What Will It Take?

What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problems? It’s not enough for the average person to be afraid of cyberattacks. They need to know that there are engineering fixes—and that’s something we can provide.

For decades, I have been waiting for the “big enough” incident that would finally do it. In 2015, Chinese military hackers hacked the Office of Personal Management and made off with the highly personal information of about 22 million Americans who had security clearances. In 2016, the Mirai botnet leveraged millions of Internet-of-Things devices with default admin passwords to launch a denial-of-service attack that disabled major Internet platforms and services in both North America and Europe. In 2017, hackers—years later we learned that it was the Chinese military—hacked the credit bureau Equifax and stole the personal information of 147 million Americans. In recent years, ransomware attacks have knocked hospitals offline, and many articles have been written about Russia inside the U.S. power grid. And last year, the Russian SVR hacked thousands of sensitive networks inside civilian critical infrastructure worldwide in what we’re now calling Sunburst (and used to call SolarWinds).

Those are all major incidents to security people, but think about them from the perspective of the average person. Even the most spectacular failures don’t affect 99.9% of the country. Why should anyone care if the Chinese have his or her credit records? Or if the Russians are stealing data from some government network? Few of us have been directly affected by ransomware, and a temporary Internet outage is just temporary.

Cybersecurity has never been a campaign issue. It isn’t a topic that shows up in political debates. (There was one question in a 2016 Clinton–Trump debate, but the response was predictably unsubstantive.) This just isn’t an issue that most people prioritize, or even have an opinion on.

So, what will it take? Many of my colleagues believe that it will have to be something with extreme emotional intensity—sensational, vivid, salient—that results in large-scale loss of life or property damage. A successful attack that actually poisons a water supply, as someone tried to do in January by raising the levels of lye at a Florida water-treatment plant. (That one was caught early.) Or an attack that disables Internet-connected cars at speed, something that was demonstrated by researchers in 2014. Or an attack on the power grid, similar to what Russia did to the Ukraine in 2015 and 2016. Will it take gas tanks exploding and planes falling out of the sky for the average person to read about the casualties and think “that could have been me”?

Here’s the real problem. For the average nonexpert—and in this category I include every lawmaker—to push for change, they not only need to believe that the present situation is intolerable, they also need to believe that an alternative is possible. Real legislative change requires a belief that the never-ending stream of hacks and attacks is not inevitable, that we can do better. And that will require creating working examples of secure, dependable, resilient systems.

Providing alternatives is how engineers help facilitate social change. We could never have eliminated sales of tungsten-filament household light bulbs if fluorescent and LED replacements hadn’t become available. Reducing the use of fossil fuel for electricity generation requires working wind turbines and cost-effective solar cells.

We need to demonstrate that it’s possible to build systems that can defend themselves against hackers, criminals, and national intelligence agencies; secure Internet-of-Things systems; and systems that can reestablish security after a breach. We need to prove that hacks aren’t inevitable, and that our vulnerability is a choice. Only then can someone decide to choose differently. When people die in a cyberattack and everyone asks “What can be done?” we need to have something to tell them.

We don’t yet have the technology to build a truly safe, secure, and resilient Internet and the computers that connect to it. Yes, we have lots of security technologies. We have older secure systems—anyone still remember Apollo’s DomainOS and MULTICS?—that lost out in a market that didn’t reward security. We have newer research ideas and products that aren’t successful because the market still doesn’t reward security. We have even newer research ideas that won’t be deployed, again, because the market still prefers convenience over security.

What I am proposing is something more holistic, an engineering research task on a par with the Internet itself. The Internet was designed and built to answer this question: Can we build a reliable network out of unreliable parts in an unreliable world? It turned out the answer was yes, and the Internet was the result. I am asking a similar research question: Can we build a secure network out of insecure parts in an insecure world? The answer isn’t obviously yes, but it isn’t obviously no, either.

While any successful demonstration will include many of the security technologies we know and wish would see wider use, it’s much more than that. Creating a secure Internet ecosystem goes beyond old-school engineering to encompass the social sciences. It will include significant economic, institutional, and psychological considerations that just weren’t present in the first few decades of Internet research.

Cybersecurity isn’t going to get better until the economic incentives change, and that’s not going to change until the political incentives change. The political incentives won’t change until there is political liability that comes from voter demands. Those demands aren’t going to be solely the results of insecurity. They will also be the result of believing that there’s a better alternative. It is our task to research, design, build, test, and field that better alternative—even though the market couldn’t care less right now.

This essay originally appeared in the May/June 2021 issue of IEEE Security & Privacy. I forgot to publish it here.

Posted on February 14, 2023 at 7:06 AM73 Comments


PaulBart February 14, 2023 7:26 AM

The policy makers, who matter, do take it seriously. That is why Snowden is no longer in this country, and why Assange is slowly fading into non-existence.

Stephen February 14, 2023 7:44 AM

People don’t change unless the cost of doing nothing becomes greater than the cost of doing something. Unfortunately I think you’re right. It’ll take something so big that it can’t be hidden like a train on fire in Ohio.

Stéphane Bortzmeyer February 14, 2023 7:57 AM

I remember Multics and, although it was more secure than Unix (this not difficult), it was also more painful to use. Same thing for VMS, which I remember more (I was sysadmin on VMS).

Kurt February 14, 2023 8:20 AM

“You cannot secure what you do not control”

I don’t think Americans are ready for the level of control of the Internet to achieve the level of security Bruce describes.


PS February 14, 2023 8:45 AM

America won’t handle gun violence, mass death and disability from Covid-19, climate change, tax avoidance by the rich, avian flu, etc., etc. and at least some of those things have immediate, visible impacts. The calculations are all about power and money, not safety, security, health or anything of value to actual citizens. Cyber security is wayyy down the list. I doubt even a big event would make a difference. Is nuking a town with chemicals to open a train line going to change the way US companies run their trains and treat their employees? Nope.

Petre Peter February 14, 2023 8:51 AM

“It won’t matter to them if it won’t matter to us. “ We have to ask about security and privacy at their political campaigns.

As for having trusted communication on an untrusted network…aren’t we still trying to secure email? Technologists must get involved in policy and policy makers have to get involved in technology. At that Star Trek table.

