Chapters
Shownotes Transcript
Hello everyone, this is Tom Uren and I'm here with Le Grac. G'day, how are you Grac? G'day Tom, I'm good and yourself? I'm well. This week's Between Two Nerds is brought to you by Thinkst.
I have an interview with Marcos Laviero of Thinkst out on the channel this week. We talk about how Thinkst looks at incident reports to try and figure out if there's anything that the company is missing to make their honeypots bigger and better. So, grrk! This week we thought we'd tackle how organizations learn. In particular, how secret organizations learn.
And you've been reading a book, I understand, all about mafia organizations? Yes. It is called Mafia Organizations, and I highly recommend it. It's very, very well written. Things that came up as I was reading it is some of the parallels between mafias and intelligence agencies. And you as a former intelligence man, no doubt, immediately that resonates with you. You go like, yes, absolutely, we were mafia. Mobsters...
What was interesting to me is that you messaged me and you were talking about the difficulty of learning and you were talking about the mafia. And what struck me is that my first thought was I never really got that sense working in an organization that learning was a problem. And so I was curious about why that may be. But anyway, tell us about learning in the mafia. Okay.
And you're kind of talking about learning operationally, right? Right. So this is organizational learning. It's not the foot soldier learning. Naturally, you just go to university and you get your MBA, you specialize in mobster administration. But rather like as an organization, particularly they're concerned about their security, protecting their secrets.
And so the way that an organization learns, like a typical business in the illicit world, would be it makes a mistake and then it will do sense-making. It gathers all the intelligence it can about what happened and what went wrong. It'll try and put that together and figure out, like make sense of it. For the Mafia, it's basically like...
Like, okay, we will ship cocaine hidden inside tires and we will import that into Rotterdam and ship it out from there. And then when the tires thing stops working, okay, now we're going to use potted plants or canned pineapples or something else to back it into.
But if all of those fail, then you might look at this series of errors and say, okay, the problem is that if we use a cargo ship, it will have to go through the magic drug detector that they have at Rotterdam, and that will always catch us. So what we need to do is find a way that doesn't use cargo ships so that we can avoid having to go through this magic drug detector.
You can either do these sort of minor tactical changes where like they're checking in tires, so now we're going to use canned fruit. Or you can do the strategic change, which is that Rotterdam is not safe to use anymore. We need to find a different port and we need to stop using ships. We need to use something else. And these would be like procedural changes.
And these sorts of things are hard to learn in a security-centric organization with a lot of secrecy, because the way that you maintain secrecy is by heavy compartmentation. Right. So it's not really hard to learn. It's hard to disseminate. Right. Well, part of it can be hard to learn because if, for example, the entire cell gets
gets taken out, the intelligence gathering portion of sensemaking can't happen because you don't know what all the things were that they did wrong. You just know that they ceased to exist at some point. Well, it's clearly one thing that's different between an official intelligence organization is you don't often have entire sections disappear because of law enforcement action. What happened to Russia Desk? So the way it worked
Where I worked was like you had compartments where you got a brief and usually it was a very pretty high level thing. Could you just give us some concrete examples of what those compartments looked like? No, is the short answer. The longer answer is it'd be some high level thing where...
It would be the Australian government does this thing. Hands out cotton candy to... It could be something like that. Like, this is not an example, but we hand out cotton candy to sources and they tell us secrets. Right.
And so that's a very broad thing, right? It doesn't really tell you anything much except that the fact of this thing happens. And now I'm not going to go through what some of the compartments were, but if I did go through them, you'd probably go, oh yeah, of course. Yeah.
But being in the compartment is the endorsement that you're allowed access to the sort of operational details of any particular thing. Right. So if you were on the cotton candy compartment, you would be allowed to know when cotton candy stuff was happening. Right. Yeah. We tried this flavor of cotton candy, and it turns out that the Russians really hate that flavor. So we're not going to use that flavor again. Right.
Right, right, right. And so those compartments were, well, many of them were quite large. And then you would have smaller ones that were more operational, like tied to a particular thing. So that would be more about, this is how we produce the cotton candy. Well, that's sort of the bigger compartment. And then once you're in that bigger compartment, you might get read into a particular operation. And that operation might have a lot of secrecy. But, you know, something goes wrong in that operation, right?
