Monday, June 30, 2014

Book Review: No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2014) by Glenn Greenwald

Executive Summary

No Place to Hide is a strange concoction: part exposé, part autobiography, and part screed “against the man.” It is not what I would call an example of rigorous journalistic reporting. It is more like storytelling with commentary. The story part includes the details of when and where Edward Snowden stole a treasure trove of classified U.S. government documents regarding warrantless mass surveillance of U.S. citizens and released them to a select few journalists. It also includes the details of how the author, Glen Greenwald, corralled the story and how that has affected his life.

The commentary part includes what Greenwald feels about the impact of Snowden’s released documents. He discusses how the documents show just how deep the rabbit hole goes in terms of mass surveillance against U.S. citizens, U.S. allies, and potential enemies. He argues that Snowden is really a hero and not a traitor and highlights how the government’s response to the debate is to attack the messenger and not the issues. 

Governments have a lot of opportunities to present their side to this debate. Greenwald is one voice on the other side that has grabbed center stage because of his relationship with Edward Snowden. Because of that, we should pay attention to what he has to say. Despite the less-than-stellar journalistic rigor, No Place to Hide is a cyber security canon candidate, and you should have read it by now. 

Introduction

Glenn Greenwald and other journalists began releasing a seemingly endless supply of classified U.S. government documents to the public in summer 2013. Those documents describe just how deep the rabbit hole goes in terms of U.S. government surveillance of its own citizens and allies and in terms of potential threats to the U.S. government.[1][2] Ever since, politicians, military leaders, and talk show pundits alike have attempted to characterize Edward Snowden—the man who stole the documents from the NSA and released them to the journalists—in an unfavorable light. They say he is a traitor.[3] They say he is a coward.[4] They say he is a spy.[5] They say he is a hacker.[6] They say he was just a low-level analyst with no understanding of the impact of what he did.[7] They say he was an insider threat.[8] But all of these characterizations, whether they turn out to be true or not, divert the conversation away from the main issue. None of these accusations address the most pressing question that we all, as American citizens, should be asking ourselves: Should the U.S. intelligence community be allowed to spy on U.S. citizens without the benefit of a warrant and without the benefit of a checks-and-balances system managed by a trusted third party? Glenn Greenwald does not think so and wrote No Place to Hide to make the case.

The book is a strange concoction: part expose, part autobiography, and part screed “against the man.” Greenwald tries to accomplish many tasks here, and I think because of that, the important messages within it are not as clear as they should be. He tries to set the record straight on the mechanics of how Snowden was able to position himself with two U.S. government contractors—Dell and Booze Allen Hamilton—and as an employee of the NSA and the CIA in order to steal secrets that exposed the U.S. government’s surveillance programs on U.S. citizens. But Greenwald does not provide enough detail to make sense of the story. Readers must seek other sources to fill in the gaps. 

He attempts to make the case that government-sponsored, unwarranted, and secret searches of American citizens is a trespass on the U.S. Constitution and America’s notions on privacy rights, but his argument is fuzzy. Everything Greenwald says is absolutely true, but the way he says it is not convincing. If you want a concise and elegant explanation why this is an issue that everyone should be concerned about, not just U.S. citizens but all citizens from around the world, watch Stephen Fry’s short video on the subject.[9]

He also launches an attack on the Fourth Estate, claiming that journalism has completely failed in its presumed adversarial role against the government and has not monitored and checked abuse of state power. He loses his credibility because instead of writing about the story, he is writing about himself in the story. It comes across as whiny.

And I am disappointed. I was hoping for the same gladiatorial panache that Greenwald displayed in the “Munk Debate on State Surveillance” in May [10] in which he peppered former NSA Director Michael Hayden with questions, but this panache was absent in No Place to Hide.

That said, this is an important book. Without Greenwald putting constant pressure on the American political establishment in order to challenge the need for such invasive programs, we would not be talking about it now a full year after the initial revelation in the Guardian newspaper in June 2013. And I believe we all must continue to talk about it. Just because No Place to Hide is not as clear as it could or should be does not mean that it does not have value.

This debate about how intrusive the U.S. intelligence community can be on American citizens, on American allies, and on potential American threats and about what the American political leadership decides to do about it will impact the character of the country forever. We have to get this right.


The Law

In order to understand the significance of the situation, we have to start with the Founding Fathers. According to Greenwald, they passed the Fourth Amendment because of their experience with the British before and during the American Revolution.[1] The Founders agreed that it was acceptable for a government to search individual citizens if it had probable cause of wrongdoing and produced a warrant approved by a judge attesting to the fact, but they viewed the practice of a government using a general warrant to make the entire citizenry subject to indiscriminate searches as inherently unacceptable.[1] The language in the Fourth Amendment to the U.S. Constitution is simple, elegant and clear. It is part of our Bill of Rights, and we fought a revolution to get it: 

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”[1]

According to Greenwald, 

“It was intended, above all, to abolish forever in America the power of the government to subject its citizens to generalized, suspicionless surveillance.”[1] 

Greenwald quotes U.S. Supreme Court Justice Louis Brandeis, in the seminal 1890 Harvard Law Review article “The Right to Privacy,” to make his point: 

“[R]obbing someone of their privacy was a crime of a deeply different nature than the theft of a material belonging.”[1]

After 9/11, Americans were afraid and rightfully so. More than 3,200 citizens died in a scant two hours due to the results of a well-executed, surprise, terrorist attack the likes of which had never been seen before on American soil. 

The US’s reaction was immediate. Not even a month later, President Bush signed a Presidential Directive called the Presidential Surveillance Program that granted an unprecedented amount of surveillance powers to the NSA, in pursuit of terrorist activities, that allowed bulk collection of metadata from U.S. citizens.[11][12] Shortly after, the U.S. Congress passed the Patriot Act that essentially made President Bush’s Directive the law of the land.[12][13] Section 215 of this act was the first legislation that authorized metadata collection.[12][14] The Patriot Act also authorized the FBI to compel Internet service providers, credit card companies, and phone companies via a national security letter (NSL) to provide information relevant to a counterterrorism or counterintelligence investigation. They could also impose gag orders to prohibit NSL recipients from disclosing that they received the NSL.[15] This change eliminated the former law enforcement restriction of collecting intelligence on only a foreign power without a warrant.[16]

According to Greenwald,

“What made the Patriot Act so controversial when it was enacted in the wake of the 9/11 attack was that Section 215 lowered the standard the government needed to meet in order to obtain “business records,” from “probable cause” to “relevance.” This meant that the Federal Bureau of Investigation, in order to obtain highly sensitive and invasive documents—such as medical histories, banking transactions, or phone records—needed to demonstrate only that those documents were “relevant” to a pending investigation.”[1]

In the mid-1970s, America clamped down on the intelligence community after scandals regarding CIA assassination plots and other abuses emerged in the public. As these things normally do over time though, the Patriot Act caused the pendulum to swing in the opposite direction in regard to how much leeway America wanted to give its intelligence community. We had taken almost all of the safeguards off of the intelligence community and told them to never let another 9/11 happen again. 

