A Cybersecurity Policy Agenda

The Aspen Institute’s Aspen Cybersecurity Group — I’m a member — has released its cybersecurity policy agenda for the next four years.

The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White House, federal agencies, and Congress should zero in on the most important and solvable problems. To that end, this report covers five priority areas where we believe cybersecurity policymakers should focus their attention and resources as they contend with a presidential transition, a new Congress, and massive staff turnover across our nation’s capital.

  • Education and Workforce Development
  • Public Core Resilience
  • Supply Chain Security
  • Measuring Cybersecurity
  • Promoting Operational Collaboration

Lots of detail in the 70-page report.

Posted on December 11, 2020 at 6:57 AM

Comments

29,031.7 ' December 11, 2020 9:24 AM

Policy Agenda = Political Agenda

The government is the key mechanism to solve cybersecurity problems
(and most all problems in society)

Clive Robinson December 11, 2020 7:58 PM

@ Bruce,

Without “Supply Chain Security” the rest is for naught.

But as I’ve been saying for decades now,

Security is a Quality Process.

That is, for any endeavor / project, security has to be in place and have full management buy-in “before day zero”. If it’s not, or does not have full management buy-in, then it will with high probability be an insecure endeavor or project.

It’s no different from a one man project all the way through to the largest of departments: security as a process has to be in place “before day zero”.

Internet Individual December 12, 2020 1:33 PM

We need to back up a bit and start by asking some tough questions about the “internet” and its intended purpose(s). We sort of just deployed this pandora’s box technology and decided everyone needs it because of some seemingly arbitrary “stuff it can do”. It does your Netflix, orders stuff from Amazon, Facebook friends, Google stuff.

There are many unintended consequences of this technology. Everything the internet touches is now a potential attack vector. We should first get answers to some basic questions such as:

What is the comprehensive objective or purpose of the internet, long term? Is there one? Or is the philosophy “The Internet is the canvas for each artisan to paint whatever they can imagine”?

Who exactly is the internet intended for?

Does everyone need it? If so, why?

Is it the intention to “make” everyone need it?

Should we allow the daily functions of society to be conducted online only?

Should Russia, China, Iran, etc. be able to access American institutions such as banks, government agencies, schools, businesses, and utilities 24/7? What are the risks vs the rewards? Who is benefitting from this approach?

Should we keep analog or physical alternatives working in case of crisis or disaster situations? Such as USPS?

Does Joe Smith at home really require the same internet that Amazon.com or an international corporation needs? It may all be the same internet, but does it have to be that way?

Do our utilities and other domestic infrastructure really need to be connected to the internet?

I get the notion that the overall mentality regarding technological innovation is “innovate first and ask questions later.” And largely, that has worked to date. From the mindset of being an American Citizen, in my opinion the internet has overall negatively affected life in the US for the average citizen. I think about it as: the United States had more to lose than anyone else, and decided it might be an excellent plan to give everyone in the world, including enemy states, criminal organizations and pirates, a direct and near-instant means to help themselves. Tech companies benefited and became richer than many countries. Those corporations got to call the shots and make the rules. Took advantage of every inch, like the tape measure was going out of style. Now we are living with those consequences. But hey, we got Netflix and Facebook. From my perspective and armchair-view into the future, there are bigger issues ahead: the assault on Communication itself, which carries profound implications that will rock humanity at its foundation.

Clive Robinson December 12, 2020 4:16 PM

@ Internet Individual,

We need to back up a bit and start by asking some tough questions about the “internet” and its intended purpose(s).

A question for you,

“Who earns the interest or benefit of the cash in your pocket, or otherwise floating around outside a financial institution?”

It has a name, but that’s not really important; the effect of who profits and who loses however is.

In effect the question is “What’s the value of money in transit and to whom?”

Now ask the same question about those bytes of data winging their way around the Internet.

The fact they have value of some form, even if it’s just that byte that puts a twinkle in the eye in that picture of a cute kitten, is not in dispute.

But how about “your bandwidth” and all that javascript pulling down all that Marketing Malvertising?

It’s your bandwidth, thus reciprocally your time, thus your irreplaceable life, that is being stolen from you[1]. As well as PII and heaven alone knows what else, like bitcoin mining killing your CPU with heat death and larger electricity bills.

They in effect claim they own not just your data bytes but your computer, your personal data and whatever else they can steal from you.

When you start viewing things this way, you start to realise not just that the Internet companies are more rapacious than loan sharks, they actively bribe the legislature to make it mandatory.

So in a way the Internet is becoming an illegal tax to turn you from a “freeman” to a “serf”[2] tithed in forms most can not comprehend.

