Attack vs. Defense in Nation-State Cyber Operations

I regularly say that, on the Internet, attack is easier than defense. There are a bunch of reasons for this, but primarily it's 1) the complexity of modern networked computer systems and 2) the attacker's ability to choose the time and method of the attack versus the defender's necessity to secure against every type of attack. This is true, but how this translates to military cyber-operations is less straightforward. Contrary to popular belief, government cyberattacks are not bolts out of the blue, and the attack/defense balance is more...well...balanced.

Rebecca Slayton has a good article in International Security that tries to make sense of this: "What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment." In it, she points out that launching a cyberattack is more than finding and exploiting a vulnerability, and it is those other things that help balance the offensive advantage.

Posted on April 13, 2017 at 5:45 AM • 25 Comments

Comments

My InfoApril 13, 2017 8:55 AM

This is a very basic concept.

Many, many potential vulnerabilities exist in any complex system.

Any one of them may be attacked in order to successfully penetrate the system.

All of them must be defended in order to successfully protect the system.

DanielApril 13, 2017 9:35 AM

I disagree with My Info because it simply isn't true that "all" of them must be protected. An attacker faces the same constraints as a defender does: time, energy, resources, knowledge. To be sure the attacker has a degree of advantage in that she chooses the time, place, and manner of attack but there is nothing new about that because that is true in every mode of warfare.

In my view what causes people like My Info to take such absolutist stances is ignorance. If one doesn't know much about the enemy every attack that is conceivable in theory becomes an attack that must be guarded against in practice. In practice, however, people and countries form habits, they develop MOs, they develop comparative advantages in some areas and not in other areas, they focus on certain strategic goals, etc, etc.
The result is that it is possible to limit the ranges of attacks that one has to defend against with a high degree of probability. Learning about one's enemy is a far better approach to security than hunkering in a cave with a tin foil hat on one's head.

ScottApril 13, 2017 9:44 AM

Bruce, you're misattributed as Bruce Schneider on page 87. I had to look up the source to confirm there wasn't someone with nearly the same name in the field testifying before Congress. Gave me a good chuckle.

DanielApril 13, 2017 9:51 AM

@Daniel

The first reduction of the "absoluteness" of this problem is to reduce the complexity of the system and the number of potential vulnerabilities.

Keep it simple stupid.

If we leave some potential vulnerabilities undefended, and we presume to know so much about our enemies' MO, comparative advantage, etc., etc., then surely our enemies will know about the vulnerabilities we leave undefended and then proceed to take full advantage of them.

No, I am not backing down from my absolute perspective.

Computer programming requires logic. No psychological analysis of our enemies, their MO, resources, etc., will prevent them from taking advantage of open logical vulnerabilities in our defense.

Clive RobinsonApril 13, 2017 10:28 AM

@ Bruce,

There are a bunch of reasons for this, but primarily it's 1) the complexity of modern networked computer systems and 2) the attacker's ability to choose the time and method of the attack versus the defender's necessity to secure against every type of attack.

The big dirty secret of "the complexity" is two fold, a) The lack of actuall "engineering design" in software -v- the artisanal patern aproach. b) The overwhelming desire of code cutters to lump everything together for effeciency/speed -v- the segregation and thus control and complexity limitation.

Whilst it's true an attacker can pick their time, place and method of attack it's not true that a defender has to defend everything for every type of attack. Again one problem with this is the lack of segregation. As has been said many times "A computer is not of much use without communication", but the statment misses the real point, it's "the type of communications" you alow which decides what you need to protect, how and importantly how much effort you have to put in.

As many systems administrators will chearfully point out, they are not alowed to lock down communications because of managment and code cutters. It goes something along the lines of a code cutter wanting to play with new technology, they then think up an excuse / business case to convince their managers that some new technology will "reap big benifits". In the majority of cases these days "new tech" is actually "grossly insecure communications" dependent, thus needless risk is taken. For other but similar reasons there is usually little or no segregation inside an organisation. Thus any weak spot is in effect an "open door policy" to attackers.

Fixing these problems would make defence not just easier but less costly in many ways.

There is nothing particularly new in this viewpoint, in essence it is using the same design methodology as used for TEMPEST/EmSec by electronics engineers and translating it from that domain to that of software design. However for many reasons to long to list it is not going to happen in the current economic/business climate where the measure of successe boils down to a rising "share price".

