An Obama commission has publish a report on how to "Enhance Cybersecurity". It's promoted as having been written by neutral, bipartisan, technical experts. Instead, it's almost entirely dominated by special interests and the Democrat politics of the outgoing administration.Washington loves Blue Ribbon commissions. This is a Blue Ribbon commission. But the recommendations come from people who don't understand security:
In this post, I'm going through a random list of some of the 53 "action items" proposed by the documents. I show how they are policy issues, not technical issues. Indeed, much of the time the technical details are warped to conform to special interests.
I remember back in the 1990s when a major bank decided to issue a hardware password token device to each of their customers for use in online banking. They spent millions of dollars to buy and deploy the devices, and then many times that on customer service call centers before quietly dropping the program. The commission recommendation sounds good, but ignores the real world experiences that the industry has been through.Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.This would cost at least $100 per person, for 300 million people, or $30 billion. In other words, it'll cost more than Trump's wall with Mexico.
Hardware tokens are cheap. Blizzard (a popular gaming company) must deal with widespread account hacking from "gold sellers", and provides second factor authentication to its gamers for $6 each. But that ignores the enormous support costs involved. How does a person prove their identity to the government in order to get such a token? To replace a lost token? When old tokens break? What happens if somebody's token is stolen?
And that's the best case scenario.
This is a long post which calls out many of issues where the commission just doesn't know what they're talking about. But it's worse - sometimes the commission seems to know what it's doing just fine:
Because there's still a tiny corner of the 'net that hasn't been entirely monitored and subverted by the Intelligence Community. Sorry, I'm way past the point of believing that security programs from the Fed.Gov are in my interest.Action Item 1.3.3: The government should serve as a source to validate identity attributes to address online identity challenges.In other words, they are advocating a cyber-dystopic police-state wet-dream where the government controls everyone's identity. We already see how this fails with Facebook's "real name" policy, where everyone from political activists in other countries to LGBTQ in this country get harassed for revealing their real names.
Anonymity and pseudonymity are precious rights on the Internet that we now enjoy -- rights endangered by the radical policies in this document. This document frequently claims to promote security "while protecting privacy". But the government doesn't protect privacy -- much of what we want from cybersecurity is to protect our privacy from government intrusion. This is nothing new, you've heard this privacy debate before. What I'm trying to show here is that the one-side view of privacy in this document demonstrates how it's dominated by special interests.
Hopefully the new Administration will toss this report in the circular file.