Cybersecurity Issues for the Next Administration

On today's Internet, too much power is concentrated in too few hands. In the early days of the Internet, individuals were empowered. Now governments and corporations hold the balance of power. If we are to leave a better Internet for the next generations, governments need to rebalance Internet power more towards the individual. This means several things.

First, less surveillance. Surveillance has become the business model of the Internet, and an aspect that is appealing to governments worldwide. While computers make it easier to collect data, and networks to aggregate it, governments should do more to ensure that any surveillance is exceptional, transparent, regulated and targeted. It's a tall order; governments such as that of the US need to overcome their own mass-surveillance desires, and at the same time implement regulations to fetter the ability of Internet companies to do the same.

Second, less censorship. The early days of the Internet were free of censorship, but no more. Many countries censor their Internet for a variety of political and moral reasons, and many large social networking platforms do the same thing for business reasons. Turkey censors anti-government political speech; many countries censor pornography. Facebook has censored both nudity and videos of police brutality. Governments need to commit to the free flow of information, and to make it harder for others to censor.

Third, less propaganda. One of the side-effects of free speech is erroneous speech. This naturally corrects itself when everybody can speak, but an Internet with centralized power is one that invites propaganda. For example, both China and Russia actively use propagandists to influence public opinion on social media. The more governments can do to counter propaganda in all forms, the better we all are.

And fourth, less use control. Governments need to ensure that our Internet systems are open and not closed, that neither totalitarian governments nor large corporations can limit what we do on them. This includes limits on what apps you can run on your smartphone, or what you can do with the digital files you purchase or are collected by the digital devices you own. Controls inhibit innovation: technical, business, and social.

Solutions require both corporate regulation and international cooperation. They require Internet governance to remain in the hands of the global community of engineers, companies, civil society groups, and Internet users. They require governments to be agile in the face of an ever-evolving Internet. And they'll result in more power and control to the individual and less to powerful institutions. That's how we built an Internet that enshrined the best of our societies, and that's how we'll keep it that way for future generations.

This essay previously appeared on Time.com, in a section about issues for the next president. It was supposed to appear in the print magazine, but was preempted by Donald Trump coverage.

Posted on October 14, 2016 at 6:20 AM • 39 Comments

Comments

Alan • October 14, 2016 6:45 AM

You want the government to regulate more so that the internet is less controlled by government, has less censorship, less propaganda, and less surveillance? I'm not sure it works that way...

Andre Devereaux • October 14, 2016 7:24 AM

But governments will never do any of these things because it is against the self interest of people in government. We can only expect more government and corporate: surveillance, censorship, propaganda, and control. The internet was only free in its early days because government thugs didn't see it coming. They know it is here now.

ASR • October 14, 2016 7:37 AM

No prospective US administration has any constructive role. Fortunately the civilized world is on it, and as the US keeps forfeiting standing and influence it will happen. As always, it's more comprehensive when it's set in a human rights framework.

http://www.ohchr.org/Documents/Issues/Opinion/Communications/InternetPrinciplesAndRightsCoalition.pdf

To enjoy it people will need to escape the privatized US version of China's great wall (Facebook, Apple, Yahoo, etc.)

Zohar Oxenhandler • October 14, 2016 7:38 AM

Just read up last week that the government of Singapore created a really comprehensive cyber security strategy. Seems like they have the correct direction.

Clive Robinson • October 14, 2016 7:51 AM

@ Bruce,

Before you can have any of that you have to investigate the what and the how of corrective action.

The big problem is that of requiring a "directing mind" before effective corrective action can be applied.

As we have seen over and over with the finance industries "fines alone" are not effective as corrective measures. Large corporates especially, just see them as "part of the cost of business" or just another tax to be avoided by one deceptive measure or another and clawed back via other trickery or by punitive action against their "tied in" customer base.

There needs to be real criminal sanctions involving significant jail time for those who have allowed inappropriate activities. However such legislation should not be too wide in scope where it becomes available as a tool of discrimination by those in government against those it finds annoying in some way.

It's a hard ask to get such legislation right, but without it large corporates and other unsuitable entities will find ways to ignore the legislation. Or worse use the legislation to carry on discriminative activities to their benefit against others in the industry or against customers.

For instance the use of software licences and mediation clauses prevents users getting effective product liability protection. The likes of the DMCA are being used to close down existing custom and practice, where those who have purchased tangible products find they are locked out of using them for anything other than that the manufacturer deems appropriate, including maintaining its useful life beyond the pitiful FMCE life cycles of six to eighteen months.

