Dan Greer / Cybersecurity as Realpolitik

\documentclass[12pt]{article}
\usepackage{chicago}

\usepackage{chicago}
\usepackage{parskip}
\usepackage{enumerate}
\usepackage{pict2e}
\usepackage{url}

% --------------------
% Formatting
% --------------------
% \setlength{\parindent}{0}     % Supersceded by parskip
% \setlength{\parindent}{15pt}  % If you want the paragraph indent back.
% --------------------

% --------------------
% Command Definitions
% --------------------
\newcommand{\booktitle}[1]{\textit{#1}}
\newcommand{\articletitle}[1]{``{#1}''}
\newcommand{\journaltitle}[1]{\textit{#1}}
\newcommand{\movietitle}[1]{\textit{#1}}
% --------------------

\begin{document}

\title{Cybersecurity as Realpolitik\footnote{
    nominal delivery draft, 6 August 2014}
}

\author{Dan Geer}

\date{August 6, 2014}

\maketitle

\begin{abstract}
    Power exists to be used.  Some wish for cyber safety, which they
    will not get.  Others wish for cyber order, which they will not
    get.  Some have the eye to discern cyber policies that are ``the
    least worst thing;'' may they fill the vacuum of wishful thinking.
\end{abstract}

Good morning and thank you for the invitation to speak with you
today.  The plaintext of this talk has been made available to the
organizers.  While I will not be taking questions today, you are
welcome to contact me later and I will do what I can to reply.  For
simple clarity, let me repeat the abstract for this talk:

\begin{quote}
    Power exists to be used.  Some wish for cyber safety, which they
    will not get.  Others wish for cyber order, which they will not
    get.  Some have the eye to discern cyber policies that are ``the
    least worst thing;'' may they fill the vacuum of wishful thinking.
\end{quote}

There are three professions that beat their practitioners into a
state of humility: farming, weather forecasting, and cyber security.
I practice two of those, and, as such, let me assure you that the
recommendations which follow are presented in all humility.  Humility
does not mean timidity.  Rather, it means that when a strongly held
belief is proven wrong, that the humble person changes their mind.
I expect that my proposals will result in considerable push-back,
and changing my mind may well follow.  Though I will say it again
later, this speech is me talking for myself.

As if it needed saying, cyber security is now a riveting concern,
a top issue in many venues more important than this one.  This is
not to insult Black Hat; rather it is to note that every speaker,
every writer, every practitioner in the field of cyber security who
has wished that its topic, and us with it, were taken seriously has
gotten their wish.  Cyber security \emph{is} being taken seriously,
which, as you well know is not the same as being taken usefully,
coherently, or lastingly.  Whether we are talking about laws like
the Digital Millenium Copyright Act or the Computer Fraud and Abuse
Act, or the non-lawmaking but perhaps even more significant actions
that the Executive agencies are undertaking, ``we'' and the cyber
security issue have never been more at the forefront of policy.
And you ain't seen nothing yet.

I wish that I could tell you that it is still possible for one
person to hold the big picture firmly in their mind's eye, to track
everything important that is going on in our field, to make few if
any sins of omission.  It is not possible; that phase passed sometime
in the last six years.  I have certainly tried to keep up but I
would be less than candid if I were not to say that I know that I
am not keeping up, not even keeping up with what is going on in my
own country much less all countries.  Not only has cybersecurity
reached the highest levels of attention, it has spread into nearly
every corner.  If area is the product of height and width, then the
footprint of cybersecurity has surpassed the grasp of any one of us.

The rate of technological change is certainly a part of it.  When
younger people ask my advice on what they should do or study to
make a career in cyber security, I can only advise specialization.
Those of us who were in the game early enough and who have managed
to retain an over-arching generalist knowledge can't be replaced
very easily because while absorbing most new information most of
the time may have been possible when we began practice, no person
starting from scratch can do that now.  Serial specialization is
now all that can be done in any practical way.  Just looking at the
Black Hat program will confirm that being really good at any one
of the many topics presented here all but requires shutting out the
demands of being good at any others.

Why does that matter?  Speaking for myself, I am not interested in
the advantages or disadvantages of some bit of technology unless I
can grasp how it is that that technology works.  Whenever I see
marketing material that tells me all the good things that adopting
this or that technology makes possible, I remember what George
Santayana said, that ``Scepticism is the chastity of the intellect;
it is shameful to give it up too soon, or to the first comer.'' I
suspect that a majority of you have similar skepticism --- ``It's
magic!'' is not the answer a security person will ever accept.  By
and large, I can tell \emph{what} something is good for once I know
\emph{how}
it works.  Tell me how it works and then, but only then, tell me
why you have chosen to use those particular mechanisms for the
things you have chosen to use them for.

Part of my feeling stems from a long-held and well-substantiated
belief that all cyber security technology is dual use.  Perhaps
dual use is a truism for any and all tools from the scalpel to the
hammer to the gas can --- they can be used for good or ill --- but I
know that dual use is inherent in cyber security tools.  If your
definition of ``tool'' is wide enough, I suggest that the cyber
security tool-set favors offense these days.  Chris Inglis, recently
retired NSA Deputy Director, remarked that if we were to score cyber
the way we score soccer, the tally would be 462-456 twenty minutes
into the game,\footnote{
Chris Inglis, confirmed by personal communication
} i.e., all offense.  I will take his comment as
confirming at the highest level not only the dual use nature of
cybersecurity but also confirming that offense is where the innovations
that only States can afford is going on.

Nevertheless, this essay is an outgrowth from, an extension of,
that increasing importance of cybersecurity.  With the humility of
which I spoke, I do not claim that I have the last word.  What I
do claim is that when we speak about cybersecurity policy we are
no longer engaging in some sort of parlor game.  I claim that policy
matters are now the most important matters, that once a topic area,
like cybersecurity, becomes interlaced with nearly every aspect of
life for nearly everybody, the outcome differential between good
policies and bad policies broadens, and the ease of finding answers
falls.  As H.L. Mencken so trenchantly put it, ``For every complex
problem there is a solution that is clear, simple, and wrong.''

The four verities of government are these:

\begin{itemize}
    \item Most important ideas are unappealing
    \item Most appealing ideas are unimportant
    \item Not every problem has a good solution
    \item Every solution has side effects
\end{itemize}

This quartet of verities certainly applies to the interplay between
cybersecurity and the affairs of daily living.  Over my lifetime
the public expectation of what government can and should do has
spectacularly broadened from guaranteeing that you may engage in
the ``pursuit of happiness'' to guaranteeing happiness in and of
itself.  The central dynamic internal to government is, and always
has been, that the only way for either the Executive or the Legislature
to control the many sub-units of government is by way of how much
money they can hand out.  Guaranteeing happiness has the same dynamic
-- that the only tool government really has to achieve the outcome
of everyone happy or everyone healthy or everyone safe at all times
from things that go bump in the night is through the dispensing of
money.  This is true in foreign policy; one can reasonably argue
that the United States' 2007 troop ``surge'' in Iraq did provide an
improvement in safety.  One can also argue that the work of those
troops, some of whom gave what Abraham Lincoln called ``the last
full measure of devotion,'' was materially aided by the less publicized
arrival of C-130s full of \$100 bills with which to buy off potential
combatants.  Why should cybersecurity be any different?

