Wednesday, September 30, 2015

Jeb Bush is a cyber-weenie

Jeb Bush, one of the many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services
Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. Republican opposition to NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who do.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality because it's over-regulation. My point is that Jeb Bush doesn't realize he's been sucked into the Democrat framing, and that what he says is garbage.

A better example is Jeb's position on cybersecurity. His position is essentially that we need to create a Cyber Police State to solve the problem. He opposes the free market, wanting government to regulate business cybersecurity. He uses terms like "public-private partnerships", which are terms invented by Democrats to justify over-regulation.

One position paper talks about the CISA bill:
We are not powerless unless we choose to be. It would be a start for the President to show leadership on Capitol Hill, and to throw his weight behind the House’s effort to improve cybersecurity information-sharing between the government and the private sector — a critical impediment to cybersecurity according to experts.
Uh, what "experts"? I am a top expert. I know the other top experts. I know of no expert who believes this -- except those who have close ties to the government. Most experts oppose the CISA bill in question, as a violation of civil liberties that would have an insignificant benefit to cybersecurity.

Beyond the "sharing" features of CISA, the bill would almost certainly contain amendments that will make us weaker. Cyber-weenies in government can't tell the difference between cyber-criminals and cyber-defenders. These amendments that attempt to crack down on cyber-criminals inadvertently threaten cyber-defenders. The current law already has a minor chilling effect on cyber-defenders -- rather than fixing that problem, the proposed changes would create a huge chilling effect.

Cyber-issues are important. Instead of farming out position papers to flunkies with little knowledge of cyber, they should get competent people. For example, the controversial Derek Khanna is a policy wonk who is not a weenie on cyber issues.

Here are some off-the-cuff cybersecurity policy suggestions. While not much thought has gone into them, I claim they are vastly better than Bush's. They are based on Republican principles, as well as cybersecurity expertise.

1. Retaliate against China

In reality, most cyber attacks from China are not directed by the government. It's just that they encourage a culture that rewards people who hack America. But we do have clear evidence of the Chinese government conducting cyberwar against the United States, such as the DDoS on GitHub.

Retaliating in cyberspace itself is a bad idea, as that legitimizes cyberspace as a battleground for attacks against us. But we should retaliate in other ways, such as trade restrictions. In the near term, this will hurt the United States, too. But in the long run, China needs to fear consequences for its unrestricted hacking against us. Without consequences, China will never stop.

2. Government fix thyself

Before government tampers with the free market, it needs to solve its own cyber issues first. We can't expect the government to "promote best practices in the private sector", as Bush wants, unless it first implements those best practices in the government sector.

That the OPM hack happened is inexcusable. It's not simply that OPM failed at "best practices", but that the data never should have been Internet-accessible in the first place. I point to this policy because it's radically different from Jeb Bush's. Disconnecting a department's computers from the Internet is a radical policy that doesn't happen because of internal resistance. It takes a strong leader with a competent cyber team to overcome such resistance.

Bush's solution to OPM, firing the leaders, is attractive, but incomplete. You also fire leaders who don't deliver on other demands, such as easy access to data from other departments. Sometimes these demands are incompatible. It's often the leaders above departments who are at fault, giving subordinates an impossible task. It's the sort of leader who says "I don't care about the obstacles -- just make it happen". What you've created is an environment where the leaders choose the option that will keep them in their job the longest. That means doing the insecure thing now, to avoid getting fired now, and hoping hackers don't find out until they've moved on to some other job.

3. Get a technical cyberczar

From Bush's brother through Obama, all cyberczars have been cyber-weenies with essentially no technical knowledge. Indeed, the current cyberczar prides himself on his lack of technical knowledge, believing (falsely) that it allows him to see the bigger picture without getting bogged down in details.

In truth, he's right that most problems aren't technical in nature. A cyberczar skilled in technology, but unskilled in government, will have a lot of problems. But here's the thing: everything starts as a technical problem. Government has a culture of cyber-weenies with nobody, from the top on down, being competent to solve technical problems. Teams remain dysfunctional because their leader doesn't have sufficient technical skill to know that the lack of technical skills is the problem. Change needs to start at the top, meaning establishing a minimum set of technical credentials for the cyberczar, then among those qualified choosing the best bureaucrat.

4. Support the defenders

Right now, because of government cluelessness, the defenders are under attack. CISA amendments threaten them. CFAA extensions threaten them. Export restrictions threaten them. Corrupt copyright interpretations threaten them. Civil lawsuits threaten them. The recent executive order declaring a "cyber state of emergency" threatens them. Heck, the president has arrogated to himself the power to drone strike a cyber-expert he feels may be a threat to national security.

I scan the entire Internet looking for things like Heartbleed (a famous vulnerability), and report what I find to the cybersecurity community. But I exclude military systems from such scans, because our military threatens me. This doesn't stop the Chinese, of course. Therefore, the Chinese know about such weaknesses in our military systems, but the American people don't.

This is an application of what's known as "Kerckhoffs's principle", a foundation of cybersecurity: a system must remain secure even when everything about it except the key is public. Security comes from openness and transparency, not from keeping the design secret -- a principle opposed by cyber-weenies in government who believe in keeping everything secret, even from defenders.

Empowering defenders is almost a 2nd Amendment thing. Current government policy takes power away from the defenders, trying to give government a monopoly on cyber-defense. Good Republican policy should be the opposite: do more to empower the people to defend themselves.


Reasonable people can disagree about policy. My point here isn't to declare the best policy. My point instead is to highlight the flaws in Jeb Bush's policy. His people have created positions that are typical government insider generalities, demonstrating no actual expertise in the subject. He declares that the next leader of this country needs to solve this problem -- while demonstrating he isn't the leader to do so.

Disclaimer: I've donated $10 to the Jeb Bush campaign, and will vote for whichever Republican candidate wins the primary over any Democrat (except Trump, of course).


Anonymous said...

Very good analysis. Jeb Bush is the quintessential RINO (Republican in Name Only) - it has been accurately pointed out that his actual policy positions are almost indistinguishable from Hillary Clinton's. They would make excellent running mates.

Every time I hear Jeb speak I think of him as George W.'s evil twin - he wraps up everything conservatives and libertarians didn't like about his brother in a neat package, and without any of the things we did like. His policies are neither conservative nor Republican, but he thinks they are both, which makes him dangerously deluded.

I am especially glad you mentioned the connection between protecting the rights of cyber-defenders and the 2nd Amendment - as much as people in the predominantly left-wing "tech world" would be pained to admit it, the exact same arguments apply. From a moral standpoint, weapons are weapons, whether cyber or physical. New technologies don't create fundamentally new ethical situations; rather, they just frame old ones in new ways. But by claiming that a situation is "unprecedented", politicians can justify making up their own ethical rules that maximize their power.

xkcd had it right (though I imagine Mr. Munroe would be mortified to hear this): "we" had it backwards when fighting the classification of cryptography as weapons. Instead, we should have stood upon our 2nd Amendment rights to keep and bear un-backdoored crypto. :-)

Number 6 said...

Honestly, neither political party, nor the majority of politicians at all levels of government, understands or truly cares about Information Security until some big news story hits, or something like the OPM hack happens, and even then, they refuse to listen to the real people in the field.
I have left messages for both my senators (one from each party) and my House Rep, and always get a canned response back saying they care and that I do not understand the bills/policies with no explanation of them whatsoever.
Unfortunately, unless you have enough money to flash in front of them, they will never listen to those in the know.