yesterday in my presentation at UNITED Security Summit i offered to drop my presentation on defending the virtual environment and instead speak on the crisis in US foreign policy and attacks on US citizens in north africa. the audience seemed surprised but i wasn’t kidding. to strike a balance i tried to blend the two topics together.
this is not a stretch. aside from studying international relations for many years and a degree in international history with a focus on the horn of africa i see some very clear parallels to information security issues we deal with in virtual environments and cloud.
first, consider the fact that us embassies in foreign countries are like virtual machines hosted by service providers. the embassies and consulates depend heavily upon the host for security and segmentation to reduce risk from other residents. what goes on inside the embassy has an expectation of privacy and sovereignty despite being within a host country.
second, embassies have many controls internally as well as support from their home country. this is similar to the enterprise support of an asset. i’m talking not only about high walls, cameras, gates and guards but also response capabilities to investigate attacks and arrest perpetrators. many of those capabilites are offered by hosts but the point is that the embassy is backed by the much larger and more like-minded resources of its home country.
third, it even could be said that the guest is a source of resources for the host. trade and commerce diplomacy are a usual function the office and staff in an embassy. a service provider has a financial relationship to virtual machines in some ways like a country depends on a foreign country’s diplomatic office in their capitol city. in other words a country can’t just shut down or damage an embassy without economic consquences to itself.
from there i could go on about the parallels (we also cover them in our book) but instead i would like to switch into a straight analysis of the benghazi attack. much of what i have been reading has suggested that protests over a youtube video or football hooliganism somehow escalated into an armed violent attack on US soil.
at first glance this might make some kind of strange sense, since protests can certainly turn ugly. seconds later any sensible person should see the problem with the link. protesters don’t tend to carry rocket launchers. rocket launchers don’t tend to be used without training and practice. and then there’s the fact that three of the victims in the attack were trained by US military and two were elite SEALs. it quickly becomes a stretch to see the incident as a protest. the dichotomy should be familiar to those who have listened to debates about what makes an APT different from other threats.
another problem with the video story is attribution. no one really knows who made this video or why. protests against it that blame the US are like protests against host providers for the actions of their users. a conspiracy theorist could easily cook up an argument that the movie was created by activists from libya or egypt as a propaganda tool to incite conflict and destabilization. another conspiracy theory could be that hawks in the US created the movie to precipitate a fight with the jihadists and force the US govt’s hand in areas of security control, funding or policy.
but aside from a wild or crazy conspiracy theory, which no one seems to be talking about anyway, there is not yet a strong link from the video to an armed attack in benghazi. al jazeera at one point even used “football fans” to describe the protest. i wish the media would just drop the entire video aspect and instead focus on the more relevant details of the story. CNN seems to have done the best job of any source but here’s how i think the situation could have been reported.
the US ambassador to libya was a seasoned, dedicated and talented diplomat who was no stranger to risk in foreign countries. when planes could not fly into libya during the fall of gaddafi he instead hitched a ride on a cargo ship and sailed into the country to initiate diplomatic relations. that takes some serious guts. violent extremism and hostility in eastern libya towards western nations had been reported by him for years but he set about personally trying to engage with supporters in that area. again, the guy was not afraid of taking personal risk to help advance democracy in libya. he was an entrepreneurial and forward-thinking person embedded in the issues of the country he wanted to help.
as a security professional i have worked with many executives who know how to take big risks. it’s the nature of the job. they are trying to build and enhance their organization’s work in often difficult circumstances. and i am trying to advise them of how to avoid disaster, or at least recover quickly and completely. i imagine that two navy SEALs and an Air Force IMO (all known for their diplomatic skill) with the ambassador in benghazi were acting in a similar capacity as advisors in a risky situation. the US was actively surveying the threat to libya from weapons looted after the fall of gaddafi and probably negotiating stability for the region. what that team did not anticipate, unfortunately, was the people harboring weapons were so violent/extreme and would turn without impedence on the US team. the ambassador and his staff were in higher risk than anticipated while the service provider (government and pro-US factions of libya) were far less able to support and secure the envoy than anticipated.
the more i read about the situation, the less i think a video link makes any sense at all. there was a trained, elite and talented diplomatic team on the ground in a facility with very few defenses. they were experts in risk mitigation and they knew the date and the location well. suddenly a trained group of jihadists surrounded their location and fired sophisticated rockets and guns in two phases. it sounds like a planned ambush; it was NOT a protest but rather a criminal act with premeditation.