My InfoApril 13, 2017 11:46 AM

@Clive Robinson

b) The overwhelming desire of code cutters ...

You have a point there. By the time somebody in upper management has reason to think we need internet content filtering at work, what we really need is a mass layoff of brogrammers.

There's probably a prison barber in the next cell who will gladly do all the "cutting" for us.

John GaltApril 13, 2017 12:38 PM

[[[ Attack vs. Defense in Nation-State Cyber Operations ]]]

Easy.

How?

At war with Russia? Unplug their wires from network switches -- aka "bridges."

Blow up the bridge. You don't even need any C4 or engineers from the Army Corp of Engineers.

Problem solved.

PROBLEM: Too many educated idiots are trying to solve the problem of NOT blowing up the bridge. Lots of taxpayer money is keeping that bridge open.

Clive RobinsonApril 13, 2017 1:03 PM

The author of the article Rebecca Slayton has missed an important argument that would further support her view point.

Many people view cyberwarfare as no different to cybercrime. Thus they incorectly use the success of cybercrime to argue about the likely success of cyberwarfare.

It's similar reasoning to that you find with "Sunday morning / armchair quaterbacks" they talk a good game but their arguments are usually incorrect and made by trying to move backwards from an known effect to a cause of their on choice then move forward again to their desired conclusion of a different effect.

The main difference between cybercrime and cyberwarfare currently is the former is "opportunistic" whilst the latter is "highly targeted". It's why using the results of current cybercrime to draw conclusions about current cyberwarfare is an "apples -v- potatoes" argument.

To see why cybercrime cares not how many target attack failures it has as long as the few successes show a profit. Cyberwarfare however is about attacking what are in effect unique targets, thus a single failure is the write-off of development cost to that point.

Whilst throwing further resources at new attacks on the same target may eventually turn failure to success there are two issues to consider the first is lost time the second is lost suprise.

That is some types of cyberwarfare have to work at a single point in time, and even if they don't the chances are high that the initial attack will get noticed and the defence thus more active, and even retaliatory offensive counter attacks made.

This in turn raises the question of future cyberwarfare and how they can be turned from the current unique target to any target that is available. We already have seen how this might play out with IoT devices being used to perform massive denial of resources attacks. If we look at the attack on the "Krebs on Security" attack we can draw a number of conclusions. However the one of importance was what resource was being denied and to whom. The resource was communications and it effected the readers of the Krebs site. The point to note is that not only was the attack from distributed points those being denied the resource were also distributed and importantly the two distributions had a near identical distrubution on the network.

In the case of nation state level denial of resource attacks it is unlikely that the distribution of the deniers will be the same as the denied. Thus a carefull selection of network cut-off points will reduce the ability to deny resources from a major problem to a minor anoyance.

Such knowledge means that a cyberwarfare attacker will not realy benifit from a distributed denial of resource attack unless they can be assured that they can match their attack distribution to that of those they are seeking to deny the resources to. Which in effect brings such a cyberwarfare attack from a general one against any target that can be subverted in any location, to specific targets in the same network segments as those they wish to deny resources to. In effect this means attacking some if not all of the same hosts they wish to deny resources to. Logically this would not be a productive way to proceed, because if you can gain control over a host you wish to deny resources to, it would probably be easier to just damage the host system in some way. Thus it follows that the only time an attacker would carry out a denial of resources attack, is when they can not directly attack specific target hosts.

If you go through similar reasoning it becomes clear that one of the best defence stratagies is "hybrid vigour" where there is a significant number of varied if not effectively unique hosts. The problem with this is that you get into issues of nonscalability which requires proportionately more manpower to implement.

Thus the question of how many hybrids are required. Interestingly this is where voting system approaches by you advantages. Over a lifetime ago the New York Telephone company was considering reliability issues that effected their customers and developed the first redundant systems. Half a century ago NASA improved on this by having not just hybrid hardware but hybrid software developed by teams that had no influance on each other. Thus if an odd number of hybrids did the same task you would expect the same outputs for the same inputs, if they varied then you would go with the majority agreament. This is generaly refered to as a "fault tolerant voting system".

However there is a problem, many modern fault tolerant voting systems do not have the hybrid hardware/software which gives the system it's real strength. Which means such systems are not fault tolerant to being attacked, as a successfull attack against one host is a successful attack against all hosts in such a system.

This highlights why the development of hybrid systems for defence is so important and it is an area which needs a lot more attention than it is currently getting.