Suppose, however, that surveillance becomes too cheap to meter,
that is to say too cheap to limit through budgetary processes.  Does
that lessen the power of the Legislature more, or the power of the
Executive more?  I think that ever-cheaper surveillance substantially
changes the balance of power in favor of the Executive and away
from the Legislature.  While President Obama was referring to
something else when he said ``I've Got A Pen And I've Got A Phone,''
he was speaking to exactly this idea --- things that need no
appropriations are outside the system of checks and balances.  Is
the ever-wider deployment of sensors in the name of cybersecurity
actually contributing to our safety?  Or is it destroying our safety
in order to save it?

To be entirely clear by way of repetition, this essay is written by
someone as his own opinion and not on behalf of anyone else.  It
is written without the supposed benefits of insider information; I
hold no Clearance but am instead informed solely by way of open
source intelligence.  This path may be poised to grow easier; if
the chief benefit of having a Clearance is to be able to see into
the future a little further than those without one, then it must
follow that as the pace of change accelerates the difference between
how far can you see with a Clearance versus how far can you see
without one will shrink.

There are, in other words, parallels between cybersecurity and the
intelligence functions insofar as predicting the future has a strong
role to play in preparing your defenses for probable attacks.  As
Dave Aitel has repeatedly pointed out, the hardest part of crafting
good attack tools is testing them before deployment.  Knowing what
your tool will find, and how to cope with that, is surely harder
than finding an exploitable flaw in and of itself.  This, too, may
grow in importance if the rigor of testing causes attackers to use
some portion of the Internet at large as their test platform rather
than whatever rig they can afford to set up in their own shop.  If
that is the case, then full scale traffic logs become an indispensable
intelligence tool insofar as when an attack appears to be de novo
those with full scale traffic logs may be in a position to answer
the question ``How long has this been going on?''  The company Net
Witness, now part of EMC, is one player who comes to mind in this
regard, and there are others.  This idea of looking backward for
evidence that you didn't previously know enough to look for does
certainly have intelligence value both for the Nation State and for
the enterprise.

And there is a lot of traffic that we don't have a handle on.  John
Quarterman of Internet Perils makes a round number guess that 10\%
of Internet backbone traffic is unidentifiable as to
protocol.\footnote{
    John Quarterman, personal communication
}
Whether he is off by a factor of two in either direction, that is
still a lot of traffic.  Arbor Networks estimates that perhaps 2\%
of all \emph{identifiable} backbone traffic is, to use their term, ``raw
sewage.''\footnote{
    ``2\% of Internet Traffic Raw Sewage''
    \url{http://www.arbornetworks.com/asert/2008/03/2-of-internet-traffic-raw-sewage}
}
There are plenty of other estimates of this sort, of
course.  To my way of thinking, all such estimates continue to
remind us that the end-to-end design of the Internet\footnote{
    ``End-to-End Arguments in System Design''
    \url{http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf}
}
was not some failure of design intellect but a brilliant avoidance of
having to pick between the pitiful toy a completely safe Internet would
have to be versus an Internet that was the ultimate tool of State
control.  In nothing else is it more apt to say that our choices are
Freedom, Security, Convenience --- Choose Two.

Let me now turn to some policy proposals on a suite of pressing
current topics.  None of these proposals are fully formed, but as
you know, those who don't play the game don't make the rules.  These
proposals are not in priority order, though some are more at odds
with current practice than others and might, therefore, be said to
be more pressing.  There are more where these came from, but this
talk has a time limit, and there is a meta-analysis at the end.


\section{Mandatory reporting --- YES/Tiered}

The United States Centers for Disease Control are respected the
world around.  When you really get down to it, three capabilities
describe the CDC and why they are as effective as they are: (1)
mandatory reporting of communicable diseases, (2) stored data and
the data analytic skill to distinguish a statistical anomaly from
an outbreak, and (3) away teams to take charge of, say, the appearance
of Ebola in Miami.  Everything else is details.  The most fundamental
of these is the mandatory reporting of communicable diseases.

At the same time, we have well established rules about medical
privacy.  Those rules are helpful; when you check into the hospital
there is a licensure-enforced, accountability-based, need-to-know
regime that governs the handling of your data.\footnote{
    Protected Health Information, abbreviated PHI, as defined by
    Section 1171 of Part C of Subtitle F of Public Law 104-191, ``The
    Health Insurance Portability and Accountability Act of 1996,'' also
    known as HIPAA.
}
Most days, that is, but if you check in with Bubonic Plague or Typhus or
Anthrax, you will have zero privacy as those are the ``mandatory
reporting of communicable disease conditions'' as variously mandated not
just by the CDC but by public health law in all fifty States.

So let me ask you, would it make sense, in a public health of the
Internet way, to have a mandatory reporting regime for cybersecurity
failures?  Do you favor having to report cyber penetrations of your
firm or of your household to some branch of government or some
non-government entity?  Should you face criminal charges if you
fail to make such a report?  Forty-eight States vigorously penalize
failure to report sexual molestation of children.\footnote{
    ``Penalties for failure to report and false reporting of child
    abuse and neglect,'' US Dept of Health and Human Services, Children's
    Bureau, Child Welfare Information Gateway.
}
The (US) Computer Fraud and Abuse Act\footnote{
    U.S. Code, Title 18, Part I, Chapter 47, Section 1030
    \url{http://www.law.cornell.edu/uscode/text/18/1030}
}
defines a number of felonies related to computer penetrations, and the
U.S. Code says that it is a crime to fail to report a felony of which
you have knowledge.\footnote{
    U.S. Code, Title 18, Part I, Chapter 1, Section 4
    \url{http://www.law.cornell.edu/uscode/text/18/4}
}
Is cybersecurity event data the kind of data around which you want to
enforce mandatory reporting?  Forty-six States require mandatory
reporting of one class of cyber failures in the form of their data
breach laws,\footnote{
    Security Breach Information Act
    \url{http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb\_1351-1400/sb\_1386\_bill\_20020926\_chaptered.pdf}
}
while the Verizon Data Breach Investigations
Report\footnote{
    Verizon Data Breach Investigations Report
    \url{http://www.verizonenterprise.com/DBIR}
}
found, and the Index of Cyber Security\footnote{
    Index of Cyber Security
    \url{http://www.cybersecurityindex.org}
}
confirmed, that
70-80\% of data breaches are discovered by unrelated third parties, not
by the victim, meaning that the victim might never know if those who do
the discovering were to keep quiet.  If you discover a cyber attack, do
you have an ethical obligation to report it?  Should the law mandate
that you fulfill such an obligation?

