“Keeping to your message, repeat it many times, and ignore the criticism” are key principles of success in Washington DC policy work. If you say something over and over again, it must be true. It does not matter if the message is true, based on facts, or have any empirical data to support your assertion. The point is the “message” is a tool to support the policy agenda. Ignore the collateral damage from the message’s consequences, just keep driving the message. This approach is having a dire effect on the cybersecurity posture of all global telecommunications and the Internet. It diverts attention from the real issues to the “message of the week” that supports some other policy agenda.
Let us look at an example from James Clapper, the director of National Intelligence, to the Senate Armed Services Committee. In this case, the asserted “message” is communicated to Kevin Fogarty at IT WORLD:
– From “Cyberwar is coming, spy chief warns, but offers no help” by by Kevin Fogarty
The “message” being asserted is that the network incident on April 8th, 2010 was intentional.
The problem with this assertion is that it is not based on the data. As Craig Labovitz points out in a series of blog posts:
I will add to this data. In my “cybersecurity” capacity at the time of the incident, working as a key Operational Security member of the community, and an accountable party responsible for security incidents at the company I worked at on April 8, 2010, I contacted my peers inside China. This issue was expressed as an operational goof. These “operational goofs” are normal. We see them all the time on the Internet. They are considered to be operationally impacting, but not intentional. Just human error.
Yet, when the people who design, build, and operation the Internet say “April 8, 2010, was not a security incident,” policymakers choose to ignore the experts. Why? Because the facts do not align with the “message.” 🙁
To add more data to the inaccuracies of the “message,” look at the following:
– From BGPMon Blog – one of the major transparency tools we use to monitor all of the Internet.
Here we have three major sources of data that point out that April 8, 2010, was not a “China Hijacking incident using BGP.” Do the facts from the experts matter to the Washington “message?” No. Is this fixation on the “message” a problem with the security of the Internet? YES!
Why is this normal policy approach a security threat to the Internet? The message supports a policy agenda. The policy agenda is not stated nor linked to the facts. The facts are what we use to build better networks. It is engineering 101. It is science 101. Ye, when the facts counter a policy agenda that policy agenda will override the good engineering and science for some other goal. A goal that is not necessarily moving towards a more secure Internet. A goal that will increase the cybersecurity risk.
BGP Hijacking is a threat. As you can see in a NANOG video presentation “Hijacking Mitigation: Something is Better Than Nothing,” the feasibility to perform BGP Hijacking is real. The community who operate the Internet have some tools we use today to monitor, alert, and mitigate BGP Hijacking. The community also has developments that will improve the BGP security on the Internet. But this work can be disrupted by conflicting “policy agendas.”
If you are a reporter writing about “Cyberwar” and getting quotes from government policymakers, ask hard questions. Do your homework. The Internet Operations community is not shy about stating the real facts. The good, the bad, and the ugly Internet data is usually there to validate or disprove the “message.”
Need Security Advice?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.