Winter February 14, 2023 9:12 AM

@PS, All

The calculations are all about power and money, not safety, security, health or anything of value to actual citizens.

Indeed, power corrupts and money is the vehicle that does it.

Remember the immortal words of Texas GOP Mayor Tim Boyd during the Texas Freeze that killed hundreds of Texans after the collapse of gas and electricity utilities:


In a widely-circulated Facebook post that has outraged many, Boyd told town residents to stop complaining about the cold weather that has left millions across Texas stranded without power.

“No one owes you or your family anything; nor is it the local government’s responsibility to support you during trying times like this! Sink or swim, it’s your choice!” Boyd wrote in the post on his Facebook page, which was later copied on the Mitchell County Issues community forum.

“The City and County, along with power providers or any other service owes you NOTHING! I’m sick and tired of people looking for a d— handout!”

He went on to write that anyone complaining about the cold must be lazy and products of bad parenting.

Joe February 14, 2023 9:19 AM

But policy makers do take cybersecurity seriously… for government and military applications. Of course, not all government entities have good cybersecurity, but there are some branches of government with very good security, far greater than I’ve seen from any corporation. If I had to guess, some government institutions may have exceptional security relative to others because they can be framed as relevant to “national security”. Ultimately, it’s much less of a technical or systemic problem, and much more of a people problem. So maybe one approach is to solicit the help of those who know how to sell to people, especially to government – sales, marketing, lobbyists, etc. Ask them to figure out how to frame the problem of cybersecurity in the same vein as “national security”, something that these policy makers [pretend to] care deeply about.

Denton Scratch February 14, 2023 9:50 AM

the Ukraine

The country’s name is “Ukraine”. The use of terms like “The Argentine” and “The Ukraine” implies that these places are not countries, but territories, contested places, or even places shared by several countries.

Ukraine is an independent country. It is not shared, unoccupied or some kind of borderland.

Mammon February 14, 2023 9:50 AM

What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously.

It would require that those policy makes suffer personal tangible monetary loss.

Or, alternatively, nice juicy profits, preferably anonymous, as a “reward” from taking this stuff seriously.

And some of them might even listen if Putin tells them to.

scot February 14, 2023 9:54 AM

Making any elected official found mishandling sensitive information ineligible to re-run for office might be a good start. If the people at the top don’t take information security seriously, how can anyone below them be expected to?

EMF February 14, 2023 9:54 AM


re: that statement by Tim Boyd.

Yet the government wants people to support its electoral processes, to pay taxes, and to send their children to fight in its wars

dbCooper February 14, 2023 10:33 AM

“For the average nonexpert—and in this category I include every lawmaker—”

@Bruce, normally you don’t paint with a wide brush. Senator Ron Wyden of Oregon is expert enough to call out folly when he sees it. A few excerpts from his Wiki page bears this out, https://en.wikipedia.org/wiki/Ron_Wyden

In August 2017, Wyden was one of four senators to unveil the Internet of Things Cybersecurity Improvement Act of 2017, legislation intended to establish “thorough, yet flexible, guidelines for Federal Government procurements of connected devices.”

In June 2011, Wyden announced his Geolocation Privacy and Surveillance Act in partnership with Representative Jason Chaffetz. The bill would establish a legal framework for the sharing and access of private tracking data by corporations, individuals, and federal agencies.[136]

Wyden was the first politician in Congress to stand against the controversial Stop Online Piracy Act (SOPA) (in the House) and the PROTECT IP Act (PIPA) (in the Senate)[137] on the grounds that it would “step towards an Internet in which those with money and lawyers and access to power have a greater voice than those who don’t.”[138] Wyden delayed PIPA in the Senate by placing a hold on the legislation in 2010, which prevented it from being considered by the full Senate even after it was unanimously voted out of the Senate Judiciary Committee. Wyden’s hold was credited with “[g]iving time for the Internet to rally against” SOPA and PIPA.[139] With Representative Darrell Issa in the House, Wyden also introduced the Online Protection and Enforcement of Digital Trade Act as an alternative to SOPA and PIPA.[140]


In September 2018, Wyden was one of five senators to sign a letter to United States Secretary of State Mike Pompeo urging him to employ more multifactor authentication measures in order to secure the State Department’s information systems and seeking answers on how the department would boost its security after the Office of Management and Budget designated the department’s cyber-readiness as “high risk” as well as what the department would do to address the lack of multifactor authentication required by law and for statistics detailing the department’s cyber incidents over the preceding three years.[79]

In December 2020, in light of the 2020 United States federal government data breach, Wyden renewed calls for the introduction of mandatory security reviews for software used by federal agencies.[80]

Mind Your Own Business Act

In October 2019, Wyden proposed The Mind Your Own Business Act to allow the FTC to issue penalties for first-time privacy violators of up to 4% of annual revenue, like the European regulation GDPR.[145]

Additionally, see his positions on the PATRIOT ACT v2 and v3.

BCS February 14, 2023 10:50 AM

To answer the opening question: they never will do enough. That’s not something that governments can, will or probably even should do. By the rapidly evolving nature of the problem, it’s not something government will ever be good at.

The major problem with governments trying to “solve” this sort of problem is that legislation encourages people to comply with the mandates of the legislation, not with its goals. Write a law saying people need to do X, Y and Z and you will get X, Y and Z and nothing more, despite that being obsolete before the law goes into effect (if it was enen the right thing to do to begin with). And when thing go wrong, people will correctly point at the law and say: “we did what you told us to”.

Likely the best solution that could be legislated would be some sort of civil liability. If the liability is set correctly, people will figure out how to mitigate it. People will buy insurance for it and insurance agencies will figure out what it really takes to address the problem and create major financial incentives to do so.

You might go one further and encourage companies to publish what liability coverage they have. “We’re self insured” translates to “people who’s job is assessing risk think we are to risky to do business with”. “We have full coverage by well-known-agency” translates as “we are verified to be doing what the experts say is best and keeping up with that as it changes”.

And all that without the government creating much if anything in the way of regulation beyond truth-in-advertising.

Aaron February 14, 2023 10:57 AM

Perhaps, on some level, the older generations (baby boomers, gen x) were relying on their children & grandchildren (millennials, gen z), who grew up in a far more technological world, to be savvy, aware and knowledgeable enough to solve the problem from the ground up.

