Thursday, June 21, 2018

What Do You Want In A Cyber Self Defense Course?

Your company, agency, whatever has hired an intern from the Mercyhurst intel program that has just completed their freshman year.  What do you want them to know about cyber?


That is one of the questions I will be wrestling with this summer.  I am teaching a new course in the fall called "Cyber Self Defense".  Nobody told me I had to teach this course.  Nope!  I volunteered (!) to teach this course.

You see, we have consistently noted that many of our first year students come to us with a pretty poor understanding of cyber related risks and how to minimize them.  The intent of this course is not to turn them all into white hat hackers.  All I really hope to do in the time I have is to make them into knowledgeable users.   
Its like the old joke about the two guys and the bear.  The first guys says, We will never outrun that bear!"  And the second guy goes, "I don't have to outrun the bear.  I just have to outrun you!"  I want to create users that can, at least, outrun the other guy.
We wanted to teach this class at the Freshman level because that is where we think it would be most useful.  It gives the students 3 more years to increase or at least use these skills and an educated user base will only help our own network become more secure.  If this first class goes well, I think I would recommend that it become a requirement for all intel students.

As the obvious wonderfulness of this offering became increasingly apparent, the question naturally arose, "Who will teach this magical, extraordinary course?"  Those of you of a certain age will remember the old Life cereal commercial lovingly preserved by YouTube (above).  Suffice it to say, I get to play the role of "Mikey" in the 2018 remake...

So I throw it out to you, Gentle Readers, what skills would you expect, what abilities would you want to see in that 18 year old intern you just hired for the summer?  I am looking for tools, tips, tricks, websites, sources, absolutely-must-cover topics, don't-waste-your-time topics and everything in between.  Free software and resources will be most appreciated but making students pay to get something that gives a big bang for the buck is also OK.

Here are a few details about the class to help you think through the problem.  It is a MWF class and each class lasts 50 minutes for 15 weeks.  I have access to a computer lab but I think I want the class to mostly be about their own devices - specifically cell phones and laptops (which virtually all students have).  We don't have a standard when it comes to these devices so we will likely have a mix of Apple and Windows, Android and IOS (With Windows and Android machines likely being in the majority).

Here are my initial thoughts:
  • First couple of weeks:  Focus on cleaning up and maintaining their own devices.  My assumption is that at least some of these students will come in with malware or viruses on their system already. Almost all will come in with some sort of factory installed bloatware and I doubt if any of their browser caches have ever been emptied.  The goal here would be to clean all of this up and to teach them how to maintain their devices
  • Next couple of weeks.  Focus on likely attack profiles and how to deal with situations where some sort of hack is more likely (e.g. coffee shops and airports).  Things like phishing and social engineering would get covered here.
  • Mid course.  Focus on privacy.  Talk about how info on the web gets passed around and used.  Talk about how to protect yourself from oversharing and what to do if you do get hacked.
  • Next couple of weeks.  Focus on advanced topics (e.g. Proxy servers, VPNs, Linux, etc).  Should they build their own computer?  
  • Final couple of weeks.  Talk about how to diagnose/help others with problems.  One of the most powerful tests of learning is seeing if the student can transfer their knowledge to new situations.  I want this kind of thing to be part of the final exam somehow.
I want this to be a project based course that gives students lots of hands on with their own devices but also gives them enough conceptual knowledge to be able to integrate new stuff as it comes along. 

I have a bunch of other half formed thoughts but I welcome your input and feedback first.  You can either drop it in the comments below (or in any of the social media where this will be posted) or you can just send me a note at kwheaton at mercyhurst dot edu.

Many thanks, hive mind!  Many thanks!

Monday, June 11, 2018

How To Talk Intel To Trump

This is not a political post.

I know, I know!  It seems almost impossible to make an apolitical statement about the current US president.  Hell, I am going to try - really try - and I am not even sure I can do it.  I have strong feelings about it and writing this post may very well do me in.

It is important to try, though, for two reasons:

  1. Intelligence professionals have long had to work for elected officials they did not like personally, professionally or politically.  It comes with the job.  Moreover, the bulk of the responsibility for figuring out how to make the relationship work falls on the intel professional, not the elected official.  That's not fair but it's true.
  2. I have something new to say about how to communicate intelligence to President Trump that might help.
OK.  Let's get to it.