My answer to this set of questions is to mirror the CDC, that is
for the force of law to require reporting of cybersecurity failures
that are above some severity threshold that we have yet to negotiate.
Below that threshold, I endorse the suggestion made in a piece two
weeks ago, ``Surviving on a Diet of Poisoned Fruit,'' by Richard
Danzig where he made this policy proposal:\footnote{
    ``Surviving on a Diet of Poisoned Fruit; Reducing the National
    Security Risks of America's Cyber Dependencies''
    \url{http://www.cnas.org/surviving-diet-poisoned-fruit}
}

\begin{quote}
    Fund a data collection consortium that will illuminate the
    character and magnitude of cyber attacks against the U.S. private
    sector, using the model of voluntary reporting of near-miss
    incidents in aviation.  Use this enterprise as well to help
    develop common terminology and metrics about cybersecurity.

    While regulatory requirements for aviation accident reporting
    are firmly established through the National Transportation Safety
    Board, there are no requirements for reporting the vastly more
    numerous and often no less informative near misses.  Efforts to
    establish such requirements inevitably generate resistance:
    Airlines would not welcome more regulation and fear the reputational
    and perhaps legal consequences of data visibility; moreover,
    near accidents are intrinsically more ambiguous than accidents.
    An alternative path was forged in 2007 when MITRE, a government
    contractor, established an Aviation Safety Information Analysis
    and Sharing (ASIAS) system receiving near-miss data and providing
    anonymized safety, benchmarking and proposed improvement reports
    to a small number of initially participating airlines and the
    Federal Aviation Administration (FAA).
\end{quote}

Today, 44 airlines participate in that program voluntarily.  The
combination of a mandatory CDC model for above-threshold cyber
events and a voluntary ASIAS model for below-threshold events is
what I recommend.  This leaves a great deal of thinking still to
be done; diseases are treated by professionals, but malware infections
are treated by amateurs.  Diseases spread within jurisdictions
before they become global, but malware is global from the get-go.
Diseases have predictable behaviors, but malware comes from sentient
opponents.  Don't think this proposal is an easy one or one without
side effects.


\section{Net neutrality --- CHOICE}

There is considerable irony in the Federal Communications Commission
classifying the Internet as an information service and not as a
communications service insofar as while that may have been a gambit
to relieve ISPs of telephone-era regulation, the value of the
Internet is ever more the bits it carries, not the carriage of those
bits.  The FCC decisions are both several and now old, the FCC
classified cable as an information service in 2002, classified DSL
as an information service in 2005, classified wireless broadband
as an information service in 2007, and classified broadband over
power lines as an information service in 2008.  A decision by the
D.C. Circuit Court of Appeals on this very point appeared earlier
this year,\footnote{
    Verizon v. FCC, 740 F.3d 623 (D.C. Cir. 2014)
    \url{http://www.cadc.uscourts.gov/internet/opinions.nsf/3AF8B4D938CDEEA685257C6000532062/\$file/11-1355-1474943.pdf}
}
but settled little.  The question remains, is the Internet a
telecommunications service or an information service?

I've nothing new to say to you about the facts, the near-facts, nor
the lying distortions inherent in the debate regarding network
neutrality so far or still to come.  What I can say is that network
neutrality is no panacea nor is it anathema; peoples' tastes vary
and so do corporations'.  What I can say is that the varied tastes
need to be reflected in constrained choice rather than the idea
that the FTC or some other agency can assure happiness if and only
if it, rather than corporations or individuals, does the choosing.
Channeling for Doctor Seuss, if I ran the zoo I'd call up the ISPs
and say this:

Hello, Uncle Sam here.

You can charge whatever you like based on the contents of what
you are carrying, but you are responsible for that content if it
is hurtful; inspecting brings with it a responsibility for what
you learn.
-or-
You can enjoy common carrier protections at all times, but you
can neither inspect nor act on the contents of what you are
carrying and can only charge for carriage itself.  Bits are bits.

Choose wisely.  No refunds or exchanges at this window.

In other words, ISPs get the one or the other; they do not get both.
The FCC gets some heartache but also a natural experiment in whether
those who choose common carrier status turn out differently than
those who choose multi-tiered service grades with liability exposure.
We already have a lot of precedent and law in this space.  The
United States Postal Service's term of art, ``sealed against inspection,''
is reserved for items on which the highest postage rates are charged;
is that also worth stirring into the mix?

As a side comment, I might add that it was in Seuss' book \booktitle{If I Ran
the Zoo} that the word ``nerd'' first appeared in English.  If Black
Hat doesn't yet have an official book, I'd suggest this one.


\section{Source code liability --- CHOICE}

Nat Howard said that ``Security will always be exactly as bad as it
can possibly be while allowing everything to still
function,''\footnote{
    Nat Howard at USENIX 2000, per Marcus Ranum
}
but with each passing day, that ``and still function'' clause requires
a higher standard.  As Ken Thompson told us in his Turing Award
lecture, there is no technical escape;\footnote{
    Ken Thompson, ``Reflections on Trusting Trust,'' 1984
}
in strict mathematical terms you neither trust a program nor a house
unless you created it 100\% yourself, but in reality most of us will
trust a house built by a suitably skilled professional, usually we will
trust it more than one we had built ourselves, and this even if we have
never met the builder, or even if he is long since dead.

The reason for this trust is that shoddy building work has had that
crucial ``or else ...'' clause for more than 3700 years:

If a builder builds a house for someone, and does not construct
it properly, and the house which he built falls in and kills
its owner, then the builder shall be put to death.
-- Code of Hammurabi, approx 1750 B.C.

Today the relevant legal concept is ``product liability'' and the
fundamental formula is ``If you make money selling something, then
you better do it well, or you will be held responsible for the
trouble it causes.''  For better or poorer, the only two products
not covered by product liability today are religion and software,
and software should not escape for much longer.  Poul-Henning Kamp
and I have a strawman proposal for how software liability regulation
could be structured.

\begin{enumerate}
    \item \textbf{Consult criminal code to see if damage caused was due
        to intent or willfulness.}

    We are only trying to assign liability for unintentionally caused
    damage, whether that's sloppy coding, insufficient testing, cost
    cutting, incomplete documentation, or just plain incompetence.
    Clause zero moves any kind of intentionally inflicted damage out of
    scope.  That is for your criminal code to deal with, and most
    already do.

    \item \textbf{If you deliver your software with complete and
        buildable source code and a license that allows disabling any
        functionality or code the licensee decides, your liability is
    limited to a refund.}

    Clause one is how to avoid liability: Make it possible for your
    users to inspect and chop out any and all bits of your software they
    do not trust or want to run.  That includes a bill of materials
    (``Library ABC comes from XYZ'') so that trust has some basis,
    paralleling why there are ingredient lists on processed foods.

