What if we not only trashed (as we will anyway) the failed cybersecurity proposals of the past decades to be rehashed by the President on Tuesday, but proposed an agenda that will not only protect us, but enrich and fulfill us? We have one day, a day devoted to the memory of Dr. King, before the State of the Union on Tuesday to think about cybersecurity. What can happen in a day?
Kudos to the President for taking the unusual step of vetting his legislative proposals — with cybersecurity at or near the top of the agenda — prior to the State of the Union. As expected, they included no new ideas, and while I do not agree with the Electronic Frontier Foundation that they are all bad ideas, that they are outdated — tweaks to familiar proposals on which the side-takers have taken sides — cannot be denied. Still, the responses to the proposals were so much more intelligent when the first responder was a much broader array of side-takers than the cocky spokesperson of the Congressional Majority.
So let them die, but let not their death be in vain as usual; let us try some bold creative destruction. The reason they fail, IMHO, is structural, as revealed in the way that the President had to roll them out. First he had to stop by the FTC, the keepers of the flame of “reasonable security” that burns so brightly for those who believe (1) that corporations are the ones principally responsible for cybersecurity, (2) that cybersecurity is principally about protecting personal information, and (3) that consumers are terribly harmed by credit card breaches. O ye FTC lovers, ye worshipers at the feet of mobled consent orders, see ye not what a dim bulb before which ye prostrate yourselves and call it Common Law? You talk the talk since 1973 in the hope that one day we may walk the walk, even as the world hurtles into a wildly insecure internet of things in which we will be lucky to walk at all (and NOBODY loves a good walk more than I).
The next stop, of course, had to be at the Department of Homeland Security, the NSA being still dangerous ground, because those agencies and others still serve as the keepers of both the offensive and defensive cybersecurity flames, contrary to the recommendations of the President’s own NSA Review Group. The Review Group knew that when the offensive and defensive cybersecurity missions are mixed, the offensive mission generally wins. Perhaps that is why the President’s proposals contains no clear, broad vision for the future of defensive cybersecurity, a vision like the one I am about to offer to you, and to him, right now.
What we need — and can have — as free societies not breeding a mandarin class in a hothouse, secured, lifetime university in Pudong — are citizenries bearing deep cyber-knowledge like Second Amendment advocates envision citizens bearing arms (cyber-knowledge of course being the true weaponry that can keep us free in this century). Widely distributed, deep cyber-knowledge and what we build with it will keep us secure, but the most wonderful thing about cyber-knowledge is that it is the know-how to build ANYTHING in the digital world, so while keeping us secure, it will empower us to be makers, tinkerers, inventors, spreading the wealth and empowerment of Silicon Valley around the world. What we need — and can have — is a free world filled with communities of HACKERS in the original sense, not criminals but tinkerers, inventors, bricoleurs.
A cyber-aware citizenry would not fall for the completely well-intentioned but ill-informed wolf-crying and bad risk assessments of privacy advocates and regulators underlying pronouncements such as (1) that corporations are the ones principally responsible for cybersecurity, (2) that cybersecurity is principally about protecting personal information, and (3) that consumers are terribly harmed by credit card breaches. Like a mushroom in the dark, the benighted consumer is fed a steady diet of privacy manure without being taught cyber-survival skills. I thought I might have a chance of helping a citizenry become cyber-survivors when I got the chance to help the State of South Carolina mitigate the damage caused by its breach of the tax records of 6.4 million individuals and businesses, dating back to 1998, the largest governmental data breach on record. I thought, Hey, this is South Carolina, where a “country boy can survive.” But the pull of Palinite politics was too powerful; they wanted the Government to keep its dirty hands off their credit monitoring, same as their Medicare.
While I was trying, though, I learned about communities that had succeeded more than I could succeed as a lone breach coach to make the citizenry cyber-aware. One such community was San Diego, which gave birth to Securing Our eCity. Yes, I mentioned it in my last post, too, but want to bring it to your attention now as an incomplete and imperfect vision better than the weak tea of self-perpetuating bureaucracies and regulatory capture of which the President appears, so far, to be capable. It is better because it is about a community coming together for defensive security, and trying to teach inconvenient truths about cybersecurity. And here is a closely related but more broadly focused program that has been around since 2013: “100 Resilient Cities” defines resilience as “the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.”
These visions are incomplete for our purposes because they are not about teaching ethical hacking, and not about teaching digital innovation beyond ethical hacking. Digital innovation beyond ethical hacking is being taught in hundreds of communities, however, thanks to movements like Fab Labs. Do we need centralized cybersecurity at the national level? Of course we do. But can the President of the United States, relatively free of political constraints in his final term, do millions of times better in articulating a vision for 21st Century cybersecurity in his State of the Union Address on Tuesday than to proffer the weak tea that his advisors have given him and that we already know will fail? In my very humble opinion as just one concerned individual among hundreds of millions, yes. Finally, which would Dr. King have preferred, the grant of $25 million to historically black colleges to fund cybersecurity education which the President plans to propose on Tuesday or a vision that children of all races and circumstances be enabled to become ethical hackers and digital innovators?