What We Learned from the Leaks

According to Greenwald,

“Snowden’s files indisputably laid bare a complex web of surveillance aimed at Americans (who are explicitly beyond the NSA’s mission) and non-Americans alike. …Taken in its entirety, the Snowden archive led to an ultimately simple conclusion: the US government had built a system that has as its goal the complete elimination of electronic privacy worldwide.”[1]

I think the biggest revelation about the Snowden leaks was not that the NSA was spying on U.S. Citizens, although that was a big one, but that our assumed liberal minded Internet start-ups were in on the deception. [1] According to classified documents that Snowden stole, the NSA had deals with most of our favorite Internet companies to collect information directly from their servers pertaining to U.S. citizens, companies like the following:

  • Apple Inc.
  • AOL Inc.
  • Facebook
  • Google Inc.
  • Microsoft Corp.
  • Yahoo! Inc.

According to the documents, Microsoft vigorously cooperated with the NSA to allow access to several of its most-used online services: SkyDrive, Skype, and Outlook.com.[1] Facebook and Google claim that they gave data only when the NSA presented a warrant. On the other hand, it is public record that Yahoo! fought the NSA in court against participating, but the company lost the case. Twitter declined to make it easier for the government to access Twitter data.[1]

The next biggest revelation was that the NSA indiscriminately collects millions of phone records every day from Verizon without a warrant and from both within the United States and from other countries. [1] This is the so-called metadata collection process that has been in the news from the start.

One revelation that the Fourth Estate has not talked about much is that President Obama signed a Presidential Directive in November 2012 authorizing the Pentagon to start planning for aggressive cyber attacks. He directed the military to draw-up potential overseas cyber targets.[1]

The biggest hypocritical revelation came from the documents that showed that the NSA is involved in economic espionage. The NSA targeted the Brazilian oil giant Petrobras, as well as other companies from Venezuela, Mexico, Canada, Norway, and Sweden for economic purposes, not terrorism.[1] In light of the recent U.S. Department of Justice (DOJ) indictments against five military Chinese hackers for conducting cyber economic espionage against the US,[17] this seems to be a little two-faced.

The Pro-surveillance Response: Discredit the Messenger

One thing that comes out loud and clear in this book is that Greenwald is acutely aware of the way the pro-surveillance side attempts to redirect the attention from the issue at hand. Instead of debating the merits of the American intelligence community spying on its own citizens, it first wants to flog Edward Snowden for breaking the law. It wants to criticize Greenwald for not being a great journalist. It accuses Snowden of running off to Taiwan and then to Russia to avoid incarceration as if that motive somehow weakens the revelation that the NSA collects all electronic communication, or at least as much as possible, from within the United States without a warrant. The pro-surveillance side says that if Snowden’s whistleblower attentions were so honorable, he would come back to the states to face the authorities. None of that matters, or if it did, it is at least secondary and causes confusion within the citizenry when we debate the topic: Should we sacrifice the tenants of the Fourth Amendment for the sake of a little more security?

The Pro-surveillance Response: If You Have Nothing to Hide, Then You Have Nothing to Worry about

Personally, I hate this argument. It is another misdirection by the pro-surveillance side and does not address the issue. What the pro-surveillance side wants you to think is that if you are a law-abiding citizen, then the only people who will be negatively impacted by mass surveillance are the criminals and the terrorists and all the rest of the bad people. According to Greenwald, 

“Governments have long convinced populations to turn a blind eye to oppressive conduct by leading citizens to believe, rightly or wrongly, that only certain marginalized people are targeted, and everyone else can acquiesce to or even support that oppression without fear that it will be applied to them.”[1]

In other words, this argument really implies that if a U.S. citizen completely conforms to the way the U.S. government wants you to think, then you are not at risk. The danger though is when an individual citizen starts to think that the U.S. government may not be doing the right thing and decides that he or she may want to speak out against it. There are plenty of examples of the U.S. government collecting intelligence on its citizens when leadership felt threatened by a dissenting voice: The FBI’s surveillance on Martin Luther King Jr.[18] and President Nixon’s Watergate operation[19] are just two famous examples. There are so many divisive issues in our culture today—gun control, abortion, universal healthcare, etc.—that there is no way that an individual citizen won’t be on the wrong end of an argument depending on who wins the next election. If your side loses, then you are no longer in conformance. In today’s technology terms, it is so easy to collect intelligence and discover dissenting voices that entire swatches of the population could be affected. This “if you have nothing to hide” argument is really not an argument about protecting us from the criminals; it is about suppressing dissenting voices, and that is scary.

The Pro-surveillance Response: Terrorism Is Scary

Greenwald makes the point that the U.S. government’s answer as to why it needs a mass surveillance program is that terrorism is scary.[1] I have worked for security vendors for the past decade, and I recognize this tactic. In the security space, we all recognize this as the fear, uncertainty, and doubt pitch. The idea is that we try to scare the hell out of you so that you buy our product. This is exactly what the U.S. government is doing here. When Greenwald asserts that the mass surveillance program has not stopped a single terrorist plot, the U.S. government has no answer other than that terrorism is scary.[1]

U.S. Hypocrisy

On 19 May 2014, the U.S. DOJ indicted five Chinese nationals for the crimes of “computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”[20][21] I attended a dinner of government officials in Washington, DC, just after the DOJ made this announcement, and of course the subject came up for discussion. I was struck by the hypocrisy of the announcement in light of the Snowden revelations and said so, but the government officials present drew the distinction between national security espionage and economic espionage claiming that the United States engages in only national security espionage while China engages in both. According to Fred Kaplan at Slate magazine, President Obama pushed this negotiating point with Chinese President Xi Jinping at a Summit in Palm Springs in 2013.[20] According to Greenwald, NSA spokespeople claim that the agency

“does engage in computer network exploitation but does ***not*** engage in economic espionage in any domain, including ‘cyber.’”[emphatic asterisks in the original][1]

I was stunned that American officials would draw that very thin line there, but Greenwald points out that there really is no line at all and uses more Snowden documents to prove it. In No Place to Hide, Greenwald says that the NSA intercepted communications on the Brazilian oil giant Petrobras and routinely collected information from various economic summits.[1][22]

James Lewis, famous analyst for the Center for Strategic and International Studies, says there is a distinction between collecting intelligence regarding international economic questions and sharing that intelligence with U.S. companies to improve their bottom line.[23] He says there are many reasons why the state may want to know about the economic situation regarding a certain country, but that does not mean that the government collects it with any eye toward giving American companies an advantage.[23] He says that the U.S. law called the Economic Espionage Act specifically gives the United States permission to collect on bribery and non-proliferation issues but nothing else.[23]

However, as Glyn Moody from TechDirt opines regarding the Petrobras revelations,

“Or, you know, it could provide US companies with insights about which were the best lots in the forthcoming auction of seabed areas for oil exploration, or about highly-specialized deep-sea oil extraction technology, in which Petrobas is a world leader. After all, why wouldn't the NSA drop some useful hints about such things to US companies as a way of justifying its huge budget?”[32]

I am not a foreign policy expert by any means, but I don’t see how pushing an obvious double standard in negotiations with the Chinese can bear any fruit. It is one thing to agree on what is out of bounds and what is in bounds in terms of acceptable cyber espionage on the world stage, but to formally indict five Chinese citizens for a crime that you are also perpetrating seems disingenuous at best and absolute hubris at worst.