    The word ``disabling'' is chosen very carefully:  You do not need to
    give permission to change or modify how the program works, only to
    disable the parts of it that the licensee does not want or trust.
    Liability is limited even if the licensee never actually looks at
    the source code; as long has he has received it, you (as maker) are
    off the hook.  All your other copyrights are still yours to control,
    and your license can contain any language and restriction you care
    for, leaving the situation unchanged with respect to
    hardware-locking, confidentiality, secrets, software piracy, magic
    numbers, etc.

    Free and Open Source Software (FOSS) is obviously covered by this
    clause which leaves its situation unchanged.

    \item \textbf{In any other case, you are liable for whatever damage
    your software causes when it is used normally.}

    If you do not want to accept the information sharing in Clause 1,
    you fall under Clause 2, and must live with normal product liability,
    just like manufactures of cars, blenders, chain-saws and hot coffee.

\end{enumerate}

How dire the consequences, and what constitutes ``used normally'' is
for your legislature and courts to decide, but let us put up a
strawman example:

\begin{quote}
    A sales-person from one of your long time vendors visits and
    delivers new product documentation on a USB key, you plug the
    USB key into your computer and copy the files onto the computer.
\end{quote}

This is ``used normally'' and it should never cause your computer to
become part of a botnet, transmit your credit card number to Elbonia,
or copy all your design documents to the vendor.  If it does, your
computer's operating system is defective.

The majority of today's commercial software would fall under Clause
2 and software houses need a reasonable chance to clean up their act
or to move under Clause 1, so a sunrise period is required.  But no
longer than five years --- we are trying to solve a dire computer
security problem here.

And that is it really:  Either software houses deliver quality and
back it up with product liability, or they will have to let their
users protect themselves.  The current situation --- users can't see
whether they need to protect themselves and have no recourse to
being unprotected --- cannot go on.  We prefer self-protection (and
fast recovery), but other's mileage may differ.

Would it work?  In the long run, absolutely yes.  In the short run,
it is pretty certain that there will be some nasty surprises as
badly constructed source code gets a wider airing.  The FOSS
community will, in parallel, have to be clear about the level of
care they have taken, and their build environments as well as their
source code will have to be kept available indefinitely.

The software houses will yell bloody murder the minute legislation
like this is introduced, and any pundit and lobbyist they can afford
will spew their dire predictions that ``This law will mean the end
of computing as we know it!''

To which our considered answer will be:

\begin{quote}
    Yes, please!  That was exactly the idea.
\end{quote}


\section{Strike back --- LIMITED YES}

I suspect that a fair number of you have, in fact, struck back at
some attacker somewhere or, at least, done targeting research even
if you didn't pull the trigger.  I'd trust many of you to identify
targets carefully enough to minimize collateral damage, but what
we are talking about here is the cyber equivalent of the smart bomb.
As I implied earlier, cyber smart bombs are what the national
laboratories of several countries are furiously working on.  In
that sense, you do know what is happening behind the curtain, and
you know how hard that targeting really is because you know how
hard attribution --- real attribution --- really is.

The issue is shared infrastructure, and that issue is not going
away.  There are some entities that can operate globally and strike
back effectively, Microsoft and the FBI teaming up on the GameOver
Zeus trojan for example,\footnote{
    ``Microsoft and FBI team up to take down GameOver Zeus botnet''
    \url{http://www.techradar.com/us/news/internet/web/microsoft-and-fbi-team-up-to-take-down-gameover-zeus-botnet-1251609}
}
but that's an expensive therapy in
limited supply that can only be applied to the most damaging malware.
Nevertheless, that is the therapy we have.  Smaller entities cannot
act globally nor can they act in certain ways without pairing with
national agencies.  That can, and must, go on, but I don't see how
the individual or the smaller entity can shoot back.  All I see is
for the individual or the smaller entity to put all their effort
into having fast recovery.


\section{Fall backs and resiliency --- TOO COMPLICATED FOR ONE POLICY}

There has always been a lot of talk about what to do when failure
is unacceptable and yet failure is inevitable.  Heretofore, almost
anything that has come to be seen as essential to the public gets
some sort of performance standard imposed upon it, electricity and
water, say.  But let's talk about software.

For one example, a commonly voiced desire for cryptographic protocols
is ``algorithm agility,'' the ability to swap from one cryptographic
algorithm to another if and when the first one becomes unsafe.  The
security benefit of such a swap is not what you turn on but what
you turn off.  For that to be possible, a second algorithm has to
already be in place, but that means that the second algorithm had
to be designed in at the outset and at both ends, with a way to
choose between them such that either end of the proposed connection
can force a change-over to the alternate algorithm.  One might argue
that implementing algorithm agility actually means a single, more
complex algorithm.  Or maybe what you want is two algorithms where
you always use both, such as when you encrypt with one algorithm
and super-encrypt with another so that the failure of one has no
practical effect on security and nothing has to change.

I say all that just to demonstrate that it is not always simple to
have a pre-deployed fallback should something break, that design
willpower alone is not enough.  So perhaps mandating pre-deployed
fallbacks is a bad idea entirely.  Perhaps what is needed is a way
to reach out and upgrade the endpoints when the time of necessity
comes.  But today, or real soon now, most of the places needing a
remote management interface through which you can remotely upgrade
the endpoints are embedded hardware.  So let me ask a question,
should or should not an embedded system be required to have a remote
management interface?  If it does not, then a late discovered flaw
cannot be fixed without visiting all the embedded systems --- which
is likely to be infeasible because some you will be unable to find,
some will be where you cannot again go, and there will be too many
of them in any case.  If it does have a remote management interface,
the opponent of skill will focus on that and, once a break is
achieved, will use those self-same management functions to ensure
that not only does he retain control over the long interval but,
as well, you will be unlikely to know that he is there.

Perhaps what is needed is for embedded systems to be more like
humans, and I most assuredly do not mean artificially intelligent.
By ``more like humans'' I mean this: Embedded systems, if having no
remote management interface and thus out of reach, are a life form
and as the purpose of life is to end, an embedded system without a
remote management interface must be so designed as to be certain
to die no later than some fixed time.  Conversely, an embedded
system with a remote management interface must be sufficiently
self-protecting that it is capable of refusing a command.  Inevitable
death and purposive resistance are two aspects of the human condition
we need to replicate, not somehow imagine that to overcome them is
to improve the future.

