By Richard Thieme
When we wish to look deeply into a subject, it is essential to turn context into content, invisible assumptions into visible structures, background into foreground while illuminating the frame of the picture as well.
Security professional Matt Blaze said, the weakest link in the security chain is often the definition of the problem, and the real definition of the problem is often not the one that is advanced. So we need to know what to do to discover the real definitions, the essential ones, that will flood the problem space with light.
“What is the thing in itself?” asked Marcus Aurelius, an information expert in his own right. “What is its essence? Look beneath the surface; let not the several qualities of a thing nor their value escape your gaze.”
Software and hardware do not simply add tools or processes to our lives – they form habits, and once they become part of the infrastructure, part of the culture, those habits are stealthy. For information technology professionals, whether the ones who build or the ones who secure networks, to become aware that the structures they create shape the behaviors and thinking of people who interact with them is critical.
For counter-intelligence professionals, too, seeing the context is not an option. Context is content, plain and simple. If nested levels of appearance cloaked with deception are misunderstood, it is impossible to hit the real target. The old Cold War and the new one are replete with examples of elaborate ruses run by the KGB, among others, and the level of strategic thinking needed to see what is really happening.
Counter-intelligence is a skill that ought to be taught in schools as necessary for having a clue. Seeing the context and turning it into content is essential for anyone who just plain wants to know what is or might be real. It isn’t an option for outsiders like us either.
I hope to weave together these three domains – information security, counter-intelligence, and the basic human desire to understand what’s going on – in this piece.
Failures of intelligence often result from group think, the peer pressure of political necessity, corporate cultures that force creative thinking into habitual molds to make it acceptable. Then—after an unfortunate event – the tendency to cover one’s butt ensures that the transparency needed for subsequent accountability – which might prevent something similar from happening again – does not take place. Recent political history brims with examples.
I often cite the wisdom of Robert Galvin of Motorola, who said that when a group faced a problem and everyone quickly came to the “right solution,” it was always wrong. The reason, of course, is that a quick consensus is necessarily grounded in the past and past perceptions always fuzz the current data, making it fit prior models. Galvin added that real breakthrough ideas at Motorola during his tenure were always minority opinions at first and sounded crazy when first stated like the notion of a “chip in the head,” a then-radical idea that is now a mundane “medical implant.”
A few years ago I listened to the wisdom of a profiler for the CIA describe the habits of thought she had learned to apply in her work—work that resulted in commendations for helping to track down and prosecute a man who had killed two of her colleagues. I think her practice is worth reviewing. Although we mostly discussed network intrusions, her insights apply to hacking any system including the complex webs of mass media through which much of our working knowledge is spun.
When we looked at a network intrusion, she said, no matter who did it, it was best to look with a “beginner’s mind.” Do not bring preconceived notions to the task. The data when seen clearly always told us what we needed to know. This was true whether investigating serial killers, terrorists or criminal hackers.
A common assumption in the early days was that we faced “a young male hacker,” an assumption that had to be completely disregarded. We learned it worked best not to impose a template on the data. In the instance of the DC snipers, for example, every assumption about their identities was wrong. Yet … we can’t help but bring some preconceptions with us. So corrective mechanisms need to be built in. We need not “group think” but a “group that thinks.”
A former FBI profiler, William Tafoya, echoed this insight. When the Bureau was searching for the Unabomber, Tafoya’s counter-intuitive sketch of a suspect was right on, but contradicted the primary working assumption of the bureau. He calls his throwaway line a fluke, when asked who he thought they were seeking, that the Unabomber was “a monk on a mountaintop in Montana.” But his intuitive leap was a hit because it resulted from processing a great deal of data and then refusing to censor the hypotheses the data suggested.
My friend, the CIA profiler, said that the common belief that network patterns, constituting sets of known predictable behaviors, lead to specific criminal hackers is too narrow and unsophisticated when you observe good attackers. The latter are invisible, like ghosts, vague shapes moving stealthily at night. It is sophomoric, then, she said, to rely on templates because they exclude critical data and make the rest conform to expectations.