The Argument against Mass Surveillance for Anti-terrorism

Greenwald cites five reasons why mass surveillance is a bad idea:

  1. The practice of mass surveillance is likely unconstitutional.[1][24]
  2. President Obama’s own review panel said that the metadata program was not essential to preventing terrorist attacks.[1][25]
  3. Mass surveillance collection, as opposed to targeted collection, makes finding terrorists more difficult.[1]
  4. Mass surveillance is a draconian reaction when you consider the statistically small chances that you will die from a terrorist attack.[1][26][27][28]
  5. Even if mass surveillance were necessary, allowing the government to do it without transparency is counter to the Founding Fathers’ design of the country.[1]

Unconstitutional

On 16 December 2013, U.S. District Judge Richard J. Leon ruled that the government did not make its case concerning the need for mass surveillance in order to protect against terrorism in a timely manner. According to Leon, 

“The Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time sensitive in nature… Thus, plaintiffs have a substantial likelihood of showing their privacy interests outweigh the Government’s interest in collecting and analyzing bulk telephony metadata and therefore the NSA’s bulk collection program is indeed unreasonable search under the Fourth Amendment.”[24]

Review Panel Conclusions

In the wake of the Snowden revelations, President Obama directed a review of the entire program on 27 August 2013. On 18 December 2013, the panel published its findings. [25] Panel members acknowledged that 

“In addressing these issues, the United States must pursue multiple and often competing goals at home and abroad.”[25]

The following are those goals:

  • Protecting the nation against threats to its national security. [25]
  • Promoting other national security and foreign policy interests. [25]
  • Protecting the right to privacy. [25]
  • Protecting democracy, civil liberties, and the rule of law. [25]
  • Promoting prosperity, security, and openness in a networked world. [25]
  • Protecting strategic alliances. [25]

With that said, the panel could not find any pressing need for the metadata collection program:

“Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.”[1][25]

Mass Surveillance Collection Makes Finding Terrorists More Difficult

Greenwald points to the NSA’s less-than-stellar record at preventing any number of terrorist plots in recent history:

  • The 2012 Boston Marathon bombing. [1]
  • The attempted Christmas Day bombing of a jetliner over Detroit. [1]
  • The plan to blow up Times Square. [1]
  • The plot to attack the New York City subway system. [1]
  • The string of mass shootings from Aurora to Newtown. [1]
  • Major international attacks from London to Mumbai to Madrid. [1]

He believes that the reason the record is so poor is that the actual collection of all of that data makes it harder to find and prevent terrorism activities compared to other more traditional law enforcement activities driven by warrants. 

Is Mass Surveillance Necessary to Solve a Statistically Small Risk

This is the classic risk equation that all security people are used to evaluating. Anybody can come up with a terrorism scenario that would be devastating to the country. As security professionals, our job is to evaluate these scenarios across a two-dimensional risk matrix. On the x-axis, we plot how likely is it that this scenario will actually happen from “not very likely” on the left to “will absolutely happen” on the right. On the y-axis, we plot how impactful the scenario is if it were to happen from “no impact” on the bottom to “will materially impact the country” on the top. None of us has unlimited resources. Because of that, we focus on the risks that end up in the up-and-to-the-right section on our risk matrix. These are the scenarios that are likely to happen and that will have a meaningful impact if they do. The fact is that for most terrorism scenarios, they tend to sit in the up-and-to-the-left section on the risk matrix. The chances of them happening are not too likely, but if they do, they will have a medium to large impact. 

These terrorism scenarios are outliers because they are not that likely to happen. According to Greenwald, 

“The number of people worldwide who are killed by Muslim-type terrorists, Al Qaeda wannabes, is maybe a few hundred outside of war zones. It’s basically the same number of people who die drowning in the bathtub each year.”[1]

Greenwald’s point is that we should seriously consider if we want to deconstruct the Fourth Amendment to protect ourselves from such an event, an event that is scary for sure, but an event that is not likely to happen.

Mass Surveillance without Transparency Is Counter to the Founding Fathers’ Design of the Country

There has always been a tension between national security and government transparency. James Madison -- one of the Founding Fathers and a primary contributor to the American Constitution -- believed that 

Transparency was an essential cornerstone of democratic governance. [29]

And Patrick Henry’s said that 

The liberties of a people never were, nor ever will be, secure when the transactions of their rulers may be concealed from them.[30]

Greenwald points out,

“Democracy requires accountability and consent of the governed, which is only possible if citizens know what is being done in their name. The presumption is that, with rare exception, they will know everything their political officials are doing, which is why they are called public servants, working in the public sector, in public service, for public agencies.”[1] 

The point is that whatever we as a nation decide is the legitimate use of the U.S. intelligence apparatus, we must also insist that the mechanical process of that apparatus be completely transparent to the American citizen.

Why the Leaks Were Good

Putting aside the issue of whether Edward Snowden is a hero or a criminal, Greenwald contends that his release of the Snowden documents to the public has far more positive impact to the United States and to the world at large than any negative consequences that may have occurred to the U.S. intelligence apparatus because of it. Greenwald lists the following positive outcomes from the Snowden leaks:

  • The entire world is debating the merits of the ubiquitous state surveillance, pervasive government secrecy, and the value of individual privacy.[1] 
  • The world is challenging America’s hegemonic control over the Internet.[1]
  • Journalists are reconsidering the proper role of journalism in relation to government power.[1]

Thoughts on Snowden

Throughout No Place to Hide, Greenwald presents a personality picture of Edward Snowden. Compared to Chelsey Manning,[31] the other notorious whistleblower in recent U.S. history, Snowden thought long and hard about what he was doing. He may have been naïve and uninformed, but Greenwald’s picture of him is of a person who has seen an egregious wrong, thought about what to do about it, considered the consequences for him and the nation, and executed a plan to try to create change. Greenwald quotes Snowden, 

“My sole motive is to inform the public as to that which is done in their name and that which is done against them. The U.S. government, in conspiracy with client states, chiefest among them the Five Eyes—the United Kingdom, Canada, Australia, and New Zealand—have inflicted upon the world a system of secret, pervasive surveillance from which there is no refuge. They protect their domestic systems from the oversight of citizenry through classification and lies, and shield themselves from outrage in the event of leaks by overemphasizing limited protections they choose to grant the governed.”[1]

“I’m not afraid of what will happen to me. I’ve accepted that my life will likely be over from my doing this. I’m at peace with that. I know it’s the right thing to do.”[1]

For all of the things he may be—traitor,[3] coward,[4] spy,[5] hacker, [6] low-level analyst,[7] insider threat[8]—Snowden is definitely a man of his own conviction. You may not agree with what he did, and you can point to his naiveté about the impact of what he did to the intelligence establishment, but he stood up for what he thought was right and decided to do something about it regardless of how that affected his own personal life.

