Tuesday, December 6, 2016

New Cybersecurity Commission report not so useful

Maybe even counterproductive:
An Obama commission has published a report on how to "Enhance Cybersecurity". It's promoted as having been written by neutral, bipartisan, technical experts. Instead, it's almost entirely dominated by special interests and the Democrat politics of the outgoing administration.

In this post, I'm going through a random list of some of the 53 "action items" proposed by the document. I show how they are policy issues, not technical issues. Indeed, much of the time the technical details are warped to conform to special interests.
Washington loves Blue Ribbon commissions.  This is a Blue Ribbon commission.  But the recommendations come from people who don't understand security:
Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.
This would cost at least $100 per person, for 300 million people, or $30 billion. In other words, it'll cost more than Trump's wall with Mexico.

Hardware tokens are cheap. Blizzard (a popular gaming company) must deal with widespread account hacking from "gold sellers", and provides second factor authentication to its gamers for $6 each. But that ignores the enormous support costs involved. How does a person prove their identity to the government in order to get such a token? To replace a lost token? When old tokens break? What happens if somebody's token is stolen?

And that's the best case scenario.
I remember back in the 1990s when a major bank decided to issue a hardware password token device to each of their customers for use in online banking.  They spent millions of dollars to buy and deploy the devices, and then many times that on customer service call centers before quietly dropping the program.  The commission recommendation sounds good, but ignores the real world experiences that the industry has been through.

This is a long post which calls out many of the issues where the commission just doesn't know what they're talking about.  But it's worse - sometimes the commission seems to know what it's doing just fine:
Action Item 1.3.3: The government should serve as a source to validate identity attributes to address online identity challenges.
In other words, they are advocating a cyber-dystopic police-state wet-dream where the government controls everyone's identity. We already see how this fails with Facebook's "real name" policy, where everyone from political activists in other countries to LGBTQ in this country get harassed for revealing their real names.

Anonymity and pseudonymity are precious rights on the Internet that we now enjoy -- rights endangered by the radical policies in this document. This document frequently claims to promote security "while protecting privacy". But the government doesn't protect privacy -- much of what we want from cybersecurity is to protect our privacy from government intrusion. This is nothing new, you've heard this privacy debate before. What I'm trying to show here is that the one-sided view of privacy in this document demonstrates how it's dominated by special interests.
Because there's still a tiny corner of the 'net that hasn't been entirely monitored and subverted by the Intelligence Community.  Sorry, I'm way past the point of believing that security programs from the Fed.Gov are in my interest.

Hopefully the new Administration will toss this report in the circular file.

1 comment:

Ted said...

Must have been the same bunch of "neutral, bipartisan Tech experts" that worked so diligently on Obamacare .... the Affordable Care Act