
I’ve spent a lot of time here through the years trying to identify the factors that fuel moral panics and “technopanics.” (Here’s a compendium of the dozens of essays I’ve written here on this topic.) I brought all this thinking together in a big law review article (“Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”) and then also in my new booklet, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.”

One factor I identify as contributing to panics is the fact that “bad news sells.” As I noted in the book, “Many media outlets and sensationalist authors sometimes use fear-based tactics to gain influence or sell books. Fear mongering and prophecies of doom are always effective media tactics; alarmism helps break through all the noise and get heard.”

In line with that, I want to highly recommend you check out this excellent new op-ed by John Stossel of Fox Business Network on “Good News vs. ‘Pessimism Porn’.” Stossel correctly notes that “the media win by selling pessimism porn.” He says:

Are you worried about the future? It’s hard not to be. If you watch the news, you mostly see violence, disasters, danger. Some in my business call it “fear porn” or “pessimism porn.” People like the stuff; it makes them feel alive and informed. Of course, it’s our job to tell you about problems. If a plane crashes — or disappears — that’s news. The fact that millions of planes arrive safely is a miracle, but it’s not news. So we soak in disasters — and warnings about the next one: bird flu, global warming, potential terrorism. I won Emmys hyping risks but stopped winning them when I wised up and started reporting on the overhyping of risks. My colleagues didn’t like that as much.

He goes on to note that, even though the data clearly show humanity’s lot is improving, the press relentlessly push “pessimism porn.”

Andrea Castillo and I have a new paper out from the Mercatus Center entitled “Why the Cybersecurity Framework Will Make Us Less Secure.” We contrast emergent, decentralized, dynamic provision of security with centralized, technocratic cybersecurity plans. Money quote:

The Cybersecurity Framework attempts to promote the outcomes of dynamic cybersecurity provision without the critical incentives, experimentation, and processes that undergird dynamism. The framework would replace this creative process with one rigid incentive toward compliance with recommended federal standards. The Cybersecurity Framework primarily seeks to establish defined roles through the Framework Profiles and assign them to specific groups. This is the wrong approach. Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts. What’s more, an assessment of DHS critical infrastructure categorizations by the Government Accountability Office (GAO) finds that the DHS itself has failed to adequately communicate its internal categories with other government bodies. Adding to the confusion is the proliferating amalgam of committees, agencies, and councils that are necessarily invited to the table as the number of “critical” infrastructures increases. By blindly beating the drums of cyber war and allowing unfocused anxieties to clumsily force a rigid structure onto a complex system, policymakers lose sight of the “far broader range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error, technical problems, and market failure apart from malicious attacks.” When most infrastructures are considered “critical,” then none of them really are.

We argue that instead of adopting a technocratic approach, the government should take steps to improve the existing emergent security apparatus. This means declassifying information about potential vulnerabilities and kickstarting the cybersecurity insurance market by buying insurance for federal agencies, which experienced 22,000 breaches in 2012. Read the whole thing, as they say.

Here are a few Internet policy essays I collected over the past year which I thought were particularly well done and worth highlighting once more. They are listed in chronological order:

  • L. Gordon Crovitz – “Silicon Valley’s ‘Suicide Impulse,'” Wall Street Journal, January 28. (“It’s a measure of how far Silicon Valley has strayed from its entrepreneurial roots that a top regulator is calling on technology companies to do less lobbying and more competing,” Crovitz argued. “Rather than lobby government to go after one another, Silicon Valley lobbyists should unite to go after overreaching government. Instead of the “suicide impulse” of lobbying for more regulation, Silicon Valley should seek deregulation and a long-overdue freedom to return to its entrepreneurial roots.”)
  • John Gruber – “Open and Shut,” Daring Fireball, March 1. (An absolutely brutal evisceration of Tim Wu’s recent work.)
  • R. U. Sirius – “Cypherpunk Rising: WikiLeaks, Encryption, and the Coming Surveillance Dystopia,” The Verge, March 7.
  • Julian Sanchez – “A Reply to Epstein & Pilon on NSA’s Metadata Program,” Cato at Liberty, June 16. (A meticulous point-by-point takedown of an essay by Roger Pilon & Richard Epstein defending NSA’s online surveillance tactics.)
  • Ethan Zuckerman – “Is Cybertopianism Really Such a Bad Thing?” Slate, June 17 (A “defense of believing that technology can do good.”)


Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s interesting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.
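To make concrete how small the record Alexander describes actually is, here is an added example (it is not code from this post, nor from any NSA, ISP or antivirus product): a toy signature scanner that runs two hypothetical patterns over constructed sample messages and emits only signature name, source IP, destination IP and timestamp for each hit. The signature patterns, the sample traffic, and every function and field name are assumptions made for this illustration; a `leaks_content` check confirms that none of the original message text survives into what would be shared.

```python
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Hypothetical signature set, constructed for this example. Real antivirus
# signatures are derived from analyzed samples; these two are illustrative:
# a PE executable header and a base64-encoded PowerShell command line.
SIGNATURES = {
    "signature-A": re.compile(rb"MZ.{0,128}?This program cannot be run in DOS mode", re.S),
    "signature-B": re.compile(
        rb"powershell(?:\.exe)?\s+-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
}


@dataclass
class Message:
    src_ip: str
    dst_ip: str
    observed_at: datetime
    body: bytes        # the content that is NOT to be shared
    attachment: bytes  # scanned alongside the body


@dataclass(frozen=True)
class ShareRecord:
    """Exactly the tuple Alexander describes: signature, from, to, when."""
    signature: str
    src_ip: str
    dst_ip: str
    observed_at: str   # ISO 8601, UTC


def match_signatures(payload: bytes) -> list[str]:
    """Names of every signature that fires on the payload (empty if clean)."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def minimize(messages: list[Message]) -> list[ShareRecord]:
    """Scan each message and emit one ShareRecord per signature hit.

    Clean messages produce nothing; matched messages produce a record that
    carries no body or attachment bytes, only metadata about the hit.
    """
    records: list[ShareRecord] = []
    for m in messages:
        hits = set(match_signatures(m.body)) | set(match_signatures(m.attachment))
        when = m.observed_at.astimezone(timezone.utc).isoformat()
        for sig in sorted(hits):
            records.append(ShareRecord(sig, m.src_ip, m.dst_ip, when))
    return records


def serialize(records: list[ShareRecord]) -> str:
    """Wire form of what would be shared; nothing else leaves the network."""
    return json.dumps([asdict(r) for r in records])


def leaks_content(records: list[ShareRecord], messages: list[Message]) -> bool:
    """True if any original message body appears in the shared output."""
    blob = serialize(records)
    return any(m.body.decode("latin-1") in blob for m in messages)


# Constructed sample traffic (documentation IP ranges, fictional content):
# one message with an executable attachment, one clean message, and one
# with an encoded PowerShell command in the body.
SAMPLE_MESSAGES = [
    Message("203.0.113.7", "198.51.100.21",
            datetime(2013, 4, 16, 9, 30, tzinfo=timezone.utc),
            b"Hi Bob, quarterly numbers attached. Alice",
            b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"),
    Message("192.0.2.44", "198.51.100.21",
            datetime(2013, 4, 16, 9, 31, tzinfo=timezone.utc),
            b"Lunch at noon? Invoice attached.",
            b"%PDF-1.4 harmless invoice"),
    Message("203.0.113.9", "198.51.100.30",
            datetime(2013, 4, 16, 9, 32, tzinfo=timezone.utc),
            b"please run: powershell -enc " + b"QUJD" * 12,
            b""),
]


def build_records() -> list[ShareRecord]:
    """Run the scan over the constructed sample and return what would be shared."""
    return minimize(SAMPLE_MESSAGES)


if __name__ == "__main__":
    print(serialize(build_records()))
```

Run as a script it prints two records, one per matched message, and the clean message contributes nothing; the design point is that the scanner sees the content but the record type cannot carry it.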

Now take a look at what CISPA, the Cyber Intelligence Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

Marc Hochstein, Executive Editor of American Banker, a leading media outlet covering the banking and financial services community, discusses bitcoin.

According to Hochstein, bitcoin has made its name as a digital currency, but the truly revolutionary aspect of the technology is its dual function as a payment system competing against companies like PayPal and Western Union. While bitcoin has been in the news for its soaring exchange rate lately, Hochstein says the actual price of bitcoin is really only relevant for speculators in the short-term; in the long-term, however, the anonymous, decentralized nature of bitcoin has far-reaching implications.

Hochstein goes on to talk about the new market in bitcoin futures and some of bitcoin’s weaknesses—including the volatility of the bitcoin market.


Susan W. Brenner, associate dean and professor of law at the University of Dayton School of Law, discusses her new paper published in the Minnesota Journal of Law, Science & Technology entitled “Cyber-threats and the Limits of Bureaucratic Control.”

Brenner argues that the approach the United States, like other countries, uses to control threats in real-space is ill-suited for controlling cyberthreats. She explains that because this approach evolved to deal with threat activity in a physical environment, it is predicated on bureaucratic organizations. This is not an effective way of approaching cyberthreat control, she argues.

Brenner also explains why congressional efforts at cybersecurity legislation are flawed and why U.S. authorities persist in pursuing antiquated strategies that cannot provide an effective cyberthreat defense system. She outlines an alternative approach to the task of protecting the country from cyberthreats, an approach that is predicated on older, more fluid threat control strategies.


Politicians from both parties are now saying that although President Obama took comprehensive action on cybersecurity through executive order, we still need legislation. Over at TIME.com I write that no, we don’t.

Republicans want to protect businesses from suit for breach of contract or privacy statute violations in the name of information sharing, but there’s no good reason for such blanket immunity. Democrats would like to see mandated security standards, but top-down regulation is a bad idea, especially in such a fast-moving area. But as I write:

Yet guided by their worst impulses – to extend protections to business, or to exert bureaucratic control – members of Congress will insist that it is imperative they get in on the action.

If they do, they will undoubtedly be saddling us with a host of unintended consequences that we will come to regret later.

The executive order does most of what Congress failed to do in its last session. What Congress could add now is unnecessary and likely pernicious. The executive order should be given time to work. Only then will Congress know if and how it might need to be “strengthened.”

Earlier today on Twitter, I listed what I thought were the Top 5 “Biggest Internet Policy Issues of 2012.” In case you don’t follow me on Twitter — and shame on you if you don’t! — here were my choices:

  1. Copyright wars reinvigorated post-SOPA; tide starting to turn in favor of copyright reform. [TLF posts on copyright.]
  2. Privacy still red-hot w ECPA reform, online advertising regs & kids’ privacy issues all pending. [TLF posts on privacy.]
  3. WCIT makes Internet governance / NetFreedom a major issue worldwide. [TLF posts on Net governance.]
  4. Antitrust threat looms larger w pending Google case + Apple books investigation. [TLF posts on antitrust.]
  5. Cybersecurity regulatory push continues in both legislative (CISPA) & executive branch. [TLF posts on cybersecurity.]

Lists like these are entirely subjective, of course, but I am basing my list on the general amount of chatter I tended to see and hear about each topic over the course of the year.

What do you think the top tech policy issues of the year were?

Scott Shackelford, assistant professor of business law and ethics at Indiana University, and author of the soon-to-be-published book Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace, explains how polycentric governance could be the answer to modern cybersecurity concerns.

Shackelford originally began researching collective action problems in physical commons, including Antarctica, the deep sea bed, and outer space, where he discovered the efficacy of polycentric governance in addressing these issues. Noting the similarities between these communally owned resources and the Internet, Shackelford was drawn to the idea of polycentric governance as a solution to the collective action problems he identified in the online realm, particularly when it came to cybersecurity.

Shackelford contrasts the bottom-up form of governance characterized by self-organization and networking regulations at multiple levels to the increasingly state-centric approach prevailing in forums like the International Telecommunication Union (ITU). Analyzing the debate between Internet sovereignty and Internet freedom through the lens of polycentric regulation, Shackelford reconceptualizes both cybersecurity and the future of Internet governance.


I’m impressed with the job Ryan Radia did in this Federalist Society podcast/debate about CISPA, the Cyber Intelligence Sharing and Protection Act.

It’s also notable how his opponent Stewart Baker veers into a strange ad hominem against “privacy groups” in his rejoinder to Ryan. Baker speaks as though arguable overbreadth in privacy statutes written years ago makes it appropriate to scythe down all law that might affect information sharing for cybersecurity purposes. That’s what language like “[n]otwithstanding any other provision of law” would do, and it’s in the current version of the bill three times.