Thread by Robert Graham

twitter.com
1 Recommender
1 Mention
Recommend
Post
Save
Complete
Collect
Thread
🧵Biden has released his "National Cybersecurity Strategy". It's just police-state thuggery designed to kill innovation on the Internet. It says it wants innovation -- but only on their terms, with the jackboot of police-state oppression on your neck.
www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Here's a quicker summary.
1. Sure, the government has an interest in protecting critical infrastructure. But the reality is that critical infrastructure is more at danger from physical attacks and accidents than cyberspace.
www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administratio...
In other words, critical-infrastructure protection is less a pressing need and more of an excuse to justify government oppression. It's the cyber bogeyman where they dream up big conspiracies to justify their police-state actions.
There's not particular reason to combine "cybersecurity" with "infrastructure security". Infrastructure security is mostly about non-cyber things. Yet, the two are combined in CISA to scare you into accepting the police-state.
2. The big private companies like Microsoft, Google, Cisco, Apple, and so on are doing a great job "disrupting threat actors". They do this because the government is hapless and incompetent at doing this themselves. They resent this.
Thus, the startegy is about the government trying to get more control over the private companies, to get more involved. This is going to HURT such efforts, not HELP. It's the old sarcasm "we are from the government and are here to help". It's about control, not solutions.
Also, this section is about using the excuse of ransomware to gain more control over cryptocurrency.

What it isn't: going after ransomware groups where they hide, like inside Russia. The one thing that's uniquely a government duty they refuse to do. Because it's about control.
3. They want to impose software liability and secure development on companies. This will KILL innovation.

It's like rockets. NASA has long taking the approach that they should never have a rocket explode, under any circumstance.
This leads to enormous costs and decades-long delay.

SpaceX did the oppose, just started tossing rockets into the air and watching them exploded due to various mistakes. They learned a lot from this.
As a result, SpaceX has the most reliable and cheapest rockets.

Same with software innovation. Innovating fast and fixing problems later is the way to do things. That makes shipping security flaws that in retrospect look obvious.
Every security flaw in retrospect looks obvious. There's no possibility of "software liability" that just doesn't kill innovation completely, doing the same to software what we did to rockets since the 1970s.
They have an alternative, a "safe harbor" for companies that demonstrate "secure development" practices -- so you aren't liable if you prove due diligence.

But "secure development" is garbage. It's one of those fads like "Agile" that sounds good in theory but fails in practice.
Agile is great theory. It should be what we strive to do. But when people apply it in practice, it's either done in name-only, or it's done poorly with bad leaders. Only 1% of those who do Agile do it well.
Same with "secure development". There's lots of good stuff there, it's the direction we should be going. But when when the bureaucracy tries to follow it closely, it destroys innovation.

Every good idea in software development becomes toxic when done to the extreme.
The industry doesn't need the jackboot of government thugs pressing down on their necks to make "secure development" work. They are already improving. Software development practices have steadily improved year by year without government help.
4. They want to "reduce systemic technical vulnerabilities". There aren't any. There are instead only political factions that blame somebody else for the problem.