John GaltApril 13, 2017 6:48 PM

@ Clive

>>> The main difference between cybercrime and cyberwarfare currently is the former is "opportunistic" whilst the latter is "highly targeted". It's why using the results of current cybercrime to draw conclusions about current cyberwarfare is an "apples -v- potatoes" argument.

I disagree. YOU ARE THE TARGET IN TARGET PRACTICE.

Case in point: The birth of spyware (publicly acknowledge)http://www.nbcnews.com/id/3341694/ns/technology_and_science-security/t/fbi-software-cracks-encryption-wall/#.WPAKFZfaZQs

Another: Wikileaks https://wikileaks.org/vault7/#Grasshopper

Another: Want to see my firewall logs and all the probes that hit me from .mil and "owned" sites?

Last but not least: The purpose of cyberwar is to "disrupt" the enemy. "Disruption" includes targets like yourself and IBM and Google and Banks, etc.

And the #1 tools of choice: NMAP and Metasploit.

Sancho_PApril 13, 2017 7:02 PM

So we meditate on a offense-defense balance, musing on $$$.
And then look at Stuxnet?
Counting their damage as part of their costs of defense?
I don’t get it, sorry.

Cyber-security expenses of industrial control systems before Stuxnet?
- They didn’t know how to spell it, not only in Iran.
It was unprotected COTS SW and HW, LAN and USB being everywhere.
And today?

I think Stuxnet isn’t a good example for “cyber cyber”, more likely for good old physical sabotage.

@Clive Robinson re segregation

Right, but even without LAN from engineering station to the control station someone has to have the means to re-program the controller (?).
If the SW is “signed” by His Highness, the controller will accept it, even if it was a 2v3 fault tolerant one.

At the core there is the “re-programmable for convenience”.

tyrApril 13, 2017 8:13 PM


@Clive, et al

There are a couple of points that do make
sense. Trying to portray everything in the
knee jerk simplicity used for the fake news
gets the conflation of warfare and crime.
Most of the 'war on terror' shows what happens
when you attempt to militarize against crime.
Most of the terrorist actions are criminal
behaviors which reasonable police work can
limit. Getting the IC and the Army into the
act masks off the possibility of any solution.
All it does is make it harder to control.

The idea that a computer is useless without
built-in communications is just cultural bias.
The younger generation never saw one without
so it must be part of the machine. When we
had to build our own modems they weren't an
integral part of the comp but no one insisted
that their computers were worthless without it.

The major sacrifice was of any security for the
convenience of communications and remote control.
IoT is the same level of silliness carried to
the extreme by those who want things to market
as somehow new and shiny. Hooking your LED lit
toilet seat up to the Net is completely insane
unless you are in the salesforce.

The Net made perfect sense for the purpose of
its design. Hooking up everything that way is
collective insanity looking for a way to break
everything.

Comp is only a small part of electronic warfare
the danger is thinking it should be the tail
that wags the dog.

John GaltApril 13, 2017 11:16 PM

@ MY INFO

This is a very basic concept. Many, many potential vulnerabilities exist in any complex system. Any one of them may be attacked in order to successfully penetrate the system. All of them must be defended in order to successfully protect the system.

And then someone created SystemD

The major sacrifice was of any security for the convenience of communications and remote control. IoT is the same level of silliness carried to the extreme by those who want things to market as somehow new and shiny. Hooking your LED lit toilet seat up to the Net is completely insane unless you are in the salesforce.

The Net made perfect sense for the purpose of
its design. Hooking up everything that way is
collective insanity looking for a way to break
everything.

Comp is only a small part of electronic warfare
the danger is thinking it should be the tail
that wags the dog.

SystemD again.

Why Debian/Shuttleworth gave into this... I'll never understand...

UNLESS... you add Torvald's not-too-long-ago NSA (headshaking non-)commentary and consider RedHat's only real paying customer is the DODO.

Patriot COMSECApril 14, 2017 4:35 AM

Mr. Schneier gets to the point.

I was just writing on some of the same issues.
https://wordpress.com/read/blogs/127303276/posts/4

Our company views information technology as a weapon you carry when you talk, either for defense or offense. It is not something that is here to start a conversation. It is for personal or societal defense, and it's for personal or societal fighting.

I have not yet read Mr. Schneier's book "Liars and Outliers", but I am willing to bet that he did not say that civilizations are in a battle to the death. Nor did he go into how trust is a charade, or made extremely difficult, in multicultural societies.