perpetrators of the attack and their supporters naturally want to link the attack to something more broad because they seek to foment legitimacy for an obviously illegitimate act. to decouple the attack from the video or anything else is to neuter their propaganda and activist appeal. we need to focus the discussion and lay bare the facts.
the video should not be used to create a freedom of speech debate. while the US is unique in the world in how it protects hate speech, not all hate speech is protected. fighting words (those that incite immediate violence) for example are not protected. if fighting words include hate speech there are higher penalties. so there is a limit to free speech even in america. also it is easy to see how the US can denounce the video and even ban it, given the record of the obama administration on civil liberties. but the point is not that we should debate speech rights. we should forget the video (it is just one of any number of possible motives) and talk instead about the issue with extremist armed militias.
back to information security for a minute, this is like a rogue administrator at a provider who attacks a customer. the google service reliability engineer (SRE) incident is perhaps the most notorious case. nobody really wants to debate what motivated him or whether other administrators were motivated to do the same. nobody says that SRE was angry or demented because of a video, or a song (played backwards) or drugs. motive is very hard or even impossible to ascertain. on the other hand the consequence of his actions were clear and preventable. that SRE was fired and no one should be able to cause such harm now. changes supposedly are made by a service provider (Google) to detect a breach sooner and respond more effectively to protect their guest/customer.
imagine for a minute that you’re a customer of google. reports come in to you that a google SRE engineer is a devout linux user and was upset by one of your users who said that apple is better and posts a rant that linus torvalds is bisexual. that SRE starts deleting your assets.
do you spend your time talking about the rights for this rant post and defending your user’s right to speech? do you really need to raise the question at all to deal with the issue? more likley you would see the SRE as an exception to the google staff and demand a response that supports your shared interests — detain and prosecute that individual for criminal behavior. you might even help google figure out how to avoid the incident in the future.
with that in mind i turn back to the small size of the protests and recent attacks on embassies across the region. there are attacks in multiple regions but they in fact are just a few dozen or at most hundreds of people; i see only tiny and extremist elements. the majority of the population in the host countries are not taking up arms and they are not marching in the streets. the countries most at risk, of course, are the ones least able to show clear leadership. gaddafi was a dictator but he kept things pointed in one direction. the vacuum from his absence, like that in egypt, is a test of popular will.
the majority in libya seem to want to maintain strong relations with the US, as also proven by pro-Western Touareg rebels in Mali who were ex-Gaddafi soldiers. they also appear to be strongly opposed to the fundamentalist and jihadist movements like those that attacked the ambassador. the opposing forces in these nascent countries often gets desribed as one sect fighting with another sect. it also may be said to be a religion fighting with another religion or a secular versus religious fight. instead i hope we can work towards describing it as a fight between democratic and extremist views.
the best response by the US is to align with moderates and offer assistance in finding and removing criminal elements that threaten the stability needed for democracy to take hold. that seems to be exactly what clinton and obama are doing. kudos to them for calling out the video as hateful and disgusting, which it is, and for taking swift action to support their hosts in finding the source of risk.
the attacks show in an unfortunate way that US efforts against terrorism have been effective in going back towards the threat of only embassy attacks. if the best that the extremists can do is an ambush of an insecure building on their home territory then things have clearly changed since their 9/11 attack. it is not hard to see how a seasoned ambassador even might have misjudged the risk. he was ambushed and social engineered. and if he didn’t see it coming, it is hard to say anyone else could have. although, it is interesting to note that the british embassy was attacked in benghazi earlier and the canadians pulled out of their embassy in iran not long before tragedy hit the US in libya. was there a memo or just more evidence it has no real link to the video?
in conclusion, the story is that a violent act towards US citizens never will be tolerated even from weak threats that must resort to ambush and deception. now the US is in a position to align itself with reasonable and moderate people in host countries and to work with them to find and isolate criminal behavior.
the perpetrators of the attack on embassies must be prosecuted and the security systems of the host countries need to be enhanced and supported. alignment and diplomacy is what got the ambassador into trouble. it ended in tragedy because of risks taken but we know how to respond and handle those risks.
we can pick up where he left off without assuming the same risks (add in more control); and a shared effort further can help reduce threats, like an enterprise working with cloud providers. libya needs to secure their environment to protect freedom/democracy and they may need help from the US to get it done.