Lest some of you think this is all so much picayune, tendentious,
academic perfectionist posturing, let me inform some of you and
remind the others that it is entirely possible to deny the Internet
to a large fraction of its users.  Home routers have drivers and
operating systems that are binary blobs amounting to snapshots of
the state of Linux plus the lowest end commodity chips that were
extant at the time of the router's design.  Linux has moved on.
Device drivers have moved on.  Samba has moved on.  Chipsets have
moved on.  But what is sold at Best Buy or the like is remarkably
cheap and remarkably old.  With certainty born of long engineering
experience, I assert that those manufacturers can no longer build
their deployed software blobs from source.  If, as my colleague Jim
Gettys has laboriously measured, the average age of the code base
on those ubiquitous low-end routers is 4-5 years,\footnote{
    Gettys J, former VP Software, One Laptop Per Child, personal
    communication
}
then you can be assured that the CVE catalog lists numerous methods of
attacking those operating systems and device drivers
remotely.\footnote{
    Common Vulnerabilities and Exposures, cve.mitre.org/cve
}
If I can commandeer them remotely, then I can build a botnet that is on
the \emph{outside} of the home network.  It need not ever put a single
packet through the firewall, it need never be detectible by any means
whatsoever from the interior of the network it serves, but it is most
assuredly a latent weapon, one that can be staged to whatever level of
prevalence I desire before I ask it to do more.  All I need is to
include in my exploit a way to signal that device to do three things:
stop processing anything it henceforth receives, start flooding the
network with a broadcast signal that causes other peers to do the same,
and zero the on-board firmware thus preventing reboot for all time.  Now
the only way to recover is to unplug all the devices, throw them in the
dumpster, and install new ones --- but aren't the new ones likely to have
the same kind of vulnerability spectrum in CVE that made this possible
in the first place?  Of course they do, so this is not a quick trip to
the big box store but rather flushing the entire design space and
pipeline inventory of every maker of home routers.  There appears to be
an event at DefCon around this very issue.\footnote{
    SOHOpelessly Broken, \url{http://www.sohopelesslybroken.com}
}

Resiliency is an area where no one policy can be sufficient, so
I've suggested a trio of baby steps: embedded systems cannot be
immortal if they have no remote management interface, embedded
systems must have a remote management interface if they are to be
immortal, and swap-over is preferable to swap-out when it comes to
data protection.


\section{Vulnerability finding --- HEGEMONY}

Vulnerability finding is a job.  It has been a job for something
like eight years now, give or take.  For a good long while, you
could do vulnerability finding as a hobby and get paid in bragging
rights, but finding vulnerabilities got to be too hard to do as a
hobby in your spare time --- you needed to work it like a job and
get paid like a job.  This was the result of hard work on the part
of the software suppliers including the suppliers of operating
systems, but as the last of the four verities of government says,
every solution has side effects.  In this case, the side effect is
that once vulnerability finding became a job and stopped being a
bragging-rights hobby, those finding the vulnerabilities stopped
sharing.  If you are finding vulns for fun and fame, then the minute
you find a good one you'll let everybody know just to prevent someone
else finding it and beating you to the punch.  If you are doing it
for profit, then you don't share.  That's where the side effect is
-- once coin-operated vuln finders won't share, the percentage of
all attacks that are zero-day attacks must rise, and it has.

In a May article in The Atlantic,\footnote{
    ``Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?''
    \url{http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197}
}
Bruce Schneier asked a cogent
first-principles question: Are vulnerabilities in software dense
or sparse?  If they are sparse, then every one you find and fix
meaningfully lowers the number of avenues of attack that are extant.
If they are dense, then finding and fixing one more is essentially
irrelevant to security and a waste of the resources spent finding
it.  Six-take-away-one is a 15\% improvement.  Six-thousand-take-
away-one has no detectable value.

If a couple of Texas brothers could corner the world silver
market,\footnote{
    ``Hunt Brothers Corner Silver Market''
    \url{http://web.archive.org/web/20060118031501/http://www.wallstraits.com/main/viewarticle.php?id=1298}
}
there is no doubt that the U.S. Government could openly corner the
world vulnerability market, that is we buy them all and we make
them all public.  Simply announce ``Show us a competing bid, and
we'll give you 10x.''  Sure, there are some who will say ``I hate
Americans; I sell only to Ukrainians,'' but because vulnerability
finding is increasingly automation-assisted, the seller who won't
sell to the Americans knows that his vulns can be rediscovered in
due course by someone who \emph{will} sell to the Americans who will
tell everybody, thus his need to sell his product before it outdates
is irresistible.

This strategy's usefulness comes from two side effects: (1) that
by overpaying we enlarge the talent pool of vulnerability finders
and (2) that by making public every single vuln the USG buys we
devalue them.  Put differently, by overpaying we increase the rate
of vuln finding, while by showing everyone what it is that we bought
we zero out whatever stockpile of cyber weapons our adversaries
have.  We don't need intelligence on what weapons our adversaries
have if we have something close to a complete inventory of the
world's vulns and have shared that with all the affected software
suppliers.  But this begs Schneier's question: Are vulnerabilities
sparse or dense?  If they are sparse or even merely numerous, then
cornering the market wins in due course.  If they are dense, then
all we would end up doing is increasing costs both to software
suppliers now obligated to repair all the vulns a growing army of
vuln researchers can find and to taxpayers.  I believe that vulns
are scarce enough for this to work and,, therefore I believe that
cornering the market is the cheapest win we will ever get.

Let me note, however, that my colleagues in static analysis report
that they regularly see web applications greater than 2GB in size
and with 20,000 variables.  Such web apps can only have been written
by machine and, therefore, the vulns found in them were also written
by machine.  Machine-powered vuln creation might change my analysis
though I can't yet say in what direction.


\section{Right to be forgotten --- YES}

I've spoken elsewhere about how we are all intelligence agents now,
collecting on each other on behalf of various overlords.\footnote{
    ``We Are All Intelligence Agents Now''
    \url{http://geer.tinho.net/geer.rsa.28ii14.txt}
}
There are so many technologies now that power observation and
identification of the individual at a distance.  They may not yet be in
your pocket or on your dashboard or embedded in all your smoke
detectors, but that is only a matter of time.  Your digital exhaust is
unique hence it identifies.  Pooling everyone's digital exhaust also
characterizes how you differ from normal.  Privacy used to be
proportional to that which it is impossible to observe or that which can
be observed but not identified.  No more --- what is today observable and
identifiable kills both privacy as impossible-to-observe and privacy as
impossible-to-identify, so what might be an alternative?  If you are an
optimist or an apparatchik, then your answer will tend toward rules of
data procedure administered by a government you trust or control.  If
you are a pessimist or a hacker/maker, then your answer will tend
towards the operational, and your definition of a state of privacy will
be my definition: the effective capacity to misrepresent yourself.

