Thursday, December 15, 2016

The DIRNSA trap



New domains, such as cyber, are challenging for leadership. There are always moments where you see people hang on the words of a DIRNSA, especially one who has just exited and is freer to talk (aka, sell whatever solution they are hawking in their retirement). But I want to point out that in most respects these high-level people have very little experience in the cyber domain as we know it, and you are better off going to an old 90's hacker type like Halvar to get strategic advice about what sorts of solutions are going to work next year and the year after that.

Look, I get the magic of the NSA. Being inside the bubble is like living in a crystal ball. I read the presidential daily brief every morning, and then browsed the crypto library or looked at papers on various things far ahead of the outside world. It's like being a Guild Navigator, steeped in Melange.

Folding spacetime is not easy.


Typically, people confuse CLEARANCE with UNDERSTANDING. But reading high-level reports and hearing briefings can occlude strategic understanding, especially if you don't have the background to see the whole picture. Obama, towards the end of his term, put in a whole staff on cyber security with no technical or industry experience. Look at Michael Daniels - 17 years at OMB (!) doing financial review of the IC, I'm sure at a very high level of clearance. But he has no technical understanding - he has an undergraduate degree in public policy, not even computer science. This trend ran throughout Obama's appointments, and it has led to serious undercutting of our national policy efforts. It doesn't matter how cleared you get, what SAPs you get read into: you cannot get clarity on these issues that way.

I'm often chided for holding fast to a rule that you cannot operate strategically in this domain without understanding the technology - I used to make it a rule that nobody could use the exploits my team created operationally without being able to write them themselves. And spending some time in industry seems like a requirement for making good policy decisions when nearly everything you do in the cyber domain goes over private networks and software.

A lot of it is just time in grade. A DIRNSA comes from an intel background, but will probably not have 20 years of cyber-hacking under their belt. Your average 90's hacker will. And these days, they all have the clearances and money from their respective governments to use it. We're not playing against amateurs anymore, and we need to stock our bench accordingly.