The Solution

In No Place to Hide, Greenwald would prefer not letting the U.S. government spy at all, but he recognizes that is probably a bridge too far. In the meantime, he offers these four intermediate solutions that are not that unreasonable:

  • Enact legislation that will provide oversight, accountability and transparency for the entire intelligence community. [1]
  • Convert the FISA court into a transparent judicial system so that there is an adversarial relationship to both sides of the argument. [1]
  • Encourage international efforts to build new infrastructure so that all traffic does not go through the US. [1]
  • Encourage individuals to adopt COMSEC tools and demand that vendors make them easy to use. [1]

Conclusion

No Place to Hide is not what I would call rigorous reporting. Greenwald conveys what happened to him as he followed this story and thus became part of the story himself. As I sought to corroborate the details presented within, I found I had to go to other sources to fill in the gaps. 

That said, his telling of the story is important enough to the security community, the United States and to the world at large that I think it is required reading. He discusses everything from the Fourth Amendment and why it should be anathema to all American citizens to allow the government to spy on its communications without a warrant, to NSA programs and their scope, to the government’s justification of mass surveillance by attempting to discredit Snowden. He then lays out the arguments against mass surveillance without a warrant, describes why the world is better off today because of the Snowden leaks, and describes the detailed timeline from when Snowden initially contacted Greenwald to their meetings in Taiwan to Snowden’s eventual escape to Moscow. Finally, Greenwald describes his reasonable solution for the problem: better legislation to provide oversight, accountability and transparency for the entire intelligence community, convert the FISA court into a, adversarial judicial system, encourage international efforts to build new infrastructure so that all traffic does not go through the United States and finally, encourage individuals to adopt COMSEC tools so that all intelligence agencies have trouble intercepting communications.

Greenwald tries to present a lot of complicated material in No Place to Hide. He was not completely successful at doing so, but he is writing about the fundamental principles of how we want the United States to behave in the digital world. Governments have a lot of capability to present their side to this debate. Greenwald is one voice on the other side that has grabbed center stage because of his relationship with Edward Snowden. Because of that, we should pay attention to what he has to say. Despite the less–than-stellar prose, No Place to Hide is a cyber security canon candidate, and you should have read it by now. 

Sources

[1] “No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State,” by Glenn Greenwald, Published by Metropolitan Books, 13 May 2014, last visited 6 June 2014,

[2] “NSA collecting phone records of millions of Verizon customers daily,” by Glenn Greenwald, The Guardian, 6 June 2013, Last Visited 30 June 2014,

[3] “Congress Flips Out About 'Snowden The Traitor' As They Try To Pass Legislation To Stop The Program He Revealed,” by Mike Masnick, TechDirt, 5 Aug 2013, Last Visited 30 June 2014, 

[4] “INSIDE THE MIND OF EDWARD SNOWDEN,” by Tracy Connor, NBC News, 28 May 2014, Last Visited 14 June 2014,

[5] “Snowden: 'no relationship' with Russian government,” by Peter Cooney and Warren Strobel, Reuters, 29 May 2014, last visited 14 June 2014,

[6] “Edward Snowden's interview: 10 things we learned,” by Catherine E. Shoichet, CNN, 29 May 29 2014, last visited 14 June 2014,

[7] “Defending His Actions, Snowden Says He’s a Patriot,” by Elena Schneider and Steve Kenny, The New York Times, 28 May 2014, last visited 14 June 2014,

[8] “Federal agencies embrace new technology and strategies to find the enemy within,” by Christian Davenport, The Washington Post, 7 March 2014, last visited 14 June 2014,

[9] “Stephen Fry on surveillance: there is something squalid and rancid about being spied on - video,” by Stephen Fry, The Guardian, 7 June 2014, last visited 14 June 2014,

[10] “Munk Debate on State Surveillance: Greenwald/Ohanian vs Hayden/Dershowitz,” Munk Debates, Moderated by Rudyard Griffiths, 3 May 2014, last visited 14 June 2014,

[11] "The Taming of the Spook," by William Saletan, Slate, 1 July 2013, last visited 20 August 2013,

[12] “General Alexander at Black Hat 2013: Privacy vs. Security vs. Transparency,” by Rick Howard, Terebrate, 20 August 2013, last visited 11 June 2014,

[13] “Timeline of NSA Domestic Spying,” by the Electronic Frontier Foundation, last visited 20 August 2013,

[14] "Transcript: Newseum Special Program - NSA Surveillance Leaks: Facts and Fiction," by Harvey Rishik, Robert Litt, M.E (Spike) Bowman, Kate Martin, Gene Policinski, Ellen Shearer, Joel Brenner, and Stewart Baker, 26 June 2013, last visited 20 August 2013,

[15] "National Security Letters: A Little Less Secret?" by Alex Abdo (Staff Attorney, ACLU National Security Project) and Hannah Mercuris, Free Future: Protecting Civil Liberties in the Digital Age, 9 May 2012, last visited 20 August 2013,

[16] "A Review of the Federal Bureau of Investigation’s Use of National Security Letters," by the U.S. Department of Justice, Office of the Inspector General, March 2007, last visited 20 August 2013,

[17] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” the Department of Justice, 19 May 2014, last visited 18 June 2014,

[18] “FBI tracked King's every move,” by Jen Christensen, CNN, 29 December 2008, last visited 16 June 2014,

[19] “The Watergate Story,” by The Washington Post, last visited 16 June 2014,

[20] “Why Did the Justice Department Indict Five Chinese Military Officers?” by Fred Kaplan, Slate magazine, 21 May 2014, last visited 16 June 2014,

[21] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” by the Office of Public Affairs, the United States Department of Justice, 19 May 2014, last visited 16 June 2014,

[22] “NSA accused of spying on Brazilian oil company Petrobras,” by Jonathan Watts, The Guardian, 9 September 2013, last visited 16 June 2014,

[23] “U.S. Policy on Economic Espionage,” by James Andrew Lewis, Center for Strategic and International Studies, 7 December 2011, last visited 18 June 2014,

