[hackerspaces] Fwd: Call for input to President's Commission on Enhancing Cybersecurity - bridging the trust gap between the IT community and the US government

Walter van Holst walter at revspace.nl
Mon Jul 18 09:00:41 CEST 2016


On 2016-07-18 02:56, Cecilia Tanaka wrote:
> - - - Begin forwarded message - - -
> 
> Date: July 15, 2016 at 3:21:32 PM EDT
> From: Herb Lin <herblin at stanford.edu>
> To: "'David Farber (dave at farber.net)'" <dave at farber.net>, ip
> <ip at listbox.com>
> Subject: Call for input to President's Commission on Enhancing
>    Cybersecurity - bridging the trust gap between the IT community
>    and the US government
> 
> Dear IPers -
> 
> You may know that President Obama has established a commission to
> consider how to strengthen cybersecurity in both the public and
> private sectors while protecting privacy, ensuring public safety and
> economic and national security, fostering discovery and development
> of new technical solutions, and bolstering partnerships between
> Federal, State, and local government and the private sector in the
> development, promotion, and use of cybersecurity technologies,
> policies, and best practices.  (See
> https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity.)
> I am one of the 12 designated commissioners.
> 
> Recognizing that trust is hard to build and easy to destroy (and a
> variety of things have happened over the last 20 years to do the
> latter), one issue that has come up is the enormous gap of
> trust between the U.S. government and the information technology
> (IT) community, from which many IPers are drawn.  This rift is not
> helpful to either side, and I'd like to solicit input from the IP
> community about what you think the government can do or refrain from
> doing to help bridge that gap.

A few things:

- Stop using "cyberwar" or "cyberattacks" etc. as the framing for 
infosec issues. A much more useful frame is infosec as an analog to 
public health. Infosec breaches can potentially be as disruptive as 
outbreaks of infectious diseases and every node in the network can be a 
part of the problem, just like every citizen can be a carrier of a 
disease.

- Start focusing on incentives for *positive* infosec practices instead 
of repressing security research (e.g. CFAA, recent trade secrets 
legislation, lack of reverse engineering exceptions in US copyright 
law), for example by thinking about strict liability for vendors that do 
not have a form of source code disclosure and for service providers that 
do not respond to vulnerability disclosures. Again, from a "disease 
control" perspective, the public interest in having a (even remote) 
possibility of noticing and fixing security issues overrides any 
interests in keeping code proprietary.

- In that vein, mandatory breach notifications under (near future) EU 
Data Protection rules are already shifting the landscape in the EU, it 
might be worth looking into that example.

Regards,

  Walter

