The notebook is fourteen years old today. This is, by my count, the year the discipline I have been keeping tips into ordinary habit — there is no longer a process of "deciding to write this week's post", there is only the question of which thing to write about. The kettle is on, the kitchen table is the same one from 1998, and the coffee — for what it is worth — has continued its slow upward drift in quality since I last commented on it.
I should write the year retrospective properly, because 2011 was the most operationally substantive year I have written about in a decade.
The list of incidents I wrote about, in chronological order: HBGary Federal; the RSA SecurID compromise; Comodo; Sony PSN; Lockheed Martin and the SecurID-derived attacks against the defence contractors; the LulzSec fifty-day campaign; the News International phone-hacking scandal and the engagement that followed; DigiNotar; Duqu; and Stratfor's Christmas-Eve compromise. Plus Operation Tunisia in January, which was the political-cyber prologue to most of the rest of the year. That is more than one major incident per month, sustained across twelve months, and the retrospective question is what the pattern means.
The pattern means three things, I think.
First, the defensive vendors sit inside the threat model. RSA and SecurID. Comodo and DigiNotar and the certificate-authority business model. The implicit assumption that runs through every CISO conversation, every PCI-scope decision, every ISO 27001 controls statement — that the security infrastructure you buy from your vendor arrives in working order — is now demonstrably wrong. The work for 2012 is reckoning with that assumption explicitly. The boards I sit in front of need to be having this conversation, and they need to be having it on the basis of "what compensating controls exist for the case where one of our security vendors is compromised", which is a question most of them have never been asked.
Second, the CA trust model is structurally broken in ways that nobody has a near-term answer for. Several hundred root authorities, each with resellers, intermediates, and registration authorities below them; no published list of the operational population; OCSP soft-fail by default; revocation infrastructure that does not work in practice. The work being done on certificate transparency — Ben Laurie and Adam Langley at Google have been pushing this — is the most promising defensive direction, and Moxie Marlinspike's Convergence is the alternative I am paying most attention to, but neither is deployed at scale and neither will be in 2012. The cost of the CA failure model will continue to be paid by the people who happen to be holding TLS-protected services when the next ComodoHacker comes through.
Third, the nation-state operational tempo has compressed sharply. Stuxnet was the proof-of-concept; Duqu is the reconnaissance phase for the successor operation; the cycle between them is approximately twelve months rather than the multi-year cadence that defensive thinking has been planning around. This affects the engagements with industrial or OT exposure most directly — Northcott has some, two of the Hedgehog clients have some, several of the secondment relationships touch on supply chains — but it also affects the wider question of how an organisation reasons about being in the target set. "We are not a Stuxnet target" is no longer the answer when the reconnaissance phase will accept compromising the supplier or the engineering services provider to the eventual target.
For 2012, the priorities are clearer than they were a year ago. The privacy and encryption focus I committed to last January has been the through-line of the year's work, and continues. The structural decision I have been deferring on Hedgehog — whether to build operational capacity around the practice rather than continue as a single practitioner — has now hit the point where deferring further is a worse choice than committing. I have been talking through the autumn with two specific people about coming in, and I expect a decision in the first quarter. The shape I am now strongly leaning towards is a small operational SOC with monitoring and incident-response capability, run from a Stafford office with a couple of analysts, that supplements the advisory work rather than replacing it. The financial argument is plausible, the demand from existing clients is there, the structural contribution to the practice is meaningful. The deciding question is whether I want to be in the role of "person who runs a SOC" rather than the role of "person who advises clients on how to run one", and the honest answer is that I do not yet know.
The vCISO secondment portfolio is now stable: Towry, Northcott, News International, and Browne Jacobson, with the Hedgehog client base running alongside. There is a fifth conversation that has been going on through November and December that I will not pre-empt by naming yet. The engagement model — sustained part-time CISO advisory across multiple substantial UK organisations — has settled into a rhythm that works for the practice and works for the clients. There is nothing structurally wrong with continuing this through 2012; the SOC question is a separate question.
The reading priorities for 2012 are continuity rather than change. Schneier's blog continues; Brian Krebs's reporting has been the steadiest source on the credit-card side of breach journalism; RISKS Digest remains the right place for the broader picture; F-Secure's weblog and the various Symantec and Kaspersky researcher blogs are the technical baseline. The standout piece of long-form work I read in 2011 was the Liars and Outliers draft material that Bruce Schneier has been circulating; the book is out in February and I will write about it then.
The first technical post of 2012 is likely either Megaupload — which everyone is expecting to be taken down imminently and which is going to produce an interesting trial of the takedown infrastructure — or whatever follows the Stratfor dump as Anonymous-aligned operators decide what to do next. Or possibly the SOPA/PIPA legislative fight that the US is having about what kind of takedown infrastructure should exist in the first place.
Happy 2012 to anyone reading.