Without the details of the targets or what you were doing, what went wrong could be spread in that broader compartment. Right. So it's, I guess, Matroska dolls. Unless law enforcement actually caused the entire compartment to vanish.
And so I also feel like there's a difference between the technical nitty gritty that's particular to any one operation versus the what went wrong, which is a bit more generic or it's not even necessarily what went wrong, but what went right as well. Right.
So, like, if something goes wrong, it's very unlikely to be we forgot to put the do not disturb sign on our hotel room and the cleaning lady walked in while we were debriefing the colonel or something like that. And so the whole thing got blown. Right. You know, therefore, everyone should take away that, you know, don't forget to put up your do not disturb sign.
It's not going to be a sort of specific minor thing like that of a slight oversight that you can just remember. It's going to be something more substantive in like operational design or like an advancement in the counterintelligence capabilities of the opposition and so on. Yeah, I guess to put it in your smuggling drugs analogy, it would be if you're in the broader compartment, you know that we smuggle drugs and we've had difficulty smuggling them
through these ports with these techniques but you wouldn't know we're going to send it at 2 p.m on the following Thursday on this ship right and you know it's going to get picked up by this person yada yada yada yada
So that kind of seems like a good compromise position. So terrorists have the exact same problems, right? They need to do organizational learning. They need to have security and secrecy. But they need to learn very fast because otherwise they don't exist very long. Yeah, yeah. The incentive is very, very high. Right.
So the ways that they solve it tends to be quite interesting. So, for example, you can't learn a lot about what went right with a suicide bombing. Right. There's not a lot of information about that afterwards. What they do, so like the jihadi ones, they would have what they called imams. And as far as I know, they may have been, but imams.
Essentially, it would be people who are not inside a specific cell and they would be moving from cell to cell carrying the knowledge of things. So they would do the, if you ran a cell that did an operation that was successful, the imam might show up and talk to the head of that cell.
and sort of learn from him. Right, that sounds kind of like an assigned mentor or something like that. Right, and then they would take that away and it would be then redistributed. One of the things that helps is that terrorist organizations have a surprisingly large amount of documentation. Right. So like they write manuals, they will have internal memos, like not massive amounts of them, but they will absolutely have strategy documents.
Right. I mean, like if you're trying to inspire people to a cause of action, like you need strategy documents, you need something to inspire them. Right.
I mean, so a lot of that tends to be cultural as well. You want to give people the idea of the vision with cultural things like songs and the stories of great people and just all the sort of cultural stuff that gets people into it. And then you can groom them to be what you want afterwards. This thing I thought was absolutely fascinating. Yeah.
There's three types of secret for an organization according to this thing and I thought that these were really good So one of them is dark secrets. Mm-hmm So a dark secret is if people know about it, it will make us look bad, right? Right, so I want to not let it be known that I'm smuggling cocaine into the US Like that will make people think less of me. What would be a dark secret for the CIA for example?
Then there's strategic secrets, which is sort of how we operate and what we're planning to do. And they need to be kept secret because if people knew them, they could counter our organization. Right. So that's just the, like as strategic secrets go, that's just the standard stuff that we think of as secrets. Yep. And then the third one is called inside secrets. Okay.
And this, it's a little bit weird, but it's sort of the, it's the things that you know that make you an insider, right? So like if you work at an intelligence agency, you know that people wearing the purple colored badges are contractors and people wearing the green badges are like administration staff and people wearing the red badges are allowed to go into the secure compartmented rooms for stuff. Yeah. Right.
And that you would know that this is how you fill out these reports. And this is the secret handshake that we give. And here's how you hold your hand when you're at a cocktail party to let other people know that you're also a member of the intelligence agency and so on.
And that's sort of quite interesting because some of these secrets are very, very important for mafias. Like the inside secrets, like having the sort of these rituals and these ways of speaking and these ways of performing mafia or performing mobster. You need other mobsters to read that, but you don't want other people to know to spoof that. Right. You don't want people impersonating it. Right.
And so, for example, one of the rules that the mafia in the US has to prevent people from impersonating a mafia person for like a protection or something, you're not allowed to say I'm with the mob. You're not allowed to say I'm mafia. So the way that you intimidate people is you go into a business and you'll be like, I'm Sammy Two Cheeks. Talk to people about me.
