Go, Rudy, Go! Cyber-Security in the Age of Trump

Shortly before his inauguration, Donald Trump asked Rudy Giuliani to put together an advisory group aimed at helping Mr. Trump's administration understand and respond to "cyber-security" threats.  I'm obviously not going to be on Mr. Giuliani's committee, and I'm not an expert on cyber-security, either – but I did play one for about thirty years as an information technology manager and consultant, so here are my two bits.

The most important short-term threats of the type Mr. Giuliani's group will be advising the president on are terror-related.  Attacks like the latest Google account scam or attempts to subvert the electrical system are real, but they are not immediately important from a counter-terror perspective because neither lost data nor electrical blackouts panic populations.

Consider, in contrast, the effect an airborne attacker with hardware and software capable of taking over the automation in half a percent of the vehicles within a few miles of his flight path over L.A. would have if all of those vehicles accelerated into crashes at about the same time.  Worse, consider the impact a better funded and more patient terrorist group could have if it infiltrated state government data processing to effect the near simultaneous destruction of nearly everything 47 or 48 state governments know about their citizens, employees, and obligations – together with the infrastructure (including several hundred people) the recovery would depend on.

Threats of this kind are well known and well understood in the national security world, with formal task forces, committees, and other groupings long in place and working on countermeasures – mostly in the form of additions to existing technical and management standards.

Trump, however, changes the threat picture: first, the mullahs and others who hate everything America stands for probably saw attacking the United States as counter-productive during Obama's term because he made himself their fellow traveler – and because that's something Trump and the GOP Congress simply won't do, we can expect more, and better organized, attacks.

Second, the 2007 Pelosi budget, coupled with the Obama administration's crony capitalism and regulatory support for billionaire businesses, virtually ended market-changing innovation in the high tech industries – and that's about to change, too, as financial, legal, and regulatory barriers to innovation weaken or disappear.  New ideas, new products, and even whole new industries all sound pretty good – but because technical progress will render obsolete information technology-related security standards long before the traditional committees involved can react, enforcing these through government action will be even more counterproductive than it usually is.

The Giuliani committee's mandate therefore requires that they fill two different roles: provide immediate and well thought through advice to the president whenever short-term decisions related to cyber-security are required, and educate both the administration and members of Congress on what the real risks and possible longer-term responses actually are.

For Mr. Giuliani to make that happen, he has to have the right people on his team – and the overriding consideration there is to avoid overreliance on people from the info-tech version of the uni-party: the Microsoft/IBM monoculture now dominant in non-communications-oriented information technology.

Five suggestions:

1. Forget about the Wintel "security" industry.  It's loud, it's pervasive, it's expensive, and it's useless.  Pat them on the head and say "good boy" in public, but recognize that flaws in the Microsoft-on-Intel (Wintel) architecture are so fundamental that nobody – neither the top technical people at the NSA nor the self-proclaimed Windows guru down the hall – has been able to guarantee information integrity on any of this gear since the P.C. got its second communications board.

Everything in that industry is palliative: it's good faith and best efforts all the way.  That's perfectly acceptable if the value of the information you're protecting is less than the cost of stealing it, but largely delusory beyond that.

2. Ignore sector experts whose experience is grounded in Wintel or z/OS mainframe management.  Thirty years of progressively more senior experience in a $100-million IBM shop with thousands of P.C. users typically qualifies the guy to phone Geek Squad when his home P.C. files disappear – and a demonstrated willingness to string buzzwords together in somber and convincing tones while wearing a nice suit is a virtual guarantee that everything this person knows for sure will prove counterproductive when applied outside the very limited range of technologies he used during his first year or two in the industry.

This may seem harsh, and obviously there are exceptions, but if you look at the typical senior I.T. manager's résumé, you'll find that the person played decisive roles in ambitious projects achieving magnificent successes – none of which, in reality, ever came close to meeting user expectations on cost, timing, or functionality.  The effect of time and employer change coupled with the near universal agreement among senior I.T. managers to neither ask nor tell instantiates what is easily the most miraculous of management phenomena: billion-dollar info-tech disasters, from Agriculture and the IRS to Obamacare and the Post Office, quietly disappear from budgets and production schedules but eventually achieve glorious new lives as testimonials to corporate and personal brilliance, dedication, and outstanding professionalism on the résumés of the people and companies whose actions created them.

There are exceptions – mostly Unix people from companies like HP and Sun who have left the industry.  Bill Joy, for example, is an absolute genius who, along with Scott McNealy, should be asked to serve the country on Mr. Giuliani's committee.

3. The committee will need a backroom: people with the skills and personal integrity to help the committee sift kernels of value from piles of the hot and steaming – and this is one of those rare cases where many of those who teach can also do.  Thus, the recipe for an effective backroom is simple: recruit the people needed from computing science faculties, have them bring along a few grad students with part-time jobs in physics or engineering to do the hard work, and rely on the open source community for real-world review when needed.

The usual rule in security is "trust no one," but in computing, the opposite is often good advice: in this field, nothing works that can't be coded, and both academic discussion in computing science and open source code are read and thought about by some very bright people, almost none of whom are particularly shy about calling out errors.  As a result, you can generally trust stuff that's gone through both versions of the open source process to be exactly what it says it is and do only what it says it does.

This may seem unduly optimistic – but look at the facts.  Linux in all its variations, including Android, works; Solaris on SPARC and BSD on Power are the most secure systems available (and even the BSD-derived OS on the Mac or iPhone is fairly good), while the billions industry and government waste on I.T. that doesn't remotely meet expectations stand in stark contrast to the successes organizations like DARPA have had with enormously complicated code delivered by small teams working with limited resources.

4. Almost everyone assumes that information security is about software, and that's certainly true as far as it goes, but hardware is even more important.  The bottom line here is simple: if you don't know a lot about everyone involved in making every part of your system, you can't trust that system.

As far as I know, for example, there is no practical way to know whether an Intel server CPU embedded in some larger processor stack is sometimes running an entire virtual OS dedicated to doing something you know nothing about – like feeding content to a steganographic process running on some user's graphics board for subsequent upload, and one-time use, on the web server I.T. thinks is totally disconnected from the executive office system.

Basically, if you don't know what's in both the hardware and the code on every device in every machine on your network, you can't know what that network is doing – and most monitoring software is easily fooled, since it runs on top of the very hardware and firmware it is supposed to be checking and can't see anything that hides below it.

It's vitally important, therefore, that Giuliani's group get some significant commercial and defense hardware manufacturing expertise on board – but extraordinary paranoia is especially important here, because overseas manufacturing can easily make many of those involved on the American side look as though they have been thoroughly compromised.

5. Last (but not least), many of the roadblocks the Obama administration has thrown up against entrepreneurial success have been implemented via the tax and regulatory systems – particularly with respect to banking and public finance rules.  Thus, Mr. Giuliani will need to recruit some serious tax and legal expertise from among the ranks of those who serve the very small to medium business communities, because those will be the people who know what has to be done to give smaller, more agile entrepreneurial groups a fair chance to bring innovative products and ideas to bear on America's cyber-security problems.