If I had a stereotype in mind, she confessed, I always blew it. Always.
So look at all of the data and focus on what is left behind. Focus on the evidence. Track back from “What were they after?” to “Who is likely to want that or do that or be that?” Covering one’s tracks completely is rare because a person entering a system always has a m.o., whether the system is physical or a computer network. Unconsciously or consciously, the patterns of their actions reveal their identities over time.
Such an approach is not trivial. It requires intense concentration and constant self-monitoring. The analyst is the real tool, and without the ability to step back and observe how that tool is used, how the analyst has been framed to approach problems, the tool will implement the assumptions built into it without thinking about them. Tools are extensions of the self, even when the tool IS the self. Tools are also extensions of organizational cultures and probe reality with all of their preconceptions built in.
And because there are a thousand puzzle pieces but no box with a picture to guide us, the degree of clarity required is exceptional.
So, she said, I learned not to form a pattern too quickly. I learned to interrupt my thinking when I reached for premature conclusions. A real profiler is the opposite of the popular conception of someone who leaps to conclusions as portrayed on television dramas. If you leap too quickly, you always have to unlearn what you thought you knew. You have to empty the cup, as the Zen story has it, to be teachable. You have to see the cup before it is filled so the shape that imparts form to whatever it contains can be discerned.
The way to do this is to observe yourself. But because no individual can factor in all of their unconscious assumptions, a team approach is needed. But the team must also observe itself or have specialists designated to question its assumptions. Someone must say: Wait! Stop! Interrupt! and help people distinguish what they think they see from what the data suggests.
Enterprises and individuals alike must build in an openness to heresy.
Ask, is this really true? Or does it seem true? Does it feel right because “everyone thinks so,” because it has been repeated so often, or because an authority says so and we had better go along with what they want?
Stop yourself from completing the loop too quickly. Ask at each step: how do I feel about thinking this? What am I missing? If my hypothesis is true, what other things must also be true, and how do they hold together? Did I conclude too quickly that “this particular kind of breach” must come from “that particular kind of person?” Especially with insiders, did I look for someone who does not fit the expected pattern? Always ask: who am I to know that, think that, be that, do that – without sufficient data?
Where do my conclusions and beliefs originate? How did they lead me to define the problem – and therefore the solution?
And if technologies shape social, psychological and cultural spaces, as I said, security and intelligence work in turn shape technologies. When the battle space is the hive mind of a global society, security and intelligence are thermostats that regulate the dynamic flow of information and data. Identities created at top level – the level of nation states, say – devolve into implicit commitments among practitioners to prevent the chaos which is always threatening to break out in the global system, forging new, more uncertain identities as a matter of course. Those identities do not have names, not yet. But in the trenches, deals get done on the basis of what one can do, what data one can deliver, not who one says or even thinks one is. Identities prior to action are always disguises. False flag operations are run not only on others but also on oneself, in good “Scanner Darkly” fashion.
So if others can not always be accepted at face value, neither can applications like hotmail or Google that filter information into our lives or the organizational identities behind them. Who built them, and to what multiplicity of ends? In all networks, electronic and human, boundaries blur and we occupy multiple nodes in multiple nets at the same time. Unless we connect all the dots, the pattern of the stars can be a bird or a bear and there is no point of reference for determining which.
So this profiler’s approach seems to apply to everyone seeking the truth in a world of disinformation, misinformation, and muddle. Depending on the scale or level of operations, the more difficult task is to understand the real identity of the organizational structures one confronts, whether a trans-national corporation, media or entertainment conglomerate, a university, a criminal enterprise, a state or non-state spin-off. All those terms are just names for public consumption. Only actions observed at depth and rendered in complex maps can reveal the real end of the enterprise.
Security professionals know that the apparent organizational structures in which attackers are embedded are veiled with deceptive claims, and false links to support those claims are distributed widely online and off in sophisticated ways. For example, if nodes from which sophisticated phishing attacks originate seem to be located in online China, are they sources of state-sponsored espionage, non-state freelance hacking, or organized criminal hacking? China, we know, is a “dark guest,” uninvited but present at many parties, the number one hacker enterprise in the world. But Israel is number two. Does that make Israel an enemy instead of a close friend? All those documents delivered by Jonathan Pollard to the Israelis – were they all used to map our intelligence efforts or were they bartered to whoever for whatever might be of value?
