The year retrospective. 2013 has been the largest single year of structural change in the threat landscape since the run of incidents I wrote about across 2011 — and where 2011 was about specific failures of specific defensive vendors, 2013 has been about the trust chain itself. The framework that I had been working with at the start of the year did not survive the summer.

The list of what I wrote about, in chronological order: Aaron Swartz and the CFAA; Mandiant APT1; the Spamhaus DDoS; the AP Twitter compromise; Snowden and PRISM; GCHQ Tempora; Lavabit and Silent Mail; the three-month Snowden synthesis; BULLRUN; the Silk Road takedown; the Adobe breach; Target. Twelve substantive posts plus the year-opening reflection. By volume of what I wrote, this is approximately the same as 2012; by what those posts were actually about, it is a different year.

The structural shape of 2013 organises around three things.

First: state-actor attribution moved from "we cannot publicly attribute" to "we have concrete public attribution". Mandiant's APT1 work in February named PLA Unit 61398 with documentary evidence; the Snowden disclosures from June onwards named NSA and GCHQ programmes with primary-source documents. The security-research community now has a body of public attribution work that did not exist twelve months ago, and the engagement conversations have changed accordingly. "We think this is a state actor" was the framing at the start of the year; "we know which state actor" is the framing at the end. The implications for clients with state-actor exposure (which, on the Mandiant breakdown, covers most large UK organisations in some industries) are direct. The privacy-and-encryption methodology I have been developing has been re-pitched at every secondment client over the past six months on the basis of the new attribution evidence.

Second: the trust chain through commercial encryption infrastructure has been demonstrated to be subverted at multiple layers. BULLRUN at the cryptographic-standards layer (Dual_EC_DRBG specifically); Lavabit-and-Silent-Mail at the service-provider layer; the broader vendor-cooperation hints in the Snowden material at the platform-vendor layer. The argument I have been making at the practitioner level — that defensive engineering needs to assume the trust chain is contested — is now the argument that the primary documents make on my behalf. The engagement-team material on encryption has been substantially rewritten over the autumn to reflect this; the recommendation list is shorter and more carefully justified than it was at the start of the year.

Third: data-breach-by-public-spectacle has become the dominant operational shape of credit-card-and-consumer-data incidents. Target at forty million cards is the year-end demonstration; Adobe at thirty-eight million users is the autumn equivalent on the consumer-data-and-source-code side. The structural pattern that has emerged through the year is that retail and consumer-platform breaches are now happening at scale large enough that any individual incident below approximately ten million records does not generate substantial public coverage. The threshold for "newsworthy breach" is materially higher than it was at the start of the year, which is itself an indication of how the operational baseline has shifted.

For Hedgehog, 2013 has been continuity rather than transformation. The SOC is now eighteen months operational with five monitoring clients, and the detection content has matured through the year in the directions I described in the eight-week update from October 2012. The structural decision about 24/7 staffing that I deferred to mid-year has been deferred again to early 2014; the existing analyst rota has been adequate through the year, and the financial case for 24/7 has not yet sharpened to the point where it is the right time to commit. The fifth secondment conversation that I mentioned in the 2012 retrospective has resolved into TWI, which has been part of the portfolio since spring; the practice now runs Towry, Northcott, News International, Browne Jacobson, and TWI as sustained vCISO secondments alongside the Hedgehog client base. The shape of the practice is operationally stable.

For the wider piece I have been outlining for two months — about commercial security infrastructure and state-level surveillance infrastructure — it is now mostly written. I will publish it in early 2014, after one more pass through the engagement-team review. The argument has held up through everything that has surfaced over the autumn; the difficulty has been keeping it short enough to be readable while addressing all the strands the year has produced.

The reading I have come back to most this year. Bruce Schneier's blog on the Snowden material has been the steadiest source. Brian Krebs on the credit-card-breach beat continues to be the right primary source. The Mandiant report is, by some distance, the standout single piece of practitioner-grade attribution work the year has produced. Glenn Greenwald's No Place to Hide, which is being trailed for early 2014, is the one I expect to read first when it lands. Bruce Sterling's Tomorrow Now (from 2002, which I went back to in November) had several passages on the state-and-commerce relationship that were sharper than I had remembered.

For 2014, the priorities are continuity. The privacy-and-encryption methodology continues to develop; the long-form piece will land in the first quarter; the SOC build continues; the secondment portfolio is stable. The structural question of what to do about the post-Snowden trust environment is the question I expect to spend most of my reading time on. The first technical post of 2014 will be whatever breaks; on present indications, the post-Target retail-breach wave is likely to produce two or three more substantive incidents through the first quarter, and I expect the next state-actor disclosure within months.

Happy 2014, when it arrives. The notebook continues.