What we’ve ended up with is knowing that just because humans grew up in a technological era doesn’t mean they can grasp it any better then someone who didn’t. Humans are still and will always be the limiting factor. All while the tools and methods that enable cyber attacks to continue to improve generation to generation.

Winter February 14, 2023 11:08 AM


Yet the government wants people to support its electoral processes, to pay taxes, and to send their children to fight in its wars

Note all those politicians who greet the Flag and avoided war service, or whose children avoided war service.

The Texas Freeze also brought to light many Republican heavyweights who were leaving the sinking ship and flew to warmer places. Supporting their freezing voters from the warmth next to the swimming pool.[1]

[1] ‘https://nymag.com/intelligencer/2021/02/ken-paxton-and-ted-cruz-both-left-texas-amid-freeze.html

Canis familiaris February 14, 2023 11:31 AM

@Denton Scratch

The country’s name is “Україна” – at least, that is what most of the citizens of that country call it themselves. The Ukrainian language lacks a separate definite article for nouns.

The politics of using a definite article as part of what people generally call a country in English is weird.


Basically, if you don’t want to offend someone, go with their preferences, whether or not it has any grammatical, etymological or historical justification. The “République de Côte d’Ivoire” will thank you.

Rick February 14, 2023 11:34 AM

This is exactly right and true for moving forward on anything. There needs to be an acknowledgement of a present bad situation and the negative consequences (pain). Then there needs to be the vision of a better situation and that bring the desired positive outcomes. Then, and only then, with credible and believable approaches can you build a bridge from the past to the future. True for cybersecurity, privacy, climate change, etc. Bruce highlights the key requirement of a believable path – without that status quo reigns.

Clive Robinson February 14, 2023 12:27 PM

@ Bruce,

Re : Logic of design improvment.

Can we build a reliable network out of unreliable parts in an unreliable world? It turned out the answer was yes, and the Internet was the result.”

Consider that question in both a more abstract and logical way.

Then consider,

Can we build a secure network out of insecure parts in an insecure world? The answer isn’t obviously yes, but it isn’t obviously no, either.”

You are actually making a faux assumption that there is some real difference between “reliable” and “secure”…

If I was to say there is no difference in reality[1], then if the answer is genuinely “yes” to the first question it also has to be genuinely “yes” to the second. Likewise if the answer is genuinely “no” to the second question then the answer given to the first must also be “no”.

People need to realise a fundemental fact,

“Neither reliability nor security are intrinsic properties of an object, they are ‘built in’.”

Whilst it’s easier to see this with “security” than it is with “reliability”, both are actually “Quality” issues that arise as part of the design and manufacturing process of all the components that go into the finished system or product. Every method you use to increase reliability transforms into a method you use to increase security and the opposit is true.

Sometimes it’s hard to see the transformation, when this happens it is usually because you are considering two or more methods as one, thus have not reduced it to the fundemental methods[2] involved.

I just wish people would realise this, as it stops mistakes being made that actually appear to improve say reliability but actually reduce it and security as well.

[1] There genuinely is not a difference between “reliability” and “security” when you strip away the irrelevances that language causes. Fundementally they are the same and are subsets of a more general issue. What method works for one has an identical method for the other you just have to find the transformation. So at the end of the day the only difference is just the way you stand and observe the issue and the language you use to describe it that is different.

[2] Consider an example, puting tiles on a roof to keep out the weather is actually fundementally the same method used for putting cladding on the walls of a building. Perhaps more surprising to some is that it is the same method fundementally that a damp proof course in a wall or damp proof membrane under a solid floor works.

Joe Blue February 14, 2023 12:28 PM

Bruce, I admire your wisdom, your insight and in this case, your naiveté. There’s no way American politicians will ever make any meaningful moves on cybersecurity, not even if someone hacked every nuclear reactor in the country and melted them all down at once. For God’s sake, they can’t make any meaningful moves to keep children from being murdered in their school classrooms! If actual children getting actually shot doesn’t spark change, there’s no cyber-anything that will ever move the needle.

I wish it were not so. Perhaps someday our politicians will care more about their country than they do about getting retweeted. But I despair of it ever happening during my lifetime.

Winter February 14, 2023 1:20 PM

@Joe Blue

For God’s sake, they can’t make any meaningful moves to keep children from being murdered in their school classrooms!

That is because their people need their guns to prepare for the collapse of society. When the Zombie Apocalypse/Great Reset/Final Ethnic War arrives, their kids will be thankful they kept their weapons.

But seriously, who are these people thinking of when they say they need to defend their families? When I hear their arguments, all I hear are Nixonian dog whistles.

So some occasional school massacre is a small price to pay for that ultimate ability to kill. And we still can arm the children (worked well recently).

ResearcherZero February 14, 2023 1:22 PM

Probably some major incident that cripples major infrastructure.

Getting a mob-a-knobs to attend a security briefing cab be like trying to drag a child to the dentist.

People can not purchase food without EFTPOS. The little magnetic strips will not work without power. As in New Zealand currently:

“Transmission companies around the country reported damage to substations and power networks.”

“with geopolitical tensions rising to high levels, it is not wise to just rely upon good luck”

Companies should push for assurances that our infrastructure can rapidly recover after a cyberattack before the cyberattack, and have those assurances verified by independent auditors.

MarkH February 14, 2023 1:33 PM


Denton Scratch has it correctly — the traditional English usage “the Ukraine” is generally understood by Ukrainians to cast their homeland as a mere appendage to the Russian empire.

For this reason, respectful usage omits “the” … it’s just Ukraine.

ResearcherZero February 14, 2023 1:39 PM


Young people in country towns have not figured out yet that Uber drivers do not carry cash.

Zuckerberg’s experiment at bringing everyone together, has instead resulted in turning everyone into blithering idiots. He did behave a little like a sociopath when he was a child, but I guess we will just have to wait until he grows up, then see what happens. Free market principles.

Clive Robinson February 14, 2023 2:02 PM

@ ResearcherZero,

Re : Zuckerberg

“He did behave a little like a sociopath when he was a child”

That is what they call “A serious understatement” beyond that “of mear sarcasm”.

