[hackerspaces] Fwd: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government

[hackerspaces] Fwd: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government

Cecilia Tanaka

- - - Begin forwarded message - - -

Date: July 15, 2016 at 3:21:32 PM EDT
From: Herb Lin <[hidden email]>
To: "'David Farber ([hidden email])'" <[hidden email]>, ip <[hidden email]>
Subject: Call for input to President's Commission on Enhancing
   Cybersecurity - bridging the trust gap between the IT community
   and the US government

Dear IPers -

You may know that President Obama has established a commission to
consider how to strengthen cybersecurity in both the public and
private sectors while protecting privacy, ensuring public safety and
economic and national security, fostering discovery and development
of new technical solutions, and bolstering partnerships between
Federal, State, and local government and the private sector in the
development, promotion, and use of cybersecurity technologies,
policies, and best practices.  (See
https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity.)
I am one of the 12 designated commissioners.

Recognizing that trust is hard to build and easy to destroy (and a
variety of things have happened over the last 20 years to do the
latter), one issue that has come up is the enormous gap of
trust between the U.S. government and the information technology
(IT) community, from which many IPers are drawn.  This rift is not
helpful to either side, and I'd like to solicit input from the IP
community about what you think the government can do or refrain from
doing to help bridge that gap.

It would be most helpful if you could do three things in your response:

1 - Your best examples of things the government (and what part of the
US government) has done to alienate the IT community specifically.
(Or, at the very least, show how the examples you provide connect to
the interests of the IT community.)

2 - Things that the U.S. government could realistically do in the
short and medium term (i.e., 0-10 year time frame) that would help
bridge the trust gap.  If your answer is "Don't do dumb things!", it
would be better and more useful to provide *examples* of what not to
do.

3 - Things that the U.S. government could realistically do in the
longer term to do the same.

Please send your responses to [hidden email].  (I set up this
email address, but I'd like to keep the traffic separate from my
non-Commission work email.)  I promise to read as many as I can
individually and share what I learn with the commission membership.

Also, feel free to circulate this call for input to anyone else you
feel would want to comment.

Thanks much

Herb

=======================================================================
Herb Lin
Senior Research Scholar, Center for International Security and Cooperation
Research Fellow, Hoover Institution
Stanford University
Stanford, CA  94305  USA
[hidden email]
650-497-8600 office || 202-841-0525 cell || 202-540-9878 fax
AIM herblin (any time you see me)
Skype herbert_lin (usually by appointment)
Twitter @HerbLinCyber
This message was sent to the list address and trashed, but can be found
online.

- - - End forwarded message - - -


_______________________________________________
Discuss mailing list
[hidden email]
http://lists.hackerspaces.org/mailman/listinfo/discuss

Re: [hackerspaces] Fwd: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government

Walter van Holst
On 2016-07-18 02:56, Cecilia Tanaka wrote:

> - - - Begin forwarded message - - -
>
> Date: July 15, 2016 at 3:21:32 PM EDT
> From: Herb Lin <[hidden email]>
> To: "'David Farber ([hidden email])'" <[hidden email]>, ip
> <[hidden email]>
> Subject: Call for input to President's Commission on Enhancing
>    Cybersecurity - bridging the trust gap between the IT community
>    and the US government
>
> Dear IPers -
>
> You may know that President Obama has established a commission to
> consider how to strengthen cybersecurity in both the public and
> private sectors while protecting privacy, ensuring public safety and
> economic and national security, fostering discovery and development
> of new technical solutions, and bolstering partnerships between
> Federal, State, and local government and the private sector in the
> development, promotion, and use of cybersecurity technologies,
> policies, and best practices.  (See
> https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity.)
> I am one of the 12 designated commissioners.
>
> Recognizing that trust is hard to build and easy to destroy (and a
> variety of things have happened over the last 20 years to do the
> latter), one issue that has come up is the enormous gap of
> trust between the U.S. government and the information technology
> (IT) community, from which many IPers are drawn.  This rift is not
> helpful to either side, and I'd like to solicit input from the IP
> community about what you think the government can do or refrain from
> doing to help bridge that gap.

A few things:

- Stop using "cyberwar" or "cyberattacks" etc. as the framing for
infosec issues. A much more useful frame is infosec as an analog to
public health. Infosec breaches can potentially be as disruptive as
outbreaks of infectious diseases, and every node in the network can be a
part of the problem, just like every citizen can be a carrier of a
disease.

- Start focusing on incentives for *positive* infosec practices instead
of repressing security research (e.g. CFAA, recent trade secrets
legislation, lack of reverse engineering exceptions in US copyright
law), for example by thinking about strict liability for vendors that do
not have a form of source code disclosure and for service providers that
do not respond to vulnerability disclosures. Again, from a "disease
control" perspective, the public interest in having an (even remote)
possibility of noticing and fixing security issues overrides any
interest in keeping code proprietary.

- In that vein, mandatory breach notifications under (near future) EU
Data Protection rules are already shifting the landscape in the EU; it
might be worth looking into that example.

Regards,

  Walter