To the security professionals facing difficulties getting an entry level job, being properly resourced, facing internal policy issues, being beaten down by competing frameworks/guidance/advice even from USG...the “if NSA could monitor your networks we’d fix it” is insulting.
I really do like the NSA; having served there I know the amazing work they do. I’m also a privacy advocate, as many there are. There are real roles and responsibilities for government to help the private sector. More surveillance isn’t the answer. Actually, there is no one answer.
When you’re in USG (NSA/DHS/DOD/etc.) you hear that people need help. You have insights and training. You want to help. It’s awesome. But the problems aren’t that simple. You also see rising threats but don’t see the closure that happens inside those companies. It creates angst.
There are really important government-led changes needed. But there’s also board- and CEO-level management of risk needed. No government can scale to these problems. No company can. You have to build and incentivize an ecosystem-wide approach.
You have *the* answer? How does it scale to 55,000 water companies, to start with, most of which don’t have an IT person, let alone a security team? That’s just one sector. NSA would love, out of good intentions, to monitor US infrastructure. It won’t put a dent in cybersecurity.
What I’d love to see is clear communication from government at CEO level on what they want private sector companies to do and invest in. Then for USG to focus on USG mission space. Our weapon systems, federally owned infrastructure, government networks, etc. are not consistent.
USG needs to fix USG mission space. Then tell everyone loudly what worked and didn’t work for them. Share insights. But when you have SolarWinds in USG, OPM, etc. please don’t tell others you can help them with the same problems you don’t have under control.
I’m a huge fan of CISA. I agree with @C_C_Krebs testimony recently on making CISA the federal CISO. Give them the resourcing *and* authorities to hunt and enact change across USG mission space. Tons of national security impacting work to be done.
When there’s a short-term mission set to pick up (e.g. election security), go for it and help. But long-term mission sets you must be careful on. If you say “I’ve got the ball” you’ve got to have it. Others will stop investing. And frankly there’s too much work in USG for much else.
NSA has important Title 50 missions. Candidly I think CYBERCOM and NSA should split. And we should keep NSA focused on the amazing SIGINT work it does and out of domestic cybersecurity. To all my govt peers I know this isn’t easy stuff.
For national security needs - not cybersecurity needs - USG wants to know certain things like how wide-impacting a threat is, whether the entities know about it, etc. That can be solved for separately but shouldn’t be conflated with “we’re doing this to help make you cyber safe.”