He is a prime example of,

1, Primary narcissism
2, Base sadism
3, Primary psychopathic behaviour

As for “Machiavellism” I see traits of it. So he hits the score card high on the “dark tetrad” of societaly undesirable and so far incurable mental defects…

But… because he makes money for people with equally as bad traits he is seen as someone who should be celebrated if not lorded as a “role model” for “The Great American Dream”…

I will leave others to draw their own conclusions about what that says about the US Education system and how they want US Society to be…

Ted February 14, 2023 3:01 PM

What’s notable to me is that @Bruce’s contribution to IEEE appeared around the same time the Biden administration issued EO 14028 (Improving the Nation’s Cybersecurity).

I’m trying to find some follow up on the outcomes of this EO.

Has it addressed any of the concerns laid out here?

In 2022, Brookings remarked that the EO was less like a map to improved security and more like a survey for its construction.

Considering all the complexities and developments in this space, are we still able to take incremental baby steps towards security?


JonKnowsNothing February 14, 2023 3:21 PM

@Denton Scratch, MarkH, All

re: Translation Failures

There are all sorts of oddness that happens when you translate between languages. Modern languages, Ancient Languages, Hieroglyphics, Rock Art, all get wonky when you try to restate their local names and meanings into other language formats. Even L-R / R-L / U-D can get into a bind.

American English uses “THE” a great deal, more than in British English.

  • USA I was in the hospital vs I was in The Hospital.
  • UK I was in hospital

It doesn’t quite get the right nuance in American English if you leave out THE

  • I went Ukraine
  • I went to the Ukraine
  • I visited Argentine
  • I visited the Argentine

But this version does work using British English to establish the “state of being”

  • I was in Ukraine
  • I was in the Ukraine

We don’t put THE in this variation.

  • I was in the Heaven
  • I was in Heaven

I feel very sorry for people learning American English, we have so many regional versions to learn. French is much easier. There is a list of rules (short) and a list of exceptions (very long). Just memorize all the exceptions and Bob’s Your Uncle.

Now, of you really want to get into a modern tussle over names try these on for boxing gloves

  • Latino, Latina, Latinx, Latinos, Latinas, Latinxs Where the masculine ending O/OS includes all M or mixed M/F/X groups.

Be mindful that not everyone who speaks Spanish or comes from a Spanish speaking country is from from Amérique latine.

  • French Amérique latine: Thought to be coined by French Emperor Napoleon III.

MarkH February 14, 2023 3:55 PM


How about “I went to Ukraine?”

Works fine, no article required.

Even in Russian, the usual way to denote presence in a sovereign state is to use the preposition corresponding to “in” (в) — but traditional Russian usage made an exception of using the preposition corresponding to “on” (на) for Ukraine, as though it were some generic open space.

Russian speakers who respect Ukrainian independence now use the в to denote presence there.

It’s not that complicated.

W February 14, 2023 4:13 PM

That is the problem with academics. You think things will change in the way you want them to. That is not how it will happen. The big Event will happen, and they won’t respond by preventing companies from collecting and hoarding datasets A,B,C. No. They will respond by making encryption illegal. They will respond by banning all VPNs. They will respond the in the ways you see as even worse than the current regime of, “Do Nothing At All Cost.” You academics never learn. You only enact change when you are the on in power and empowered to make them.

MattM February 14, 2023 4:47 PM

I’m astonished that the Equifax breach didn’t get the efforts to replace the social security number with something more secure off the ground. Everybody was talking about it, but then one day everybody stopped talking about it, and the matter was seemingly dropped. Does anybody know what happened to that discussion?

It’s a 9-digit number that you have to give to everybody, but it also has to be kept secret. It’s an absurd concept that doesn’t hold up in the modern world. The secrecy of a 9-digit number is the only thing standing between you and chaos. Why can’t we use some sort of smart-card based cryptographic authentication like federal employees use with CAC cards? Your existing social security number could then be a public index to look up the public key associated with your card.

Jonathan Wilson February 14, 2023 4:51 PM

It doesn’t help that basically every law enforcement and intelligence agency on the planet has a vested interest in weaker cyber-security so they can spy on everyone.

modem phonemes February 14, 2023 4:51 PM

@ Clive Robinson

Every method you use to increase reliability transforms into a method you use to increase security and the opposit is true.

Can you please explain further?

Reliability seems to relate to perpetual performance according to a specified standard. This implies that the standard has to be such that this is actually practically possible.

But security seems to include an element of standard that says that only prescribed uses by prescribed persons are possible. This standard seems to be ultimately impossible because at the final level substitution of persons can never be ensured against.

Clive Robinson February 14, 2023 6:55 PM

@ modem phonemes,

“Can you please explain further?”

When you take it far enough down to the foundations, “reliability” and “security” are all fundementally about “access”.

So “reliability” is about “having access to function” and security is about “having access to objects”.

In the physical object world “function” is implemented by “physical objects” and security is likewise about “physical objects”.

In the information object world fundementally every thing is a “Bag of Bits”(BoB) though few work low enough to have that as their daily reality. You were however probably told at one time,

programs = data + algorithms

And later got told,

data == algorithms


data == code

Hence the basic design of the von Nueman computer architecture.

So any method I take to prevent tampering with data, works as well for ensuring code functions as intended.

This remains the same as you go up the computing stack only the language used tends to change.

Do you need me to expand it further?

JonKnowsNothing February 14, 2023 6:57 PM


re: How about “I went to Ukraine?” Works fine, no article required.

Yep works fine if you are using British English. You will get a demerit if you write that in a School/College/University Essay in the USA.

Of course that presumes you are the one writing the essay and not using AI-Plagiarism-Bot.

It’s like using British Spelling vs American Spelling. Quaint to use in the USA, you might skate by if your Prof has a sense of humour…

Paul Lock February 14, 2023 7:06 PM

Good Sir,

I could enumerate the similarities between your plight and mine, decades of waiting for action and all the rest, but I would rather draw your attention to the fact that we are certainly not the only two people waiting for meaningful policy and legislation. This begs the question, if so many are not receiving their just due of good government, then what are we all doing wrong?

Watching the wheel turn again and again, is akin to madness, yet we continue. Are we not bold enough? Are our expectations flawed or unrealistic? Are we using the tools at hand to best advantage? Is it up to us to do something? If not who’s job is it?

I feel very strongly that those that can, must. A bunch of us are enjoying peak wisdom on an astounding array of subjects. Our pet issues are constantly unresolved due to a small set of root causes.