So, when you say,

From the mindset of being an American Citizen, in my opinion the internet has overall negatively affected life in the US for the average citizen.

You are perhaps understating the situation rather more than you might at first think.

[1] If you doubt this try turning off both cookies and javascript in your browser. You would be surprised how many web sites still deliver the content you want with no click through “Accept our sacrifice your first born terms, click here to die” boxes. Also just how much faster, especially the likes of news sites that do you the real favour of not downloading high res photos etc as punishment 😉

[2] Serf : noun, 1) a person in a condition of servitude, required to render services to a lord. 2) a person commonly attached to the land owned by the lord and transferred with it. 3) a person held in bondage or slavery without the benefit of slavery of food and shelter.

xcv December 12, 2020 4:32 PM

@Clive Robinson

“Who earns the interest or benefit of the cash in your pocket, or otherwise floating around outside a financial institution?”

Cash in my pocket gives me the option to spend it now on something or save it for later.

If the banks are closed or shut down, I may not have either of those options.

Options are worth money, because they give a person flexibility and the ability to change one’s mind, or alter one’s plans in response to changing circumstances.

lurker December 12, 2020 5:57 PM

@Internet Individual

What is the comprehensive objective or purpose of the internet, long term?

There may have been such for DARPAnet, I never looked back in the day. But then a political decision was made to monetise it. We live with the result of that.

Wesley Parish December 13, 2020 12:57 AM

Supply Chain Security
Promote security transparency.

I see a major problem with any attempt to implement that seriously. You can see the same reasoning in the way software is patented without giving the example of a sample implementation in the same way that manufacturing patents require blueprints of the machinery to be patented.

In other words, you’ll find yourself dealing with a lot of little Gollums of whatever size, shrieking “Thieveses! We hates them, we hates them, we hates them for ever!!! Precious!!! My Precious!!!”

You might have to put them on IPR-detox first.

And “Promote financial support for free and open source software.” will only confirm them in the paranoia brought on by that addiction.

Clive Robinson December 13, 2020 5:41 AM

@ xcv,

Cash in my pocket gives me the option to spend it now on something or save it for later.

That only works in low inflation economies. Don’t try living in a hyper inflation economy on cash in your pocket.

Quite a few years ago I had to go on business to a failed economy country in Africa. The advice I’d been given was to only carry low denomination USD, don’t take anything above a ten, and pay the hotel in advance before you fly there. Also to buy anything I needed as soon as I could, as early morning was better, as you could haggle/bargain as the shop keeper “marked up” for the new day, as they would two or three more times during the day…

Luckily the USD I carried saw me through, but I’m glad I’d paid the hotel bill in advance, the room was nice being part of an international chain. But each morning walking through the lobby to meet the driver I’d see the room rate had jumped from the day before by around 10% and after my less than a week stay if I’d paid at the end it would have cost as much again, and I’d have needed a suitcase just to carry the cash.

Watching the prices rise around 5%-15% a day in the shops was, back then a little under a decade and a half ago, shocking. One side effect was it “cut the stock lines” down to just one or two basics; there was no choice, you just paid, as in thinking about looking in another shop the price would go up long before you’d get there…

But as you can look up it got worse, a lot worse, and within a couple of years, due to President Robert Mugabe so mismanaging the country[1], you did not have sufficient fingers on both hands to count the number of zeros in the inflation rate, and ATM machines were crashing because they could not have enough zeros typed in to get enough money out to buy a loaf of bread…

At that rate of inflation money becomes effectively meaningless, as people do not want it almost halving in purchase power in the length of time it takes to pull it from your pocket… There was a joke about “how you could not burn money fast enough to keep up with inflation”.

Even though at one point illegal, most people used money from other countries. As far as I’m aware, even now that Robert Mugabe is dead his legacy is still hyper inflation, with something like ten or so other countries’ currencies in use, with the USD being used by around 60% of the population.

[1] You can look the history up, but basically Robert Mugabe was determined to stay in power any which way he could. And the price of that was “Danegeld”, not to invading hordes but to soldiers that had fought in the wars Mugabe had in effect started. Because the ex-soldiers demanded “land”, Mugabe kicked out those that owned and ran the farms successfully and which were really the only people keeping the country afloat. Those that got the land only knew how to “lord it up”, not run a farm. So food production dropped dramatically, down to below starvation for the populace. And so the “buy off to stay in power” policy went on and on in a downward spiral, all due to one man’s desperate clinging to power…

JonKnowsNothing December 13, 2020 11:04 AM

@ xcv @Clive

re: hyperinflation and the cycle of rising prices

There are loads of histories about periods of hyperinflation. One country had to pay their workers 2 or 3 times a day because if they waited until end of the day the prices of basic foods (bread etc) would outstrip their wages.

