<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Occasionally I like to reflect, as you all do, on the various
things that have mis-shaped our understanding of cyber war. <br>
</p>
<p>For example, take this Intercept article based on the Snowden
leaks:
<a class="moz-txt-link-freetext" href="https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/">https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/</a></p>
<p>Viewed in hindsight, this article points very closely at
something I'm going to support in depth in an article coming out
shortly, which is that <b>the term "Critical Infrastructure" does
not apply in cyber the way defense strategists think it does</b>.
I mention this, which may seem obvious to the readership of this
list, because if you read policy papers they go on an on about how
nations should avoid "attacking" each others "critical
infrastructure" as a "norm". They don't, of course, consider
defining a lot of terms in any specificity, but they do mention
that under no circumstances should CERTs be attacked. Which
clearly is ridiculous because in cyberwar the CERT is something
you will have penetrated first so you know when you've been caught
everywhere else. Likewise, CERTs are usually very easy to attack.
Likewise, top on your list is <a class="moz-txt-link-abbreviated" href="mailto:secure@microsoft.com">secure@microsoft.com</a>, and every
other security contact. And in order to claim those things as "off
limits" we have to declare huge swaths of infrastructure (often
unknown ahead of time) as off limits.</p>
<p>Also visible in retrospect is that people love to focus on the
catchy phrases. "I hunt sys-admins". Sure you do! But that means
your strategic offensive efforts have already failed at least
twice. In order to get to the point where "I hunt sys-admins" team
is involved, you have to get through "I hunt developers", "I hunt
other hackers", and "I hunt system integrators". And even above
them is "I hunt standards developers and cryptographers" (aka,
NIST :) ). <br>
</p>
<p>-dave<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</body>
</html>