For the last four years I have been running a project called Quickstarter.  Quickstarter connects students with skills with entrepreneurs without those skills in order to increase the odds of success using crowdfunding sites like Kickstarter.  I can talk all day about this project (and how - insert modest cough here - mindnumbingly successful it has been) but the key professional takeaways all have to do with intelligence support to entrepreneurs.

To build the program, I tapped into my own experience as an entrepreneur, best practices in crowdfunding and, importantly for this post, the growing body of literature in effectual reasoning.  Expert entrepreneurs, as it turns out, don't think causally (That's not a misspelling - I meant "causally").  They think "effectually."  

Dr. Saras Sarasvathy of the Darden School of Business at the University of Virginia did the first research on this idea and a number of other researchers have confirmed, in whole or in part, her results (the best introduction to effectual reasoning is probably her 2010 TEDx talk embedded below).  



If you don't have time to watch the video (and I do suggest you do), she sat down with a bunch of highly successful entrepreneurs and a bunch of corporate, MBA types and presented them with the same problem.  Then she watched (and coded) how they went about solving it.  It turns out the entrepreneurs attacked the problem entirely differently than the corporate guys.  She claimed that the entrepreneurs were practicing effectual reasoning.

What, then, is effectual reasoning?

Well, there is a whole website developed just to explain this (and all the research behind the concept) but it boils down to the difference between these two statements:
  • If I can predict the future, I can control the future. (Causal reasoning)
  • If I can control the future, I don't need to predict it. (Effectual reasoning)
(Note:  Some of you may think you see where this is heading and some of you may already be dismissing it.  I advise both groups to wait a bit before coming to a conclusion.)

Entrepreneurs (highly successful ones anyway) tend to focus on what they can control and how they can use that to move the ball in the general direction of where they want to go.  They don't much care for things like market forecasts or worrying about what their competitors are going to do.  

There is more to effectual reasoning than a worldview that values control more than prediction, of course.  It turns out that highly successful entrepreneurs have four additional principles that they tend to follow as they are thinking through problems:
(Note:  The definitions below are taken more or less intact from the Society for Effectual Action's website but have been lightly edited for length and relevance.)
  • Means (or the Bird-in-hand Principle).  When expert entrepreneurs seek to build a new venture, they start with their means:  Who I am—my traits, tastes, and abilities; what I know—my education, training, expertise, and experience; who I know—my social and professional networks.
  • Co-creation (or the Crazy Quilt Principle).  Since entrepreneurs tend to start the process without assuming the existence of a predetermined market for their idea, they don’t know who will challenge it and see little value in trying to figure that out. Instead, entrepreneurs generally take the idea to the nearest potential user. Some of the people they interact with make a commitment to the venture, committing time and/or money and/or resources and, thus, self-select into the new-venture creation process. 
  • Affordable Loss (or the Manage the Downside Principle).  Expert entrepreneurs think in terms of affordable loss rather than expected returns. Instead of calculating upfront how much capital they will need to launch their project and investing time, effort, and energy in building that capital, the effectual entrepreneur tries to estimate the downside and examines what he/she is willing to lose. The entrepreneur then uses the process of building the project to bring other stakeholders on board and leverage what they can afford to lose together. 
  • Leverage Contingencies (or the Lemonade Principle).  This principle is at the heart of entrepreneurial expertise—the ability to turn the unexpected into the profitable. Expert entrepreneurs learn not only to work with surprises but also to take advantage of them. In most contingency plans, surprises are bad—the worst-case scenarios - but because entrepreneurs do not tie their idea to any theorized or preconceived “market,” surprises can lead to valuable opportunities.
What does all this have to do with President Trump?  Look, we could debate whether or not Donald Trump is as successful as he says he is or as much of an entrepreneur as he claims to be but let's not.  Rather, let's assume, for the sake of argument, that he would fall into the category of "highly successful entrepreneur".   