[24] “Civil Action No. 13-0851,” by U.S. District Judge Richard J. Leon, U.S. District Court for the District of Colombia, 16 December 2013, last visited 17 June 2014,

[25] “LIBERTY AND SECURITY IN A CHANGING WORLD: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies,” by Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, and Peter Swire, the White House, 12 December 2013, last visited 17 June 2014,

[26] “The Black Swan: The Impact of the Highly Improbable,” by Nassim Nicholas Taleb, Random House, 22 April 2007, last visited 17 June 2014, 

[27] “Terrorism Deaths, Injuries, Kidnappings of Private U.S. Citizens, 2011,” by the U.S. Department of State, 31 July 2012, last visited 17 June 2012,

[28] “You’re More Likely to be Killed by a Toddler than a Terrorist,” by Washington’s Blog, 12 June 2013, last visited 17 June 2014,

[29] “Government Transparency and Secrecy: An Examination of Meaning and Its Use in the Executive Branch,” by Wendy Ginsberg, Maeve P. Carey, L. Elaine Halchin, and Natalie Keegan, Congressional Research Service, 14 November 2012, last visited 18 June 2014,

[30] “Government transparency directly related to our liberty,” by James Zachary, transparency project of georgia, 16 April 2014, last visited 18 June 2014,

[31] “Bradley Manning Uncovered U.S. Torture, Abuse, Soldiers Laughing As They Killed Innocent Civilians,” by Matt Sledge, The Huffington Post, 21 August 2013, last visited 18 June 2014,

[32] “Latest Leak Shows NSA Engaging In Economic Espionage -- Not Fighting Terrorism,” by Glyn Moody, TechDirt, 9 September 2013, last visited 18 June 2014,

References

“A Guide To The Career Of Edward Snowden,” by Eric Lach, TPM, 20 June 2013, last visited 14 June 2014,

“Cryptocat,” by Arlo Breault, Dmitry Chestnykh, David Dahl, Daniel "koolfy" Faucon, Andreas "Gordin" Guth, Frederic Jacobs, Nadim Kobeissi, last visited 18 June 2014,

“Edward Snowden: A Timeline,” by Matthew Cole And Mike Brunker, NBC News, May 2014, last visited 14 June 2014,

“Edward Snowden timeline of events,” by the Associated Press, Politico, 1 August 2013, last visited 14 June 2014,

“Espionage and Covert Operations: A Global History” (24 lectures recorded course), Chantilly, VA: The Great Courses, 2011. 

“NSA collecting phone records of millions of Verizon customers daily,” by Glenn Greenwald, The Guardian, 5 June 2013, last visited 14 June 2014,

“Officials’ defenses of NSA phone program may be unraveling,” by Greg Miller and Ellen Nakashima, The Washington Post, 19 December 2013, last visited 16 June 2014,

“Off-the-Record Messaging,” by Ian Goldberg, OTR Development Team, Last Updated 28 September 2013, last visited 18 June 2014,

“September 11 Anniversary Fast Facts,” by CNN Library, CNN, 11 September 2013, last visited 11 June 2014,

“Snowden's Army record: short,” by Tom Vanden Brook, USA TODAY, 10 June 2013, last visited 14 June 2014,

“Snowden's Instruction PGP video to GGreenwald,” by TheDigitalfolklore, YouTube, 14 May 2014, last visited 18 June 2014,

“The Newsroom finale 1x10 - The Greater Fool speech,” by Sloan Sabbath (Olivia Munn), written by Aaron Sorkin, HBO, 26 August 2012, last visited 7 June 2014,

“Timeline of Edward Snowden's revelations,” by Joshua Eaton, Aljazeera America, last visited 14 June 2014,

Thursday, May 22, 2014

Memorial Day

Memorial Day this year is on 26 May and is observed in the United States on the last Monday of May. I wrote this essay back in 2000 when I was stationed at the Pentagon; before the madness of 9/11 kicked in and long before our country committed its military to over a decade of war. I like to re-read it every Memorial Day to remind myself of the staggering number of US soldiers (over 6,650) and US civilians (over 3000) [2] that have died since then in Iraq and Afghanistan, that we still have soldiers and civilians in harms way there, and that they will be there for days to come [3][4].

As these courageous men and women have come back home, I fear the country cannot fathom the sacrifices these people, and their families, have made for us and the troubles they yet face as they try to re-integrate back into society. 

That would be worry enough. 

But when I consider the latest revelations [5] about how the United States Department of Veteran’s Affairs has been breaking our country’s sacred promise to these damaged souls – the best of all of us really– I cannot hold back the tears of shame and sorrow and rage. 

Please keep them in your thoughts. Write to your senators and congressmen to express your disapproval. More importantly, give these brave soldiers (military and civilians) and their loved ones a hand if you get the opportunity.

Reborn at Arlington

1500 US Army soldiers stood on the misty parade field at Fort Meyer waiting for the sun to rise. The leadership had scheduled another morale building yet mandated "fun run" wherein once a quarter, the entire unit comes together to do PT (Physical Training) in a show of Esprit de Corp and cohesion. Since we were all stationed at the Pentagon, many of us were fairly senior, a little broken down in the body department, and had seen our fair share of these types of events. Still, there we were, at the twilight of our careers huddled in small groups during the dawn of one more PT morning. 

Of course, there was the usual grumbling between the older soldiers; asking one another if we were motivated yet and if we had a cup of Esprit De Corps to spare. But there was a sprinkling of young soldiers among us too and their shiny new faces kept us old timers from getting too cynical and fussy.

As the sun poked up above the horizon, the Army's Command Sergeant Major called the gaggle to attention and the formation began to run. The Non-Commissioned Officers (NCOs) led the assemblage in rousing voice and extolled the virtues of Granny[6], My Girl [7] and the C-130 [8]. Below the roar of the singing, just in the background, you could hear the footsteps of the 1500 strong pounding the pavement in syncopated rhythm.

The formation crested the hill overlooking Arlington Cemetery and the vista of Washington DC opened up to us. The Army Colors, at the front of the formation, started their decent towards the cemetery just as the sun had risen to about the same height as the Washington Monument several miles distant. And still the singing and the pounding drove the formation as it snaked down the hill towards the gates of the National Cemetery.

The colors passed into the cemetery and, like a line of dominoes falling, the singing faded away. One platoon after the other fell silent in mute honor of our fallen comrades-in-arms laid to rest in Arlington. As the voices died down, the only sound you could hear was the constant beat, beat, beat of the run and the Army colors whipping in the slight breeze. Nobody spoke except for the occasional NCO keeping everybody in step with a solid, but not too loud, 1 - 2 - 3 - 4, 1 -2 - 3 - 4. It was serene. It was sublime.

