IoT Botnet Attacks – Judge for Yourself

Yesterday’s mass-IoT-botnet attack on core Internet services (Twitter, Netflix, etc. via DNS provider Dyn) is drawing a lot of attention, mainly because for the public at large it is an eye-opening education in the hidden Internet of Things connections between their beloved electronic devices and online services.

Image of swarming networked DVRs and Webcams

You can read elsewhere the as-yet-understood details of the attack (e.g. “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage” by Brian Krebs). And you’ll be reading more and more warnings of how this particular attack is just the beginning (e.g. from my friend Alan Silberberg, “Mirai Botnet DDoS Just the Beginning of IoT Cybersecurity Breaches“).

But today, in the wake of the attack, a DC friend known for peering around corners asked for my opinion about the ultimate meaning of this approach, and whether this attack means “the game has changed.” Here’s my response:

Last year I was asked by Georgetown Law School to give a private briefing to the Federal Judicial Center’s annual convocation of 65 federal judges from jurisdictions across the United States. The overall FJC session addressed “National Security, Surveillance Technology and the Law,” and in part was prompted by the Edward Snowden and WikiLeaks events. Here’s an article about the conference, and you can view the full agenda here. As you can see from the agenda, I joined noted security expert Bruce Schneier in presenting on “Computer Architectures and Remote Access.” That’s a fairly technical topic, and so I asked an organizer ahead of time what the judges wanted to learn and why, and was told “They’re encountering a tidal wave of cases that involve claims against government warrants for access, and conversely claims involving botnet attacks and liability.” I then asked what level of technical proficiency I should assume in preparing my remarks, and was told, “Based on their own self-assessments, you should assume they’re newbies encountering computers for the very first time.”

After a good laugh, that was the approach I took, and with patience Bruce and I were able both to educate and to spark a great back-and-forth conversation among the nation’s judges about the intricacies of applying slowly evolving legal doctrines to rapidly evolving technical capabilities.

The answer to today’s question is Yes, the game has changed. The tidal wave is well upon us and won’t be technically turned back in large part. We can (over time) introduce tighter security into some elements of IoT devices and networks, but that won’t be easy and would hamper the ease and invisibility of IoT operations. I think eventually we’ll come to realize that the notion of “Internet Security” is going to be like “Law & Order” – a good aspiration, which in everyday practice is observed in the breaking.

We’ll develop more robust judicial and insurance remedies, to provide better penalization and risk-valuation avenues, for what will be an inevitably continuing onslaught of law-breaking.

Yet in that onslaught crimes will be better defined, somewhat better policed, definitely better prosecuted (our Judges will be better educated!), and perhaps most importantly victims will be better insured and compensated, as we learn to manage and survive each new wave of technological risk.

By the way, if you’d like to plunge into the reading list which those federal judges had assigned as their homework on surveillance technologies and national security law, click here or the image below to download the 5-page syllabus for the session, courtesy of Georgetown Law, with links to the full set of Technology Readings and Legal Readings, across fields like Interception and Location Tracking, Digital Forensics, Metadata and Social Network Analytics, Cloud Computing and Global Communications… It’s a very rich and rewarding collection, guaranteed to make you feel as smart as a federal judge 🙂


Video of DoD Innovation Discussion at Cybersecurity Summit

Earlier this week I wrote (“Beware the Double Cyber Gap“) about an upcoming Cybersecurity Summit, arranged by AFCEA-DC, for which I would be a panelist on innovation and emerging technologies for defense.

The Summit was a big success, and in particular I was impressed with the level and quality of interaction between the government participants and their private-sector counterparts, both on stage and off. Most of the sessions were filmed, and are now available at

You can watch our panel’s video, “Partnering with Industry for Innovation,” and it will provide an up-to-the-moment view of how US Cyber Command and the Department of Defense as a whole are attacking the innovation challenge, featuring leadership from the USCYBERCOM Capabilities Development Group, and the Defense Innovation Unit-Experimental. Solarflare CEO Russ Stern (a serial entrepreneur from California) and I offered some historical, technical, market, and regulatory context for the challenge those two groups face in finding the best technologies for national security. Most of my remarks are after the 16:00 minute mark; click the photo below to view the video:

photo: Lewis Shepherd; Gen. “Wheels” Wheeler (Ret.) of DIUx; Russell Stern, CEO Solarflare

From my remarks:

“I’m here to provide context. I’ve been in both these worlds – I came from Silicon Valley; I came to the Defense Intelligence Agency after 9/11, and found all of these broken processes, all of these discontinuities between American innovation & ingenuity on one hand, and the Defense Department & the IC & government at large…
Silicon was a development of government R&D money through Bell Labs, the original semiconductor; so we have to realize the context that there’s been a massive disruption in the divorcing of American industry and the technology industry, from the government and the pull of defense and defense needs. That divorcing has been extremely dramatic just in the past couple of years post-Snowden, emblematically exemplified with Apple telling the FBI, “No thanks, we don’t think we’ll help you on that national security case.”
So these kinds of efforts like DIUx are absolutely essential, but you see the dynamic here, the dynamic now is the dog chasing the tail – the Defense Department chasing what has become a massive globally disruptive and globally responsive technology industry… This morning we had the keynote from Gen. Touhill, the new federal Chief Information Security Officer, and Greg told us that what’s driving information security, the entire industry and the government’s response to it is the Internet – through all its expressions, now Internet of Things and everything else – so let’s think about the massive disruption in the Internet just over the last five years.
Five years ago, the top ten Internet companies measured by eyeballs, by numbers of users, the Top 10 were all American companies, and it’s all the ones you can name: Amazon, Google, Microsoft, Facebook, Wikipedia, Yahoo… Guess what, three years ago the first crack into that Top 10, only six of those companies were American companies, and four – Alibaba, Baidu, Tencent, and Sohu – were Chinese companies. And guess what, today only five are American companies, and those five – Google, Amazon, Microsoft, Facebook, Yahoo – eighty percent or more of their users are non-U.S. Not one of those American internet companies has even twenty percent of their user-base being U.S. persons, U.S. citizens. Their market, four out of five of their users are global.
So when [DoD] goes to one of these CEOs and says, “Hey c’mon, you’re an American” – well, maybe, maybe not. That’s a tough case to sell. Thank God we have these people, with the guts and drive and the intellect to be able to try and make this case, that technological innovation can and must serve our national interest, but that’s an increasingly difficult case to make when [internet] companies are now globally mindsetted, globally incentivized, globally prioritizing constantly…”

Kudos to my fellow panelists for their insights, and their ongoing efforts, and to AFCEA for continuing its role in facilitating important government/industry partnerships.

Beware the Double Cyber Gap

I’ve somehow been invited onto yet another star-studded panel in Washington DC – on October 11 at the 2016 AFCEA DC Cybersecurity Summit. I don’t recommend many cyber conferences or events, as they’ve become overly frequent and unfocused. This one’s different, and brings together acknowledged senior experts from multiple federal agencies, including the Department of Homeland Security, Department of Defense, intelligence community and others from industry. If cyber’s your game you should be there, the line-up of speakers is truly impressive.

(It’s too late to register online, but on-site registration is available for the first day at the venue, DC’s Grand Hyatt on H Street downtown. The second day, which is classified sessions at TS/SCI at a separate location, is already sold out, but Day 1 still has a few seats left.)

I realize, though, that most of my readers will not be in attendance, so I thought I’d share a few highlights which I expect from my own panel, titled “Partnering with Industry for Innovation – DIUx” and focusing on DoD’s new Defense Innovation Unit Experimental (now in Version 2.0!) and its partnerships in government and the private sector.

Our session participants:

  • Moderator: Francis Rose, Host, Government Matters on ABC
  • Charles Nelson, Deputy Director for Outreach, U.S. Cyber Command Capabilities Development Group (CDG)
  • Lewis Shepherd, Private Consultant on Advanced Technologies and Strategic Innovation
  • Sean Singleton, Director of Engagement, DIUx
  • Russell Stern, CEO, Solarflare Communications
  • Maj Gen Robert “Wheels” Wheeler (Ret.), Senior Advisor, DIUx

We intend to cover the DIUx approach to work with innovative companies (in Silicon Valley and across the United States) for new solutions and technologies for warfighters.

But I also intend to discuss a certain two-sided disparity: the Double Cyber Gap.

If you’re of a certain age, you can’t help thinking about national security strategy as momentary scenes from “Dr. Strangelove” flicker by in your mind. I’ve always loved Stanley Kubrick’s 1964 satirical nuclear black comedy, which answered the question, “What would happen if the wrong person pushed the wrong button in a nuclear-armed world?” One of the many classic moments is a send-up of the era’s bipolar worry about superpower equipoise, with a “Doomsday Machine Gap” and its inevitable successor, a “Mineshaft Gap.”