The deeper issues are generally reserved for specialists. People get uneasy when these contradictions and challenges are discussed. It gives us headaches.
But … if by “attacker” we also mean those who assault our desire to have a clue by making it difficult or impossible to see the bigger picture, then every entity that distorts the truth is the enemy of the body politic and the essential human enterprise which is to understand our world. When the “guardians of the interface” to our information about reality do the distorting, does the enemy become all of us, too, then? Are we denied access to information not only for security reasons but to prevent transparency and accountability as well? And does that turn an investigative reporter into the equivalent of a terrorist?
“What is the thing in itself?” asked Marcus Aurelius. This is still the question that must be asked if one seeks to know what is going on. Counter-intelligence – seeing the sources of the information we receive, playing the “great game” because we must – becomes a de facto requirement for being minimally informed.
Ask, is the organizational identity what it seems to be? Who is served by their actions? Who profits? Do we know who directs the enterprise, as opposed to who seems to direct it? Are there hidden links between the directors? Follow the money – to what relationships does it lead? Is any of this information available through media and research or must one be a specialist or have clearances to know?
This effort too is not trivial and requires constant attention and self-monitoring. Who has time for all this, much less the energy needed to contend with the dissonance of knowing that this approach is appropriate to the task? Even watching the “news” requires such an attitude these days, doesn’t it? In a recent celebration of sixty years on the air, the news interview program “Meet the Press” ran a montage of VIPs who had appeared on the program. What was striking was that with one exception every single one was lying. Every talking head down through the decades addressed issues with obfuscation, distortion, evasion, everything we have come to expect in a world of spin, PR, and propaganda. Before our eyes, “history” turned into sequences of spin. So when the current candidates for president subsequently appeared in clips, doing the same thing, bobbing and weaving, saying little, it was clear that we have been watching an ongoing charade presenting itself as a responsible news program for decades.
As the historian at the National Security Agency said when I asked what history we really shared … “Anything up until 1945.”
The speed of the leader is the speed of the team. The current administration does not believe that transparency or accountability through meaningful congressional oversight are good things. Only time will tell if a two-term limit on the presidency and a two-party system for checks and balances is sufficient to redress the consequences of obsessive secrecy and the view that constitutional law is an option or whether the kinds of scandals that resulted in the Church and Pike Committees in the seventies will be needed – if they are still possible, if they are not managed out of existence by sleight-of-hand and distraction.
It is not paranoia but common sense to recognize that designer scenarios make up the scenery of our lives. The more granular one gets in an examination of the cultural landscape, the more uncertain the visible evidence becomes. A coast line that looks long and smooth from orbit becomes a series of twists and turns, any one of which might look like a solid wall but can be in fact a door to another level or dimension of simulation or designer reality.
By advocating that profiler’s approach and level of discipline I am advocating something that unfortunately does not sell well in this society. Look at book racks in any of the big boxes and you’ll see what sells. Comfort, a feeling of security and simplistic thinking sell. Perplexity, complexity and sources of dissonance do not. Yet it is my experience that reality ultimately digests best and unreality causes constipation, or worse.
No one said it would be easy, did they? We may not be able to win this game of knowing what’s going on at an elemental level, but if we want to play, that profiler’s insights are as good a guide as any to how to do it. As the devil said in Woody Allen’s “Deconstructing Harry,” “Sometimes you’re up and sometimes you’re down. In the end, the house always wins. It doesn’t mean you didn’t have fun.”
The Second Edition is a periodic reflection by author and speaker Richard Thieme. Subscribe (or unsubscribe) by writing to [email protected] and stating subscribe (or unsubscribe).
Richard Thieme (www.thiemeworks.com) speaks and writes about the issues of our times, with an emphasis on technology, media, security, intelligence, and spirituality in all of their human and cultural dimensions.