Misrepresentation is using disinformation to frustrate data fusion
on the part of whomever it is that is watching you.  Some of it can
be low-tech, such as misrepresentation by paying your therapist in
cash under an assumed name.  Misrepresentation means arming yourself
not at Walmart but in living rooms.  Misrepresentation means swapping
affinity cards at random with like-minded folks.  Misrepresentation
means keeping an inventory of misconfigured webservers to proxy
through.  Misrepresentation means putting a motor-generator between
you and the Smart Grid.  Misrepresentation means using Tor for no
reason at all.  Misrepresentation means hiding in plain sight when
there is nowhere else to hide.  Misrepresentation means having not
one digital identity that you cherish, burnish, and protect, but
having as many as you can.  Your fused identity is not a question
unless you work to make it be.  Lest you think that this is a problem
statement for the random paranoid individual alone, let me tell you
that in the big-I Intelligence trade, crafting good cover is getting
harder and harder and for the exact same reasons: misrepresentation
is getting harder and harder.  If I was running field operations,
I would not try to fabricate a complete digital identity, I'd
``borrow'' the identity of someone who had the characteristics that
I needed for the case at hand.

The Obama administration's issuance of a National Strategy for
Trusted Identities in Cyberspace\footnote{
    National Strategy for Trusted Identities in Cyberspace,
    \url{http://www.nist.gov/nstic}
}
is case-in-point; it ``calls for the development of interoperable
technology standards and policies --- an `Identity Ecosystem' --- where
individuals, organizations, and underlying infrastructure --- such as
routers and servers --- can be authoritatively authenticated.''  If you
can trust a digital identity, that is because it can't be faked.  Why
does the government care about this?  It cares because it wants to
digitally deliver government services and it wants attribution.  Is
having a non-fake-able digital identity for government services worth
the registration of your remaining secrets with that government?  Is
there any real difference between a system that permits easy, secure,
identity-based services and a surveillance system?  Do you trust those
who hold surveillance data on you over the long haul by which I mean the
indefinite retention of transactional data between government services
and you, the individual required to proffer a non-fake-able identity to
engage in those transactions?  Assuming this spreads well beyond the
public sector, which is its designers' intent, do you want this
everywhere?  If you are building authentication systems today, then you
are already playing ball in this league.  If you are using
authentication systems today, then you are subject to the pending design
decisions of people who are themselves playing ball in this league.

After a good amount of waffling, I conclude that a unitary, unfakeable
digital identity is no bargain and that I don't want one.  I want
to choose whether to misrepresent myself.  I may rarely use that,
but it is my right to do so.  If that right vanishes into the
panopticon, I have lost something and, in my view, gained next to
nothing.  In that regard, and acknowledging that it is a baby step,
I conclude that the EU's ``Right to be Forgotten'' is both appropriate
and advantageous though it does not go far enough.  Being forgotten
is consistent with moving to a new town to start over, to changing
your name, to a definition of privacy that turns on whether you do
or do not retain the effective capacity to misrepresent yourself,
a right which I will remind you is routinely granted but to those
who have especially helped governmental causes (witness protection,
e.g.).  A right to be forgotten is the only check on the tidal wave
of observability that a ubiquitous sensor fabric is birthing now,
observability that changes the very quality of what ``in public''
means.  Entities that block deep-linking to their web resources are
neutralizing indexability.  Governments of all stripes, irretrievably
balkanizing the Internet through the self-same vehicle of indexing
controls, are claiming that a right to do so is inherently theirs.
The only democratizing brake on this runaway train is for individuals
to be able, in their own small way, to do the same as do other
entities.  I find it notably ironic that The Guardian newspaper's
championing of Edward Snowden's revelations about privacy loss is
paired with the same paper's editorializing that ``No one has a right
to be forgotten.''\footnote{
    ``The Right to Be Forgotten Will Turn the Internet into a Work of
    Fiction,''
    \url{http://www.theguardian.com/commentisfree/2014/jul/06/right-to-be-forgotten-internet-work-of-fiction-david-mitchell-eu-google}
}
Au contraire, madames et monsieurs, they most assuredly do.


\section{Internet voting --- NO}

Motivated \& expert opponents are very nearly undefendable against.
People like us here know that, which is why it is natural for people
like us here to oppose voting over the Internet.  The National
Center for Policy Analysis thinks online voting is a bad idea.  NIST
thinks online voting is a bad idea.  With Pamela Smith, Bruce
McConnell editorialized in the pages of the Wall Street
Journal\footnote{
    ``Hack the Vote: The Perils of the Online Ballot Box''
    \url{http://online.wsj.com/articles/pamela-smith-and-bruce-mcconnell-hack-the-vote-the-perils-of-the-online-ballot-box-1401317230}
}
that online voting is a bad idea.  The fact that we here have near
universal disdain for the idea has not seemed to change much policy.

Now it is always true that a thorough security analysis will get
much less attention than a juicy conspiracy theory even if both
lead to the same conclusion.  How do we explain this?  If I knew
that, then I would commence to explaining, but we may not need to
explain it if the integrity of some election is put at question by
events.  I'd like to think that we don't need carnage to motivate
a re-think, but perhaps we do.  If we do need carnage, then may its
coming be sooner rather than later.


\section{Abandonment --- CERTAINTY OF CONSEQUENCES}

If I abandon a car on the street, then eventually someone will be
able to claim title.  If I abandon a bank account, then the State
will eventually seize it.  If I abandon real estate by failing to
remedy a trespass, then in the fullness of time adverse possession
takes over.  If I don't use my trademark, then my rights go over
to those who use what was and could have remained mine.  If I abandon
my spouse and/or children, then everyone is taxed to remedy my
actions.  If I abandon a patent application, then after a date
certain the teaching that it proposes passes over to the rest of
you.  If I abandon my hold on the confidentiality of data such as
by publishing it, then that data passes over to the commonweal not
to return.  If I abandon my storage locker, then it will be lost
to me and may end up on reality TV.  The list goes on.

Apple computers running 10.5 or less get no updates (comprising a
significant fraction of the installed base).  Any Microsoft computer
running XP gets no updates (likewise comprising a significant
fraction of the installed base).  The end of security updates follows
abandonment.  It is certainly ironic that freshly pirated copies
of Windows get security updates when older versions bought legitimately
do not.

Stating what to me is the obvious policy stance, if Company X
abandons a code base, then that code base must be open sourced.
Irrespective of security issues, many is the time that a bit of
software I use has gone missing because its maker killed it.  But
with respect to security, some constellation of {I,we,you,they} are
willing and able to provide security patches or workarounds as time
and evil require.

Would the public interest not be served by a conversion to open
source for abandoned code bases?  I believe it would.  But wait,
you say, isn't purchased software on a general purpose computer a
thing of the past?  Isn't the future all about auto-updated smartphone
clients transacting over armored private (carrier) networks to
auto-updated cloud services?  Maybe; maybe not.  If the two major
desktop suppliers update only half of today's desktops, then what
percentage will they update tomorrow?

If you say ``Make them try harder!,'' then the legalistic, regulatory
position is your position, and the ACLU is already trying that
route.  If smartphone auto-update becomes a condition of merchantability
and your smartphone holds the keying material that undeniably says
that its user is you, then how long before a FISA court orders a
special auto-update to \emph{your} phone for evidence gathering?