Mankind is not as social as his internet connection.

Those who are well-off do not think of the world or its struggles this way. Thinking that you are at war, or ideas such as how you do not really live in a democracy, can ruin dinner.

When you are behind a desk and it is late, and your job is in cyber war or some closely related field, the pressure mounts. It is like the room is filling up with water up to your neck. Not all activities such as these are in safe locations, so the distinction between cyber war and close quarters battle can be blurred.

Attribution and blowback.

The psychological import of cyber war, whether defensive or offensive, is very important. The motivations or even lack of motivation are interesting. Another thing that needs to be considered is how defeat in cyber war tends to be silent--the general reaction is to pretend it did not happen. Look at the OPM fiasco. In a sense, the tension comes from caring. Some people who are involved in this kind of war really do not care about what they are doing. Some care intensely. One of the main points may just be that it is funner to destroy. It is fun to attack. It might be more stressful, but it is not a terrible stress.

On defense you have to wait and think, and thinking is the great bane of humankind. But defense expects less: you do what you can and go home. Offense is a lot funner: you are in the center of the ring and you can smell blood.

Patriot COMSEC
Chiang Mai, Thailand

John GaltApril 14, 2017 4:51 AM

@ Patriot COMSEC

SILENT WEAPONS FOR QUIET WARS

Security

It is patently impossible to discuss social engineering or the automation of a society, i.e., the engineering of social automation systems (silent weapons) on a national or worldwide scale without implying extensive objectives of social control and destruction of human life, i.e., slavery and genocide.

This manual is in itself an analog declaration of intent. Such a writing must be secured from public scrutiny.

Otherwise, it might be recognized as a technically formal declaration of domestic war. Furthermore, whenever any person or group of persons in a position of great power and without full knowledge and consent of the public, uses such knowledge and methodologies for economic conquest - it must be understood that a state of domestic warfare exists between said person or group of persons and the public.

The solution of today’s problems requires an approach which is ruthlessly candid, with no agonizing over religious, moral or cultural values.

You have qualified for this project because of your ability to look at human society with cold objectivity, and yet analyze and discuss your observations and conclusions with others of similar intellectual capacity without the loss of discretion or humility.

Such virtues are exercised in your own best interest. Do not deviate from them.

Descriptive Introduction of the Silent Weapon

Everything that is expected from an ordinary weapon is expected from a silent weapon by its creators, but only in its own manner of functioning.

It shoots situations, instead of bullets; propelled by data processing, instead of chemical reaction (explosion); originating from bits of data, instead of grains of gunpowder; from a computer, instead of a gun; operated by a computer programmer, instead of a marksman; under the orders of a banking magnate, instead of a military general.

It makes no obvious explosive noises, causes no obvious physical or mental injuries, and does not obviously interfere with anyone’s daily social life.

Yet it makes an unmistakable "noise," causes unmistakable physical and mental damage, and unmistakably interferes with the daily social life, i.e., unmistakable to a trained observer, one who knows what to look for.

The public cannot comprehend this weapon, and therefore cannot believe that they are being attacked and subdued by a weapon.

The public might instinctively feel that something is wrong, but that is because of the technical nature of the silent weapon, they cannot express their feeling in a rational way, or handle the problem with intelligence. Therefore, they do not know how to cry for help, and do not know how to associate with others to defend themselves against it.

When a silent weapon is applied gradually, the public adjusts/adapts to its presence and learns to tolerate its encroachment on their lives until the pressure (psychological via economic) becomes too great and they crack up.

Therefore, the silent weapon is a type of biological warfare. It attacks the vitality, options, and mobility of the individuals of a society by knowing, understanding, manipulating, and attacking their sources of natural and social energy, and their physical, mental, and emotional strengths and weaknesses.

http://www.bibliotecapleyades.net/sociopolitica/esp_sociopol_cooper2a.htm

Patriot COMSECApril 14, 2017 4:55 AM

One more thing: there may be some kind of balance in state-sponsored cyber operations as an abstraction, but in practice we need to keep our eyes on what is really going on and has happened in the last few years: the utter defeat, the mopping of the floor, the robbing of the US cookie jar, by Beijing. It is belly laughs and back slapping all-round for them. There are taboo topics in America. One cannot say that the Office of Personnel Management failed because a female was in charge, nor that she was a Puerto Rican and put in place to be a token; nor can one say that the CIO was worthless, nor can one mention that she was put into place for diversity. Again, laughter in Beijing. When Obama landed in Hangzhou last year, he was treated with amused contempt. Yes, amused contempt. If you stole the names and confidential info of everyone in the intell field for the US, for free, you would chuckle too. Especially easy since it was on an unsecure system.