Why shouldn’t we engage with these root problems? If not us then who?

Regards and Respect,
Paul Lock

MarkH February 14, 2023 7:28 PM


“You will get a demerit if you write that in a School/College/University Essay in the USA”

No. Just no.

No more than if you wrote, “I went to France.” It is perfectly grammatical in both instances.

… Unless your instructor drives a Tin Lizzie, uses an ear trumpet, and answers the phone by saying “Hoy! Hoy!”

The Merriam Webster dictionary — the default in U.S. courts for the meaning of words that are not specifically legal terminology — lists “the Ukraine” as a variant used “chiefly formerly.”

Reminder: we’re in the third millenium.

MarkH February 14, 2023 7:34 PM

@modem phonemes:

To answer your question somewhat differently, the most accomplished hacker I’ve met (an expert at evaluating systems for vulnerability to unauthorized access) told me, “if you can crash a system, you can break into it.”

I remember being startled at the time, but it does make sense. If by inputs, queries, or other interactions you can cause a computer system to “break”, you have triggered behavior the designers did not intend.

Gaining unauthorized access is a variant on that.

Basic reliability engineering inherently improves security. If every module validates all inputs (rarely done in practice), then a myriad of doorways are closed to system attackers.

JohnB February 15, 2023 12:07 AM

My personal view, is that companies don’t take cybersecurity seriously any more than as a liability-box-ticking and insurance-requirements-covering guideline.

Until recently I was a programmer with a major game developer, which is developing an entire new programming language/ecosystem – and I’m left with zero confidence in their ability to secure any of it (indeed, I was effectively let go immediately after providing probably the most thorough report on the deficiencies of their planned release of this new system/language thus far – the cynical side of me wonders if there’s a connection between my report and being let go).

When I look at stuff like HackerOne and its universal adoption by all major programming companies, it’s obvious that the entire programming industry only cares about gig-ifying security programming work – reducing exploit discovery to low paid gig-work – and will only hire programmers to do automated fuzz-testing to cover liability/insurance/’look-as-if-doing-something’ requirements – and won’t pay for continued/active/non-automated exploit testing, as well as more major projects like adapting more secure languages e.g. research and moves towards utilizing Rust instead of C++ etc..

It’s simply not economical for companies to care about security. William K. Black – who more often wrote about financial fraud a decade ago – regularly used the term Greshams Dynamic, for a situation where it’s more profitable to ignore regulatory standards (and even engage in fraud), and where this gives a competitive edge over companies who would uphold proper standards – and that’s precisely the dynamic I expect the entire tech industry to take, towards security forever into the future.

ResearcherZero February 15, 2023 2:11 AM

@Clive Robinson

Every time I asked Mark about relationships between people, or safety aspects of how such a platform might work, he returned to ‘the pitch’. Apparently all of these problems would sort themselves out once ‘everyone’ was ‘brought together’, or at least within an illusion of ‘togetherness’.

The culture of organisations can at times be more than a little dysfunctional, driven by personalities at many different levels, sometimes even – the boss.

“Two aspects of a company’s culture have outsized effects on the security of its information: the organization’s tolerance for inconvenience and the degree of collaboration across business units and among employees.”

“Security and convenience are inversely related. An organization’s willingness to tolerate inconvenience has a profound effect on the security of its information.”

“as Kirchner flew around the world on his private jet to play exclusive golf tournaments, meet celebrities and discuss buying an English football team, his 100 or so employees back in the States were going on almost two months without pay.”


Press This Button to Remotely Engage Door Opener

“Product manufacturers can help by clearly stating the level of security their product provides in comparison with the technology or component they seek to advance.”

“The most concerning dilemma is we are transitioning security with convenience all the time. …in the short term, we have to sacrifice some convenience to achieve a high-security level. Surely through this, many businesses can decrease the cybersecurity issues in the present and the future.”

Get it wrong and the grid can collapse again.


JonKnowsNothing February 15, 2023 2:29 AM

@MarkH, All

re: by any other name…

I suspect this sort of discussion comes down to the Oxford Comma (1)

re: “I went to France.” It is perfectly grammatical …

Yes: I went to France
No: I went to the France

Yes: I went to the French Riviera
No: I went to Riviera

It often comes down to exactly what you are translating and what you mean with in the translation. Normally, Official Translations, especially diplomatic ones, do not include any “emotional content” in the translation. It’s all very tedious and dry. Contemporary Translations include “emotional content” translations that are not exact copies of the text. They translate things like idioms rather than the words.

  • Don’t count your chickens before they hatch (English)
  • Don’t count the bears before you have skinned them (French)
  • Don’t count your boobies before they are hatched (American James Thurber)

Sometimes we end up in the odd world of the subjunctive, which we don’t recognize much in English anymore but the subjunctive is used quite a lot in other countries. We also don’t use the familiar tense in English except in biblical writings. Thee and thou, may, might are very big in other languages but sound really weirdo in American English. Tons of archaic words get pulled into Hollywood movies but whence come they?

The “state of being” plays havoc in American English. To be or not to be…

  • J’ai fini
  • Je suis fini

Both can translate to “I am done”. The first means: I have completed (a task). The second is: an over emoted death scene in a Hollywood Western.

English is so malleable, that we can barely understand each other.


1) Oxford Comma or Serial Comma

  • In English-language punctuation, a serial comma (also called a series comma, Oxford comma, or Harvard comma) is a comma placed immediately after the penultimate term in a series of three or more terms.
  • For example, a list of three countries might be punctuated either as “France, Italy and Spain” (without the serial comma) or “France, Italy, and Spain” (with the serial comma).
  • … usage also differs somewhat between regional varieties of English. British English allows constructions with or without this comma, whereas in American English it is common and sometimes even considered mandatory.

MarkH February 15, 2023 4:24 AM

My last word on the matter: a much younger me worked with a much older gentleman who had long lived in a former slave state. After I had heard him call people “coons” enough times:

Mark: Dick, do you consider yourself a racist?

(very long pause)

Dick: No.

I don’t call people coons, and I don’t call Ukraine “the Ukraine,” and I watch out for other demeaning or belittling language.

When we were younger, it was “the Ukraine.” Language evolves. That usage is now deprecated.