If you say ``But we already know what they're going to do, don't
we?,'' then the question is what about the abandoned code bases.
Open-sourcing abandoned code bases is the worst option, except for
all the others.  But if seizing an abandoned code base is too big
a stretch for you before breakfast, then start with a Public Key
Infrastructure Certifying Authority that goes bankrupt and ask ``Who
gets the keys?''


\section{ Convergence --- DEFAULT DENY}

Let me ask you a question: Are the physical and digital worlds one
world or two?  Are cyberspace and meatspace converging or diverging
over time?  I conclude that they are converging, but if they are
converging, then is cyberspace looking more and more like meatspace
or is meatspace looking more and more like cyberspace?  That is not
so clear.

Possibility \#1 is that cyberspace becomes more and more like
meatspace, ergo the re-creation of borders and jurisdictional
boundaries is what happens next.  Possibility \#2 is that meatspace
becomes more and more like cyberspace, ergo jurisdictional boundaries
grow increasingly irrelevant and something akin to one-world
technocratic government more or less follows.  The former is
heterogeneous, the latter is the monoculture of a single nation-state.
As we all know, resiliency and freedom obtain solely from heterogeneity,
so converging meatspace to cyberspace is the unfavorable outcome,
but what can be done about it?

At the end of last year, the Pew Research Center invited 12,000
``experts'' to answer a single Yes/No question:

\begin{quote}
    By 2025 will there be significant changes for the worse and
    hindrances to the ways in which people get and share content
    online compared with the way globally networked people can operate
    online today?\footnote{
    \url{http://www.pewinternet.org/2014/07/03/net-threat}
    }
\end{quote}

Of the 12,000 invited, some 1,400 did answer.  Putting aside whatever
selection bias may be reflected in who chose to answer and who did
not, Pew found four themes dominated respondent comments:

\begin{enumerate}
    \item Actions by nation-states to maintain security and political
    control will lead to more blocking, filtering, segmentation, and
    balkanization of the Internet.

    \item Trust will evaporate in the wake of revelations about government
    and corporate surveillance and likely greater surveillance in the
    future.

    \item Commercial pressures affecting everything from Internet
    architecture to the flow of information will endanger the open
    structure of online life.

    \item Efforts to fix the ``too much information'' problem might
    over-compensate and actually thwart content sharing.
\end{enumerate}

My colleague Rob Lemos mapped Pew's themes to the two alternative
futures I mentioned above,\footnote{
    Rob Lemos, personal communication
}
saying that ``If cyberspace converges to our physical reality, then we
will have balkanization and commercial efforts to artificially create
information monopolies, while if the physical world goes toward digital
space, then we have greater surveillance, the erosion of trust, much
information leakage, and the reaction to that leakage.''  More
crucially, Lemos also observed that the growth of technology has greatly
increased personal power:

\begin{quote}
    The impact that a single person can have on society has significantly
    increased over time to where a single individual can have a
    devastating effect.  The natural reaction for government is to
    become more invasive {possibility \#2 above} to better defend its
    monoculture, or more separate {possibility \#1 above} to firewall
    threats from one another.  Because threats and kinetic impacts
    can increasingly travel through the digital realm, they necessitate
    that the policy and legal frameworks of the digital and physical
    world converge.
\end{quote}

In other words, Lemos argues that convergence is an inevitable
consequence of the very power of cyberspace in and of itself.  I
don't argue with Lemos' idea that increasingly powerful, location
independent technology in the hands of the many will tend to force
changes in the distribution of power.  In fact, that is the central
theme of this essay --- that the power that is growing in the net,
per se, will soon surpass the ability of our existing institutions
to modify it in any meaningful way, so either the net must be broken
up into governable chunks or the net becomes government.

It seems to me that the leverage here favors cyberspace whenever
and wherever we give cyberspace a monopoly position, which we are
doing that blindly and often.  In the last couple of years, I've
found that institutions that I more or less must use --- my 401(k)
custodian, the Government Accounting Office's accounts payable
department, the payroll service my employer outsources to, etc. ---
no longer accept paper letter instructions, they each only accept
digital delivery of such instructions.  This means that each of
them has created a critical dependence on an Internet swarming with
men in the middle and, which is more, they have doubtlessly given
up their own ability to fall back to what worked for a century
before.

It is that giving up of alternative means that really defines what
convergence is and does.  It is said that all civil wars are about
on whose terms re-unification will occur.  I would argue that we
are in, to coin a phrase, a Cold Civil War to determine on whose
terms convergence occurs.  Everything in meatspace we give over to
cyberspace replaces dependencies that are local and manageable with
dependencies that are certainly not local and I would argue much
less manageable because they are much less secure.  I say that
because the root cause of risk is dependence, and most especially
dependence on expectations of system state.  I say ``much less secure''
because one is secure, that is to say that one is in a state of
security, if and only if there can be no unmitigatable surprises.
The more we put on the Internet, the broader and unmitigatable any
surprises become.

This line of thought is beginning to sink in.  Let me quote from a
Bloomberg article a month ago:\footnote{
    ``Banks Dreading Computer Hacks Call for Cyber War Council''
    \url{http://www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html}
}

\begin{quote}
    Wall Street's biggest trade group has proposed a government-industry
    cyber war council to stave off terrorist attacks that could trigger
    financial panic by temporarily wiping out account balances,
    according to an internal document.

    The proposal by the Securities Industry and Financial Markets
    Association calls for a committee of executives and deputy-level
    representatives from at least eight U.S. agencies including the
    Treasury Department, the National Security Agency and the Department
    of Homeland Security, all led by a senior White House official.

    The document sketches an unusually frank and pessimistic view by
    the industry of its readiness for attacks wielded by nation-states
    or terrorist groups that aim to ``destroy data and machines.''  It
    says the concerns are ``compounded by the dependence of financial
    institutions on the electric grid,'' which is also vulnerable to
    physical and cyber attack.
\end{quote}

So here you have the biggest financial firms saying that their
dependencies are no longer manageable, and that the State's monopoly
on the use of force must be brought to bear.  What they are talking
about is that they have no way to mitigate the risk of common mode
failure.

To repeat, risk is a consequence of dependence.  Because of shared
dependence, aggregate societal dependence on the Internet is not
estimable.  If dependencies are not estimable, they will be
underestimated.  If they are underestimated, they will not be made
secure over the long run, only over the short.  As the risks become
increasingly unlikely to appear, the interval between events will
grow longer.  As the latency between events grows, the assumption
that safety has been achieved will also grow, thus fueling increased
dependence in what is now a positive feedback loop.  Accommodating
old methods and Internet rejectionists preserves alternate, less
complex, more durable means and therefore bounds dependence.  Bounding
dependence is \emph{the} core of rational risk management.