Midway through the run, the Sergeant Major called the formation to a halt and commanded us to right-face towards the middle of the cemetery. The rising sun burned off the last vestiges of mist from the manicured lawns. The breeze trickled through the formation’s silence and the Army Colors at the front. And then we all heard it; that mournful sound of a single bugler playing Taps. [9] It has been my experience that all military buglers start low at first; almost whispering the sound through the horn. Then they crescendo the tune to wrap the listener into a cocoon of sadness, memory and a sense about lives that could have been. On that misty morning, many soldiers young and old could not stop the tears from falling onto their cheeks.

A chill went down my back as it occurred to me that we were not merely taking a morning jog anymore. We were actually passing in review. These fallen soldiers who performed the ultimate sacrifice for their country were watching us and sizing us up. I hoped that we could pass muster. I had this great desire to let them know that we had the guide-on now and it was in good hands. We would not let them down. I stood a little taller then and the burden of running was a little lighter.

As the 1500 boarded the buses to head back to the Pentagon, I realized that this old soldier was less cynical today; less worn for wear. Although I may not have the shiny face of one of those new soldiers, I was reborn this morning. Together, both old and young, we will carry on.

Sources:

[1] “2013 in photos: the year in news,” PHOTO BY MANUEL BALCE CENETA, ASSOCIATED PRESS, Last Visited 22 May 2014

[2] “US and Allied Killed,” Neta C. Crawford and Catherine Lutz, Costs of War Project, Watson Institute, Brown University, March 2013, Last Visited 22 May 2014,

[3] “US Assisting Iraq in Fight Against Al Qaeda 2 Years After Troops Withdraw,” by Martha Raddatz and Luis Martinez, ABC News, 23 January 2014, Last Visited 22 May 2014, 

[4] “How many U.S. troops are still in Afghanistan?” CBS News, 9 January 2014, Last Visited 22 May 2014, 

[5] “Shinseki in Line of Fire, From the Chief: V.A. Secretary Criticized on Hospital Scandal,” by SHERYL GAY STOLBERG and MICHAEL D. SHEAR, NYTs, 21 May 2014, Last Visited 22 May 2014,

[6] "Army Cadence - My Old Granny, She's 91," 19 September 2008, Last Visited 22 May 2014,
http://www.youtube.com/watch?v=upw7zz0UiqE

[7] "C-130 Rollin' Down The Strip," 20 May 2007, Last Visited 22 May 2014

[8] "U.S. Army Cadence My Girls A Pretty Girl," 14 July 2008, Last Visited 22 May 2014

[9] “Montgomery clift trumpet,” From Here to Eternity, Posted 12 March 2007, Last Visited 22 May 2014,

Monday, May 5, 2014

Book Review: Secrets and Lies: Digital Security in a Networked World (2000) by Bruce Schneier

Executive Summary

Secrets and Lies: Digital Security in a Networked World is the perfect book to hand to new bosses or new employees coming in the door who have not been exposed to cyber security in their past lives. It is also the perfect book for seasoned security practitioners who want an overview of the key issues facing our community today. Schneier wrote it more than a decade ago, but its ideas still resonate. He talks about the idea that “security is a process, not a product.” With that one line, Schneier captures the essence of what our cyber security community should be about. He explains that even though we have advanced technology designed to specifically find cyber break-ins, people are the still the weakest link. He describes how cyber risk is not a special category. It is just another risk to the business. He highlights the ludicrous idea that software vendors have no liability or selling buggy code, and he was one of the first thought leaders to characterize the adversary as something more than just a hacker. He makes the case for things that the cyber security community still needs in order to make the Internet more secure, things like strengthening confidentiality, integrity, and availability (CIA); improving Internet privacy and Internet anonymity; and challenging the idea that security practitioners must make the Sophie’s Choice between better security or more privacy in terms of government surveillance. Finally, he anticipates the need for a Bitcoin-like capability long before Bitcoin became popular. The content within Secrets and Lies is a good introduction to the cyber security community, and Schneier tells the story well. Because of that, Secrets and Lies is candidate for the cyber security canon, and you should have read it by now.

Introduction

Full disclosure: The first civilian job I took after I retired from the US Army was with the company that Bruce Schneier founded called Counterpane. I may be a little biased. One of the main reasons I took that job was his book Secrets and Lies.[1] When I read it (2003), it was a revelation to me. His quote “security is a process, not a product” was like manna from the gods. At that point in my security career, I had not considered that. And from what I have seen in the cyber security community, many of us have not yet leaned that point. 

When I started putting the cyber security canon series[2] together this past year, I always intended to include Schneier’s book, but as the year progressed, I did not have time to reread it in time for the presentation I gave at the RSA conference in February.[3] The first question I got after giving the presentation was, why isn’t Secrets and Lies in the candidate list? Sheepishly, I admitted that it should be and resolved to get it on the list as soon as possible.

The Story

Secrets and Lies demonstrates Schneier’s evolution as an early thought leader in the cyber security community and outlines some key concepts that are still valid today.

Security Is A Process

In the preface, Schneier freely admits to thinking in his earlier life that cryptology would solve all of our Internet security problems.[1] He even wrote a book about it in 1995 called Applied Cryptography: Protocols, Algorithms, and Source Code in C.[4] In Secrets and Lies, however, he is forced to acknowledge upfront that technology by itself does not even come close to solving these problems.[1] You do not get security out of a box. You get security by applying people, process, and technology to a problem set,[1] and the more complex we make things, the more likely it is that we are going to screw up the process.[1] 

People Are the Weakest Link

The weak link in all of this is the people.[1] You can have the best tools on the planet configured to defend your enterprise, but if you do not have the qualified people to maintain them and to understand what the tools are telling you, you have probably wasted your money. This goes hand in hand with the user community too. It does not matter that I spent a gazillion dollars on Internet security this year if the least-security-savvy people on your staff take their laptops home and unwittingly install malcode on their machines.

Risk

Cyber security is not special in terms of the overall business need. You do not have cyber risk. You have risk.[1] What I have noticed in my career is that many security -practitioners and senior-level company leaders do not understand this concept. Many organizations treat “cyber risk” as a thing unto itself and throw the responsibility for it over to the “IT guys” or to the “security dorks.” Company leaders tend not to consider “cyber risk” like other risks to the business, or if they do, they do not give it a lot of thought. In my mind, this is one of our community’s great failures. It is up to all of us to convey that essential idea to senior leadership in our organizations. 

Software Liability

Every new piece of software deployed has the likely potential to expose additional threats to the enterprise in terms of new vulnerabilities, and vendors have no liability for this.[1] In other industries, if a vendor were to produce a defective product that causes monetary damage to a company, that company would most likely sue that vendor with a high probability of success in court. It is not like that in the commercial software business or even in the open-source movement. Vendors will patch their systems for sure, but they accept no responsibility for, let’s say, hackers stealing 400 million credit cards from the Target retail chain.[5] Schneier is aghast at this development that the user community has let vendors get away with this stance.[1] 

Adversary Motivations

Secrets and Lies was the first time that I had seen an author characterize the adversary as a person or a group with motives and aspirations.

