Wednesday, May 27, 2015

What's really behind the Wassenaar BIS rule proposals?

Much has already been written about the new Wassenaar amendments and why they are a bad idea.  If you're only going to read one post on the topic, don't read mine. Rob Graham did a much better job describing the problem here.  I might write something on that in the future, but only if I really feel I have something to add.  I did publicly comment on the proposed rules to BIS and you should too.  You have until July 20, 2015 to do so.

I'd like to comment on why I think rules like this are even in draft form.  Yes, certainly they benefit spying organizations and there's probably some invisible heavy hand there.  But the Patriot Act benefits them as well and that's falling apart in front of our eyes.  So what's the real problem?  I blame Hollywood.

Let's be honest, the infosec field is hard to understand.  My mom has no idea what I do for a living and I haven't really tried to explain it to her.  But I should.  Because every few months, she calls me and asks some inane question about whether I can help her do something that she saw my apparent peers do on CSI or NCIS.  And this has been going on since before CSI-Cyber or Scorpion were on TV.

My mom is at least one of the good guys.  She's interested in stuff like "helping the police by enhancing that photo from the surveillance system at work" or "hack into Instagram to see who is really bullying your niece."  My mom isn't dumb: she's a retired field grade Army Officer and an accomplished mental health nurse. She just doesn't understand what is and isn't possible in the world of cyber (ugh, I threw up in my mouth a little when I wrote 'cyber').

When hackers in Die Hard take down the national power grid using 0days, and those in Swordfish can write bank-firewall-bypassing worms at will (apparently using some graphical coding language, the likes of which nobody has ever seen before), what are average people to believe is or isn't possible?  Even if these are viewed as just minor exaggerations, the implications are still pretty scary.  Of course, if you are reading this blog, you probably already know things don't work that way.  But wow, do we suck at communicating it.

From Swordfish - what the literal f$#k is this?!

The average person is ignorant of detailed facts outside of their chosen profession.  Politicians and bureaucrats, the ones interpreting and crafting rules around Wassenaar, doubly so.  This congressman was worried Guam (yes, the island) might capsize if Marines were moved in a facilities consolidation.  In case you are curious, this guy has been re-elected several times since.  To my point, Rep Hank Johnson has zero chance of understanding the idiosyncrasies of Wassenaar, so just calling your elected official to complain is probably not an effective strategy (especially if you live in GA's 4th district).

I can't think of another professional field that would not stand up and fight back against Hollywood if their profession was mis-portrayed the way infosec is.  Could Hollywood get away with a show that portrayed all cops as dirty?  What about a show where all nurses were portrayed as drug addicts?  Or a show that documented how all teachers inappropriately touch their students when nobody is watching?  Nope, the professional groups wouldn't stand for it.

In infosec films, even the hero regularly breaks the law to get the job done.  As a group, we need to do more to correct the common person's impressions of infosec.  The "I Am The Cavalry" movement takes a lot of flak from people in the industry who think they aren't doing enough/doing it right/etc.  But I will say that at least they are doing something.  I don't have all the answers, but I believe the solution is threefold:

  1. Stop standing by while Hollywood butchers our profession.  It's insulting.  Instead of laughing 
  2. Take some time to do grassroots education.  I recently spoke to my daughter's 2nd grade class on career day. The teacher, who molds young minds, cut me off when describing a penetration test because she thought I was talking about breaking the law.  After a quick side discussion, we were back in business, but this is the sort of grassroots education that needs to happen.
  3. Talk to your elected officials as well or support an industry group that does.  They don't understand our issues any better than they understand the intricacies of open heart surgery.  Explain it to them.  They make the laws we'll all have to live with and garbage in/garbage out as the old saying goes.

I'd love to know what you think about this - how do we educate the public that what we do isn't horribly evil and in need of regulation?



  2. Media presents cyber attacks frequently because it catches people's interests. Why are they interested? It is because these attacks have the potential to have a detrimental impact on their lives. An attack 20 to 30 years ago may impact a university, government or business; it had very little impact on people and information about them. Most PII or PHI was on paper in a physical format and not digital. Hollywood portraying a teenage hacker could be attributed to a historical viewpoint. In a demographical observation, hackers in the 80's were most likely young adults or teenagers. Understandably so, considering technology was not as prevalent in most homes unlike today. Most adults and teenagers in the 80's were learning what a computer was and how to use it. Teenagers may have had a more devious curiosity and little remorse for their actions. Fast forward to the present and now that teenage hacker is an adult with a career as either a very experienced hacker or a hacker turned security professional. Computers today are not only a staple in most households, but most have more than one computer (if you include smart phones, tablets, etc.). With identity theft and credit card security breaches affecting more and more people, they want to know more about how to protect themselves. If the source of information on how an attack occurs is from Hollywood or the media, then that's on them, or is it? I agree with your solution being multi-faceted. Unlike the media, we as security professionals need to take the time to educate the elderly, young students and influential government officials. Taking the time to speak at your daughter's 2nd grade career day is a great start and advertising it was even better. If we also would stop trying to impress each other online, stop being introverted offline and took time to explain concepts in a simpler form to non-technical individuals, maybe then we might have more of a positive impact.
Hopefully more security professionals, me included, follow your lead and recommendation on this subject. Until that happens, we will keep trying to impress using h@x0r speak insulting all the n00bs in the process.