Dave • October 14, 2016 10:15 AM

You mention propaganda but not its cousin, the proliferation of "echo chambers" where erroneous or one-sided commentary in mostly closed groups. The two are closely related as propagandists can use this to their advantage. But not all echo chambers are fueled by propagandists, and they are just as dangerous, in my opinion.

parabarbarian • October 14, 2016 10:15 AM

I think that Bruce is dreaming the Utopian dream again. Historically, big corporations and big government go hand-in-hand. Big corporations regularly lobby for more regulation -- hence bigger government -- because they love those regulations that erect barriers to entry for small competitors.

This is Baptists and Bootleggers with Bruce playing a Baptist role.

Shaz • October 14, 2016 10:24 AM

Fourth: Less advertising. Or at least less intrusive advertising.

These days probably half my time browsing is spent fighting with sites to get around intrusive advertising to get to the content. Clickbait, paywalls, scripts...I just want some time on the web where someone isn't trying to sell me something and being obnoxious about it.

This idea that we have to monetize every aspect of life just fills every nook and cranny and clock cycle with useless crap, taking time and effort from actually doing things that matter.

Ted • October 14, 2016 11:12 AM

I believe this tweet essentially supports your position of well-applied effort.

@SecAwareCo: Orgs try #infosec crash diets w training after being hacked or audited, but crash diets don’t work! Make lifestyle changes instead. #ChatSTC

(all the tweets from yesterday’s global chat)

Also, great article. Reassuring, vibrant, and will hopefully generate meaningful conversations for everyone involved.

Daniel • October 14, 2016 12:18 PM

I've been thinking about this issue lately myself and it seems to me that there is a strong argument that those who are involved in cyber-security need to vote for Trump. Why? If Clinton is elected what we can expect is more of the same government slow-walking security issues, snide comments about who is the adult in the room, and a general slow disintegration of privacy. On the other hand Trump is such an authoritarian that he will throw cyber security and privacy issues into sharp relief. To be blunt Clinton might save more lives but Trump is better for the livelihoods of security professionals.

To be totally fair I don't expect things to get better under either administration, it's simply a question of whether one prefers a slow burn or an explosion. More profit in the explosion, methinks.

Ross Snider • October 14, 2016 1:17 PM

@Schneier

If you want to call on the next administration to fix these things, you need to be honest. Accuse the US government for its *huge* internet propaganda programmes instead of just listing our adversaries.

The US labeled "War of Ideas" should be mitigated as much as possible so that no great power, including the Americans, feels the need to escalate their propaganda.

Please also note that the business model of the internet is propaganda - influencing people's choices and perceptions is THE income mechanism of the internet.

Surveillance and influential messaging are sibling capabilities. The internet is founded on both and the US performs both.

Otherwise: agreed. Making the internet a civilian space - more like a library - would go a long way toward civilizing the world. Today so much military law applies (via information systems and elsewhere) to civilian everyday life that it's hard to construct a good model of what our American society presumably is supposed to look like, and where the space for civil society could function if it were given a chance.

Zig N. Zaggin • October 14, 2016 1:31 PM

What Bruce describes so well is all out attack and multi-front war on every conceivable personal data point of everyone in the whole world.

And the governments that should be working feverishly to protect us are instead attackers.

There oughta' be a law about abuse of our electronic data, there oughta' be a lot of laws, but there won't be. If anything the governments and corporations will meld towards a monolithic adversary.

Except, targets, users, citizens, people, men, women and children mostly don't care about any of this because the internet is fun and it's convenient. No one actually bleeds or even necessarily is aware they are under attack.

What will the "next administration" do?

Double down on the attacks of course. Who would dare stop them?

Oh, there will be a rag tag bunch of cyber geeks who will valiantly throw an occasional rock or rotten tomato, but they will be branded as paranoids and heretics. It's always that way with the war on your mind.

ps: Wonderful article Bruce! Right in every respect. Well, except the next administration doing anything to stop it.

Rob Phillips • October 14, 2016 1:54 PM

Use TOR and get over it. Little slower but it's over 50% of the internet that cannot be data mined with Google and others. Don't dload anything cause speed is stupid slow. But it's the info! How do you think journalists got their stuff out of Egypt or China? Don't be stupid. Bruce is though.

Clive Robinson • October 14, 2016 2:34 PM

@ Rob Phillips,

    Use TOR and get over it.

There used to be a saying about Microsoft products,

    What ever the question is... The answer is not Microsoft.

When it comes to security, the same can be said of Tor. I thought that was now clear to anybody who could read about the FBI funding a certain US University a big chunk of loose change.

Thus the GS man is reading your traffic so as you say "Get over it".

