Saturday, November 23, 2024

What Can We Learn from Ronald Reagan About DevSecOps?

On June 4, 1983, President Ronald Reagan was relaxing at Camp David while watching a movie. The film, which had just been released that weekend, left Reagan so rankled and rattled he felt compelled to bring it to the attention of the National Security Council at a meeting the following Monday. “Have any of you seen this movie?” he asked the assembled experts. No one had, so the Hollywood veteran recounted the provocative plot.

WarGames tells the tale of a High School hacker who finds his way into the intercontinental ballistic missile systems at NORAD.  The tech-wiz teen, played by Matthew Broderick, challenges the computer to a contest (“Shall we play a game?”). After a bit of back-and-forth, Broderick settles on a diversion that sounds like it could be some fun: Global Thermonuclear War. The plot begins to thicken when the Artificial Intelligence based system, Joshua (nee WOPR), takes things a bit further than expected, bringing the world to the brink of Nuclear Armageddon.

When Reagan asked the assembled experts on that Monday morning if something like that could really happen – if a hacker could crack into our military systems – General John Vessey, Chairman of the Joint Chiefs of Staff (in what was likely just an effort to placate the President) promised he would look into it.

A week later General Vessey reported to Reagan on what he had found: “Mr. President, the problem is much worse than you think.”

That conversation led to a frantic series of meetings, memos, conferences, and conversations that ultimately resulted in NSDD-145, which Reagan signed as an Executive Order on September 17, 1984. That simple 11-page document, titled National Policy on Telecommunications and Automated Information System Security, proved to be as prescient as it was disturbing in noting:

Telecommunications and automated information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the hostile intelligence threat. The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements. Government systems as well as those which process the private or proprietary information of US persons and businesses can become targets for foreign exploitation.

Four years after watching WarGames, almost to the day, Reagan was in West Germany, standing in front of the Brandenburg Gate on June 12, 1987. He was there to challenge the General Secretary of the Communist Party of the Soviet Union with his now iconic entreaty: “Mr. Gorbachev, tear down this wall!”

881 days later, chunks from the physical manifestation of the Iron Curtain that Winston Churchill had forewarned would descend across Europe – that totem of totalitarianism that separated East and West Berlin for 28 years – were being sold as souvenirs. Lesson Learned: Walls Fall.

Just a year after Reagan called out communism and the Berlin Wall came tumbling down, in October of 1988, The Gipper found himself having to call for yet another wall to be torn down. More precisely, he ordered the destruction of all four walls, the basement, the roof, and every bit, brick and stick of the still unfinished US Embassy in Moscow.

Why? Because in the course of construction US inspectors had found that so many listening devices had been embedded into the structure that the only way to secure the building was to tear it down and start over. What was to have been the base of a diplomatic tightrope strung between the US and USSR to navigate the Cold War ended up as a crime of inattention that cost American taxpayers an additional $270 million ($626M in 2021, adjusted for inflation).

Adding insult to injury, Victor Sheymov – a Soviet KGB Major and American spy – told his CIA debriefers in May 1980, just shortly after construction of the embassy began, “you won’t have a single secret in that building.” The KGB, he told them, “Was going to make the building itself a giant system of sensors that could pick up virtually anything inside the building.”

As Ronnie was wrestling with the threats posed by the Soviet Union and cybersecurity, a new industry and accompanying ethos of open-source computer programming was exploding in the President’s home State of California. And the culture of openness that took hold there has never let go. From the beginning, the very first generations of Developers were solely concerned with efficiencies; not with security. What is now known as the Open-Source Ethos continues to be the predominant paradigm that prevails among Coders all around the world.

Open-Source culture inexorably embraces openness, abjures standardization, and prizes transparency, collaboration, community, rapid prototyping, and iterative releases. The “Open-Source Way” embraces inclusiveness and is based on a basic belief that good ideas can come from anywhere; both within and beyond one’s own organization. In short, the OS mindset is exactly antithetic to most of the best practices that lend to effective DevSecOps: The integration of security as a shared responsibility throughout the entire IT lifecycle.

So, how do these tales about a past president intersect and what lessons do they leave us with?

While the US, at Reagan’s behest, began to take cybersecurity seriously beginning in the 1980s, all efforts were then – and have been, since focused on efforts to thwart incursions. Until recently, nearly all cyber defense focused on walls; firewalls, to be specific, and the subsequent focus on trying to keep hackers out. But what do you do if a hacker gets through? Well, for the most part… you’re screwed.

This myopic focus on firewalls would be analogous to what would have happened had Reagan ordered our Russian Embassy to counter the threats that had already been integrated into the building by ordering a more fortified fence.

While a drawbridge, thick wooden doors, and an alligator-filled moat can do wonders to slow down the storming hordes, what do you do when they get through?

You cannot rely on just having bigger barriers or  brawnier bouncers at the door. And simply ordering Coders to take DevSecOps seriously is about as effective as Nancy’s advice to just tell kids to “Just Say No”.

To be effective, DevSecOps tools, tactics, techniques, and technologies need to be incorporated, integrated, and instantiated into your workflow – seamlessly, frictionlessly, nearly invisibly – as the code is being developed and compiled.

Most CISOs still spend most of their time and budget building stronger and stronger firewalls, or SIEMS to tell you when bad guys may be trying to sneak in through the window. A few now also include forensic tools to investigate what happened after cyber crimes have occurred. Having the cyber equivalent of a Video Doorbell without also having motion detectors to catch crooks is a sure recipe for disaster. The only truly effective strategy is to monitor your code at the code-level, simultaneously and continuously.

The time to catch cyber-crooks is not just before or after an incursion occurs – it’s also while they’re in the act.

………………………………………………

Dr. JT Kostman is a Data Scientist, Mathematician, and Psychologist. You can learn more about how he helps organizations Stay Cyber Safe by reading his best-selling book, or by visiting CodeLock.it for information on the first – and only – solution that (according to the US Department of Homeland Security) “completely eliminates any and all threats of intrusion based malware.”

 

Latest