A strangely open discussion about secrets.

What can a letter from 1968 teach us about the impact of secrets?


Mark Piper, Principal Explorer

22 August, 2024

The other day, I made reference to Daniel Ellsberg's letter to Henry Kissinger in 1968. In the letter, Ellsberg outlines the impact of having access to above Top Secret information (or as we would call it today, Special Compartmentalised Information). That is, secrets that are so need-to-know that they often come with extremely limited distribution, oversight and written record.

Ellsberg points out that not only will Henry feel foolish for criticising previous decisions because he didn't have that information; on a longer timeline he will come to see others as the fools for not having the sensitive information he now has, and he will struggle to trust advice from those who are not read in.

This might only sound applicable to someone advising high profile decision makers in the halls of government, but it’s not. There are incidents, programs and weird mishaps that have happened over my time that have never reached the media or public in any way. Some are buried, lost to the sands of time. Others are ongoing. Most people are not aware of them because, well, it’s a secret.

I think Ellsberg's letter is applicable not only to government workers but also to businesses, because I see a failure to heed his warnings on a regular basis.

I want to take a look at what I think some of his key warnings are and how we should be wary of them no matter our role in government or business.

Information Excitement

The first time you learn a given secret (or obtain access to a “library” of them), it can be a rather exciting affair. Insights into knowledge you had no idea existed. This excitement is more often than not very short lived as you get down to business and the realisations that come with this knowledge set in.

Confirmation of a suspected secret can be particularly exciting. To have access to a new secret you suspected might have been the case, but was never confirmed until now. "I KNEW IT!" you shout. Occam's Razor confirmed. It just makes sense. But OF COURSE that's the case.

Then comes the crash as you feel like an utter fool. This crash is like no other. It's a pit of despair. It's a feeling that you've been made a fool of over an extended period of time (often by those you trust). Even though, realistically, you never would have had access to this privileged information before now, it hits hard.

SSL added and removed here! :-)

There is no better public example of this than some of the information that was made public as part of the Snowden leaks. The first reaction to many examples, such as "SSL added and removed here! :-)", was one of awe and excitement. OF COURSE the NSA would hoover the data up at the point it was unencrypted! That’s what an intelligence organisation would do!

However, this was quickly followed by the crash. The little post-it note style observation made an entire industry of engineers, risk analysts and consultants feel like fools[1]. I know this because I was one of them. We had failed to advise appropriately because we considered it out of the realm of reasonable effort for an attacker and we were wrong.

This has also happened in non-public examples numerous times throughout my working career. It can be exciting to learn a new bit of information, but it can also hurt. We need to acknowledge the hurt and support each other more when it happens.

We need to re-frame this: we make the best decisions we can with the information we have at the time, and we keep going.

Information Superiority

Information superiority plays out in two extremely common ways throughout the tech industry and associated communities.

First, it's easy to dismiss anyone's view on a given subject when you have not only secret, but critical detail that the other person does not have. How can they be acting as 'informed' on this subject when they are not across this issue? 

We see this a lot when it comes to vulnerabilities and exploit development. Many of the talented and leading exploit developers no longer operate in the public domain and stay in the dark. If their work is not public, how can you be sure a given potential vulnerability isn't exploitable?

Secondly, the knowledge of a secret can be a powerful weapon. A tool to wield. Unfortunately we see this all the time, and it is increasingly used by vendors to market and sell their capabilities and services.

You know something they don't know and you are going to make it clear that the other party is misinformed and does not know what they are talking about - they should trust you without question, because you can't provide any more details.

"Don't run XYZ exposed to the internet" you advise, and when asked for justification you say something like "oh, I can't say anything more than that, just trust me".

This is you standing in a position of information superiority.

You might shake your head and say "no, I would never do that!". I truly believe we all do at some point in our careers when handling secrets. I know I certainly have. I even caught myself doing it recently (thankfully however, with nothing particularly sensitive or important).

There's just something buried in our DNA and the nature of human beings which encourages us to let others know that we know something they don’t know. We must remain vigilant against it at all times.