It’s not a question of linguistics, it’s a question of dignity and respect.

David February 15, 2023 4:45 AM

Maybe the real question here is “does it matter”?
Clearly for the vast majority of people around the world the answer is “No” otherwise to Bruce’s point there would be the political will to make the necessary changes.
Most people only care about an issue if it directly affects them (or maybe those closest to them), and the ability of those people to effect change is limited due to the relatively small numbers.
So maybe we should be asking ourselves why do we do what we do in information/cyber security. Is it for the greater good, is it because we find it mentally stimulating or is it just that the pay is pretty good?

Clive Robinson February 15, 2023 5:09 AM

@ David,

Re : It’s Privacy that counts.

“So maybe we should be asking ourselves why do we do what we do in information/cyber security.”

I nolonger work in Cyber-Security or Information-Security, though I do still talk about InfoSec as an industry I have interest in.

These days I am about “Information-Privacy” and Cyber-Integrity” as to most people “privacy” and “integrity” have way more tangible meaning.

Why, because if you want people to act on something you have to make it people focused, otherwise you get the “That’s somebody elses problem” response.

PaulBart February 15, 2023 7:49 AM

How many have received there $5 check from Equifax? Did you sustain more personal injury? Did you sue? Or, are you able to sue? Or are you just chasing illusion that you were injured, somehow?

modem phonemes February 15, 2023 9:05 AM

@ Clive Robinson @ MarkH

Re: reliability and security

Thanks for your helpful replies. I probably don’t see the equivalence properly, although it is clear in a general way that increasing reliability results in more security (because unintended behavior is reduced), and greater security implies better reliability (because if something is secure it is reliably secure).

In any case, it seems to be a very fruitful exercise to compare the two, as it leads to consideration of system definition and dependencies, and opens one’s horizon to more causes. It’s a bit like the classical threefold aspect of things, namely, matter, form, and privation.

Winter February 15, 2023 9:46 AM


I probably don’t see the equivalence properly,

The idea is that a “security problem” is just a special case of a program doing something that it is not supposed to do, or does not do something it must do, that is, a bug.

So, it comes down to “security problems are just bugs.” (Linux Torvalds)


He reminded security programmers that “security problems are just bugs.” And, that security hardening patches should never result “in killing processes. The only process I’m interested in is the development process, where we find bugs and fix them.”


Some security people have scoffed at me when I say that security
problems are primarily “just bugs”.

modem phonemes February 15, 2023 11:37 AM

@ Winter

security problems are just bugs

The Benevolent Dictator for Life is certainly correct, but this instance seems to arise from the prior inclusion of “security” as a part of the definition of the program.

I can’t help wondering about the case exemplified by a door. One can have a reliable door in that it perfectly meets the standards of opening and closing, while being usable by anyone and so perfectly insecure.

Winter February 15, 2023 11:45 AM


One can have a reliable door in that it perfectly meets the standards of opening and closing, while being usable by anyone and so perfectly insecure.

Think about a door+lock. Bugs include failing henges, not closing, not opening. In the lock we can have a lock that does not open or closes, or not always opens or closes, or can be (sometimes be) opened without the proper key.

Only a few of these are proper “security” related. All are bugs.

JonKnowsNothing February 15, 2023 11:50 AM

@MarkH, All

re: It’s not a question of linguistics, it’s a question of dignity and respect.

Words are words. They are sounds. Humans apply interpretation to sounds. It’s inside us, that we make the connection. The same sounds in one context is OK and in another it is not, in one language it is OK but in another language it is not. Humans are the ones making the interpretation, sounds are just audio wavelengths.

Humans invented grammar so words connected together follow a pattern that is understandable. It’s evolving and grammar rules are used in software, computer systems as a means of interchange with a machine. If you get the syntax incorrect, you get the wrong outputs. Grammar changes too as well as spellings and meanings.

We can change the sounds and we can alter the interpretation. Sometimes, it makes sense to us and sometimes it doesn’t but these things change all the same.

RL tl;dr

In an area near where I live, the name that has been in use for 100+yrs is considered by some to be derogatory. It’s a name with long historical use both neutrally as in the original definition of the word but also in a derogatory sense. The name as applied by the local indigenous people use it in the neutral sense of the definition.

There are some interesting legal, civil and social issues now in play. The Federal Government has now determined this word is no longer applicable to any Federal controlled lands. (note: there are a lot of words on that list besides this one). They have renamed the area under their control.

The Feds do not have the authority to rename everything, so the issue is not dead-and-done. The local county, the city, the businesses and the people in that area all have claim to use this banished word.

It’s a process that takes time and maybe the name change will “take” and maybe it won’t, sometimes new words will find their way in between the sandwich of OK and Not OK. It will be interesting is the next months to see how well the new name is accepted.

For those interested, the word being banished is:

  • Woman

However, it is not the English noun that is being banished.

Clive Robinson February 15, 2023 12:49 PM

@ lurker, ResearcherZero,

Re : Mark undergoing life changes.

“Many people advise this could be a long wait.”

OK I’ll hold the hammer, but who is going to hold the nails or should it be a stake?

lurker February 15, 2023 1:01 PM

@armchair linguists

I had always assumed it was difficulty with pronouncing the initial vowel that induced the British to prepend “the” to names of numerous countries. Note that in these geographical uses the pronunciation is “thee” rather than “thuh”.

“The Levant” instead of Lebanon is a case of subservient territory following the Anglo-French carve up of the Ottoman Empire.

PaulBart February 15, 2023 1:54 PM

There is a channel run by a lawyer who showcases how wonderfully well engineered the majority of locks are out there in the wild. Yes, a majority are useless. Yet, this a a problem domain that people actually care about and want to protect (homes, cars, facilities).

lurker February 15, 2023 3:32 PM


from Brookings [emphasis added],

… without the information such management is so difficult as to be infeasible beyond harm mitigation after exposure. Artificial intelligence will necessarily play a critical role. Given that the information underlying the labels will be complex, lengthy, and subject to inconsistent validation the lessons from privacy policies are appliable here—few people will read the documentation.

Readers may draw their own inference.

Leo February 15, 2023 4:05 PM


I agree in theory that a security issue is just a bug; the only difference between the two is malice, which isn’t a function of software but of the attacker.

