Tuesday, April 17, 2012

Should the Government Make Cybersecurity Mandatory?

The heart of U.S. national cybersecurity policy is a reliance on voluntary measures and public-private partnerships for defending the nation's critical infrastructure.

In yesterday's Washington Post, President Obama's senior counterterrorism adviser, John Brennan, made the case again for protecting this critical infrastructure - power plants, refineries, transportation systems and water treatment centers - through better computer network security.

But what really ought to raise eyebrows is his stated opposition to the strictly voluntary approach that has been the hallmark of cybersecurity policy since before 9/11. He writes, "A voluntary system of cybersecurity compliance by critical infrastructure companies is a risk that the American people cannot afford to take".

This echoes the principles in the newly released Cybersecurity Act of 2012, which has bipartisan sponsorship.

Specifically, the Federal Government would set minimum cybersecurity performance standards, after garnering industry input, and companies that build or operate such infrastructure would be required to meet them. Companies that fall short would be "directed" to tighten up their cybersecurity practices. Exactly how they would do so, for example by putting a system behind a firewall or on a stand-alone network, would be up to the company.

A few problems. First, there's no mention of what the penalties would be for companies that fail to "tighten up" their cybersecurity practices after missing the standards. How punitive would they really be? Second, who exactly would fall under the regulatory jurisdiction of these standards? Defining what constitutes a "critical" cyber asset is extremely problematic and ripe for political favoritism. For instance, would only large corporations be subject to the mandatory requirements? What about small businesses, non-profit organizations and individual website operators, all of whom typically lack the resources to deploy top-of-the-line cybersecurity measures?

If the Federal government wants to make certain cybersecurity practices mandatory, these issues all need to be explicitly clarified. Otherwise, the mandate could potentially serve as an existential burden to smaller businesses and websites.

I'm all for beefing up national cybersecurity, and not necessarily against mandatory practices to serve that end. All I'm saying is that the policy, as currently written, needs a far greater dose of transparency.

Tuesday, April 10, 2012

Citizen Journalism in Syria...

Tracking the ongoing violent uprising in Syria has been exceptionally difficult. Syrian journalists have been threatened and arrested by the government, while international news organizations are, for the most part, kept out of the country.

In their place, Local Coordination Committees of citizen journalists have practically become the only source of news inside the ravaged country. These committees have been disseminating information to the outside world using the Internet - including riveting eyewitness accounts and often-gruesome photos.

To maintain credibility, informants on the ground send in information and the committees confirm it against multiple sources. A third group then translates the news into English and distributes it online. These local committees were just honored by Reporters Without Borders with the 2012 Netizen Prize.

Because the Western media has largely been shut out from covering events on the ground in Syria, it's quite amazing that any of us can still follow what's happening, thanks to these cyberactivists. Reading eyewitness accounts and viewing recent photographs, knowing they've been confirmed by multiple sources, is truly fascinating. Everyone should take a minute out of their day and take a look.

It's unclear how much cyberactivism is ultimately going to matter in this case, given that foreign intervention seems less likely with each passing week. But sometimes just being informed is a social good in and of itself, and it will have consequences far into the future.

Friday, April 06, 2012

Who is Anonymous? STATS

The hacker group known as Anonymous frequently makes headlines for everything from launching denial-of-service attacks in support of WikiLeaks to protesting the SOPA bill alongside Google and Wikipedia.

As they've grown in notoriety, one question has remained... Who is Anonymous? What are the characteristics of its members? As you can imagine, this has not been information easily attained.

Until now.

Last Wednesday, The Nerfherder published a post titled, "Being Code-Literate vs. Being a Good Programmer". For whatever reason, Anonymous' Twitter account - @yourAnonNews - thought it was "great" and tweeted a link to the post.

I was simultaneously flattered and mildly frightened.

Anyway, what's significant is that, in analyzing this blog's traffic patterns, I suddenly have some extremely rare statistics to share on the makeup of Anonymous' audience. See, their link went mini-viral and generated 89.6% of this blog's traffic for the week. That means roughly nine in ten visitors this week arrived through that tweet, so the week's visitor statistics are, to a first approximation, statistics about the Anonymous Twitter followers who clicked through...

Geographical Origin (share of the week's visitors)
United States: 64%
United Kingdom: 10%
Brazil: < 1%
Spain: < 1%

These statistics may not be much, but they're something. Considering the highly elusive nature of Anonymous, let's call it a starting point.