This is Jeffreycarr's Typepad Profile.
Jeffreycarr
Recent Activity
Your link to Menn's article is wrong. It connects to the Arrington article instead of Menn's piece (http://www.reuters.com/article/2013/09/15/us-usa-security-snowden-tech-analysis-idUSBRE98E08S20130915). Regarding financial losses, I think that it's way too early to tell.
Commented Sep 16, 2013 on Hmmm... at Skating on Stilts
Brilliant post, Jeff. I particularly enjoyed your "Beware of Social Media" advice. Thanks for putting your thoughts in print!
Commented Nov 10, 2012 on Fantasy Analytics at Jeff Jonas
I'd be honored to accept. Thanks, Stewart!
You do propose that offensive capabilities be given to the private sector. You may not intend for those capabilities to be used in the extreme but you believe that some latitude is possible, correct? My position is that I have yet to see any evidence that InfoSec companies can determine attribution that's any better than 50/50 guesswork. In my opinion, that's not good enough to give them any latitude in attacking someone else's computer. We're probably too far apart in our respective positions to come to an agreement via a blog post but thanks for providing a forum for engagement and discussion.
Hi Stewart, private investigators aren't trained intel analysts, meaning that they don't know how to vet source material using analytic models nor do they apply negative analysis before making a pronouncement about attribution. So technically, no true analysis is being done by private investigators. And, with respect, I've been intimately involved with incident response w/ breaches impacting Fortune 100 companies and can tell you with certainty that TTPs will not lead to "the data that we now lack". For one thing, researchers see what they are meant to see by the attacker. For another, the only groups that have been identified are aliases for 20 or so hacker crews. We have yet to concretely pin an attack on an FIS or nation state unless that state has overtly claimed responsibility for it. Advocating for offensive actions by private companies is like putting weapons of mass destruction in the hands of children. Poor intelligence analysis leading to failures happens by trained analysts on a regular basis. In at least one case, it led us into a trillion-dollar war. Can you imagine the potential for widespread disruption if companies who think they know who attacked them strike back at the wrong nation state? That's a gamble that we don't need to take when a better defensive strategy will render most attacks impotent.
While collected data on attackers has increased, it remains narrowly focused on the TTPs of low-medium level hacker crews. We don't have an equivalent level of data about acts of cyber espionage from foreign intelligence services or their agents via multiple channels that are ignored by gov't and private sector security firms (i.e., in-country ICT infrastructure, vendors, insiders, social engineering). Therefore, since we can't know sufficient data about who will attack, when, or how, companies and gov't need to treat their critical data differently and completely reject the concept that we can keep an adversary out of our network. What we can do, however, is keep critical data from leaving. Therefore, improved defensive strategies must remain part of any future cyber security framework and offensive actions must only be initiated when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted.
RJ, I'm so happy to see you back. I was renovating my home office today and when I saw your book on my bookshelf I decided to look online and see what you were up to. When I saw that you re-opened your blog today, the same day that I decided to check up on you, I just had to laugh, grab a beer from the fridge, and introduce you to all of my Twitter followers. Cheers, my friend.
Great work with multiple applications in and out of government. It also serves to validate the importance of its individual components for those of us working in related areas. Congratulations, Jeff!
Thanks for adding "real-time audits" to your list. I've been hammering this nail every chance I get, including last week in India. Hopefully we'll see this become a key component in security architecture sooner rather than later. Keep up the good work, Jeff.
Commented Dec 5, 2010 on Big Data Flows vs. Wicked Leaks at Jeff Jonas