Ergo Sum • October 14, 2016 3:54 PM

@Clive...

    When it comes to security, the same can be said of Tor. I thought that was now clear to anybody who could read about the FBI funding a certain US University a big chunk of loose change.

    Thus the GS man is reading your traffic so as you say "Get over it".

Yes, I can read, but...

In my view TOR is pretty good at preventing hiding the actual IP from websites and advertisers. For this purpose, TOR is a OK. If the GS man has nothing better to do, but read my traffic to this and other similar website, the jokes are on him...

Ergo Sum • October 14, 2016 4:10 PM

@Bruce...

    Now governments and corporations hold the balance of power.

True...

    Solutions require both corporate regulation and international cooperation. They require Internet governance to remain in the hands of the global community of engineers, companies, civil society groups, and Internet users.

You are seemingly advocating that the "deplorable" should govern the internet, instead of the governments and corporations. That's just not going to happen, especially in the US, where people are told whom to vote for and the masses listen.

It's way too late to change internet governance, there's no entity that would easily give up controlling information. It's way too much power to let it go...

Joe Stalin • October 14, 2016 5:26 PM

So Russia and China are on "social media" with "propaganda".

It is now legal to pump USA propaganda on "social media", foreign media (Udo Ulfkotte is an example), and USA media (dozens of military generals as network and cable experts pumping the next war and military budget).

Let's clean USA paid for mercs in the medias as well as the Facebook, Twitter, Google CIA/NSA paid spying. The tiny-handed propaganda of the rest of the world is laughable compared to the mighty Wurlitzer played by the USA government.

Anon10 • October 14, 2016 6:31 PM

Censorship isn't always bad, even from the standpoint of users. Facebook and nudity is a textbook case of that. At most companies, if you get caught looking at Facebook at work, you'll get told to get back to work or maybe written up for goofing off. If you get caught looking at nudity or pornography, even inadvertently, you'll likely be fired on the spot. So if Facebook allows nudity, that gives corporate IT a reason to blacklist the site, if they haven't already, and it makes users too afraid to access it at work, even from their personal smartphones.

Drone • October 14, 2016 11:33 PM

"If we are to leave a better Internet for the next generations, governments need to rebalance Internet power more towards the individual."

A naive statement. Governments almost never give power back to the people. In fact the opposite is almost always true.

I can think of only once in mankind's history when a "Government" gave anything like a significant amount of power back to the People: The enactment and evolution of the U.S. Constitution and Bill of Rights. (No, the English Magna Carta Libertatum and French Revolution are not by comparison what I would consider fully realized examples).

It makes me shudder to think that depending on who wins the next U.S. General Election, that historic accomplishment may be effectively tossed in the trash, and replaced with the self-perpetuating permanence of Progressive Socialist/Marxism.

Dave Howe • October 15, 2016 5:21 AM

To the best of my knowledge, this has never happened, ever.

Any resource seems to go through a series of stages, from early pioneering, through standardization and regulation, to final assumption of control by established power groups (usually by gaining ownership of property rights, then leveraging those to both extend and protect that ownership) - and this seems to be the case with the internet as well.

To roll that back would mean those with power agreeing to give up that power.

VinnyG • October 15, 2016 6:23 AM

@Alan:
You are correct, it doesn't work that way. "Government" (i.e., those individuals and groups who have arrogated a monopoly on violence and other powers to themselves under one pretext or another) serves only its own parochial interests: those which perpetuate and increase its power. All of the actions that Bruce wants "government" to take are inimical to those interests, and any expectation that such actions will actually happen (now or in the foreseeable future) is a futile waste of energy and time...
-VinnyG

Sleuth • October 15, 2016 1:29 PM

Trump should start by giving a definition of what he means by "We've got problems with the cyber".

I Want To Believe • October 15, 2016 1:36 PM

    And they'll result in more power and control to the individual and less to powerful institutions. That's how we built an Internet that enshrined the best of our societies, and that's how we'll keep it that way for future generations.

I Want To Believe this, but... I imagine it will only be true in our lifetimes if we get unbelievably lucky.

Ex Pat • October 15, 2016 3:58 PM

CONSPIRACY THEORIES ?

Which only leaves out 'Conspiracy Theories'.

It is a wonderful change from 2001 to 2008 and the rule of Our Dear Leader, Comrade Cheney, to today, when 90% of the comments are openly giving Schneier a frightful kicking for failing to openly acknowledge the US government's known abuses.

One might feel sorry for Schneier, were it not for the fact that he still looks like he's angling for that 'safe pair of hands' government-hack job by refusing to call a spade a bloody shovel - that is, refusing to acknowledge the US government's real conduct, either in illegal war, murder, torture-to-death and genocide, or in internet (in)security. No doubt incorrectly so.

