelligent way of securing your network. It just doesn't scale. When you turn the testosterone down and actually think about what you are suggesting, it doesn't make a lot of sense. Attackers will just better mask their location and alter tactics. Sure, dropping a JDAM on a group of attackers or kidnapping a few of them will scare some... But we're not going to attack China or any other nation.

I'll start by saying that we'd be entering dangerous territory if the MPAA/RIAA is handing the DoD grid coordinates to kill pirates. :) But I'll assume you don't mean that we should be using the military to solve private industry's woes. I assume you mean more serious threats.

So why can't the US government beat the Chinese at their own game? Is the problem so insurmountable that we have to resort to physical action? You don't see the Chinese attacking other countries, or "killing pirates" to solve their network security woes.

Now, there are exceptions to what I am about to say. There probably are smart, skilled and out-of-the-box thinkers who work for the federal government either directly or as contractors. I am sure there are some very smart minds at the NSA, etc. However in my experience the US government typically doesn't attract the most skilled security people. Most of the "good" security people work in private industry. We all know it. The guys who are highly skilled run security tools, all the rest live in Excel spreadsheets and do C&A work. The government has a real problem attracting and keeping top talent. Instead, they hire government contractor body shops. "This analyst doesn't know what nmap is but at least they have a clearance. Put them on site and bill them out!"

Whenever I hear about a huge security gaffe (e.g. Unisys's performance at DHS) I just chuckle. And now the USAF wants to start an "offensive wing". Buy 5,000 Core Impact licenses and declare MISSION ACCOMPLISHED! Who's going to drive Core Impact (or any other vendor solution that the gov was suckered into paying 1 million dollars for)? Who cares! As long as they have their clearance and they have their CISSP.

China on the other hand doesn't have this issue. They seem to walk into our networks on a daily basis. It's not a budgeting issue. Everyone knows that the DoD has a HUGE IT security budget and access to a ton of vendor solutions. I wonder what our problem is???
