omg cyber!
TRANSCRIPT
About Me
• Robert M. Lee (@RobertMLee)
• AF Cyber Warfare Operations Officer
– My views/comments definitely only represent me
• Adjunct Lecturer at Utica College
• PhD Student at King's College London
• SANS Course Author/Instructor (ICS/SCADA track)
• Author of:
– SCADA and Me: A Book for Children and Management
– Little Bobby
“OMG Cyber: Thirteen Reasons Why Hype Makes for Bad Policy”
• Published in the RUSI Journal with Thomas Rid
• Draws from my background in IC and USAF
• Draws from his background in Academia
• Written in formal Buzzfeed/Gawker Style
The 13 Points
• Hype creates confusion
• Hype limits results
• Hype betrays purpose
• Hype erodes talent
• Hype creates friction
• Hype breeds cynicism
• Hype degrades quality
• Hype weakens products
• Hype clouds analysis
• Hype kills nuance
• Hype escalates conflict
• Hype creates hypocrisy
• Hype undermines trust
Militaries and the Intelligence Community
• Strategic visions and grab bag scenarios
• The cult of popular opinion and internal biases
• The push for metrics over substance
• PowerPoints and “facts”
• Robert Hale: “we tried to capture it all, but I’d say there’s a gray area here in what counts as cyber”
• General Welsh: “When you come to educate us, don't come in using cyber talk”
• NATO: “to put pressure on smaller countries to spend more money on their cyber-defence capabilities”
Sony – Somewhere North of Wrong
• Sony Pictures Entertainment – security staff size
• Discussions around and likely investment in hack-back
• Victim shaming in real life vs. industry
A Little More Focus on Doing
• A lot of people talk about security – not many actually do it
• Tons of excuses – some pretty legitimate – but more focus on security as a process, while supporting the mission, and an emphasis on people over boxes will help
• Stop overhyping it – leadership will either not believe you (analyst who cried wolf) or believe you (maybe worse)
A Little Less Self-Licking Ice Cream Cones
• Government – Wants that cyber-stuff
• Vendors – Sure can make some cyber-stuff
• Journalism – Needs that cyber-goodness scoop
• Academia – Loves to be quoted as a cyber-expert