The door example is a good example of when security IS relevant, and leveraging the wrong door is a security vulnerability.

Using a bathroom door on my bathroom makes sense. Using it at the entry to Fort Knox does not.

Using the wrong door in the wrong place isn’t a bug in the door, it’s a bug in the implementation by getting the threat model wrong.

So far a normal door, what’s the threat model? Is every door wrong, because someone with a sledgehammer can knock it down, and sledgehammers are an easily attained commercial product?

Going back to Bruce’s question, can we build a secure network out of insecure parts? Given an insecure network piece and malice, I don’t see how a secure network is possible. Not because we can’t make “better doors”, but because someone will always figure out a way to use the door in a way we didn’t intend (e.g. using a steamer against a door until the glue holding it together separates).

Clive Robinson February 15, 2023 6:19 PM

@ Leo, Bruce, MarkH, modem phonemes, Winter,

Re : It’s about access.

“Going back to Bruce’s question, can we build a secure network out of insecure parts?”

The answer to that is,

“As all parts are not intrinsically secure, the security in a system has to be built in by design”.

Which is exactly the same as for reliability,

“As all parts are not intrinsically reliable, the reliability in a system has to be built in by design”.

Can we design a system that is reliable all the time? That is it has “100% Availability” we know the answer to that is,

“Entropy has it’s way, and everything fails eventually.”

So the answer becomes,

“It is not possible without external support, or self repairing devices that need raw material input, both of which will eventually stop.”

That is not an unexpected answer when you think about it, it’s what our basic understanding of the universe tells us.

So what @Bruce is talking about in reality is,

“Secure in a finite time period.”

The answer to which as with “Availability” from “reliability” is,

“Within certain constraints yes”.

Because “availability” like “reliability” is a question of the “Mean Time To Fail”(MTTF) versus the “Mean Time To Repair”(MTTR) in a constrained environment.

Why “constrained” because the simplest way to improve reliability is by the old “hot-cold switching”. You design a system with redundancy in it of atleast twice the capacity. When one circuit fails you switch to the second circuit and use that. In the mean time you repair/replace the first circuit.

As long as you have time to repair/replace the faulty circuit before the alternative circuits fail you will have an available system. But there is an implicit further constraint of the probability of more than one circuit failing. Under reliabilty issues we tend to make the assumption that failure is aproximately random, and you get only so many in a sufficiently long average in time. Just as it is with house fires and insurance.

However, as we know with certain types of forest fire we may not be dealing with “random” but the work of entities with “agency” which is what you are implying with,

“Given an insecure network piece and malice, I don’t see how a secure network is possible. Not because we can’t make “better doors”, but because someone will always figure out a way to use the door in a way we didn’t intend (e.g. using a steamer against a door until the glue holding it together separates).”

You’ve forgoton that “security” has one more state than “availability”.

For “security” the network being “unavailable” is an acceptable state.

Thus you need a mechanism to “test” for behaviour that is a “security violation” and this “pulls the plug”. I’ve designed a simplified version of this with the “Garden Path” method of increasing protecting against “outsider attack”, which I have previously described on this blog.

Do pepole want me to go further on this subject as it can be quite long and involved, and was so when I went through it on this blog in the past (see “Castles-v-Prisons”, “CvP” etc). As with back then I’m favour of dealing with it in “bite sized chunks” as the method of explanation.

modem phonemes February 15, 2023 7:10 PM

My new door based method:

You have a good looking door, with a high quality lock, to your nice house, which sits in a biggish yard with an iron fence surrounding it. When someone comes through the fence gate, you observe them. They will inevitably be distracted for a moment or two by the elegant plantings and stone fountain in the yard as they pass. If they aren’t the right people, you throw a brick at them from the second story roof, clonking them nice and solid.

The lock is on case you miss with the brick.

Chris Drake February 15, 2023 8:40 PM

There’s a simple answer to this question:

What will it take?

A law that makes companies who didn’t deploy adequate cybersecurity that was available for the protection of their customers, responsible for the direct and consequential losses of those customers.

Right now, corporations law makes it illegal for companies to waste recourse protecting their customers, and no governments have any responsibilities like this either.

Fix those 2 things (you know – actually create a market for cyber products based on genuine financial need, instead of “nice to have”), and cyber problems will quickly start fixing themselves.

Clive Robinson February 15, 2023 9:17 PM

@ modem phonemes,

Re : It’s about access.

“When someone comes through the fence gate, you observe them.”

Which is the basis for the “garden path” design I mentioned above and I have previously described in more depth on this blog in the past on a couple of occasions.

You in “the US way” call it a “yard” I in “the British way” call it a “garden”[1].

A big difference is your,

“They will inevitably be distracted for a moment or two by the elegant plantings and stone fountain in the yard as they pass. If they aren’t the right people, you throw a brick at them from the second story roof, clonking them nice and solid.”

Is just so “caveman” and quite wastefull of bricks 😉

In the stiff upper lip way, think of the old saying,

“An Englishman’s home is his castle”

What is one of the primary defence mechanisms for a castle?

A moat with a drawbridge.

So my “garden path” method has just that in the electronic form, it simply “opens a relay” pulling up the drawbridge and the communications path a potential attacker takes now leads them nowhere of use.

In reality the relay has segregated the networks with a bit more than just an “air gap”. With a couple of minor tweeks it’s an EmSec level “energy gap” which these days is becomming more and more important[2][3].

Oh and another advantage or two of the drawbridge, firstly if you miss with your brick they can pick it up and throw it back, or just kick your door in frustration, necesitating you to do a little remedial work. Also you avoid the potential of a law suit for damages. Also in times past a potential invader would bring their own “roof” to hide under thus no mater how many bricks you hurled. Hence the use of boiling oil and burning pitch for the more persistant “nucance callers”.

Oh and a moat can also be used as a combined “cess-pit” and “midden” turning it into an early Bio “Weapon of Mass Destruction”. Being hard to cross in protective armour an overly persistant caller could be drowned in it or shot with an arrow without it. Either way their demise would be both unplesant, an an objective lesson to other nusance callers.

To be honest I realy cannot see why we gave up such privacy schemes 😉

[1] There is some argument over the origins of the word “garden” which I do not propose to re-boil. However from a security aspect the fact it is spoken like “guard-them” appeals, which is why I chose it.

