Who Should Have Whose Back? Memo to the Washington Post

No, WaPo: Tech needs to have our backs.

I do not blog as much as I used to, but I found something disturbing in a Washington Post article that was asking whether Kamala Harris will have policies friendly to Silicon Valley.

I have two problems with this article:

  • It would lead the reader to think the Biden administration has had no tech policy.  That’s not true.
  • It seems to imply that the tech companies have done their part in helping society.  They have not.

Let’s start with the first.

The administration has pushed hard in an area no other has: cybersecurity. President Biden issued executive orders to improve the posture of IoT devices and software, by requiring transparency of vulnerabilities for all products sold to the federal government.  DHS, NIST, FCC, and other branches of the government have worked hard throughout the last three years to get our infrastructure on a better footing.  1990s gave us Section 230.  The 2000s gave us an Internet governance model that the Obama administration fought to retain.  The Biden administration is fighting for the safety of our infrastructure.  And that is something that all sectors of society, especially the tech industry, need, as they can’t sell products that are viewed as unsafe.

This brings me to my second point.  The question should not be whether Harris has the  Valley’s back, but whether Tech has our backs.  Social media companies have been all but mute about adversaries like Russia, China, Iran, and North Korea taking advantage of offerings to harm our interests.  They’ve profited over strife and discord in a way never seen, some of which has been sown by those same countries.  At the same time, we all now heavily rely on the Internet infrastructure, as Crowdstrike painfully demonstrated.  And yet the Valley is still playing the same hand they had in the 2000s: “We got this.”

The game has changed.  The only real question is whether tech companies will accept that and work with the next administration and Congress to find new and innovative approaches that work for society.

Thanks, Sam.

On Aoril 27th, we said להתראות to my dear Uncle Samuel Lear. Sam leaves very big shoes to fill. He is seen below with my aunt his wife and girlfriend, my indefatigable Aunt Joan Lear.

Here are a few of my own memories.

You know that fancy digital watch you have on your wrist? In 1973 Sam was the first on his block (and nearly every block) to wear a Pulsar P2 LED watch. That matched the car phone that he had. He was a futurist in many ways.

Sam and other friends started Temple M’kor Shalom, and was very active in the Jewish community for a good part of his life. He was a staunch supporter of Israel at the time, commuting back and forth from Cherry Hill. One of my earliest memories is dropping him and Joan off at JFK. One of my favorite pictures of him is shaking hands with Menacham Begin. Begin was grateful for his support. He had great friends in Israel, and least two of his granddaughters visited through the Birthright program. And it was no surprise to see Israelis present today. I was wrong to think I had come the farthest.

While I can’t say that it was Sam alone that instilled in me a need to be politically involved, he had a role. He and I would regularly talk politics from an early age. On my wall to this day hangs a letter to a 9 year old Eliot from the Nixon White House, thanking me for my letter, in which I suggested that they lock the Israeli PM and the Egyptian president in a room, and not let either out until they had a peace. Food optional. Sam would discuss and debate, and if one listened, one would learn a thing or two.

Eventually Sam would break with Israel. I learned of his discontent one day in the 1990s when I was perusing the Jerusalem Post, and there was a letter to the editor from a man berating the ultra-conservatives for them trying to dictate to him and others about who is and is not a Jew. It was Sam. It wasn’t chutzpah, but protection of his family that motivated him.

It was family – מִשׁפָּחָה – that was most important to him, and he and Joan put it all on the line for us. Times weren’t always easy, but he and Joan were always – always – there. Most importantly his values live on in his daughters and grand daughters. And I must say, as testimony to this fact, a funeral was NOT needed to bring us all together.

And his friendships were only of one type: life long. Friends WERE family. It was wonderful to see friends of his from Lear-Mellick like Rita. To those who were his friends, I can only say, .שָׁלוֹם חברים

I don’t believe in the Orthodox Jewish notion of righteous ones, or צדיקים. Some strive to be righteous. Sam was about as righteous as they come, and religion was but a part of that. Sadness washes over me at the magnitude of this loss. I am eternally grateful for every moment we had together.

Democracy in America is under attack

Washington Crossing the Delaware, Emanuel Leutze (American, Schwäbisch Gmünd 1816–1868 Washington, D.C.), Oil on canvas, American
Washington Crossing the Delaware

On this day, July 4th, 1776, our founders gave birth to a democracy through great strife that other societies have envied and about which they have dreamed. Today, that democracy is under attack.

Thomas Jefferson had lifted some words from John Locke to declare that-

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness

The Declaration of Independence

Embedded in the very notion of democracy is that there should be strife, in terms of choices voters may have. It was this choice the founders made, and it was this choice the founders gave us. Its basis was and remains consent of the governed. Back then, white male landowners could vote. It took more strife, The Civil War, to establish that all men could vote; where America turned in on itself, but ultimately reaffirmed that government must be, as Lincoln so aptly said, “of the people, by the people, for the people”. And it took yet more strife for women to achieve the right to vote, and yet more strife to those rights.

