The DHS brings its infantile, cyber-fantasy world to RSA 2015

OPINION: In his RSA 2015 keynote on national cybersecurity threats, Homeland Security head Jeh Johnson told an audience of cybsersecurity experts something so wildly impossible, it almost went unnoticed.

dhs-rsa-2015.jpg

OPINION: As we've seen on ridiculous, inaccurate TV shows like CSI Cyber, some people really let their fantasies and fears about information security and technology run wild.

But occasionally, they're so convinced that their far-out beliefs and wild imaginings are true that they spout off in front of a huge audience and say things that to all practical people sound... downright crazy.

Case in point: Department of Homeland Security Secretary Jeh Johnson in his RSA 2015 keynote this Tuesday.

On April 21, DHS head Jeh C. Johnson gave a 20-minute keynote to an RSA 2015 audience of thousands: Mostly white-collar cybersecurity professionals, and infosec researchers -- corporate, government, executive, engineers. It's important to note that many of them are also hackers.

If you've read the news blips about Johnson's RSA 2015 keynote, you probably didn't hear anything about his awkward pre-keynote chatter; it's not on the official government transcript.

In publications only covering the basics, the keynote's takeaway was the DHS is planning to open an office in Silicon Valley. At other outlets, you might have read that in addition to DHS's Silicon Valley outreach and recruitment plans, the DHS sallied yet another plea at techies to please stop with all the encryption work -- work that could create a small digital equivalent of private property for individual citizens of our no-holds-barred, data-sharing Internet era.

During the keynote, Johnson only went off script in a few places.

The DHS director began off-script, with an anecdote to warm up the audience. Johnson explained that he'd recently had an amusing experience with technology while visiting his daughter at college in California.

When he got to the campus with his son, also in college, Johnson discovered his kids were using something called YikYak -- which he described to RSA attendees and speakers as "a device for college kids to chat back and forth on their college campuses back and forth anonymously."

YikYak is actually an iOS and Android instant messaging app.

Johnson said that as soon as he arrived on campus, YikYak "lit up" with conversation among students who were trying to figure out why there was a security detail on campus.

After seeing messages wondering if Obama -- or Obama's kids -- were at the college, Johnson said that the next entry in the conversation came from his son. Johnson said: "He figured out how to hack his way into this campus's conversation."

After this, the head of the DHS lobbed a bizarre non-sequitur into RSA's collective lap saying, "Though I still use an iPod, I am learning."

Violet Blue

New report: DHS is a mess of cybersecurity incompetence

A large, embarrassing, and alarming Federal oversight report finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are "unlikely to protect us".

Read More

When he started talking about cybersecurity, we entered the cartoonish, child-like cyberworld of the DHS. This world is lawless, black and white, a cyberworld where there are no rules and encryption means the bad guys win instead of protection for the masses.

Johnson said he acknowledged "the importance of what encryption brings to privacy," but that to allow encryption to proceed for consumers -- as if encryption only meant one thing, the antithesis to wiretapping -- it would present the same situation as if "after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail."

The head of the DHS then anchored the government's call against encryption saying, "Our inability to access encrypted information poses public safety challenges."

Like, the Internet won't be wheelchair accessible anymore? Not exactly. Johnson added, after a long pause, that "encryption is making it harder for your government to find criminal activity, and potential terrorist activity."

Still, calling encryption a "public safety challenge" (as in a threat, not a dare) elicits a worrying worldview on information security tools and best practices. The RAND Corporation describes public safety issues as issues that range "from policing and prisons to violent crime and the illegal drug trade, as well as homeland security and emergency preparedness." It adds, "RAND research helps inform policy debates that are often riddled with arguments driven not by evidence but by emotion and ideology."

Those who know little about computer security love to fantasize about an alternate reality where anything goes, where morals and ethics are forsaken because there are no rules or authorities, and where the unknown is so frightening that -- like in the Dark Ages -- imagination runs wild.

From the perspective of an institution that sees encryption as in line with the illegal drug trade, the online world is a virtual funhouse of horrors teeming with mysterious hackers hiding behind masks (or balaclavas and hoodies), or they're just Chinese or Korean, and they can reach through cyberspace to do anything they want.

Hiding in anonymous forums and behind pseudonyms, the shadowy hacker does his magic at the keyboard, and next thing you know, someone's yelling expletives at your infant baby through that adorable pink giraffe baby monitor you bought at Target. Then, it's chaos: Mobs in Guy Fawkes masks roam the virtual alleyways at night, their sadistic goal to write embarrassing things on low-level government websites that skipped their basic security updates. Entertainment mega-corporations, innocent as lambs, ignore every single security audit recommendation and basic security practice, and -- miraculously -- still become victims to the merciless, faceless, nearly untraceable evils of cyberspace.

Lying in wait for Internet innocents is the drug-dealing, Internet Scarface overlord poisoning society from some place so frightening and occult that it's called a "dark web" -- along with the pedophile pretending to be a friendly cartoon bear hiding behind the green voodoo of Tor.

What's worse, technology itself is out of control. Cars, planes, thermostats and appliances can be taken over by unknown assailants and made to do evil things, coming to life to spontaneously ignite, and some say, to strangle housewives with cords.

And because I'm on the dark side, sometimes I use privacy and anonymity tools, too.

Don't get your sci-fi-movie, CSI Cyber hopes up. It's not really all wizards and cyber-ninjas, flying through computers to simulate hacking, nor is the world of hacks and infosec as ready-made for crime noir fiction as some would have you believe.

Disturbingly, it wasn't just the DHS who said spurious, puerile things about technology to RSA 2015 attendees. In Thursday's "Renewing the Patriot Act" debate, Congressman Mike Rogers told the RSA audience more than once that metadata in bulk surveillance collection "is just the 'To: From:' like the front of an envelope."

Like former Governor Jeb Bush, who said he's tech-savvy in the same keystroke as he published online the personal and medical information of over 275,000 constituent emails (redacting PII after the fact), our government's cybersecurity decision makers are trying to bluff their way through class -- when in fact, school is out and this is real life.

You see, in real life with computers and people and hackers and security research, there are actually rules that constrain reality.

You can bluff about being tech-savvy, but when you screw up, you'll hurt people -- usually lots of people, and very publicly.

You can say that something which serves to protect people's privacy is a threat to safety because it is inconvenient to you, but when an actual public safety threat manifests harm because you bluffed your way into getting what you want, it's highly possible that you and your organization will cause enough harm to the public to go down in history under "things that should never be repeated."

This is old news for some of us -- and the DHS has had a long enough time to learn how to talk about cybersecurity, let alone long enough to stop getting it so very wrong. And by that I mean more than saying the DHS is out of step, out of touch, and so arrogant and ambivalent with a keynote like Johnson's that it's actually surprising at the end of the day that they can't even try to fool us into believing that cybersecurity isn't just another thing they have to pretend to understand until they retire.

On the other hand, maybe it's better this way.

The DHS will say crazy, wingnutty things that influence policy and law, and they'll stay away from the people actually making things go behind the scenes, hackers who know they have to be accurate about the way things actually work, and so even on their most immature days end up being more responsible, transparent and accountable than the head of the DHS.

Photo:RSA Conference 2015 on Flickr, reproduced with permission.