“Cyber Situational Awareness: We want the benefit of hindsight & we want it now!” # How Cyberpeople Think

I don’t know whether to be excited or horrified:

http://www.innovateuk.org/content/competition/cyber-situational-awareness-we-want-the-benefit-of.ashx

Cyber Situational Awareness: We want the benefit of hindsight & we want it now!

The MoD Cyber & Influence research programme (in collaboration with wider government) seeks to enable freedom of manoeuvre across all operating environments by finding ways to defend all of MoD’s digital assets. A key challenge in cyberspace is finding new ways to quickly enable decision makers to understand what cyber events are taking place; the relevance these events have to missions; and the potential impact on real-world operations, to assist them to make timely and proportionate decisions.

This CDE SBRI themed call seeks proposals that grasp the scale and breadth of the challenges of providing cyber situational awareness (cyber SA) to decision makers, from the physical and data levels up to the MoD enterprise level.

The following areas are of particular priority:

  • Enabling analysts and decision makers to mitigate the data deluge issues associated with operating in cyberspace to improve their understanding.
  • Improving the communication of the status of cyberspace to decision makers.
  • Predicting events in cyberspace, providing a level of confidence in a conclusion that enables decision makers to be proactive, rather than reactive, in their decision making.
  • Developing an understanding of events in cyberspace and the impact that subsequent decisions have on the resilience and robustness of the MOD enterprise.

Excluded from the competition are proposals to detect cyber threats; that propose visualisation approaches without a clear reason of how the visualisation will add significant value; or that restrict their scope of cyber SA to a small part of cyberspace, eg intrusion detection systems or data mining.

The competition will launch at an event held at Reading Town Hall on Tuesday 25th September 2012. Potential applicants are strongly recommended to attend the seminar; registration is necessary via http://www.science.mod.uk/events/event_detail.aspx?eventid=184 . The call will close at 1700hr on Monday 29th October 2012.

The brief will be available after the seminar on 25 September.

The flippant security guru in me says the cheapest way to enhance cyber situational awareness is to buy everyone “KEEP CALM AND CARRY ON” t-shirts, for there is much happening on the network, little of it is relevant or fixable, and much of it is ignorable.

However, instead let’s try to remain positive and look at this analytically:

“Freedom of manoeuvre” apparently means the possibility of changing your plans or decisions in order to achieve what you want; of course the MoD aren’t really spelling out the big picture of what they want – nor are they defining a cyber event – so we’re a little blind in our analysis.

But given that the next few words are “defend all of MoD’s digital assets” they are probably just saying that they want to carry out what we in the enterprise world call business.

They want confidentiality, integrity, availability. That sort of thing.

So far, so absolutely normal. The only difference is that in leaving the ivory tower they’ve brought their lingo with them. Let’s play with it a bit:

The company seeks to enable business operations across all business sectors by finding ways to defend all of its digital assets. A key challenge on the Internet is finding new ways to quickly enable management to understand what outages and hacks are taking place; the relevance these events have to projects and products; and the potential impact of events upon operations, to assist management to make timely and proportionate decisions.

This call seeks proposals that grasp the scale and breadth of the challenges of providing real-time operations status to management, from the physical and data levels up to the enterprise level.

Yep. Exactly the same.

From the bottom this is known as “let’s confuse management with technical stuff they don’t understand, but not confuse them too much in case they do something stupid; we should aim to inform them just enough to make them feel in control and assure our jobs”.

From the top this is known as “we have become detached from how everything is working at the coalface and need to both understand better, reassert control, and demonstrate leadership”.

I remember this game from Sun Microsystems; I wrote AutoHack* and ran it against Sun’s internal network; my novice then-manager took the ill-advised step of presenting the raw data to a CxO Board (…of the 20,000+ hosts, AutoHack broke into 6,000+ of them as root without authentication, and a further 2,500 by exploiting…) – and the relevant CxO stormed out of the boardroom because he could not be allowed to hear such things in an official forum, being legally liable.

He hadn’t been previously sufficiently aware.

A huge shitstorm came down after that: having your department pass AutoHack testing became a metric by which middle-management got awarded quarterly bonuses – which sounds great except that meant discovery of a new “5-STAR BUG” at the end of a quarter meant that nobody got their bonus…

This eventuality was rather unpopular, as you might guess.