If we don't bound dependence, we invite common mode failure.  In
the language of statistics, common mode failure comes exactly from
under-appreciated mutual dependence.  Quoting:\footnote{
    High Integrity Software System Assurance, section 4.2,
    \url{http://hissa.nist.gov/chissa/SEI\_Framework/framework\_16.html},
    but you'll have to look in the Internet Archive for it
}

\begin{quote}
    [R]edundancy is the provision of functional capabilities that
    would be unnecessary in a fault-free environment.  Redundancy
    is necessary, but not sufficient for fault tolerance... System
    failures occur when faults propagate to the outer boundary of
    the system.  The goal of fault tolerance is to intercept the
    propagation of faults so that failure does not occur, usually
    by substituting redundant functions for functions affected by a
    particular fault.  Occasionally, a fault may affect enough
    redundant functions that it is not possible to reliably select
    a non-faulty result, and the system will sustain a common-mode
    failure.  A common-mode failure results from a single fault (or
    fault set).  Computer systems are vulnerable to common-mode
    resource failures if they rely on a single source of power,
    cooling, or I/O.  A more insidious source of common-mode failures
    is a design fault that causes redundant copies of the same
    software process to fail under identical conditions.
\end{quote}

That last part --- that ``A more insidious source of common-mode
failures is a design fault that causes redundant copies of the same
software process to fail under identical conditions'' --- is exactly
that which can be masked by complexity precisely because complexity
ensures under-appreciated mutual dependence.

In sum, as a matter of policy everything that is officially categorized
as a critical infrastructure must conclusively show how it can
operate in the absence of the Internet.  The 2008 financial crisis
proved that we can build systems more complex than we can operate,
the best policy counter to which has been the system of ``stress
tests'' thereafter administered to the banks.  We need other kinds
of stress tests even more.


\section{Conclusion}

I titled this talk ``Cybersecurity as Realpolitik.''  Realpolitik
means, in the words of British historian E. H. Carr, that what is
successful is right and what is unsuccessful is wrong, that there
is no moral dimension in how the world is, and that attempting to
govern based on principles cannot succeed.  Realpolitik is at once
atheistic and anti-utopian.

I find that distasteful and, it seems, that in governing my own
life I daily give up power advantage for principle.  At the same
time, having principles such as ``Might does not make right'' may
well be a failing on my part and, by extension, a failing on the
part of those who govern according to principle.  Cybersecurity as
we describe it in our mailing lists, on our blogs, at our cons, and
so forth is rich in principles and utopian desiderata, all the while
we have opponents at all levels and probably always will for whom
principle matters little but power matters a lot.  As Thomas Ray
said, ``Every successful system accumulates parasites'' and the
Internet plus every widely popular application on it has parasites.
For some observers, parasites and worse are just a cost of doing
business.  For other observers, design which encourages bad outcomes
is an affront that must be fixed.  It is realism and realism alone
that remains when all else fails.

Political realism of the sort I am talking about is based on four
premises:

\begin{itemize}
    \item The international system is anarchic
    \item States are the most important actors
    \item All states within the system are unitary, rational actors
    \item The primary concern of all states is survival
\end{itemize}

This is likewise the realism of the cybersecurity situation in a
global Internet.  It is anarchic, and states have become the most
important actors.  States' investment in offensive cyber is entirely
about survival in such a world.  States are driven to this by the
dual, simultaneous expansion of what is possible and what their
citizens choose to depend on.

The late Peter Bernstein, perhaps the world's foremost thinker on
the topic, defined ``risk'' as ``more things can happen than
will.''\footnote{
    \booktitle{Against the Gods} and this 13:22 video at
    \url{http://www.mckinsey.com/insights/risk\_management/peter\_l\_bernstein\_on\_risk}
}
With technologic advance accelerating, ``more things can happen than
will'' takes on a particularly ominous quality if your job is to
ensure your citizens' survival in an anarchy where, daily, ever
more things can happen than will.  Realpolitik would say that under
such circumstances, defense becomes irrelevant.  What is relevant
is either (1) offense or (2) getting out of the line of fire
altogether.  States that are investing in offense are being entirely
rational and are likely to survive.  Those of us who are backing
out our remaining dependencies on digital goods and services are
being entirely rational and are likely to survive.  The masses who
quickly depend on every new thing are effectively risk seeking, and
even if they do not themselves know it, the States which own them
know, which explains why every State now does to its own citizens
what once States only did to officials in competing regimes.

You have politely listened to a series of ``get off the dime'' policy
proposals around mandatory reporting, net neutrality, source code
liability, strike back, fall backs, resiliency, vulnerability
finding, the right to be forgotten, Internet voting, abandonment,
and convergence, all by one guy that no one ever elected.  I thank
you, friends and countrymen, for lending me your ears.  But I shall
be happier still if some one or several of you find the articulateness
that overcomes the dynamic which we now inhabit, namely that if
what is successful is right and what is unsuccessful is wrong, the
observable allocation of success and of failure is utterly disconnected
from the technical facts of cybersecurity as we know them here.  In
the end, reality always wins, and the reality of technical facts
has more staying power than the reality of market share or utopian
enthusiasm.

Nevertheless, cybersecurity is all about power and only power.
Realpolitik says that what cybersecurity works is right and what
cybersecurity does not work is wrong and Realpolitik thus resonates
with Howard's ``Security will always be exactly as bad as it can
possibly be while allowing everything to still function.''  Realpolitik
says that offense routinely beating defense is right, and imagining
otherwise is wrong, that those whose offense wins are right while
those whose defense loses are wrong.  Realpolitik says that offense's
superiority means that it a utopian fantasy to believe that information
can be protected from leakage, and so the counter-offense of
disinformation is what we must deploy in return.  Realpolitik says
that sentient opponents have always been a fact of life, but never
before have they been location independent and never before have
they been able to recruit mercenaries who will work for free.
Realpolitik says that attribution is impossible unless we deploy a
unitary surveillance state.

I have long preferred to hire security people who are, more than
anything else, sadder but wiser.  They, and only they, know that
most of what commercially succeeds succeeds only so long as attackers
do not give it their attention while what commercially fails fails
not because it didn't work but because it wasn't cheap or easy or
sexy enough to try.  Their glasses are not rose-colored; they are
spattered with Realpolitik.  Sadder but wiser hires, however, come
only from people who have experienced private tragedies, not global
ones.  There are no people sadder but wiser about the scale and
scope of the attack surface you get when you connect everything to
everything and give up your prior ability to do without.  Until
such people are available, I will busy myself with reducing my
dependence on, and thus my risk exposure to, the digital world even
though that will be mistaken for curmudgeonly nostalgia.  Call that
misrepresentation, if you like.

There is never enough time.  Thank you for yours.


To the reader, see also: ``algorithmic regulation''

\rule{3in}{0.02in}


This and other material on file at
\url{http://http://geer.tinho.net/pubs}

\end{document}