[2] In the first half of his 1980’s book “Spy Catcher” Peter Wright wrote some very interesting things that people realy should familiarize themselves with. One is the ability to “jump across” open “hook switches” in “Plain Old Telephone System”(POTS) “land-line phones”. Thus the UK security service (MI5) were able to use the microphone in the telephone handset as a room wide bugging device. It worked because a “capacitor” is two metal plates seperated by an insulator. Which if you think about it is the same descriprion of the open contacts of a relay or telephone hook switch. The thing about a capacitor is the higher the frequency of an AC signal you send to it the lower it’s impedence is. Thus to a Radio Frequency(RF) signal just below or just above the MF or AM band (0.5-1.6Mhz) that open switch is of a lowish value compared to the carbon granual microphone. The trick is to use the phone as one half of “a bridge”[3] and inject in the RF signal. The result is it gets amplitude modulated by the changing impedancence of the carbon granual microphone (it also works agains the changing inductance of a “moving coil” microphone).

[3] Most people who have studed electronics know what a Whestone Bridge is (even though it was not invented by him). Well a variation on that bridge is the “Maxwell bridge”,


If you look at the circuit diagram you can see how one half of the bridge is the “telephone instrumment” with the capacitor as the hook switch.

Ted February 15, 2023 11:39 PM


Re: EO 14028

Oh gosh yes. Just looking at the Brooking’s excerpt you quoted makes me feel a little overwhelmed. Implementation and reality are creatures unto themselves. (AI to the rescue, of course, haha 😉)

Thanks to your prompt I started digging around and see there’s a firm who has a running blog series on the implementation of the EO. They’re on their 21st post. I haven’t read very much of it yet. I’m certainly grateful some folks are keeping an eye on it 🙂


Clive Robinson February 16, 2023 5:26 AM

@ Lurker, Ted,

Re : EO 14028

“Just looking at the Brooking’s excerpt you quoted makes me feel a little overwhelmed. Implementation and reality are creatures unto themselves. (AI to the rescue, of course, haha 😉)”

The EO has oh so many problems that I would adopt a very long pole methodology with regards to it.

First up it’s very much a

“Do as I say, Not do as I do.”

As it only applies to “suppliers” not “agencies”, who can carry on with their bad practices (remember the Office of Personnel Managment debacle, the EO won’t stop that sort of thing happening again).

Secondly “self certification” as you might remember with a little nudge from managment, helps aircraft fall out of the air etc. History repeatedly shows of it that,

“Whilst the cat is away the mice will play.”

It’s also one of the first “dred signs” of “Regulatory capture”.

Thirdly look carefully and you will see it is a “MAGA” style manipulation in progress designed to protect US software developers.

There are several more such “banana skins” in the output the EO triggered to make me believe it won’t be much more than either a “fig leaf” or “liability shifter” to the people least able to defend themselves. Which will mean that Open Source Development will take yet another hit in fairly short order.

But of using AI… The claims we keep hearing are,

1, We can not understand how it arives at it’s choices.
2, Every where we look along current AI design training and usage we can find new hidden ways to bias the results.

Do people think that this is really a good idea for security, knowing what managment will do to promote their product and demote the competition?

Oh one last thing to think about. Large corporations use OSS by the bucket load, and they,

“Don’t pay, Won’t pay”

Honestly or fairly. Ask yourself how much of the software or it’s functionality they would have to change to effectively claim it was theirs?

The EO is going to encorage such dubious behaviours not “shine a light on security”, honesty, and probity on system suppliers.

vas pup February 16, 2023 5:50 PM

‘Team Jorge’ ? how disinformation threatens democracy


“Team Jorge’s operations are said to involve the creation of thousands of fake social media profiles on Twitter, LinkedIn, Facebook, Telegram, Gmail, Instagram, and YouTube.

These fake accounts, which !!!allegedly used profile pictures from real social media accounts, were also linked to credit cards and could be used to create thousands of bots that sent mass messages.”

ResearcherZero February 16, 2023 9:13 PM

Can I please have a manual, not a 1 page quick-start guide? In any form. Dear manufacturers, plez?

When there is no manual available from any source, then that surely must imply reverse engineering is an intended feature, and the casing would like to be removed. Sparking from an adapter is a bonus feature.

David Wittenberg February 20, 2023 12:28 PM

Nobody has mentioned Colonial Pipeline. If that wasn’t public enough, it’s hard to imagine what would be. Long lines at gas stations, airlines ferrying fuel on passenger planes, front page headlines.

Matt February 21, 2023 4:52 AM

Active Directory is central to the story of the OPM hack.

I’m not certain research to replace Active Directory would be productive because it’s a proprietary system and any replacement with similar capabilities would also be dangerous.

Microsoft is slowly improving things, and the security of organizations where AD is the weak link improves at their pace.

Clive Robinson February 21, 2023 10:58 AM

@ Matt, ALL,

Re : Active Directory origins.

“Active Directory is central to the story of the OPM hack.”

And many others…

But remember Microsoft took an open source project, and applied “Embrace, Extend, Lock-in” to it to make Active Directory.


Are the exploits in the original open source, or in Microsoft’s proprietary extensions designed to give the “lock-in” of the customers?

Remember that on MS bolt on was the old NTLM protocol from the Microsoft stone age…

Winter February 21, 2023 11:34 AM

@Clive, All

But remember Microsoft took an open source project, and applied “Embrace, Extend, Lock-in” to it to make Active Directory.

There is a nice list of examples from the history of Microsoft

Note also that little, if anything, was orignally developed by Microsoft. Everything they make money of was bought, stolen, or copied:

Windows NT

And everything else:

Clive Robinson February 22, 2023 2:54 PM

@ Bruce, Moderator,

I just tried to post a comment correcting factual in accuracies in the post above from @Paul

There is no reason for it to have been held for moderation, it’s factual and can be checked as such.

JonKnowsNothing February 22, 2023 3:35 PM



The only holds I’ve gotten recently are from naughty words parsed inside regular words. Sometimes it’s a surprise which regular words contain naughty words. Once I removed these dual purpose words the post went through OK.

Like this; rhymes with cement.

  • eas
  • eme
  • nt

Posts that get vaporized later don’t have a spelling problem; more like a topic problem.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.