The Space Force Should Improve the Cybersecurity of Space Assets:

President Trump offered his support last month for the creation of a Space Force within the U.S. military. In a paper released last week, my Harvard colleague Greg Falco argues that one of the first missions for this new force should be to improve the cybersecurity of space assets. This proposal is worthy of deep consideration as the cybersecurity of space assets remains a top, if underexamined, priority for national security, and the opportunity to shape the roles and missions of a new Space Force will soon pass. 

Falco does not hype the threat, but his assessment of the risks is sobering: The consequences of disrupting or degrading connectivity are striking when one considers how much of U.S. critical infrastructure relies on connectivity in or through space. His recommendations take a similarly balanced approach and offer interested policymakers a few potential steps to get started, such as modifying pertinent sections of the Code of Federal Regulations. 

One area that could benefit from future research is how to deconflict roles and missions between a Space Force (or the military in general), the Department of Homeland Security, NASA and other parts of the federal government. This specific issue is a bit beyond the scope of Falco’s paper, but it reflects a challenge that still seems to bedevil federal cybersecurity policy: Who exactly is in charge of what? Space assets and affiliated organizations span the military, civilian government and multiple private-sector spheres. Perhaps more than any other sector of the U.S. economy and society, improving the cybersecurity of space assets really will require a whole-of-nation approach. 

(Via Lawfare – Hard National Security Choices)

It’s a stupid name. However, I generally agree that this should be job #1. The risks are simply too great to delay action in understanding, mitigating, and remediating (where possible).

Five ways to make your presentation better:

  1. Make it shorter. No extra points for filling your time.
  2. Be really clear about what it’s for. If the presentation works, what will change? Who will be changed? Will people take a different course of action because of your work? If not, then why do you do a presentation?
  3. Don’t use slides as a teleprompter. If you have details, write them up in a short memo and give it to us after the presentation.
  4. Don’t sing, don’t dance, don’t tell jokes. If those three skills are foreign to you, this is not a good time to try them out.
  5. Be here now. The reason you’re giving a presentation and not sending us a memo is that your personal presence, your energy and your humanity add value. Don’t hide them. Don’t use a prescribed format if that format doesn’t match the best version of you.

And a bonus: the best presentation is one you actually give. Don’t hide. Don’t postpone it. We need to hear from you.

A presentation is expensive. It’s many of us, in real time, in sync, all watching you do your thing. If you’re going to do it live, make it worth it. For us and for you.

(Via Seth’s Blog)

I’m pasting a copy of this in my work notebook. I’m strong at #3 & #5, need some improvement on #1 & #2, and #4 … well, sometimes I struggle with that.

I suggest the following amendment:

  6. Avoid jargon, acronyms, and colloquialisms. Unless speaking to a homogeneous audience, try not to use too much specialized language which could leave portions of your audience lost.

InfoSec Recruiting – Is the Industry Creating its own Drought?:

The InfoSec industry has a crippling skills shortage, or so we’re told. There’s a constant stream of articles, keynotes, research and initiatives all telling us of the difficulty companies have in finding new talent. I’ve been in the industry for over 30 years now and through my role as one of the directors of Security BSides London, I often help companies who are struggling to grow their teams. More recently, my own circumstances have led me to once again join the infosec candidate pool and go through the job hunt and interview process.

I have been in the position of hiring resources in the past and understand that it is not easy and takes time. But having sat through a few interviews of my own now, I am beginning to wonder if we have not brought this situation upon ourselves. Are the expectations of recruiters out of proportion?

Are they expecting to uncover a hidden gem that ticks every single box?

Is it really true that the infosec talent pool is running empty, or is it that the hiring process in the industry is creating its own drought?

Part of this situation may be coming from the way hiring managers are questioning candidates. There is no perfect questioning methodology, but today, focusing purely on technical questions cannot be a good solution because – LMGTFY – even fairly lazy candidates can study and prepare for any technical questions beforehand. It might seem obvious that a hiring manager needs to look at a wider scope, evaluating the candidate’s ability to learn, adapt, and demonstrate their analytic or creative capabilities, but this is the part that seems to be missed.

I’ve always taught and been taught that asking questions is a good thing because it demonstrates logical and analytical thinking and shows that you are trying to better understand the situation and audience and react with the most appropriate response. If a hiring manager simply pursues a vague line of questioning they’ll only ever be able to evaluate a candidate by taking a subjective decision. I’ve even heard reports that hiring managers have rejected a candidate on the basis that they felt the person would outshine them.