Kubrick was skewering the mindset of the “Missile Gap” controversy, which was fresh in his mind as he wrote the screenplay during President Kennedy’s term; JFK had won office in 1960 in part by attacking Vice President Richard Nixon for ignoring an imminent Soviet “Missile Gap” superiority. As Wikipedia summarizes, “Kennedy is credited with inventing the term in 1958 as part of the ongoing election campaign, in which a primary plank of his rhetoric was that the Eisenhower administration was weak on defense. It was later learned that Kennedy was apprised of the actual situation [no actual gap] during the campaign, which has led scholars to question what the (future) president knew and when he knew it. There has been some speculation that he was aware of the illusory nature of the missile gap from the start, and was using it solely as a political tool, an example of policy by press release.”

You can read the New York Times retrospective look (it popped the Missile Gap bubble originally in a 1961 story), and go through a valuable collection of the CIA’s now declassified documents from the era. But what’s relevant is the notion of early warning about a perceived or real disparity between opposing forces. Unfortunately that’s what I see developing, in a couple of very significant ways.

The Double Cyber Gap

Picture in your mind both faces of a double-sided coin. The Double Cyber Gap consists of two linked phenomena:

  1. The Post-Snowden Gap: there’s a newly demonstrable political or ideological cleavage between Silicon Valley commercial technology companies and their erstwhile innovation partners in DoD and the US intelligence community. The Apple/FBI dispute over decrypting the San Bernardino bombing-case iPhone was only one dramatic example; others aren’t played out in open media. I’ve written and spoken about that gap for the past few years as I’ve watched it yawn open, and have tried to limit its width in my government advisory roles and while consulting for tech firms. DIUx works to that goal as well, though the Secretary of Defense himself acknowledged that its first highly-touted incarnation was a failure.
  2. The Capability-Adoption Gap: Those same commercial companies aim their innovations to the widest possible market – meaning globally. For advanced cyber capabilities (dual-use as defensive or offensive) or other digital disruptions, very predictably we know that early adopters will include nation-state government agencies (including in Russia and China), hacking communities, and individual cyber criminals working on their own illicit agendas.

You can practically draw a cyclical diagram of the progression of advanced cyber techniques and technologies, with their adoption passing rapidly from commercial bleeding-edge users to foreign actors and malevolent individuals… and then, tardily if at all, to mainline US government agencies, long after their potency is being exploited by adversaries, or reverse-engineered and exceeded.

The Double Cyber Gap presents DoD with nearly a Hobson’s Choice. DoD can rely increasingly on commercial cyber technologies because of their rapid innovation and disruption – but only while realizing that it won’t be gaining any advantage over foreign adversaries, who are adopting the same commercial capabilities and likely deploying them even faster. It’s deeply problematic for US cybersecurity strategy, and a potentially fatal flaw for DoD’s related “Third Offset” strategy as well.

Let me illustrate that “no-choice-at-all” dilemma with an intriguing behind-the-scenes story, an excerpt from a new profile of Silicon Valley entrepreneur (Y Combinator co-founder) Sam Altman, who is now not only driving his YC startups but also the new OpenAI artificial intelligence research company he has co-founded with Elon Musk and others. The excerpt presents the AI vector of what I’m calling the Double Cyber Gap:

This spring, Altman met Ashton Carter, the Secretary of Defense, in a private room at a San Francisco trade show. Altman wore his only suit jacket, a bunchy gray number his assistant had tricked him into getting measured for on a trip to Hong Kong. Carter, in a pin-striped suit, got right to it. “Look, a lot of people out here think we’re big and clunky. And there’s the Snowden overhang thing, too,” he said, referring to the government’s treatment of Edward Snowden. “But we want to work with you in the Valley, tap the expertise.”

“Obviously, that would be great,” Altman said. “You’re probably the biggest customer in the world.” The Defense Department’s proposed research-and-development spending next year is more than double that of Apple, Google, and Intel combined. “But a lot of startups are frustrated that it takes a year to get a response from you.” Carter aimed his forefinger at his temple like a gun and pulled the trigger. Altman continued, “If you could set up a single point of contact, and make decisions on initiating pilot programs with YC companies within two weeks, that would help a lot.”

“Great,” Carter said, glancing at one of his seven aides, who scribbled a note. “What else?”

Altman thought for a while. “If you or one of your deputies could come speak to YC, that would go a long way.”

“I’ll do it myself,” Carter promised.

As everyone filed out, Chris Lynch, a former Microsoft executive who heads Carter’s digital division, told Altman, “It would have been good to talk about OpenAI.” Altman nodded noncommittally. The 2017 U.S. military budget allocates three billion dollars for human-machine collaborations known as Centaur Warfighting, and a long-range missile that will make autonomous targeting decisions is in the pipeline for the following year. Lynch later told me that an OpenAI system would be a natural fit.