With false claims of “voter fraud” one party seeks to silence people’s right to vote. This has been tried before. The dreadful Supreme Court decision this past week amounts to license for Jim Crow Laws to rise again. Consent of the governed means that all who are governed must have a vote, in order for the government to be legitimate and accepted.

By imposing more and more voting restrictions, governments of such states such as Arizona, Texas, and Georgia are doing nothing more than removing their own legitimacy. This too will not stand. A tyranny cannot stand, as England discovered.

Should I have that IoT device on my home network?

Yesterday I wrote about my cousin’s smart oven, and the risks of having it networked. Does this mean that you should have no IoT devices in your house? If not, how should you decide which ones are worth connecting? Here are three questions you might want to ask.

Does connecting the device to your network offer you any perceptible value?

Sometimes the answer is going to clearly be “yes”. For example, if you are taking a vacation in the middle of the winter in some cold place, you might want to know that your home’s heater broke down before your pipes froze. Having a thermostat configured to alert you to this fact might prove very useful. On the other hand, if you are in a place where such a concern is unwarranted or you would have no reason to worry about such things, maybe that same device does not need connectivity.

Will the device function correctly without connectivity?

Don’t expect an Amazon Echo to function, for instance. There is a reason why a great many IoT manufacturers are requiring Internet connectivity for their devices: the more intelligence they can move into their servers, the less intelligence is needed in the device itself, making it cheaper to build. If you are going to have a function like this in your house, this is actually an environmentally friendly way to go. Fewer parts require fewer resources used to build and to later dispose. But if a device does function properly and fully without Internet connectivy, why plug it in?

Does that device need continuous Internet connectivity?

You are unlikely to connect and reconnect your television every time you want to watch a video, but maybe you only need that thermostat connected while you are on vacation, for instance, or maybe an appliance needs a firmware update via the Internet. Occasionally connecting a device may make sense. However, take care: if you only plug in devices while you are on vacation, someone may be able to notice that and choose that time to break into your home.

Some Internet routers have the ability to block devices at certain times. Typically this is used to limit children’s access. However, one can also use these filters for other purposes. The problem is that this is nearly as annoying as having to deconfigure devices themselves. I’ll discuss this more in the near future.

Think before you buy!

The risk to your home and your privacy is real. Realistically, however, you will have some IoT devices in your house. Think about what value you derive from them, and what can go wrong if they are attacked before you buy.

New Paris Cyber-Accord: Nice words. What comes next?

The accord and Macron’s words are a bit “aspirational”.

Recently France has taken the initiative to produce what they call The Paris Call for Trust and Security.  This call has garnered signatures of  some 57 countries and and several hundred companies and organizations (including that of my own employer).*  What President Macron and others have recognized is that there is a risk of both state and non-state actors interfering in the lives of  everyday people, possibly causing them great harm.

Every day provides a new example of why protection of our institutions is necessary.  This video was made some time ago.  We’d like to think that security of our infrastructure has improved, but Marriott proved us wrong last week, with over half a billion customer records having been stolen.

The Paris Call seems to address itself to these sorts of civilian attacks, which to me is appropriate. In particular, it focuses on the following areas (I’m condensing just a bit):

  • Protection of critical infrastructure,
  • Protection of electoral processes (Gee, I wonder who that is aimed at),
  • IPR protection,
  • Tools development to prevent the spread of malware,
  • No hack-backs, where people attempt to take the offense as a either a defense or a means of deterrence,
  • Acceptance of international norms of behavior.

The Call does not create or call for the creation of any new mechanism to pursue these points, but rather the use of existing mechanisms.  Instead, what we appear to be witnessing is the creation of a voting bloc inside existing multilateral and multi-stakeholder processes, as well as a non-binding commitment among the signatories themselves to pursue these principles.  It’s all motherhood and apple pie until we understand what the actual instantiation of these principles means.  Does it mean, for instance, an end of free software in order to protect content providers?  Will it require content publishers to actively protect all rights of copyright holders, even if those holders are unknown?

Also, should these principles apply equally to civilians and the military ?  Let’s take for example the Stuxnet attack, where some state actor attacked Iran’s nuclear weapons facility.  Should that attack have been prevented by these principles?  To what end?  Helping Iran gain an offensive nuclear capability?  If the choice was a cyberattack against a military installation versus a physical attack, where people would surely die, I’ll take the cyber attack any time.

There is another big topic that isn’t covered.  Right now governments are all struggling with how to handle cross-border law enforcement.  That is- if someone in Jurisdiction A hacks into or uses a computer in Jurisdiction B to attack a person in a third Jurisdiction C,  who can reasonably ask Jurisdiction B for the data?  This is a massive topic that the Council of Europe has been attempting to address for years.  These are knotty issues, because of the limitations on the powers of each country relating to search and seizure.

In short, while this is nice text, it doesn’t seem to me to accomplish much on its own. 

It does seem to be a slap at Russia and China, two  notably absent countries.  Three other notably absent countries are the U.S., Israel, and Iran.  Coincidence?  I think not.


*The views of my employer surely vary from my own today.