I'll be back tomorrow. Right. And then that business owner is going to have to go and be like, who the fuck is Sammy Two Cheats? And people are going to be like, oh, you don't want to mess with him. You know, he's a made man. So that's the way it's done. Is that you force people to authenticate who they're dealing with rather than the
the person sort of presenting credentials. And just, I thought that was really fascinating that they sort of, the ways of breaking up these secrets as to like sort of what makes you an inside member of the group, things about how the group operates, and then embarrassing stuff that the group has done. What I was thinking about when I read that is it's very hard for an organization to differentiate between a dark secret and a strategic secret. And that like,
If you make mistakes, you're very much going to want to treat them as if they were strategic secrets rather than for transparency reasons. Everyone should know that we tried to do this and we really screwed up and, you know, we should not have done that. That was way out of line. These are the measures we're taking to correct it, to make sure it's not going to happen again. Bob has been fired.
That's the transparency that people want, right? Is we want to know when mistakes are made and we want to know like how they're being fixed. Then there's people like me who are just curious about the inside secrets. What are the cool things that you guys just do internally? And not necessarily the strategic secrets of what are you planning to do, but more of the, you know, how do you make plans? How do you do things like that sort of stuff is interesting.
So as you were talking, I was thinking the inside secret stuff is really replaced by bureaucracy and vetting in a proper bureaucracy. Like you've got a job. Right. You get given a badge. You get an induction in the sense that you get onboarding when you start a job. It's just probably more rigorous than most places because they spend more time vetting you beforehand and verifying that you are who you are and...
making sure that you're comfortable with what you're doing. And they'll say, this is what we do in this organization. This is why it's legal. And sometimes even people would talk about why it was ethical. And so that's kind of... You know, that doesn't feel like as good of an indicator as it should. And so then the strategic secrets were kind of the operational. How do you do things?
And that was kind of captured within compartments and also within people. Right. In a way, there's a way to make decisions that is independent of what you know, in the sense that decision making is a process. Like you need to gather the right information at the right time. But as long as you've got a process for gathering that, that's kind of okay. You know, they make decisions like other organizations make decisions, which is have meetings and...
And if they run well, that's good. And if the meetings are not run well, it's terrible. But, you know, there is actually a way to do things. So, yeah, this is the thing is I think the difference between a mafia organization that is concerned about security and secrecy and it has these inside secrets, strategic secrets, dark secrets, all of this stuff that they're trying to keep.
And then ransomware organizations, which again seem like they're in the rackets, right? They're extortionists. That's mafia stuff. And they're doing like cyber. So that's a little bit like a SIGINT maybe, or it's a little bit like a terrorist organization because they scare people, but they're not. The secrecy that they care about is their identities, but even not that much because they're just sort of safe where they are.
I don't think we're going to see an IPO of a ransomware group, but they pretty much could. Right. And in the sense that you mean that they could issue a prospectus and say, here are the risks to our business. Here's how much money we make. Here's the nature of our business. Invest money in us and we'll give you a return. And it would make no difference to the
outcomes, how badly they affected other people, right? Right, right. I mean, they could literally publish their playbooks, which has happened, right? There's leaks of like, here's how we operate. Here's all the stuff we use. Here's the procedures that we go through. So the number of people protected by that has zero impact on ransomware's ability to operate.
Yeah, yeah. I mean, I guess I was being a bit facetious. It would make a difference because it would get more law enforcement attention, but not because of the fact of the publication. Like the information contained would make no difference. Right. So in a way, they have no strategic secrets. Yep. Right. Like ransomware has no secrets. It's not a secret organization. It's not...
obsessed with security in any way. It's a regular business. Like we know, we don't know the secret formula for Coca-Cola, but we know how Coca-Cola works. Right, right, right. So the individuals involved have secrets, but the organization as a whole has secrets.
Yes. Nothing. There are more transparent than intelligence agencies. Ransomware groups have no secrets. They're like public secret societies. Like membership is secret, but all of the rituals and their practices are public knowledge. Right, right. So they're the equivalent of the stonemasons or... Yeah, the cyber freemasons. There you go.