This rarely ends up well for the people or the economy or the country.

Then there is the cycle of rising prices which is not necessarily as fast as having the cost of a loaf of bread outpace your day’s wages but still affects everyone globally.

This is now a global economic problem teetering over the edge and will no doubt start to occupy governments after they can stop thinking about COVID-19 (or wishing they could stop thinking about COVID-19).

These are the stories you hear from older people about the cost of basic items during periods of hardship. Cost of bread, milk, meat. All these items are now tracked by government economists with Big Iron but the stories of the people around you have more meaning.

I remember reading about an early period in American History after the start of the Westward Expansion. The pay was $1 per month (one dollar per month). A person could go to their General Store and buy all the items needed for the month. It was a long list of items they could get and still have enough for some Penny Candy.

I remember thinking WOW they got all of that for ONE DOLLAR?

Today I bought a loaf of bread for $6.00 (six dollars).

I cannot buy a month’s worth of food for $1 or $6 or $100….

We see the inflation in the number of bills or ciphers in the account but the real value is in what will it buy?

ymmv

Clive Robinson December 13, 2020 2:40 PM

@ JonKnowsNothing, xcv,

This is now a global economic problem teetering over the edge and will no doubt start to occupy governments after they can stop thinking about COVID-19 (or wishing they could stop thinking about COVID-19).

Don’t, as they say, “hold your breath on it”. Western politicians actually in power appear to be more than somewhat blind these days when it comes to “A tide lifts all boats equally”, and are in effect running around like lunatics knocking the bottom out of small boats in favour of large, as we have seen with the “Stimulus Packages” and “Quantitative easing” etc in recent times.

But I like your other explanations of the effects of hyper-inflation.

Especially,

We see the inflation in the number of bills or ciphers in the account but the real value is in what will it buy?

Yes it’s a concept that you would have thought people could relatively easily comprehend but…

Hence my comments in the past about “fiscal wealth” (in ledgers) and “real wealth” (in natural resources) and how the “value added chain” both works to add utility (industry) and in other hands creates no real increase in utility just inflation (banking/finance).

I used to use the example of a “ton of coal” but a lot of people no longer see that intuitively. And people seeing intuitively, as you’ve no doubt noticed, is getting harder around here these days, so much so you have to dumb things down and that creates problems of its own…

That is, there is a problem with trying to explain what needs explaining on this blog these days, which comes about from people’s assumptions of what they think you are…

@ SpaceLifeForm for instance can be brief to the point of being cryptic to many whilst succinct and to the point to others.

I still remember trying to get across to someone the difference between “failure modes” and “failure probability”… I still think the person did not want to think, just say their assumptions.

After all, how hard is it to get the hang of: if you have four items that have a binary state then there are 2^4 = 16 modes, with the system always being in one of those modes. But slightly more difficult is that each mode has a probability of the system being in that mode. And slightly harder is that often the four items are not independent of each other even though the four items may be identical. Thus think of four switches in a line on a console: the outer two switches have a greater probability of being knocked or state changed than the inner two switches. How much that might be “depends”, but it’s something I thought would have been intuitively obvious.

Apparently not… So how to remedy,

If you make a long but accurate description – like this is becoming 😉 – almost like an academic paper, nobody reads it… If instead you say “this is a simplification” and produce something that is more accurate than many news sites, including science ones, but short, then even though you warn of simplification and use of a little editing out of real but messy and mostly irrelevant details to get the idea across in paraphrase form, some people jump on it claiming things based on their tiresome assumptions…

I must admit I’ve just about given up dealing with them because they will not stop, they keep trying to find fault or even make false allegations and to be honest I’m getting fed up with it, in effect they are little other than “better dressed Trolls”.

The problem is getting worse and appears to be in part due to the dearth of general commenters like yourself, myself and one or two others these days, so the better dressed ones tend to go for the hectoring / bickering approach to “make noise”… Which I’m thinking is best answered by sticking in an over abundance of detail… Because when you tot up the “column inches” it actually takes up less space than all the noise making…

JonKnowsNothing December 13, 2020 3:56 PM

@Clive @All

re: economic breath holding

MSM article about a company in UK returning their “furlough bailout money” intended to provide income to employees during slowdowns, lockdowns and quarantines. They didn’t want to do that.