Altman was of two minds about handing OpenAI products to Lynch and Carter. “I unabashedly love this country, which is the greatest country in the world,” he said. At Stanford, he worked on a DARPA project involving drone helicopters. “But some things we will never do with the Department of Defense.” He added, “A friend of mine says, ‘The thing that saves us from the Department of Defense is that, though they have a ton of money, they’re not very competent.’ But I feel conflicted, because they have the world’s best cyber command.” Altman, by instinct a cleaner-up of messes, wanted to help strengthen our military—and then to defend the world from its newfound strength.

Altman is patriotic, and thoughtful – very. But his conversation with Secretary Carter might best have begun with that private reluctance he shared only with the reporter later.

Even though the Double Cyber Gap is palpable, in Altman’s thinking and elsewhere, there are ways around that Hobson’s Choice dilemma. I share those with my consulting clients and we’ll be addressing them and new ideas at the Cybersecurity Summit as well. I hope to see you there, but I’d be interested in hearing your thoughts also (comments below or email).

RIP Justice Antonin Scalia

Supreme Court Justice Scalia passed away today. My wife Kathryn Ballentine Shepherd, a semi-retired attorney, has worked at the Supreme Court since 2003 (in the Curator’s Office, giving Chambers tours and lectures on the history of the Court and its Justices). Through her I’ve met and spent quite a bit of time with Justice Scalia over the years, and always enjoyed his writing and analyses, his humor and humanity. You see here a recent photo of Kathryn joking with him at the Supreme Court – he really seemed to love spending time with her, joshing with her in front of crowds (perhaps because she was a smart lawyer as well), and he always seemed to steer visiting friends to her for a “private” tour.

I was at Chief Justice Rehnquist’s funeral in 2005; he was deeply loved by the Supreme Court “family.” On today’s Court, the most-loved by them in my observation: Antonin Scalia.

One of the funnier moments in my recollection was at a 2006 Supreme Court Historical Society reenactment of the Aaron Burr treason trial held in the Court’s actual Chambers one evening, with Justice Scalia playing the role of the actual trial judge, Chief Justice John Marshall. Scalia peered down from the bench as the DC attorneys recruited for the event began to play out their own roles – among them Scalia’s own son Eugene, a powerhouse lawyer in his own right. “Chief Justice Marshall” (Justice Scalia) looked over his glasses and boomed out, “OK, who’s next – it says here your name is, um, Scall-ee-a, Scall-eye-a, what kind of name is that??” The audience roared with laughter. That was the common reaction to his ever-present, ever-witty humor.

For seven years I’ve recycled an old Reagan-era joke (it was originally about Thurgood Marshall), updating it for the Obama Administration and asking, “Who’s the most important conservative in Washington DC? Justice Scalia’s doctor.” In today’s hyper-politicized era, we’re about to see why….


Burning Man, Artificial Intelligence, and Our Glorious Future

I’ve had several special opportunities in the last few weeks to think a bit more about Artificial Intelligence (AI) and its future import for us remaining humans. Below I’m using my old-fashioned neurons to draw some non-obvious links.

The cause for reflection is the unexpected parallel between two events I’ve been involved in recently: (1) an interview of Elon Musk which I conducted for a conference in DC; and (2) the grand opening in London of a special art exhibit at the British Library which my wife and I are co-sponsoring. They each have an AI angle, and I believe their small lessons demonstrate something intriguingly hopeful about a future of machine superintelligence.


Slow-Live-blogging #NASASocial for CRS7 Launch


I was really giddy at being selected by NASA to participate in the agency’s innovative “NASA Social” program, where social-media personalities are credentialed and allowed to cover NASA rocket launches. Launch is scheduled for Sunday June 28 at 10:21 AM EDT – fingers crossed for good weather 🙂.

I’ll be updating every couple hours or so over the weekend, and will definitely take good advantage of the tweets and photos of my colleague attendees (with credit of course!). The items follow in chronological order:


Twitter Search as a Government case study

In addition to periodic think-pieces here at Shepherd’s Pi, I also contribute a monthly online column over at SIGNAL Magazine on topics relating to intelligence. This month I keyed off a recent discussion I had onstage at the 2015 AFCEA Spring Intelligence Symposium with Elon Musk, particularly a colloquy we had on implications of the emerging cleavage (post-Edward Snowden) between Silicon Valley technology companies and their erstwhile innovation partners, U.S. intelligence agencies.