Note that today Schneier wisely does not suggest that to tell these truths is to peddle 'conspiracy theories'. Possibly after the strong response he got on the 6th of September 2013 when he tried that tack.

- 'Conspiracy Theories and the NSA', by Robert Schneier, 6th September 2013 - Robert Schneier blog -

- https://www.schneier.com/blog/archives/2013/09/conspiracy_theo_1.html#c1693742

S.P.Zeidler • October 16, 2016 7:50 AM

"The early days of the Internet were free of censorship"

Well, politics didn't get involved but f.e. in my neck of the woods provider contracts mandated a strict no-commercial-use-allowed policy that was enforced by the respective admins.

What changed is that instead of the despotism of the local admin(s) (which you could evade by going someplace else, or by becoming an admin), you have governmental actors and monopolists who are much harder to route around.

Dr. I. Needtob Athe • October 16, 2016 8:24 AM

The clear consensus here is that it's pointless to demand that the foxes do a better job of guarding the hen house. In fact, the view sounds unusually naive.

The only solution I can see is technology, and that's where experts like Bruce Schneier come in. The only defense we have left is to better develop and make use of tools to counter these attacks on our privacy and security, because governments are obviously NOT going to do anything to help.

Clive Robinson • October 16, 2016 9:25 AM

@ Dr. I. Needtob Athe,

    The clear consensus here is that it's pointless to demand that the foxes do a better job of guarding the hen house. In fact, the view sounds unusually naive.

I suspect it is a matter of perspective / outlook.

So instead of "Foxes and hen houses" think "Poachers and game keepers".

The real problem is the lack of "Eternal Vigilance", most people like to think well of others, which is why con artists can earn a living, and politicians can pass legislation such that they can still receive bribes whilst others will go to jail. Worse they are too busy with their own day to day living to see more than a little into the future. Thus they don't see the noose of the booby trap tighten and they are thus caught, and slaughtered for their own inattention.

Society actually has an inbuilt series of mechanisms to enforce this inattention. One of which is to say the two magic words that turns reason to straw "conspiracy theory". It's a lot like the subject of Godwin's Law but they get away with it due to societal consensus.

Perhaps it's time for a new law to be named for the "conspiracy theory" type "Association Fallacy", as the conspiracy version of Hanlon's razor,

    "Do not invoke conspiracy as explanation when ignorance and incompetence will suffice, as conspiracy implies intelligence."

Is just not cutting it ;-)

jay • October 16, 2016 10:08 AM

The device password issue is a tough one. Forcing users to create a strong password sounds good, but they will forget them quickly and support becomes a nightmare, and impossible if the company goes under.

A lot of devices can be made more secure by limiting configuration and control menus to work only after PHYSICAL access to the device (press a 'setting' switch or similar). Things like routers, cameras, etc. which are rarely configured anyhow, would be more secure from external attack.

vas pup • October 17, 2016 11:39 AM

@all:
UK spy agencies 'broke privacy rules' says tribunal
http://www.bbc.com/news/technology-37680058
"Everyone accepts that what the agencies do operationally has to be secret, but the laws that say what they can and can't do shouldn't be secret."
Good point for future US government as well - I guess

Dan H • October 17, 2016 12:59 PM

Maybe keep Google from creating code? Android and Chrome are consistently on the US-CERT list for high vulnerabilities.

someone • October 21, 2016 5:16 PM

Can people, especially informed people who write about the internet stop embracing this proper noun The Internet. You of all people should know there is no one Internet. If we expect to live in a world with a free and well functioning internet public education is key. As we speak, the internet is gradually being ruined and it's largely due to mass ignorance about how it works and the implications of various policies.

I think a world with an actual Internet that is one specific thing that is controlled by a very small number of people and is rife with censorship and propaganda is far more likely than the internet you imagine. Stopping that starts with people understanding there is no Internet, and that we individually and collectively make up what we call the internet. It's not really possible to regulate something that is completely distributed so long as people actually understand that and continue to expand the network or create alternative networks that aren't affected by the regulations at that time.

Peter • October 28, 2016 7:52 AM

"Third, less propaganda." - writes Bruce -
Followed by exactly that, the usual USAnian propaganda,
parroted Ad nauseam by every single asset of The Evil Empire.

The CIA don't kill people and the NSA don't spy on USAnians - Wanna buy a red suspension-bridge ?

Peter • October 28, 2016 7:57 AM

@someone :
What you describe as the future internet sounds pretty much like Facebook to me -


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.