Once you take that step, and you familiarize yourself with the principles of effectual reasoning, you have an alternative interpretation of his actions.  For example, when Trump reportedly asked "Why can't the US use nukes?" many people were horrified.  Seen through an entrepreneur's eyes it could be that he was just exploring the means at his disposal.  Likewise, Trump often floats ideas via Twitter without any staffing or planning.  It could be a sign of dysfunction or it could be that he is merely looking for enough co-creators to move the yardsticks knowing that he can control the narrative with another tweet tomorrow.  He certainly seems to have a disdain for in-depth preparation and forecasts and a preference for action.  Likewise, his approach to the North Korea summit seems to be all about managing the downside risk.  All of this is consistent with someone who is an effectual instead of a causal reasoner.  

Given that virtually all of the governmental enterprise is built around causality and deliberate planning and virtually all of the intelligence enterprise is built around forecasting, it is no wonder that there is a disconnect between the president and the intelligence community.  

Other explanations have been offered, of course.  Trump has been called everything from a sociopathic narcissist to a bumbling idiot to a tool of the Russians to a genius playing n-dimensional chess.  There is certainly evidence consistent with all of these hypotheses.  I am here to suggest one more - the effectual reasoner hypothesis.  I think that there is some good evidence to support this view but, more importantly, it gives real insight into how the intel community might be able to effectively pivot in order to better support this president and this administration.  On the off chance that he is "just" an entrepreneur, here are some things that occurred to me about how the intelligence community could improve its communications with the president:
  • Spend more time talking about opportunities.  We all give lip service to "opportunity analysis" but the truth is the intel community focuses on threats far more than opportunities.  Entrepreneurs want to control the narrative, not react to others.  Look for ways to frame the analysis as an opportunity for action, not as a response to a perceived threat.
  • Teach him the downside.  If Trump is an effectual reasoner, he is highly sensitive to the downside of any deal.  If you know there is a downside, make sure he knows it too.  If you just think there are some downside risks, expect him to ignore you, however.  The best you may be able to do is to define the field of play with bright red lines.  Don't expect him to give much credence to forecasts, no matter how well thought out and nuanced.
  • Re-think how you communicate estimates.  The IC has spent a good bit of time over the last decade thinking about and revising the estimative language it uses and what that language means.  While all this work has been good, it may be meaningless to Trump.  No matter how well we define phrases like "highly likely" and "virtually certain", it probably doesn't matter to an effectual reasoner.  There may be other formulations (eg Does "X will happen (moderate confidence)" = "X is highly likely to happen (high confidence)"?) that could satisfy both the president and the intelligence methodologists.  It would be worth exploring.
  • Talk to him the way he talks to others.  This may have been tried already but I would think the IC's classified twitter-like service, eChirp, would be a perfect way to communicate with this president.  The PDB would be more of an all day thing rather than just in the morning but "chirping" headlines with links to video or graphics that gave deeper insight would certainly take advantage of Trump's well-known preference for short form communications.  Combined with some of the other ideas on this list, it might offer an opportunity to get the president's feedback before it make the news.

Thursday, May 31, 2018

Interesting Maps: Worldwide Risk, South China Sea, Hurricanes And The Arctic

Lots of interesting maps out there these days.  Here are a few that tell their stories better than most...

Marsh is a insurance broking and risk management firm with a pretty long track record.  Founded in 1871, you have probably never heard of them because they work with big companies to help them figure out their insurance needs.  They do about $6 billion a year and have upwards of 30k employees in 130 countries. 

What I like about them is that they put a lot of their research online.  Obviously, all of it has an insurance "edge" to it (that is probably less exciting than it sounds, by the way) but you don't have to wade through a ton of small print to get to some meaty stuff on just about any region of the globe.

Which is why their Political Risk Map is so interesting.  You can take a look at a screenshot of part of the map below but to find out what all the pretty colors mean and to see the rest of the world, you are going to have to go to the site itself.


Marsh Political Risk Map
Drilling down into just one part of the globe - in this case, the South China Sea and environs - requires a more nuanced view of risk and there are a few, very good, recent, mapping tools to help make sense of it all. 

The first was put together by the Asia Maritime Transparency Initiative.  AMTI is housed within the highly regarded Center for Strategic and International Studies and offers a substantial body of analysis on issues in and around the South China Sea.

Particularly impressive is the map below (just a screenshot - click the link for the interactive version) that lays out all of the claims and counterclaims to various chunks of ocean in the area.