Let's not pretend that there is some kind of balance going on. A former DIRNSA called it the greatest grab of technology in human history. Effect? Trump just said China is not a currency manipulator. Can you hear the funeral music for the USA playing in the background?

Rufo Guerreschi April 14, 2017 6:42 AM

You assume great complexity to determine that attack is eqsier than defense. But than complexity is not at all a given if you want to provide basic computing functionality. You could easily increase the intensity of security design and review, relative to complexity, by 1 or 2 orders of magnitude, as we are doing at trustless.ai

Clive RobinsonApril 14, 2017 8:04 AM

@ PatrioticCOMSEC,

When ... your job is in cyber war or some closely related field, the pressure mounts. It is like the room is filling up with water up to your neck. Not all activities such as these are in safe locations, so the distinction between cyber war and close quarters battle can be blurred.

It's not anything like "close quaters battle" even if you are a NOC. It is however quite similar to being a white collar criminal or cybercriminal engaged in the activities that will get you detained.

Your argument is just as bad as those in the military command who say US Drone pilots in airconditioned containers just a short drive from Sin City should receive medals and honours previously reserved for those showing initiative or bravery whilst under enemy fire...

albertApril 14, 2017 11:28 AM

@Clive,

"...It's not anything like "close quaters battle" even if you are a NOC. It is however quite similar to being a white collar criminal or cybercriminal engaged in the activities that will get you detained...."

Bullshit.

There are hundreds of 'white collar' criminals on Wall Street that will -never- be punished. The same for the Banksters in the UK.

Perhaps you'd like to explain the record numbers of drone pilots quitting the UASF (http://inthesetimes.com/working/entry/17718/drone_pilots)

How about the psychological effects of pulling the trigger on 'combatants' (who later turn out to be civilians)?

Anyone with any humanity in them would quit. Only the sociopaths will remain. Maybe the AF should hire sociopaths directly. Simple enough to screen for.

All of this for -totally senseless and illegal- 'wars', at the service of the oligarchs. Yeah, that'll weigh on -some- people.

. .. . .. --- ....

John GaltApril 14, 2017 12:14 PM

@ albert

[[[ Anyone with any humanity in them would quit. Only the sociopaths will remain. Maybe the AF should hire sociopaths directly. Simple enough to screen for.

All of this for -totally senseless and illegal- 'wars', at the service of the oligarchs. Yeah, that'll weigh on -some- people. ]]]

Birds of a feather do what?

Everything that is expected from an ordinary weapon is expected from a silent weapon by its creators, but only in its own manner of functioning.

It shoots situations, instead of bullets; propelled by data processing, instead of chemical reaction (explosion); originating from bits of data, instead of grains of gunpowder; from a computer, instead of a gun; operated by a computer programmer, instead of a marksman; under the orders of a banking magnate, instead of a military general.

THE GOAL

It is patently impossible to discuss social engineering or the automation of a society, i.e., the engineering of social automation systems (silent weapons) onIt is patently impossible to discuss social engineering or the automation of a society, i.e., the engineering of social automation systems (silent weapons) on a national or worldwide scale without implying extensive objectives of social control and destruction of human life, i.e., slavery and genocide. a national or worldwide scale without implying extensive objectives of social control and destruction of human life, i.e., slavery and genocide.

THE METHOD
The solution of today’s problems requires an approach which is ruthlessly candid, with no agonizing over religious, moral or cultural values.

QUALIFICATIONS
You have qualified for this project because of your ability to look at human society with cold objectivity, and yet analyze and discuss your observations and conclusions with others of similar intellectual capacity without the loss of discretion or humility.

Such virtues are exercised in your own best interest. Do not deviate from them.

THE STATUS QUO

Otherwise, it might be recognized as a technically formal declaration of domestic war. Furthermore, whenever any person or group of persons in a position of great power and without full knowledge and consent of the public, uses such knowledge and methodologies for economic conquest - it must be understood that a state of domestic warfare exists between said person or group of persons and the public.


Statistically, 2% of the population is psychopathic.

The world is ruled by psychopaths at the top (destroyers/looters) ... and their minions by wanna-be-psychopaths (sociopaths or "hitchhikers").