Overestimating the value of a secret

We have a real habit of thinking that because a secret has come from a trusted, private source, it must be accurate.

This isn't always the case and is compounded by the fact that secrets often have a surprisingly short shelf life. It might be that it's no longer a secret because it's been disclosed via some process or it could be that some parallel event has reached the same conclusion and someone blogged about it. There's a huge number of ways that a secret gets 'invalidated' or proven to be wrong. Once public, correction of the underlying assumption might occur.

When relying on secret information to drive decisions, we must all regularly look around outside of our walled gardens and closed environments and see what's going on out there.

The existence of a secret does not always mean the existence of an accurate secret.

I have personally seen this frequently with decision makers who claim they have the roadmap of a product or vendor to inform a decision. The problem is roadmaps change each quarter and get dated after the first Jira sprint. Projects or resulting activities very rarely go to plan in these cases.

Difficulty to learn from others

As Ellsberg said, "What would this man be telling me if he knew what I know?"

This is a fair question. However, as we have seen, the information which I have might not always be relevant, accurate or from a trustworthy source.

So how do you know what they are saying isn't also relevant?

This is the conundrum many of us face from time to time, and it is critical that we stay open to others' ideas and insights, as they will often not only prove useful to our own but also invalidate some of what we know.

One area where this shows up is with regards to modern attacker capabilities and risk management decisions. Consider the following scenario.

As a CISO you have subscribed to a dozen threat feeds and briefings and you have access to somewhat fresh, sensitive and privileged information. You know what sophisticated and funded attackers look like this year, and you create your risk profiles and instructions to your teams to match them.

Yet, as you watch high profile breach after high profile breach go down, you are suddenly confused. The news reveals that it is not a sophisticated nation-state threat actor, but instead a couple of teenagers on a Telegram channel wreaking havoc for your industry peers.

These kids just happened to have deemed it possible to hit a critical supply chain component and succeeded. The very same component your business relies on. Upon reflection you realise that both internal staff and external consultants had raised concerns regarding the risk of this component, but you didn't have it as a plausible attack scenario because it didn’t match the secret knowledge you have. You dismissed their concerns and now there is somewhat of a black swan event going on.

If you are basing decisions off closed secrets or information sources, you really do need to stay open to information from a variety of sources to inform your actions or risk profiles.

Isolation

Finally, Daniel warns Henry against isolation; something I have personally witnessed and experienced due to not heeding such advice.

It's hard to compartmentalise information a lot of the time and remember what is privileged information and what isn't. One natural mechanism to handle this situation is to assume everything you work with is privileged or secret and stop talking to people.

In the past I have referenced the impact of having access to this so-called 'dark knowledge'. Depression along with alcohol and drug abuse is rampant amongst those who work with secrets. I've witnessed this first hand numerous times over my career. When we close up, for whatever reason, we will experience the normal side effects of doing so, and that is often isolation and anti-social behaviour.

It's not always so much about the nature of the secret that you are holding in your head but the price you pay for carrying it (although, there are obviously those with access to significant, disturbing secrets who suffer the most).

I have previously pointed, and will continue to point, people to Richard Thieme's "Playing through Pain: The Impact of Secrets and Dark Knowledge" from Defcon. Richard, as much as he is a unique and colourful character, knows what he is talking about. He has worked with people for many years on the subjects of secrets, and I applaud him for bringing these issues into the open for discussion.

What next?

There are no hard and fast recommendations on how we avoid falling into the traps of managing or holding secrets. 

But I think it's worth having a more open dialog both within business, and wider industries on the impact of managing secrets. I have sat through literally dozens of on-boarding processes for major public and private organisations over the last 20 years and only a few have addressed not only what a secret is, but how to handle them and seek help if required. 

I also believe we can have this discussion and help each other without having to discuss the nature of or details of the secrets themselves. Just like nuclear weapons. The development processes, numbers of and configuration details of nuclear weapons are classified. However their existence and underlying sciences of nuclear energy are not.

We can have an informed discussion.

[1] One upside, however, is that the channeled rage of 10,000 engineers gave us the ubiquitous state of TLS/SSL we get to experience today.