“Adversaries have varying objectives: raw damage, financial gain, information, and so on. This is important. The objectives of an industrial spy are different from the objectives of an organized-crime syndicate, and the countermeasures that stop the former might not even faze the latter. Understanding the objectives of likely attackers is the first step toward figuring out what countermeasures are going to be effective.”[1]

This was another revelation to me. At this point in my career when I first read the book, I did not put much thought into the adversaries at all except that they were “hackers” and were trying to steal my stuff. This is Schneier’s first cut of a complete adversary list:
  • Hackers
  • Lone Criminals
  • Malicious Insiders
  • Industrial Espionage Actors
  • Press
  • Organized Criminals
  • Police
  • Terrorists
  • National Intelligence Organizations
  • Info warriors

In my work, I have found it useful to refine Schneier’s list of people into the following adversary motivations:
  • Cyber Crime
  • Cyber Espionage
  • Cyber Warfare
  • Cyber Hactivism
  • Cyber Terrorism
  • Cyber Mischief

The bottom line is that these adversaries have a purpose, and it helps network defenders if they understand what kind of adversaries are likely to attack the defender’s assets.

Things Stay the Same

Sadly, even though Schneier published Secrets and Lies in 2000, all of these things are still true, and there is no real solution is sight. Many organizations still think that installing the latest shiny security toy to hit the market will make their networks more secure. They don’t stop to think that they might be better off if they just made sure that the toys they already have installed on their network worked correctly. 

People are still the weak link both in the security operations center (SOC) and in the general user community. As I have written elsewhere, talented SOC people are hard to come by,[6] and many organizations still spend resources on robust employee-training programs, but the results are mixed at best.[7][8][9] 

CISOs are still struggling to convey the security risk message to the C-Suite.[10][11] Most of us came up through the technical ranks and think colorful bar charts about the numbers of systems that have been patched are pretty cool. The CEO couldn’t care less about those charts and instead wants to know what the charts mean in terms of material risk to the business. 

Finally, software vendors still have no liability when it comes to deploying faulty software that results in monetary loss to a customer. This just seems to be something we have all accepted, that it is much better to build a working piece of code first and then worry how to secure it later. I know the entrepreneurs in the crowd prefer this method because the alternative slows the economic engine down if developers spend time adding security features to a new product that derives no immediate revenue opportunities. But this is the great embarrassment to the computer science field: we have not eradicated bugs like buffer overflows in modern code. How is it possible that we can send people to the moon but we cannot eliminate buffer overflows in code development? Don’t get me wrong; the industry has made great strides in developing tools and techniques in these areas—just look at the Building Security in Maturity Model (BSIMM) project to see for yourself[12]— but the fact that, as a cyber security community, we have not made it mandatory to use these techniques is one of the reasons we are just a field of study and not a profession like, say, civil engineering. 

What We Need

In the end, Schneier makes the case for things that the cyber security community needs in order to make the Internet more secure. Long before the acronym became a staple on Certified Information Systems Security Professional (CISSP) exams, he advocated the need to strengthen confidentiality, integrity, and availability (CIA). He does not call it CIA in the book, but he talks at length about the concepts. He was prescient in his emphasis on the need for Internet privacy and Internet anonymity and was one of the first thought leaders to start asking the question about security versus privacy in terms of government surveillance. He also anticipated the need for a Bitcoin-like capability[13] long before Bitcoin became popular.[1] 

The Tech

Unfortunately, when you begin to write a technology book about the current state of the art surrounding cyber security, much of what you write about is already outdated as you go to press. As I was rereading Schneier’s book, I chuckled to myself when he referenced his blindingly fast Pentium III machines[14] running Windows NT.[15] Today, the Pentium III S 1400MHz scores a whopping .311 on the PassMark CPU benchmark scale compared to 13.304 for the latest Intel-Core I-7 4930K @ 3.40 GHz. That is MHz compared to GHz.[16] The world has indeed changed.

Firewalls Are Not Enough

Schneier wrote Secrets and Lies at the time when the industry had just accepted that a stateful inspection firewall was not sufficient to secure the enterprise. 

“Today’s firewalls have to deal with multimedia traffic, downloadable programs, Java Applets, and all sorts of weird things. A Firewall has to make decisions with only partial information: It might have to decide whether or not to let a packet through before seeing all the packets in transmission.”[1]

Besides firewalls, he describes other controls that the cyber security community has decided are necessary to secure the perimeter, such as demilitarized zones (DMZs),[17] virtual private networks (VPNs),[18] application gateways,[19] intrusion detection systems,[20] honeypots,[21] vulnerability scanners,[22] and email security.[23][1] Since the book’s publication, security vendors have added even more tools to this conga line, tools like URL filters,[24] Domain Name System (DNS) monitoring,[25] sandboxing technology,[26] security incident and event management systems (SIEMS),[27] and protocol capture and analysis tools.[28]

As of right now, May 2014, the cyber security community is mounting a bit of a backlash against the vendor community’s conga line strategy. Practitioners simply can’t manage it all. The best and most recent example of this is the Target data breach.[5] Like the rest of us, the Target security team installed the conga line of security products and even had a dedicated SOC to monitor them. The controls dutifully alerted the SOC that a breach was in progress but there was so much noise in the system (and perhaps Target’s process was not as efficient as it could be) that nobody in the organization reacted to the breach until it was too late.[5] Because of this kind of situation, many organizations are looking for simpler solutions rather than continuing to add new tools to the security stack.

Cryptology

According to Schneier, underlying everything is cryptology. As you would expect from a cryptologist, Schneier believes that his field of study is the linchpin of the entire idea of Internet security.

“Cryptography is pretty amazing. On one level, it’s a bunch of complicated mathematics. On another level, cryptography is a core technology of cyberspace. In order to understand security in cyberspace, you need to understand cryptography. You don’t have to understand the math, but you have to understand its ramifications. You need to know what cryptography can do, and more importantly, what cryptography cannot do.”[1] 

I agree. (Note: The difference between the terms cryptography, cryptanalysis, cryptology, and cryptologist is left as an exercise for the reader.[29]) I would say that the cyber security community has failed in this regard since Schneier published Secrets and Lies. While it is true that cryptography is the underlying technology that makes it possible to secure the Internet, it is still too complicated for the general user to leverage. In light of the Edward Snowden revelations[30]—that we not only have to worry about foreign governments spying on our electronic transmissions, but we also have to worry about our own government doing it—the fact that most people do not know how to encrypt their own email messages as a matter of course is a testament to our industry’s failure.