It's like how they include "clean energy infrastructure". It's not security but politics.
Biden decries the "slow adoption of IPv6". IPv6 is not a technical solution to anything but a political faction imposing their wants on an unwilling public. It's one those things where they've convinced people it's the morally right thing to do because it's not technically right
They want to spy on you with their "digital identity" system. Right now the Internet is mostly anonymous and pseudonymous. The only "privacy" issues are things you voluntarily disclose. You voluntarily disclose a lot, which is why we have a lot of issues.
Governments are working hard to fix this problem, so that you can't protect your own privacy, but must rely upon government to protect your privacy. Their premise is that you can trust them, the government, but you can't trust big corporations.
By "civil liberties" they don't mean things like the right to protect your own privacy, such as strong encryption and pseudonymity. They mean that you don't have these rights, but that they'll use search warrants only to go after the bad guys.
5. They promise to "forge international partnerships". Translated, this means "extend U.S. hegemony into the digital world". We don't have must international risks from free countries (Europe, Japan, Korea, Australia, etc.). We have risks from Russia, China, Iran, North Korea.
International partnerships thus won't help stop the bad guys from bad countries. It just extends U.S. influence. It's like when the U.S. downed the Bolivian airplane thought to be carrying Snowden. This display of the U.S. hegemony over Europe was sickening.
Now, you won't hear these sort of comments from most of the cybersecurity. That's because they are full of jackbooted thugs who are frustrated that people don't listen to them, and are happy that the government is on their side.
Most of the cybersecurity is corrupt. They don't see their jobs as simple risk analysis, measuring costs vs benefits. They instead see their job as evangelizing cybersecurity, forcing people to be secure against their will.
Security is a tradeoff. It doesn't come for free. More secure products means sacrifices elsewhere. For the most part, consumers are getting the security that they want -- they don't want the sacrifices needed to achieve better security.
You shouldn't be asking people in the cybersecurity about Biden's new policy in terms of how much it helps security. They are jumping for joy for this.

You should be instead asking them about the costs.
And the answer is they know little about the costs. They are evangelists for security, activists. They don't spend much time thinking about the other side.
A typical example supposed "experts" is this CSIS thing.
CSIS is a an organization that politicians pay to shill for their policies, pretending to be an "independent" organization. They are in fact a reverse-lobbyist, paid by government to convince voters.
www.csis.org/events/biden-harris-administrations-national-cybersecurity-strategy
I often criticize CSIS. The easiest way to spot government disinformation is whether they have a quote from CSIS.

Yea, yea, that was a made-up statistic. This entire thread is a bit hyperbolic, I apologize for that. I love agile principles -- I just hate every agile practice I've seen in companies. The ones that do agile best are those who don't claim to do it.

James Lewis, shilling for the government in the talk linked above, talks about how they've recognized the old approach wasn't adequate and we need a new approach.

Actually, the approach is changing every year. We steadily get better at cybersecurity.
For example, 15 years ago, Wifi was unsafe. I could sit silently next to you at Starbucks and get into your Gmail account.

Today, WiFi is secure. You can use WiFi hotspots with very few security concerns.
Defenders are getting constantly better at cybersecurity and anybody telling you different is trying to sell you something.
At the CSIS even, Kemba Walden is talking about "first to market instead of secure to market". It's an outright declaration that we need to kill innovation in the name of security, that we can't ship products that are insecure.
Innovation means cutting corners. It means shipping products that have little security, requiring the buyer to implement the needed security, like sticking behind a firewall. This a good thing.
Their platitudes like "secure to market" or "security by design" means "killing innovation". There's no way a small company doing something new and innovative can make a product secure. Their customers can (such as using firewalls), the vendor shouldn't be expected to.
If customers wanted "secure by design", they would demand that from vendors.
The reason vendors aren't supplying it is because customers aren't demanding it, not because of conspiracy-theories where vendors are trying to profit from insecurity.
Kemba Walden is saying IPv4 was created in 1981, implying its hopelessly out of date.
It isn't. It never will be. The Constitution of the US isn't out-of-date.
We still use the same sorts of wheels as early chariots, those designs aren't out-of-date.
IPv4 is modern because we build modern stuff on top of it.
A prime example is HTTPv3/QUIC. It's a great design that includes security but also a better way of doing NAT (with a connection-ID).
blog.cloudflare.com/the-road-to-quic/
They keep using the platitude that we need to make sure that "security is baked in".
This isn't a thing. It's the model that security is due to some moral weakness, that everyone is being lazy, greedy, slothful, or prideful. They imagine we just need to force hygiene on them.
It's like Homer Simpson trying to appear effective as "safety inspector" who sees his jobs as telling everyone to "safen up!".
Insecurity doesn't happen from moral weakness, it happens because there are very real tradeoffs involved. Finding good compromises between security and those tradeoffs is hard. The best people to figure this out aren't the Homers in government.
Mentions
See All