<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Like many of us, I sometimes feel like John Nagl when it comes to
pointing out that we are engaged in what looks and feels like
Counter-Insurgency in cyberspace, although we are acting like we are
not. As background, I spent my early years working for the Defense
Department, so the way "War Writ Big" is done is built into my
headspace. And for the past decade I've run Immunity, which is one
of the few pure-plays in the offensive space, but is still a small
insurgent by any standard. For the past couple of months I've been
working on adapting the modern counter-insurgency treatises to our
area of expertise.<br>
<br>
Let me quote from Nagl's <a
href="http://www.amazon.com/Knife-Fights-Memoir-Modern-Practice/dp/1594204985">recent
book</a> in the chapter dedicated to trying to change the
Army from a "Sweep and Clear" methodology to a "Clear, Hold and
Build" counterinsurgency methodology.<br>
<br>
<i>"Only the population could identify the insurgents in their
midst, and they would do so only if they could be certain that
they would survive the experience."</i><br>
<br>
Recently Sony and GitHub have both come under attack from nation
states who want to enforce a censorship regime on them. What the US
has to offer these companies is a Sweep and Clear methodology. No
doubt it is clear to both of them and any interested observers that
they may not survive the experience of an ongoing conflict. <br>
<br>
To move to a "Clear, Hold and Build" strategy in cyberspace we need a
complete shift in focus. The first step is the least popular, and
the most difficult: We need to establish comprehensive situational
awareness, with as many layers as we had in Anbar province.
Satellites, Drones, SIGINT and HUMINT all played into building a
picture in Iraq and "Find, Fix, Finish, Analyze and Disseminate"
(F3EAD) can be just as devastatingly effective in the Cyber Domain.
<br>
<br>
However, just as in Iraq, building real situational awareness
requires partnering with a vastly different culture. In this case,
Google, Microsoft, Apple, and other companies, many of whom are not
based in America, are directly at odds with the USG when it comes to
cyber policy. <br>
<br>
The recent <a
href="http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html">administration
push</a> to implement "split key" cryptographic escrow on top of
Apple and Google is just one example. Even if implemented perfectly
and painlessly, Google and Apple will always remember it as an
injustice forced upon them, one that puts them at a severe
disadvantage in foreign markets. <br>
<br>
Unfortunately, the first step of Counter Insurgency (cf.
Kilcullen's work) is asking yourself what kind of State you are
trying to build and whether that is even possible. We have not done
even this. It's time to do it now, and to begin building support for
a comprehensive USG and allied effort to perform proper Counter
Insurgency in cyber.<br>
<br>
If you want to collaborate on a policy (and random thoughts)
document for this, let me know and I'll see about sharing my current
Google Doc on this with you, or just come visit me at the bar at <a
href="http://www.infiltratecon.org/">INFILTRATE</a>. :)<br>
<br>
Thanks,<br>
Dave Aitel<br>
CEO<br>
Immunity, Inc.<br>
<br>
</body>
</html>