They paid £500K bonus to 264 of their executive staff (£137M) and wanted to keep the £4.1M furlough money too. They had made much noise about Not Returning The Money…

Then this intriguing statement for an explanation:

“Recognising the public mood requires a much quicker process, we have accelerated this and we will be returning the money before Christmas.”

The public mood??? What a turn of phrase that …

ht tps://www.theguardian.com/business/2020/dec/13/accounting-giant-bdo-makes-u-turn-on-furlough-payback

UK’s leading accountancy firm … BDO operates in 167 countries with revenues of $10.3bn (£7.8bn).

(url fractured to prevent autorun)

JonKnowsNothing December 13, 2020 4:22 PM

@Clive @SpaceLifeForm @All

re:simple vs simplify

Noam Chomsky has railed for years about MSM Concision which is a finely tuned act of non-information or incomplete information or redirected information.

Concision: The Gulf of Tonkin Incident
It involved both a real confrontation and a fabricated confrontation between ships of North Vietnam and the United States in the waters of the Gulf of Tonkin. The original American report blamed North Vietnam for both incidents, but the Pentagon Papers, the memoirs of Robert McNamara, and NSA publications from 2005, proved that the US government lied to justify a war against Vietnam.

There are lots of things that are “simple” and can be explained in a straight forward way. Like building blocks the add up to a bigger structure.

When people do not understand one of the blocks (for a variety of reasons), the structure of thought can wobble when a weak block comes under inspection or question.

One of the many attributes of the exchanges here is that the blocks are explained or can be revisited even if the explanations take longer to type.

tl;dr

One of the attributes of horsemanship is that you never get all the blocks perfectly aligned. If you did you would have a machine with determinant outcomes. Horses are infinitely variable by individual, by day, by time. Same as humans. To achieve harmony is the ultimate goal.

When people skip or misunderstand the building blocks this ends up badly for the horse. The horse is blamed for everything: it doesn’t X or Y or Z. The horse is sold and another horse replaces it but the building blocks of understanding are never corrected. People do the same thing over and over with the same or worse results (because some horses will make more objections).

It is very difficult to get people to Learn. They want lessons and they say all sorts of things about what they want. What they do not want is to “think” “apply” and “learn”.

It’s so much more fun to complain how bad your horse is…

ht tps://en.wikipedia.org/wiki/Noam_Chomsky
ht tps://en.wikipedia.org/wiki/Concision
ht tps://en.wikipedia.org/wiki/Gulf_of_Tonkin_incident
(url fractured to prevent autorun)

Clive Robinson December 14, 2020 12:37 AM

@ JonKnowsNothing, ALL

The public mood??? What a turn of phrase that …

Yes, like the old “Big Four” that had Andersen’s in, these “accountants” are supposedly “highly respected” auditors of large commercial companies, government entities and the like. Thus they are supposed to understand and apply probity and honesty as well as identify wrong… Not behave like a bunch of… well, like you, words fail me on trying to get across the debased dirt crawling money grabbing behaviour they exhibit in a suitably pithy way. Talk about “self entitled” in a “me first and always” culture.

ResearcherZero December 14, 2020 10:02 PM

A solution for the lack of political will to fix the dreadful network security of both sides of the house.

Now if we could only shame both parties into adopting the policy. Oh, what do you know, some kind fellows on the other side of the world already have. How altruistic of them.

What would be funny (in some sort of twisted dark manner), is if a bunch of security researchers already warned both Republicans and Democrats about serious problems with their network security (perhaps 2015 or earlier), and instead of fixing the problem, the politicians decided blaming each other was of tactical benefit.

Small businesses in small rural hick towns often have better security, and where there are problems, they often have the will to fix them. You would imagine that major political parties might consider operational security as having some importance, and national security; they are always banging on about national security.
hxxps://www.bloomberg.com/news/articles/2020-12-14/u-s-government-agencies-attacked-by-hackers-in-software-update

Well if not that then, how about their own personal dirty little secrets.
Critics have warned that a backdoor, once discovered, is open to everyone – regardless of whether they have “permission” to use it or not.
hxxps://www.theregister.com/2020/11/27/encryption_backdoor_petition/

Perhaps responding to reports of worst ever passwords for directories visible on the web, that are named after the user account, and contain sensitive information (large tech companies could also try this). Attending security briefings and not falling asleep during them, worth considering.

A Cybersecurity Policy Agenda sounds like a very smart idea. It will help to stop the bleeding in the supply chain (gushing sounds).

Oh, and repeated reports about certain individuals carrying out repeated espionage activities for foreign governments and other serious crimes, probably worth not ignoring that.
