DNS: Internet Security

July 30, 2010

DNS - Ex-CSO of Facebook Wants 'Cyber Counterinsurgency' Doctrine



Max Kelly, the former chief security officer of Facebook, called for a unified cyber security doctrine among U.S. government agencies and the commercial sector.

Kelly, who spent five years building the security team at Facebook before leaving the company three weeks ago, said that the practices of cyber warfare and cyber security are actually the same thing.

“Cyber warfare is the thing I know least about,” said Kelly. “The people who talk about it actually don’t know much about it.”  

Unlike many gloom and doom cyber war predictions, Kelly believes any computer offensive activities would be quite limited and targeted in scope. “The network is too valuable” for anyone to risk full-scale destruction of the global information infrastructure.

Compounding matters for the U.S. government is the existence of “not one, but dozens” of cyber war doctrines colored by institutional biases. “The Air Force talks in terms of strategic bombardment and precision munitions,” said Kelly. “The Army thinks about logistics and moving packets. For the FBI and DHS, it’s a law enforcement problem… all are true and false.”

Common themes to all discussions of cyber warfare include intelligence gathering, network defense, and occasionally “denying personnel or assets to the enemy.” In actual practice, most agencies are focused on gathering intelligence.

Kelly, whose previous jobs include a stint at the FBI as a Computer Forensics Examiner and vice president of Technology at Ticketmaster, said problems with cyber security and cyber war stem from legacy thinking that treats protecting computer assets like protecting buildings. “Computers were big boxes that had to be controlled,” said Kelly, by putting up walls (firewalls) and access controls. “But that philosophy makes you segregate machines and limits information flow, reducing the functionality of machines.”

Under Kelly, Facebook’s philosophy on cyber security was to focus less on the growing hordes of vulnerabilities and more on threats and attacks. “We’d focus on who and why, then going after them any way we could,” Kelly stated. “Vulnerabilities grow to infinity as systems grow.”

“The tendency in organizations is to look at attacks like the weather – it just happens. Most [cyber] attacks focus on you, done by real people,” Kelly continued. “Find out who, follow the money… break the money [flow], break the reasons why people attack you. You make it too hard; they’re going to go on to somewhere else.”

A unified doctrine for cyber warfare should be modeled on counterinsurgency (COIN), learning all about attackers and basing responses to cyber attacks on behavior, not identity. CCOIN (cyber counterinsurgency) would focus on installing the “primacy of influence” by making sure that users would have more authority in controlling their machines and therefore have a more vested stake in making sure machines weren’t corrupted, so that machines could be better trusted.

“Trust your users,” Kelly said. “A little trust goes a long way. When people try to circumvent [security] measures, they’re trying to do so because it keeps them from doing what they need to do. If you have trust, there are less circumvention measures [taking place].”

CCOIN would look at behavior and activity, and Kelly said organizations need software that monitors behavior as the way forward “rather than cataloging worms and viruses.”

“Spend less time worrying about vulnerabilities,” Kelly said. “Do more threat assessment. ID the attacker, and then go after them with everything you can.”

Facebook’s cyber problems have mostly been spam, with a “little unauthorized access.” The company’s response was to identify the people attacking it, and then use existing U.S. laws to prosecute offenders. A few good “800 million dollar” spam judgments proved to be an effective means of stopping attacks.


Doug Mohney is a contributing editor for TMCnet and a 20-year veteran of the ICT space.

Edited by Stefania Viscusi
