Clive Robinson, January 10, 2018 8:09 AM

@ Bruce,

In Michael Sulmeyer's report, down in the section on attribution, we find,

But I would have thought that the document would lead off by emphasizing that the United States possesses solid insight into this, so those who would try to hack and hide should think twice.

The "possesses solid insight" aspect of attribution worries me because, translated, that means "best guess in an uncertain world". Most nations would have no need to think twice about "hack and hide"; they would hack and ignore the supposed "solid insight" argument.

Which is why the US has repeatedly talked about kinetic retribution to what it thinks is "solid insight". Even calling for it to be made a primary act of war, demanding such things as preemptive attacks.

It does not take much knowledge of the technology and the way things work to realise this is a very, very bad situation. Especially knowing that the CIA at least developed tools to make false attribution fairly easy.

As I've been known to say on the odd occasion, this needs to be dealt with as Crime, not Espionage, and evidentiary rules followed throughout.

As we have seen, the US fights a big game when it comes to invading a nation's sovereign territory by sending in drone strikes against defenseless civilians, but when it comes to a super power like China or Russia, or nations that fall under their protection, it is all bluster.

Thus it can easily be seen that the US intends to carry on with the notion that they can just bomb any independent nation back to the stone age as a warning to other nations to stay in line. Then, when the country gets back on its feet, send the country the option of sanctions or paying the US bill...

This is likely to force nations to form their own super power blocs in self defence, and thus move on to developing strategic defence systems to make clear that the US is to keep out of their back yard.

NBC / WMD proliferation is not what we really need to be happening. Simply because the US IC SigInt agencies want to play only the Offensive game, not the defensive strategy.

DEAN BUSHMILLER, January 10, 2018 8:15 AM

These complex plans need to be backed up by simple, cost effective measures that we can implement. Not one size fits all, but if it fits most we should do it. I suggest 3 simple rules that will shift the responsibility to all for security.
1. Three technologies that have been around: dnssec, ipv6, and certificates for all.
2. Any communications not having these proof tools is considered completely untrusted.
3. Trust for all communications can now be tied to responsibility for security.

The technical details of each make it much more difficult for good security practices to be ignored by vendors selling products, consumers purchasing, and government regulating.

We need to start with tools that can be implemented by everyone at every level. Legacy devices will still work, but we can now make better cyber security decisions.

echo, January 10, 2018 8:49 AM

"Security" is the new politically correct go-to word. I suspect that as civic issues such as workers' rights, gender equality, and poverty are addressed across the world, that understanding will emerge and big "S" security will become less of a hot button issue. It's not possible to bomb, rape, or steal your way to victory, whatever "victory" is...

This document is an insight into the political minds of the people behind it, but is only a partial view of a bigger picture.

Sancho_P, January 10, 2018 10:10 AM

Re: The four pillars of the 2017 NSS:

Everything down from “Protect the American People, the Homeland” is very sad.
It’s offensive and does not consider the small canoe we are all living on.
But is it American?

“… the American Way of Life” (at least part of):
= We want to waste and pollute because we are Americans, we are used to it.

“Promote American Prosperity:”
= Let’s grow, usurp, until we cover the whole canoe.

“Preserve Peace through Strength:”
= My (d#ck, button, bomb) is bigger!

“Advance American Influence”
= Elections are ours (but only abroad, internally we can’t).

True, a crocodile is President.
Until today I was hoping this was a mistake or rigged.

Petre Peter, January 10, 2018 10:48 AM

from Ben Buchanan

...a single rule for Calvinball: You can't play it the same way twice. Unfortunately, that rule doesn't apply in cyber-security.

It doesn't. What we have is a bit more of Bailout and BugBounty than Calvinball. What would happen if ___ industry would ask for a bailout?

oh really, January 10, 2018 1:46 PM

"During my first year in office, you have witnessed my America First foreign policy in action. We are prioritizing the interests of our citizens and protecting our sovereign rights as a nation. America is leading again on the world stage. We are not hiding from the challenges we face. We are confronting them head-on and pursuing opportunities to promote the security and prosperity of all Americans."

Gosh, who writes this tripe?

Oh, right.

hmm, January 10, 2018 1:54 PM

Why don't we just route NK and other pariahs-of-no-commerce-value straight to /dev/null?

Nobody has any legitimate userland-internet reason to visit NK sites. Why accept their traffic?
On one hand we're ratcheting up to nuclear war, on another their packets still route?

It makes no sense to me.

vas pup, January 16, 2018 10:51 AM

I've read the whole NSS paper, not the comments.
That part caught my attention in particular:
"China, for example, combines data and the use of AI to rate the loyalty of its citizens to the state and uses these ratings to determine jobs and more."
I guess China already got the idea of loyalty management utilizing AI tools. As I stated before on this respected blog, management of loyalty (e.g. monitoring loyalty shifts by day-by-day analysis of the behavior of any folks involved in security activity, utilizing AI) in progress, not only when hiring, may reduce the probability of unexpected defectors/leakers. As Steve Jobs said, 'We hire smart people so they can tell us what to do, not so we can tell them what to do'. But we need loyalty monitoring/management to be sure smart people have our best interest in their brain/heart.
Google understood that the carrot is more effective to generate and maintain loyalty. Unfortunately, Google is one of the few for now.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.