EPISODE VI – Nation-State vs. The Internet (A Follow Up)
26 JUL 2016
For all those who have not been living under a rock, the last few days have been full of “excitement” regarding the Democratic National Committee’s e-mail leak and possible attempted Russian influence of the 2016 US Presidential Elections. Therefore, in follow up to Episode V, I felt this was a good topic to write on.
I will not be discussing any politics or policies in this piece. Furthermore, I will not be discussing possible Russian involvement, nor will I be discussing any potential capabilities. Much has been written on that elsewhere, by much more competent specialists.
With that said though, what I believe you should all discuss amongst yourselves is this:
If a major geopolitical force had the capability and ability to influence another major geopolitical force, would it? Would you?
Don’t be surprised if you pull out some history books and see this has been going on for, probably, oh, a few thousand years. The very nature of statecraft suggests that if you had the capability, ability, and opportunity to influence, why would you pass it up? The only reason to pass up the opportunity is because it is in your own interests to do so.
That is about the extent to which I will go on this matter.
What I will discuss is something much more fundamental and something I seem to be making a habit of in my updates: the “people problem” of cyber security.
What troubles me about the entire DNC e-mail leak – and I will use polite words – is the manner in which certain people acted. Let’s get some simple facts out of the way:
- Is the 2016 US Presidential Election a big deal? Yup.
- Are there stakeholders outside of the US that have an interest in the 2016 US Presidential Election? Yup.
- Is there a chance some other actor may have interest in the inner workings of those behind the 2016 US Presidential Elections? Yup.
- Have there been feelings of fracture within both parties? Yup.
- Has e-mail security been a major topic in the campaign for some time now? Does Winnie the Pooh like honey?
These are five simple questions, with five very simple answers. One does not need to be a specialist or have some deep level of understanding to answer these questions. They are simple answers because the answers are so transparent that even those with nothing more than a passing interest in what is going on should be able to answer these questions with total ease. These answers are not breaking news, nor do they present some sort of earth-shattering revelation. They are simply that simple.
Therefore, for the love all things fuzzy and cute – why-oh-why! – would the senior leadership of the DNC actually put in e-mails what they did?
I do not know. I really do not know because I am not in the heads of these people. Did they think they would not get caught? Did they think that – especially in such a hot and fractured political climate – that these comments would be a non-story if they ever got out? Did they think that the DNC’s e-mail server was that secure? Were they just that naïve? I truly do not know.
But what this scenario presents is a classic case of a “people problem” cyber security issue. I am not making a case, for or against, whether the comments were right or wrong. That is not the point. My frustration regarding this entire ordeal stems from this: why are people so ignorant to believe that by putting these words in an e-mail would not possibly come back to haunt them?
Are they so ignorant? Do they have such blind faith in their security systems? Or do they simply believe they are that far above and beyond any possible backlash? Again, I truly do not know. That is for them to tell us, not for us to try to decipher, because any attempt on our part is simply presumptuous.
I have a general rule of thumb when it comes to posting something the Internet, regardless of the medium, whether it is: e-mail, social media, online profiles, uploading/accessing files to/from a corporate network, peer-to-peer file transfer, and yes, even a LinkedIn post like this one. My general rule of thumb goes something like this:
Unless you’re willing to stand naked, in the middle of Times Square, screaming at the top of your lungs to say/show whatever it is you are about to upload, do not put it on the Internet!
It does not matter if it is a state secret, a comment regarding a colleague, or even a picture you may have to explain in the future. Unless you are ready to explain yourself, at some future point, why you did this, do not put it on the Internet…it’s that simple! And if you do, because you absolutely must, be prepared that one day you may have to answer as to why somebody else was able to get their hands on it and use it against you.
The issue regarding the DNC e-mail leak is not whether there was any Russian involvement; that is a by-product. Similarly, the issue is not whether the DNC e-mail server got hacked; that is also a by-product.
As an aside, let’s be honest for a moment: the DNC server is a target and a prized asset to steal; just as the RNC server is. For those who believe otherwise, please book me a ticket to Fantasyland to join you (and please pay for it while you’re at it). And let’s be even more honest: every possible state and non-state actor that thinks they can get a hold on these assets will do everything they can to do so. So why should it be any surprise to anybody that these actors would try to use these stolen assets to their advantage if they got their hands on them?
Perhaps I am a being a tad too realpolitik about this, but look at this from the perspective of the other actor and ask yourself: what would I do if I were in that position?
The issues regarding the DNC hack are as follows:
- Somebody behaved inappropriately; and
- There was a trail (or a way to monitor and access) that inappropriate behavior.
If there is no inappropriate behavior, who cares? Worst case you have on your hands is some damage control with some non-sensitive information.
Similarly, if there is inappropriate behavior (which I am in no way encouraging), please, at least be smart about and don’t leave a trail! Or don’t be so incredibly (be polite) “careless” to do something like, oh, send out a group e-mail with credentials to access a database!
Act carefully (especially if you plan on acting inappropriately). Act carefully from the beginning. Be a smart actor while operating in cyberspace.
If you act smartly, even if you do get hacked and subsequently need to deal with a “fire”, the fire you will need to put out will require a fire extinguisher; if you do not act smartly, that fire will require an army of firefighters and water bombers…and that may not even be enough (so get on your knees and start praying for rain).
No inappropriate behavior (or nothing sensitive available), no reason to hack; no reason to hack, no prospect of an actor trying to use stolen information against you. It’s that simple. No technical defense measure is as good as that solution.
This is a people problem, plain and simple.
In closing, for those who are about to say, “but George, what you’re proposing would require us to go back to the stone age and give up all these efficiencies we have found in our operations, increasing productivity, yada yada yada.”
That’s not really what I’m proposing. I’m proposing being smart about your actions while operating in cyberspace. The words “security” and “efficiency” should never be used in the same sentence. They are in complete contradiction to each other. What you need to do is define “risk” and “secure” in a way that works for you. Humans make this choice, not machines. This requires a culture change and it will take time, especially with so many billions already invested into technical measures, coupled by an already careless “meh” culture when it comes to security.
As always, I would like to thank everybody that has helped to spread the word. Cyber security is here to stay, so again, THANK YOU for all those who are supporting, sharing, liking, and doing their best to make cyber space a safer place!
Until the next Episode, all the very best to you and yours!