In people management, one of the rules that you learn is that you need to evaluate performance based on attainable and measurable indicators. I propose this needs to be the same for the hiring process so that the hiring manager can make a meaningful decision.

Ultimately, interviewing a candidate on the principles of discussion, exchange and analytic capabilities will help the hiring manager identify the right person. It’s important to assess whether the person has a good foundational skill set that allows them to analyse and understand the work that needs to be performed. A good candidate not only needs the technical competencies but also the softer skills that help them adapt, learn and acquire the broader capabilities needed to successfully integrate into a team. Onboarding and probationary periods are there to allow a team to conduct a final check of the candidate’s technical and soft skills.

So what needs to change? I believe hiring managers need to ask themselves whether searching for that golden needle in the haystack is the most effective way to identify and recruit talent. By changing the perspective that the interview process should be more of a constructive discussion instead of vague and rigid Q&A, companies will get a better view of how that candidate might actually work on the ground. And by adapting questions to the level of experience in front of them, they are likely to see much more potential from every candidate that they engage with. Sure, the infosec talent pool might not be overflowing, but maybe our skills shortage isn’t quite as terrible as we might think.

(Via Liquidmatrix Security Digest)

A friend and former employee of mine has been in the job hunt. Recently we caught up over lunch. The stories he told of the interviews and the overall process gave me flashbacks in my own job hunt over five years ago.

Our industry likes to not learn easy lessons. And it fails to learn these lessons over and over again.

The approach I continue to advocate is to find the right fit for the position and team. And having some diversity in staff — in skills, abilities, and personalities as well as the traditional factors — makes for a stronger, more resilient team.

Newsmaker Interview: Bruce Schneier on ‘Going Dark’ and the Crypto Arms Race:

TP: Thinking about the FBI, is there a middle ground between the things that law enforcement wants to do and the people’s right to security and privacy?

Bruce: The middle ground is having less security and giving more access to people who want to break into systems – that’s the FBI and the Chinese government and cybercriminals. That’s the middle ground. Think of it as a dial. How much security do you want to have? How much access do you want?

This notion that I can build a backdoor that only works if a [person with a] certain morality tries to use it. That’s what doesn’t work. If you’re willing to have your nuclear power plant a little less safe in exchange for giving the FBI access, that’s your tradeoff.

(Via The first stop for security news | Threatpost)

A lightweight read that makes for a great resource when trying to explain this to non-security types.

※ Typical full disclosure as Bruce and I are part of the same organization.

Containers or virtual machines: Which is more secure? The answer will surprise you:

The real point, though, isn’t which technology is more secure per se. It’s that, for the most severe security problems, containers and VMs have about the same level of security. Indeed, Bottomley thinks, “it is perfectly possible to have containers that are more secure than hypervisors and lays to rest, finally, the arguments about which is the more secure technology.”

“The next step,” he continued, “is establishing the full extent of exposure to a malicious application and to do that, some type of fuzz testing needs to be employed.”

In addition, Bottomley’s work is only the start. He’s shown it’s possible to objectively measure an application’s security. As he said, “I don’t expect this will be the final word in the debate, but by describing how we did it I hope others can develop quantitative measurements as well.”

(Via Latest Topic for ZDNet in security)

I highly recommend reading the source post here: Measuring the Horizontal Attack Profile of Nabla Containers. It’s about as long as, but more technical than, the above article.

I’ve not kept up with containers much in the last few years. I was taken by the technology and the approach to the point of having a rather nice lab set up at home on a spare BSD box I had kicking around. I remember someone presenting a talk on using containers (specifically, Docker instances) on the desktop for better process isolation of web browsers and security testing tools. I almost wish I had the cycles to dive back in.

p.s. — Steven J. Vaughan-Nichols, the author of the first article, should donate, some, of his, many, extra, commas to James for his post. 😉

Evaluating a “Cybersecurity Moonshot”:

For cybersecurity, however, the “moonshot” or the sometimes-interchangeable cyber “Manhattan Project” may not be the best models.

First, both the moonshot and the Manhattan Project were relatively focused, short-term efforts aimed at a single and clearly defined objective—land on the moon, explode an atomic bomb. We do not have the same clarity and focus for cybersecurity. Project Apollo, delayed by a tragic fire, took seven years to put people on the moon while the Manhattan Project took three years to build the atomic bomb. Both were well-resourced. It may be possible to match these speeds if the technological objective of the cybersecurity moonshot was clearly defined and if the United States is willing to make the needed investments, but the construct we call cyberspace is the most complex creation ever built by humans. There are entrenched interests fearful of any change, and the politics of a cyber moonshot will be much more daunting.