IF THE SHOE FITS, WEAR IT.

Dirk PraetApril 14, 2017 12:54 PM

@ albert

How about the psychological effects of pulling the trigger on 'combatants' (who later turn out to be civilians)?

@Clive does have a point in the sense that none of these guys get shot at or endure any of the other hardships commonly associated with a (physical) battlefield. If they burn out because their management works them to the bone and/or get haunted at night by the faces of all the innocent civilians they have sent to Kingdom Come, they still get off quite well, I'd say. You cannot voluntarily join any army and then expect never to get into a position where you have to kill other human beings. It kinda goes with the territory.

albertApril 14, 2017 4:57 PM

@Dirk,

There are many reasons why folks join the military, and many reasons why they leave. The chances of physical harm are obvious to everyone, yet the chances of psychological harm are less well known, downplayed, or ignored.

It's a crap shoot.

In some cases, PTSD goes right along with physical injury, and it's a devastating combination for some.

Coincident to the conversation:
https://fas.org/blogs/secrecy/2017/04/usaf-cos/

. .. . .. --- ....

Patriot COMSECApril 15, 2017 11:08 PM

@Clive Robinson

If you are a NOC and you are doing a little free-flowing CQB with your pals in Miram Shah, then you deserve a break today at McDonalds. Either that or you have watched too much television in Omaha and you need to come out of your stupor and stop dreaming.

In a conflict zone, someone doing cyber might be intimately involved in operations which have immediate local effects. That is what I meant by saying that the lines between types of warfare might become blurred. You may be doing your own defense and keeping yourself alive. But in reality I think most enemies have primitive weapons and primitive technology. I am imagining an example: let's say you are French and you are doing cyber in Africa (maybe they really do, who knows?), and your enemy has 1950's radios that run on an old battery. Even though the local African militia humiliates your forces every single time there is a fight, you just cannot get your cyber ops going. No one at HQ in Lyon has figured out why info is only coming in by the kilobyte. If you say that the enemy has no computers, then the whole op will get cancelled and you won't get anymore special pay--and you are only $700 Euros short of that new muffler for your Harley. The boss of your boss is only 7 million Euros short of a new house on the sea, and nobody wants to spoil the fun.

Yes, I am saying that cyber can be a charade, a big fat joke conceived by the unknowing for the purpose of expanding a budget.

But cyber does have a role against nation states. We may think of special operators as guys who run on beaches with a machine gun on their shoulders. They may also be someone who has TCP/IP skillz.

The great mistake here, for the United States in particular, is this fetishizing of technology. This has especially been true since 9-11. We need better technology to fight terror, right? Better technology means winning wars, right?

Not necessarily. But don't tell that to someone in Arlington, VA who wants to sell a whizz-bang, NEW (my God, it is NEW!) device to fight poor people with no medical care and primitive weapons, poor food, and old radios. Taliban. They wear plastic shoes, cannot even bathe often, suffer from diseases which are routinely cured in the West... and the Taliban are kicking that ass. Forget cyber. YouTube.

If the ANA and ANP can hold Afghanistan for another fighting season, then that will be a miracle.

What technology can do depends on the enemy. But in a vendor-driven cash bonanza like Iraq was, or a vendor-driven, Dubai-destined, contractor-deluxe pimpmobile like what the US likes to roll with in Afghanistan, the enemy has every advantage. If you don't believe that, read the news. And it all happened before in Vietnam.

"Just a few more years and the Afghan ARVN... I mean the ANA and ANP... will be ready. A new dawn of hope..."

The degree to which warfare is not understood, even by, or especially by, the folks who should be experts in this in the US, is stupefying. Again, if you don't think that is true, then tell me which war that the US has won in the last 40 years. Then fill me in on how much was spent. Next, let's talk about cyber. This does not bode well for the future. Want to feel great? Here you go: the US armed ISIS. But at least we had super sexy cyber. Did not do a damn thing, oh, and we also had diversity and a world-class sexual assault prevention program! Would you like fries with that?

smellynewbieApril 16, 2017 10:06 PM

*sigh* Imagine a world without Javascript and ISP not selling out. It's all unicorns and rainbows, right?

Clive RobinsonApril 17, 2017 12:13 AM

@ smellynewbie,

It's all unicorns and rainbows, right?

No more unicorns, we can't aford them, it's just "My little pownies" all the way down...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.