It's the plenty of fish in the sea approach where I don't care what the target is. There's plenty of wealthy targets that this approach will work for. And so that approach not being secret, being in fact public, makes no difference. You could even say, I'm going to go after healthcare organizations. You should all watch out. And there's just so many of them and so few of them are paying attention. It wouldn't matter. Yeah, different ransomware groups of
I've said that several times. Yeah. And so, like, just to be super explicit, for an intelligence organization, there's a limited number of targets. So saying we're going to do this in particular is a bad idea. So that's why that's kept secret. Yeah.
Right. So that specificity thing in 2010 or 11, there was a CIA network in Hezbollah that got rolled up. And part of the way it was rolled up was that because Hezbollah controls the telco, because they in Lebanon, they are sort of the government in the south.
So they have access to all of the things that a law enforcement agency would have access to. Like they have a lawful intercept, they have etc.
What they did was when they believed that there were people who were working for CIA within their organization, they got the location records of all of the cell phones in the apartment blocks or sort of in the areas where important people worked for them. So they knew who the Hezbollah mid-level managers were. They knew where they lived.
So they got the location information and then everywhere that had a mobile phone that never moved, where there was someone who basically, if someone had two mobile phones, one of which always stayed at home, right? That would show up because you'd have this one mobile phone that's going around and this one that isn't. And if that one mobile phone would get one message a month, then that would be a strong indication that something dodgy was going on. And then it turned out that the messages that these guys were getting was pizza, right?
And then they would go to the pizza hut and they would meet with their handler for an hour. And basically, so Hezbollah was able to roll this out. It was because...
They knew what to look for. They knew there would be this one mobile phone that was used for communication. And they knew who worked for them, so they knew where to look for these sort of extra mobile phones. And that's the problem for an intelligence agency, right? If CIA came out before that and said, yes, we're using a mobile phone-based security method to contact our agents, that information would be the sort of thing that would directly lead to that exposure. Yeah.
Yeah, that's a good example of a operational procedure that on its face seems sensible, but when you look at it from a different perspective is like, oh, that's not that good.
Yeah. And apparently the sort of thing was that the CIA agents didn't like going to local restaurants. They liked pizza. They wanted to get foreign food. Because, you know, obviously if you're meeting an agent, that's paid for. Yeah.
Yeah, that's right. Yeah. What's the best, most expensive foreign food that I can get once a month? Free pizza from Pizza Hut. Yeah, exactly. That's the sort of thing that on paper you can say like, okay, there's going to be this dedicated phone that's not used for anything else. So it's not going to be connected to anything. It's not going to be used to make any other phone calls. We're going to send a message that has no meaning or connection. It's just a signal and it
And it will trigger this procedure, you know, next Wednesday, come at 1 p.m. I mean, we've spoken about this before, the way that the CIA will do things that and I think you described it as translating something you would do in the physical world into the telecommunications world. And for someone with my background, I would go, that's a terrible way to do things because it stands out like a sore thumb.
Like that behavior is not natural. That is literally the worst possible idea you could think of. Yeah. You know, out of all the things you can do, sending a regular SMS to that guy's regular phone is infinitely better than having him keep a special mobile phone that gets a message once a month. Yeah. But if your mental model is put a white chalk mark on the corner of
wherever, and I will see that and know to be at the place at 9 a.m.
You can see, oh, you know, we're just, it's basically a digital chalk mark if you think about it. Yeah. And it's a special, it's even better because it's a special wall that no one else can see except us because it's just a single mobile phone. Right, it's a private wall. Yeah. Yeah. So, I mean, it's, if anything, it's even more secure. Yeah. Well, we started talking about how secret organizations learn.
And as we were going, I was thinking that, you know, my experience, I never felt that there was a problem. But that very last anecdote makes me think that, yeah, still a problem. It's just that the sort of scope of the problem crosses organizational boundaries. Yeah. Like within organizations, SIGINT organizations get very good at SIGINT because that's what they do. But when you become all-encompassing...
You have these problems of how you share. Right, it's compartmented across, let's say, technical skill sets where one would be with computers, one would be with people. Those are the compartments where the lack of information transfer about secrets starts killing things. I feel like a compartmentation joke of some sort. A compartmentation joke? Is there even such a thing? Yeah, not everyone gets it. LAUGHTER
Thanks a lot, Greg. Thanks a lot, Tom.