AMTI Maritime Claims Map
Equally impressive is the very detailed and highly interactive reporting done by the talented people at Reuters Graphics.  Their article, Concrete and Coral is an excellent primer for those not familiar with this hotspot.  I have taken a screenshot of one of the many graphics but it does not do the article justice.  You really have to see it to get the full effect.

Concrete and Coral
One more hotspot and one more map!  This time it is the Arctic Sea, which, because of ice loss due to climate change, has become yet another slowly growing crisis.  While much of this crisis revolves around resource extraction and which country owns what, it is worth noting that there are a lot of people who make this part of the world their home as well.

GRID-Arendal was formed in 1989 in an agreement between Norway and the UN.  In their own words, "We transform environmental data into credible, science-based information products, delivered through innovative communication tools and capacity building services."  Their maps (and the accompanying text and data) on indigenous people in the Arctic Circle certainly accomplishes this goal.  Again, I provide just a screenshot of one of the many maps and resources they have provided below.  Check the entire site for more!

Indigenous Peoples Of The Arctic
Finally, as most Americans (particularly those in the south) know, it is hurricane season again.  Many areas are still trying to recover from last year's devastating series of hurricanes and the good people at NOAA are already saying that this year is likely to be as bad or worse.

NOAA provides a very cool interactive mapping tool that let's you examine historic hurricanes and their tracks in a number of different ways.  I was curious, so I set out to find how many hurricanes had impacted the Erie, Pennsylvania area (where I live)  Much to my surprise, there were five since 1955!  Check out the full site to search for your home town.

NOAA Historical Hurricane Tracks


Wednesday, August 30, 2017

Dax Norman Just Passed Away And That Is An Enormous Loss. Here's Why.

Dax Norman died on August 20, 2017.  My deepest sympathy goes out to his family.

I called Dax a friend but, as happens sometimes, we had not had a chance to speak for quite a few years.  

I do know, however, he was a good man.  Don't take my word for it; just check out the many comments that have already been added to his obituary.  All the things that people say about him - that he was a gentle man, that he was kind and generous, that he willingly gave his time, that he was an excellent teacher and mentor - are all true.

For those of us who teach and think about intelligence analysis, however, he was more.  He was one of the best thinkers I knew on how intelligence should work.  

I met Dax shortly after I got out of the Army in 2003.  He was looking for a University to do some unclassified research on technology trends and Mercyhurst wound up with the contract.  While not a huge contract, it was large for us back then.  It also started a multi-year relationship with the US government that helped many students test and hone their skills as junior analysts.  Any Mercyhurst grad who ever spent any time on one of the so-called "summer projects" owes that experience either directly or indirectly to Dax.

Dax made innumerable contributions to our national security in his decades working for the government.  One of these contributions that I always found most significant is the work he did on open source credibility back in 2001.  Facebook did not even exist back then and Dax was one of the few thinking about the problem that we call today "fake news".  More than just think about it, though, Dax came up with a rigorous system for evaluating the credibility of online sources long before anyone even thought that they needed such a thing.  His work is still online for anyone who is interested.  For Mercyhurst students, of course, it has been modified and enshrined as the much beloved (?) online source evaluation sheet that accompanies each and every online source used in our reports.

I have more stories, of course, and others will tell theirs as well.  The long and short of it all is that Dax was one of the good ones.  There aren't enough Daxes in the world and he will be missed.  

If you knew him, you can post your thoughts or memories on an online sympathy wall.  If you are in the DC area there will be a service on 6 SEP.


Monday, August 28, 2017

RFI: Looking For Descriptions Of The Intelligence Process

I am looking for relatively recent, short descriptions of the intelligence process from as many different sources as possible.  An example (from US Joint Publication 2) of the kind of thing I am looking for is in the image to the right.  

I am NOT looking for images, just descriptions.  My first preference would be from official (public, obviously) documents but I will accept anything that has been published.  

I don't care what language it is in.  In fact, I would LOVE descriptions of the process from other countries or disciplines (e.g. Law enforcement or business).  You can attach the sources in the comments to this post or send them to me at my university email (kwheaton at mercyhurst dot edu). Please do not hesitate to share!

Thanks!