Don’t fear improvement

Hi folks,

I have a (totally unbiased) fondness for historical figures with sweet sideburns, so it’s not shocking that I like Theodore Parker.  I mean, he’s no Burnsides, but who is?

So Theodore Parker – who is he?  He was a Unitarian minister in antebellum New England.  Abolitionist, transcendentalist, and pretty big brain – he generated a lot of good quotes in his day.  Among them:

I do not pretend to understand the moral universe; the arc is a long one, my eye reaches but little ways; I cannot calculate the curve and complete the figure by the experience of sight; I can divine it by conscience. And from what I see I am sure it bends towards justice.

Pretty solid, right?  In just a few short sentences, he divines the future evolution of humanity, prepares the reader for a long journey, and admits his inability to see the destination himself.  It would be totally understandable for any subsequent orator to simply reference Parker’s quote rather than try to improve or build upon it.  But those who want to effect change don’t usually make do with the status quo.  So, in February of 1965 – in the shadows of the assassinations of JFK and Malcolm X – Martin Luther King Jr delivered a sermon at the Temple Israel of Hollywood.  In it, he included the following quote:

the arc of the moral universe is long but it bends toward justice

It’s a quote that King used many times, including during the March on Selma in 1965.  King, for all his awe-inspiring oratory skills, wasn’t afraid to lean on those who came before him and improve upon what they produced.  The same is true for all of our great leaders – they make use of the works of others and they don’t hold those works sacrosanct.  They update/change/edit in order to improve those works for their needs.  Parker’s quote worked well for a more verbose era, but King needed something more succinct – so he made some improvements.

The same is true for all of us.  What we do may not hold a candle to the works of Parker, King, and other giants of history, but our work is important nonetheless – important enough to warrant critical examination of those who came before us and important enough for us to make improvements as needed.  NIST special publications, OMB memorandums, FISMA, and other guiding documents for our field have been created by smart, dedicated, driven people – but they’re not infallible and they’re not custom tailored for our specific needs.

It’s incumbent upon us to lead in our own way and, in the pursuit of a better tomorrow, bravely make changes to that which may seem “good enough”.  It’s not dismissive or disrespectful – it’s just improvement and it should be welcomed.

Rex

Point towards enemy

Hi folks,

Like tens of millions of people, I’m a fan of Game of Thrones. (very minor spoiler alerts) For those who haven’t watched it, the gist is that there’s a big power struggle for control of this fantasy kingdom and while all these subplots play out regarding the intrigue and plotting of various power players, only a handful of people are aware of the looming threat from the north – an undead army which promises to wipe out mankind given the chance.

At the risk of reading too much into simple entertainment, I think there’s a huge lesson in the story.

One of the great things about cybersecurity is that the enemy is very well defined – people who are trying to do bad things to your assets and data. It’s hard to ask for a clearer mission. And while most of us are responsible for smaller components of the mission – say vulnerability scanning, or intel management, or training – all of our efforts point in the same general mission direction: stop the bad guys.

That’s what makes infighting so deeply disappointing.

Yes, disagreements on tactics will occur. Yes, some friction is good and helps us to refine and strengthen our plans. But territoriality, subversion, a lack of cooperation… that’s a waste of our precious collective resources for something that contributes nothing to the mission. These problems aren’t exclusive to .gov, of course. Internal conflict is everywhere. But much of the Federal sector embraces the concept of “rice bowls” as if it’s a defensible approach to business. As if responsibilities, once assigned, can never be changed because the individual’s interest trumps that of the organization. It’s a reflection of the outdated, inefficient, silo-based business model. It’ll die out eventually, but not soon enough.

Rex

Trust what you know.

Hi folks,

For all the issues Greece has today, the Greeks may deserve a little bit of a pass. They may not be able to handle their finances, but Western civilization has a debt of its own to them. Pythagoras, Democritus, Socrates and his crew… over the course of a few centuries, Greece churned out a whole bunch of big brains that changed the world.

One of those big brains was Zeno of Elea. Zeno is probably best known for two things: being a badass and frustrating mathematicians for nearly two millennia. He’s a badass because, while near death after being tortured to reveal the names of his co-conspirators in a plot to overthrow a tyrant, he pretended to have a secret for said tyrant, only to bite his ear off with his dying breath. He frustrated mathematicians with his paradoxes, the most famous of which are his arguments against motion, including the paradox of Achilles and the tortoise.

The gist of the paradox is that any object in motion, no matter how fast, cannot catch up to another slower object that got a head start. This being ancient Greece, the fastest guy they knew was Achilles, who is now perhaps best known as the role played by Brad Pitt when he redefined 40-year-old male body image standards. The jerk.

How does the paradox work? Basically, a tortoise gets a head start – maybe 100 meters. Then Achilles starts, but by the time he reaches the 100 meter mark, the tortoise has moved on, perhaps another 10 meters. Achilles then covers those 10 meters, but the tortoise has moved on again, another meter. And so on. Achilles can never catch up, even if he gets really, really close. It took 2000 years for math to disprove Zeno’s paradox with convergent series, thanks to Scottish mathematician James Gregory.
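The convergent series that resolves the paradox, written out here as an added illustration (it is not part of the original post), using the post's own numbers: a 100 meter head start and a tortoise one-tenth as fast as Achilles, so each successive gap is one-tenth of the previous one.

$$
100 + 10 + 1 + \tfrac{1}{10} + \cdots \;=\; \sum_{k=0}^{\infty} 100\left(\tfrac{1}{10}\right)^{k} \;=\; \frac{100}{1 - \tfrac{1}{10}} \;=\; 111.\overline{1}\ \text{meters}
$$

Infinitely many steps, but a finite total distance: Achilles draws level after covering just over 111 meters, and the same geometric series bounds the time it takes.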

But we all know better even without the mathematical equation, right? And so did the ancient world. We all instinctively know that Achilles is faster than a tortoise, and that he could easily pass it despite a delayed start. It’s just obvious, even if we don’t have the definitive proof.

What would have happened if the world had waited for a mathematician to prove what we already knew? Would we have thrown up our hands and accepted defeat at the hands of a tortoise because nobody could disprove Zeno’s paradox? And what about all the other things we knew but couldn’t prove – had we waited for definitive proof before accepting that something is so, even when we couldn’t express why, what advances and discoveries would we have missed?

In the Federal information security world, many have fallen into this trap.

Audits and regulations have become such a huge part of our world that many people refuse to consider actions that aren’t prescribed by an outside, authoritative source. As if the absence of a reference by NIST or OMB somehow invalidates the value of an idea.

This lack of initiative and creativity isn’t caused by NIST or OMB – it’s our fault. We’ve become so conditioned to prioritize a lack of findings that we’re living the infosec equivalent of teaching to the test – focusing exclusively on known evaluation criteria. The problem is that our adversaries don’t play by the same rules – they don’t look only for unimplemented NIST 800-53 controls to exploit, they’ll exploit anything they can find. For as great a document as 800-53 is, we can’t afford to be limited by it. It and all the other guidance out there are not the definitive documents for information security.

Here’s the good news.  If this is fundamentally our fault, we can fix it.  We need to be comfortable doing things that aren’t prescribed by an external authority. We’re all hired as experts – let’s put our expertise to work. We need to use our creativity, our sound judgment, and our instincts as valid inputs into the information security process. Otherwise we risk missing out on progress while we wait for somebody else to prove what should have been obvious to us all along.

Rex