So the next phase was taking the AutoHack operations away from Alec, implementing “change control” (ie: never updating it) and building an “exceptions” process for machines which were too mission-critical to tweak, fix, poke or amend; thus the most important machines generally had the most dreadful security.

In disgust I quit the Network Security Group a year later, having created an enormous (possibly at that time the world’s largest) security visualisation tool and seen the entire thing go to waste as the bureaucratic corpus reacted against it.

The big lesson for me was that non-geeks cannot cope with the notion of vulnerability in computing.

Normal people think of vulnerability as they might think of car maintenance – you need new tyres, you need an oil change: the tyres you probably change quite soon, oil-changes get deferred. There is a smooth greyscale of things which need fixing now versus things which need fixing this month, or this year; and if you drive a little less harshly, a little more considerately, you could stretch things out for longer.

Normal people are not equipped to cope in a world where, with the publication of a blog post somewhere else, suddenly every system you manage is known to be suffering from a mission critical issue which requires immediate maintenance; it’s the ultimate form of loss of control, it’s like public relations and fashion – your success is at the whim of what other people say about you and your capital equipment / possessions.

It’s anathema to those who have not lived soaked in it for a few years.

And yet, what do we see on the shopping list?

  • Enabling analysts and decision makers to mitigate the data deluge issues associated with operating in cyberspace to improve their understanding.
  • Improving the communication of the status of cyberspace to decision makers.
  • Predicting events in cyberspace, providing a level of confidence in a conclusion that enables decision makers to be proactive, rather than reactive, in their decision making.
  • Developing an understanding of events in cyberspace and the impact that subsequent decisions have on the resilience and robustness of the MOD enterprise.

So we want management analysts and decision makers to not be bothered by detail when there is nothing but detail in cyberspace; we want to pretend that cyberspace is a place that has a status – a global, geopolitical world rather than a mishmash of chit-chat in a global coffee shop. Walk into a huge overflowing Starbucks and give me a “status of the conversations going on in there”.

As I’ve written elsewhere, cyberspace is not a world, it’s communication. It does not have a status other than ongoing.

Regarding point 3, which I shall describe as prediction: security is a world of surprise – that’s the whole point – and the way to get along is to be as clever, boring and minimalistic as possible.

Regarding point 4, which I shall describe as retrospective review: the inevitable result will be “we were surprised”.

This call smacks of senior management key decision makers who feel they’ve dropped out of the loop and delegated or lost control, and who are looking for a way to push themselves back towards relevance but don’t really know what that would look like.

So I have the perfect solution.

Nothing beats experience. Replace 50% of the key decision makers with people who grew up on the Internet and spent a minimum of 5 years in the private sector doing security.

* geek translation: AutoHack = Nessus, but several years earlier.

Comments


  1. Dave Walker

    In common with any other scenario where someone might say “we want the benefit of hindsight, and we want it now”, what they’re asking for is a time machine.

    The difference is, outside the context of Internet security, people don’t tend to ask for such things any more; the progress of more clunky real-world events means that a sufficient window of opportunity might exist to do some useful analysis and act upon it, but on the Internet, it’s a matter of lightspeed vs lightspeed, and the difference of where your light starts does not produce a big enough window.

    Actually, the point that “normal people are not equipped to cope in a world where with the publication of a blog post somewhere else, suddenly every system you manage is known to be suffering from a mission critical issue which requires immediate maintenance” reminds me of another context where this holds true; academia. If someone else publishes first, your research gets an effective DoS attack (unless you can change tack readily).

    “And Nikolai Ivanovich Lobachevski was his name, oi!” 😉

  2. Dave Walker

    Continuing on this train of thought, academic publication is also “conversation, ongoing” – just with learned journal acceptance criteria and peer review (of varying degrees of rigour) to jump through – and which can, every now and again, throw something into the fray which changes the way the world works.

    Combine with the philosophy of broad claims on patents (in the sense in which they are frequently used, to head off innovation elsewhere) in the class of DoS attack, and it starts to look like a useful metaphor…

  3. Dave Walker

    Idea for a reductio ad absurdum “cyberspace is not a place” graphic:

    Take 4D Cartesian axes from “Muffett on Marketing” preso. Put “0” at the origin, and “127” at the end of each axis.

    Caption with something like “Er… no.” 😉

  4. Sir Bonar

    Splendid.
