Mudge now shares some of his thoughts about why the Government tends to stay with the same contractors even after their tech findings have been compromised.
I was having dinner – a lot of these stories are because I’m outside having dinner somewhere, I don’t cook. So I was having dinner with an old friend, and his company goes in and cleans up APT after big well-known names get compromised, whether they’re Government contractors or commercial organizations. And he posed a really interesting hypothetical. We were just shooting the crap back and forth, and he said: “Hey, what do you think about the following chain of events? First, RSA gets compromised. Networks defended by their tools are vulnerable and, as a result, a defense contractor gets compromised. Said defense contractor, if you look up on Wikipedia, is the one who made this really cool stealth drone. Later a really cool stealth drone goes missing over a Middle Eastern state. What do you think about that chain of events?” And I’m like: “That’s terrifying!” He’s like: “Yeah.” And I’m like: “No, no, for an entirely different reason.”
Look at it this way: I have no clue, that’s a hypothetical and there are a whole bunch of rumors about what had happened. But let’s assume that as a country or a large organization, your advantage is technology. You can field the fastest and the best technology so you’re ahead of everybody. That’s your advantage – newest, most advanced toys. Someone else steals some of your tech. What do you have to do? You’ve got to replace it with newer tech, right? You’ve got to keep your advantage.
So, suppose a Government contractor gets some of the super tech stolen, what does the Government customer actually need to do? Well, the Government in that case – and this is all a game theory hypothetical – need to pay someone to make the next version so that the people who just stole it don’t achieve parity, so that they’re not even. They could go to some other Government contractor, because of course, you know, the one in question just lost everything. But they actually most likely won’t, and here’s probably why.
The initial contract for very expensive research efforts can take a long time to put in place. You’re talking over a year, sometimes you measure it in years rather than months. Part of the coolness of CFT is that we’re measuring that in days. Imagine if you’re under something – sequestration is what we’re under now – it can take even longer. So, if a Government agency wanted to start a new program to replace tech, that’s essentially starting the same program to do the same thing that you are already paying somebody to do, a) it’s tough to get permission to do that, because you’ve got to go justify taxpayer money and hear: “Well, we just gave you the money to do that” in response. And b) when you spin it back up you’re going to have to redo a lot of work; you’re going to have to redo the contracting that you already had in place; you’re going to have to spin people up to speed on the management side; you’re going to have to re-spin up the tech side; and you’ve spent years putting that in place.
So, why wouldn’t you just go back to the people that you already have a relationship with, already have a contract with? They already know what they lost, or maybe you know what they lost and stuff, and you can tell them because they’re your customer. So you just pay them to give you the next thing. Remember, they’re not financially incentivized to go fix how they were actually compromised in the first place or clean it up. Because staying with the really familiar solution or situation is comfortable, which makes this a trap that a Government funding source can actually be particularly susceptible to. You can view this on a case-by-case basis, and kind of staying with the same contractor, it can even make sense. But if you step back and listen to what’s been talked about in the media, you may see something that’s a larger picture that seems like an endless list of technologies and IP (intellectual property) being stolen. And each time it happens, that company is in a situation where there’re really no penalties or reprimands for it. On the contrary, they’re actually rewarded with more funding, because their customer needs to make the next tech to replace the stuff that just got stolen, to replace the stuff that just got stolen, to replace the stuff that just got stolen.
So yeah, game theory is a bitch, because if you look at it from this angle – and part of the neat thing about game theory is you can fall into game theoretics without realizing that you’re doing it – Government contractors can actually be in a situation or are actually in a situation that they’re financially incentivized in some places not to listen to their network sys admins and not to really deal with the problem perhaps the way with the drastic changes that need to be made.