A cyber moonshot could increase its chances of success if it could identify technologies that would provide wide-ranging improvements for cybersecurity.

This article raises some excellent concerns. Indeed, in order for this kind of thing to be successful (or like the Solarium Project I wrote about the other day) we need to define clear goals and objectives.

And we need fresh thinking, something VCs, the cybersecurity industry, and the US government largely lack at the moment. Everyone seems to be iterating the same concepts.

What do you think? Is this a space where a government run or sponsored project could, assuming the best conditions, make a noticeable impact?

The story of Mary:

Mary spent a lot of time on the phone speaking with her CEO, general counsel, CFO and other business leaders in her company and at those she was evaluating for purchase. “A good deal doesn’t get done on email” she was fond of telling her co-workers. And it was true. So as Mary was waiting on her delayed flight to board at Newark International Airport one day, she decided to squeeze in one more call to try and finalize the terms of a merger that was coming together between her company and a competitor. What Mary didn’t consider, as she was singularly focused on that conversation, was that she wasn’t alone in her conversation. Sitting near her, and listening to every word she said, was a financial reporter from a well-known business website. He put two and two together pretty easily. The pending merger would not be a secret for long.

You can use your imagination to guess what happened next. Story of the pending merger, which Mary had finalized on the call that day, broke online within 24 hours. Investors and speculators climbed all over the stocks of both companies and the fallout drastically changed the financial dynamics, effectively killing the deal. In the end, Mary’s company calculated that the failed merger attempt cost them $12 million, not to mention the lost market opportunity and value that the merger would have created. No one was ever able to tie the leak directly to Mary, but since there were so few people involved in the negotiations there were assumptions made. Mary’s career stalled after that.

(Via CSO Online)

I’ve talked before about my role in defending against outsiders learning about potential Mergers & Acquisitions targets of a former employer. So much around this is old-school physical security and OpSec. It is challenging but fun work – very cloak and dagger.

The article is a nice reminder that all of your security budget going toward shiny boxes and cool services doesn’t protect against this very real risk scenario.

Supply-Chain Attacks: Why the U.S. Should Worry:

There are different types of supply-chain attacks: generic attacks, which attempt to sabotage all devices; and targeted attacks, which take advantage of knowing the end customer for a device. Additionally, supply-chain attacks on the software component can take place not only when a device is shipped but also whenever the software receives an update. There are also information-gathering supply-chain attacks in which a cloud service provider reveals data.

The U.S. government needs to take supply-chain attacks much more seriously and refine government purchasing in ways that resist these attacks. Some attacks—such as bulk sabotage of consumer chips or devices—are probably unavoidable. But wide-ranging attacks like these can cause only limited amounts of damage, because, unless they are particularly subtle, they are more likely to be detected.

(Via Lawfare – Hard National Security Choices)

Why supply chain isn’t a bigger discussion when discussing security boggles my mind. Every company and organization – and individual – is vulnerable.

A Glimpse into Private-Sector Cybersecurity in Japan:

Many Japanese government agencies and corporate actors are discovering the importance of cybersecurity as a set of national policies (the selection of Tokyo for the 2020 Olympics has been an impetus). But Japan’s role in the global economy means that government, business, policy, and academic actors outside of Japan need to understand the current policy stances and policy processes for their own economy and cybersecurity. “Business Management and Cybersecurity” provides an excellent entry into Japan’s changing understandings and its roles in global cybersecurity.

… Another example of the value of the book’s comparative approach is its description of the different expectations of the chief information-security officer (CISO) role in corporations in Japan and overseas. Only 63 percent of Japanese companies assign a CISO, whereas the ratio is 95 and 85 percent in the U.S. and Europe respectively. While CISOs are “dual-hat” positions in 35 percent of Japanese companies, the ratio is only 17 percent in the U.S. and 18 percent in Europe. Since Japan does not have as many long-term cybersecurity professionals as the U.S., and since Japanese business culture does not usually recruit C-suite executives externally, “Business Management and Cybersecurity” expresses doubt that an American or European approach of hiring and assigning a CISO would work in Japan. Instead, the book suggests that cybersecurity team building would be more effective given Japanese business culture and patterns of Japanese corporate governance.

(Via Lawfare – Hard National Security Choices)

The review definitely echoes my observations working here for the past 30 months. Looks like I found my next book! I just hope there is an English edition that doesn’t lose too much in translation.
