The notebook is sixteen years old today. The kettle is on; the kitchen table is the same one; the coffee — about which I made claims of improvement in last year's anniversary post — has, against expectations, continued to improve. There is a new espresso machine in the kitchen since the autumn that has been the most useful piece of equipment in the house this year.

I am writing a shorter post than usual because the 2013 retrospective covered most of what would normally appear here. The structural shape of 2013 — state-actor attribution moving from theoretical to documented, the trust chain through commercial encryption being demonstrated as subverted, breach-by-public-spectacle becoming the dominant retail incident shape — has produced a different working environment than the one I started 2013 in, and the priorities for 2014 are mostly about consolidating the response to that shift.

The long-form piece I have been outlining since the summer — about commercial security infrastructure and state-level surveillance infrastructure — is being finalised this fortnight and will go out in February. The argument is that the two infrastructures are, in many places, the same infrastructure, and that the security-engineering response to that fact has not been adequate. The piece is approximately twelve thousand words at present and is more uncomfortable than the engagement-team review has been comfortable with. I expect to publish it on the blog and possibly to circulate a longer version through peer-CISO channels with appropriate editing for the specifics. The Snowden material is the documentary backbone; the operational implications drawn from it are mine.

For Hedgehog, 2014 is the year I expect the SOC question to resolve. We are now eighteen months into the SOC build with five monitoring clients, and the structural decision about whether to commit to twenty-four-hour staffing — which has been deferred twice — is going to need to be made this spring. The financial case has been incrementally improving through the year; the operational case has been incrementally clearer; the reservation I have had about whether I want to be in the role of "person who runs a SOC" rather than "person who advises clients on how to run one" is now mostly resolved, and the answer is yes. The first quarter is going to be when I commit to the recruitment plan that takes the SOC to twenty-four-hour staffing.

The vCISO secondment portfolio is stable: Towry, Northcott, News International, Browne Jacobson, TWI. The five-client portfolio has been the right shape for the practice through 2013; I expect it to be the right shape through 2014. There has been one conversation about a sixth client over the past month, which I am declining for capacity reasons; if the SOC goes to 24/7 the practice will have less of my time available for advisory, not more.

The reading priorities for 2014 are continuity. Schneier, Krebs, Risks Digest. Greenwald's No Place to Hide will be the long-form work I read first when it lands in May. The continuing flow of Snowden disclosures — there is, on the public reporting, substantial material still unpublished, and the pace of disclosure has shown no signs of slowing — will be the running technical reading. There is a piece I have been meaning to write about the operational TTP-deep-dive work the SOC has produced, drawing on eighteen months of detection-content development; whether that lands as a blog post or as something I take to a conference I have not yet decided.

The first technical post of 2014 is likely the long-form piece, depending on whether anything immediately breaks. The Target post-mortem analysis is continuing and may produce something worth writing about; the Mt. Gox situation that has been quietly developing through the autumn looks like it may resolve into something substantial in the first quarter. The Yahoo webcam revelations that the Guardian has been trailing for weeks may also land soon. Happy 2014 to anyone reading.
