<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<img alt="<overwatch picture>"
src="cid:part1.E15CCD8E.CEEE3286@immunityinc.com" height="332"
width="591"><br>
<br>
<a href="http://imgur.com/gallery/VkkGb">Overwatch </a>has swept
the nation! In particular, it's swept the small cadre of hackers
that makes up Team Cyber, to the point where you can make random
professional connections on any server Blizzard sends you to. A
couple nights ago I talked about INFILTRATE with some people while
we shot at each other with imaginary dragon arrows. And I wanted to
talk here about the Overwatch story a bit, because I think it
describes a lot about how our dear friends in Government Policy
Circles see cyber. <br>
<br>
Like a lot of stories, like Avengers, or really any movie ever,
Overwatch has a team of super-powered heroes wearing super-gear
trying to either protect or attack various super-weapons, like a
"doom gauntlet" or some super bomb on a floating cart. But the
actual game is about team dynamics. It's maybe 20% individual skill
and 80% communication and coordination. Like all modern games or
sports there's a "meta-game" of picking which strategy to use
against the other team, and the right "meta" changes at different
levels of skill - a team of novices is simply not going to be able
to take advantage of the minute shifts in game balance provided by a
flanking strategy. <br>
<br>
Look at US Cyber Policy? What do you see but a focus on the "Doom
Gauntlets" of 0day and the "Payloads riding on the floating carts"
of Intrusion Software. If only we could hold another meeting on
vulnerability disclosure? Did you know cars have vulnerabilities? If
only we could protect ourselves from having BAD people hacking our
clearly outlined critical infrastructure but also make sure BAD
people don't communicate freely over Twitter but also GOOD people
should be invulnerable when in their hotel rooms in Ethiopia!<br>
<br>
The thing about the meta-game of cyber war (or Overwatch) is that
it's impossible to describe in an hour long meeting at the CFR. And
as much as everyone likes to make fun of Dilbert-Artist <a
href="http://blog.dilbert.com/post/148152679301/experience-is-overrated">Scott
Adams</a> for suggesting on Twitter that "most things can be
learned in an hour-long meeting with top experts", that's exactly
how our policy circles want to work. Let's get some "top subject
domain experts" in a room for an hour with two policy people and
then at the end they will make a decision by redefining some things
as good and some things as bad and let's see how that works. <br>
<br>
So, very briefly here, I'd like to talk about the "meta-strategy" of
what in the US is known as "salami slicing" as far as Cyber War
goes. <br>
<br>
<img alt="<genji picture>"
src="cid:part4.9DB77B8C.17C3BD8E@immunityinc.com" height="191"
width="341"><br>
<br>
One thing that you cannot do in most areas of conflict is
over-specialize. But the cyber domain is different. It rewards
overspecialization to a huge degree. If all my team does is Java
middleware, and we've got ten years of experience on only that, we
can hack any company on the planet without breaking a sweat. If I do
only ONE bugclass on Solaris of all things but I do it with the ease
of breathing, then I can hack anything as well. If I am the world
expert on cross site scripting then I will have a shell on
kernel.org, guaranteed. The struggle between all the groups with
these levels of specialization is purely about communication and
coordination. There's no Doom Gauntlet, or maybe there's only Doom
Gauntlets or the Gauntlet is you or something. Analogies always
break down at inconvenient points. <br>
<br>
When you see high level people in the US Financial world interact
with Spook world for the first time (often at <a
href="http://infiltratecon.com/">INFILTRATE</a>) they're amazed at
this level of specialization. "She spent 10 years on X.25?" they'll
say, with a sort of half-amazement-half-disgust in their voice. What
I always hear is that the high-skill-and-resource cyber meta-game is
not what they expected. <br>
<br>
-dave<br>
</body>
</html>