[EDIT] Added some additional thoughts based on twitter feedback
I just read an article about how Silicon Valley and DC are at odds on getting security clearances, and my thoughts won’t fit into 140 characters as Twitter demands. (And apparently this is what blogs are for!)
Here's the article: Friction heats up between DC, Silicon Valley. Go ahead and read it first. I'll wait.
OK, great! You're back -- so let's dive in.
Setting the stage here:
“U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues” <1>
That's all well and good, and it's important to move fast and share information, so why wouldn't everyone (eligible, anyway) want to get clearance? It's simple: The private sector worries that when you get that clearance, it means the government kinda controls you. It means whatever information they decide is secret, you are no longer at liberty to share or discuss. Even it's already out in the public sphere. Even if everyone else is already talking about it.
So, on the one hand, there are government and military secrets, which require a clearance that can grant an individuals custodianship. But on the other hand, getting government clearance is not exactly easy, fast, or painless. It can stifle open conversation and broader information sharing. To be clear, there are also secrets in the civilian and private sector that that companies and individuals are custodians of—we are not strangers to managing sensitive information.
But the friction here isn't about secrets, at least not really, it's about relationships.
I believe that relationships are built upon trust and communication. I believe that trust between individuals is explicit, and trust between organizations can be implicit. <2> This creates a very confusing paradox for corporate executives and cybersecurity practitioners tasked with protecting the public’s interest. But in light of that, there are two thoughts that strike me in considering points of view presented in the article:
- I believe Security Clearances are as much about trust as they are about control
- I believe that keeping secret information about vulnerabilities and hacking attacks private profits the attacker more than the current victim
“The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.“ <1>
One of the underlying assumptions of many in this article is that the sensitive information is:
- Discovered by the government
- Owned by the government
- Must be disseminated by the government
This is probably the most confusing part of the Information Sharing discussions I engage in. No doubt, government targets are interesting and juicy to a variety of attackers… but there are so many more private industry targets! [Read: a great deal of this information originates in the private sector, and can move much more quickly to useful places when ownership & custody stays in the private sector. Some civilian-owned data is honored in this way by the TLP (Traffic Light Protocol) classification matrix.]
In my personal experience, and those I work closely with across the industry, information found organically online (through a variety of sources) is considerably more timely and helpful than information coming out from government sources. Those that work in law enforcement and government roles find information feeds and conversations had with private industry types to be FAR more thorough and timely than anything they get elsewhere.
Yes, there are times when the information that government agents have is unique, super sensitive, and extremely timely—those of active investigations like major retail breaches and criminal investigations. That information is phenomenally useful, and sensitive due to the ongoing nature of an investigation.
And I believe corporate executives and cybersecurity practitioners would welcome some level of clearance tied to that specific data set. I really do.
But ignoring the time-intensive and super-invasive background checks and interviews, I believe there are two key issues that stand in the way here:
- We know what it takes to protect information, and those doing background checks keep getting hacked, and
- We don’t really want to have to worry when talking about information we found in the public domain.
As a private citizen, I have not pursued offers of support getting a clearance because part of my job is to clarify information on attacks and vulnerabilities that create risk to companies and consumers. If I were exposed to *something* that *someone* *somewhere* labeled as “classified” in any way, I would have to maintain some kind of evidence to identify where I came into contact with said information in the public domain before discussing that “otherwise classified” material.
That scares me.
I promise you it scares many executives AND cybersecurity folks.
I think we can all agree that there is SOME modicum of time where post-breach information should be sheltered, that the victim of an attack doesn't need to be named while still helping to protect companies and consumers at risk, and the faster we can invalidate the tool or technique of the attacker, the more companies and consumers we can protect.
But I also believe that keeping information about vulnerabilities and hacking attacks profits the attacker more than the current victim. By extension, this also means:
- Successful crime will likely cost the attacker more, as their tools, techniques, servers, operational overhead will be taxed as what they are using becomes invalidated or watched.
- The likelihood of additional data points may help draw a net aiding in the identification and capture of the attacker.
But until we reach that ideal state, where information is shared easily and quickly, I worry we are trying to extend a false economy of secret information. <2>
Governments seem to have a misplaced belief that citizenship implies loyalty. As civilians, there is a perception of the government’s xenophobic lack of trust. To be very clear - that’s not just a US thing, that’s probably true of most countries involved and engaged in the cyber domain.
The internet is a very international space, which has historically enabled executives to bring their business to Silicon Valley. While I’m stating the obvious, let me quote a dear friend of mine, “Lots of those execs wouldn’t qualify as .gov believes (sincerely) that citizenship==loyalty.” It isn’t just a discussion of ROI for corporate executives that could help protect the American economy- it may be that they wouldn’t qualify for a security clearance.
<2> Terminology stolen (with a hat tip to Ryan Moon & Nathan Fowler)