Kill Chain

Schneier makes a distinction between computer and network security,[1] that the conga line of security tools that make up the security stack at the network perimeter is not the same as the set of tools you need to secure the endpoint. While this is still true today, the cyber security community has merged these two ideas together since Schneier’s book was published. The thought is that it does not make sense to consider network and endpoint security separately; it makes more sense to think of everything as a system. As organizations develop indicators of compromise at both the network layer and the endpoint layer, essentially the Kill Chain model,[31] the cyber security community can develop advanced adversary profiles about the attacker’s campaign plan.

Conclusion

I have always considered Secrets and Lies the perfect book to hand to new bosses or new employees coming in the door who have not been exposed to cyber security in their past lives. However, when I decided to reread this book for possible inclusion in the candidate list for the cyber security canon, I was worried that it would be dated, that the ideas I was so enamored with more than a decade ago would look a little long in the tooth today. That could not be further from the truth. Schneier explains, in easy-to-understand language, just exactly what the cyber security landscape looked like more than 10 years ago. Remarkably, the landscape is still consistent with this view, and we are still struggling with many of the same issues today. The subtitle to his book should be, “Security is a process, not a product.” With that one line, Schneier captures the essence of what our cyber security community should be about. The content within Secrets and Lies is a good introduction to the cyber security community, and Schneier tells the story well. It is a candidate for the cyber security canon, and you should have read it by now.

Sources

[1] “Secrets and Lies: Digital Security in a Networked World,” by Bruce Schneier, John Wiley & Sons, 2000, last visited 7 April 2014,

[2] “Books You Should Have Read by Now,” by Rick Howard, Terebrate, 16 February 2014, last visited 7 April 2014, 

[3] “Cyber Security Canon: You Should Have Read These Books by Now,” by Rick Howard, RSA Conference, 24 February 2014, last visited 26 April 2014, 

[4] “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” by Bruce Schneier, John Wiley & Sons, 1993, last visited 24 April 2014,

[5] “A First Look at the Target Intrusion, Malware,” by Brian Krebs, KrebsOnSecurity, 14 January 2014, last visited 25 April 2014,

[6] “Top 5 skills needed for a SOC analyst,” by Rick Howard, CSO Online, 10 March 2014, last visited 25 April 2014,

[7] “Why you shouldn't train employees for security awareness,” by Dave Aitel, CSO Online, 18 July 2012, last visited 25 April 2014,

[8] “Is Data Security Awareness Training Effective?” by Daniel Solove, LinkedIn, 18 February 2014, last visited 25 April 2014,

[9] “Measuring the Effectiveness of Your Security Awareness Program,” by John Schroeter, CIO, 12 February 2014, last visited 25 April 2014,

[10] “Cybersecurity is for the C-suite, 'not just the IT crowd,’” by Clay Dillow, CNNMoney, 6 January 2014, last visited 25 April 2014,

[11] “Using Cyber-Attacks for C-Suite Buy-In,” by Jeffrey Roman, BankInfoSecurity, 29 March 2013, last visited 25 April 2014,

[12] “BSIMM Advancing Software Security,” by Ann All, eSecurityPlanet, 20 October 2013, last visited 25 April 2014, 

[13] “What is Bitcoin?” by Tal Yellin, Dominic Aratari, and Jose Pagliery, CNNMoney, last visited 26 April 2014,

[14] “Intel Pentium III processor families,” by CPU World, 28 March 2014, last visited 10 April 2014,

[15] “Windows NT: Remember Microsoft's almost perfect 20-year-old?” by Andrew Orlowski, The Register, 20 August 2013, last visited 10 April 2014, 

[16] “CPU Benchmarks: Over 600,000 CPUs Benchmarked,” by Passmark Software, 2014, last visited 10 April 2014,

[17] “DMZ - Demilitarized Zone,” by Bradley Mitchell, About.com, last visited 25 April 2014,

[18] “What Is a VPN: VPN Solutions and Key Features?” by Bradley Mitchell About.com, last visited 25 April 2014,

[19] “Application Gateway,” by Cory Janssen, technopedia, last visited 25 April 2014,

[20] “Intrusion Detection System - IDS Technology and Deployment,” by Palo Alto Networks, last visited 25 April 2014,

[21] “Intrusion Detection FAQ: What is a Honeypot: Honey Pot Systems Explained?” by Loras R. Even, SANS, 12 July 2000, last visited 25 April 2014,

[22] “Vulnerability Scanning for Business,” by Brian Robinson, ITSecurity, last visited 25 April 2014,

[23] “Email security – Essential Guide,” by Arif Mohamed, ComputerWeekly.com, last visited 25 April 2014,

[24] “Control Web Activity with URL Filtering,” by Palo Alto Networks, last visited 25 April 2014,

[25] “APT Prevention: WildFire: Protection from targeted and unknown threats,” by Palo Alto Networks, last visited 25 April 2014,

[26] “Malware-detecting 'sandboxing' technology no silver bullet,” by Ellen Messmer, Network World, 26 March 2013, last visited 25 April 2014,

[27] “Security Incident and Event Management (SIEM),” by technopedia, last visited 25 April 2014,

[28] “Hackers Techniques, Tools, and Incident Handling: Lab 4,” by poplynnsho, StudyMode, July 2013, last visited 25 April 2014,

[29] “Cryptography vs Cryptanalysis vs Cryptology…” by Nick Pelling, Cipher Mysteries, 3 February 2009, last visited 26 April 2014,

[30] “Edward Snowden: the whistleblower behind the NSA surveillance revelations,” by Glenn Greenwald, Ewen MacAskill, and Laura Poitras, The Guardian, 9 June 2013, last visited 26 April 2014,

[31] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, Lockheed Martin Corporation, Presented at the 6th International Conference on Information Warfare and Security, The George Washington University, Washington, DC, 17-18 March 2011. Last visited 26 April 2014,
http://academic-conferences.org/pdfs/ICIW_2011-book.pdf

References

“Book Review - Secrets and Lies: Digital Security in a Networked World,” by Elaine Ah Chin Kow, Xceed, 8 November 2013, last visited 7 April 2014,

“Secrets and Lies: Digital Security in a Networked World Bruce - Schneier - John Wiley 2000 - A book review,” by Danny Yee, Danny Yee's Book Reviews, 2000, last visited 7 April 2014,

“Secrets and Lies: Digital Security in a Networked World by Bruce Schneier - 430 pages, ISBN 0-471-25311-1, Wiley, New York, 2000 - www.wiley.com,” by J. M. Haile, Macatea Productions, 12 October 2006, last visited 7 April 2014,

“Secrets & Lies: Digital Security In A Networked World,” by Jeff "hemos" Bates, Slashdot, 19 September 2000, last visited 7 April 2014

“Title: Secrets and Lies: Digital Security in a Networked World- Author: Bruce Schneier - Publisher: Wiley - Publication Date: August 2000 - Pages: 412,” by Shuang-lin Lee, Information Security (INLS187), last visited 7 April 2014,