Ben Mazzotta's Weblog

Ben Mazzotta is a postdoc at the Center for Emerging Market Enterprises (CEME).

Posts Tagged ‘international relations’

Tufts Democrats: What did you think?

The Tufts Democrats got an earful from me about how US foreign policy on cyberspace hasn’t advanced significantly in fifteen years. I complained that a whole lot of basic questions haven’t been settled, and drew on some key national documents to verify that is the case.

They were more impressed with my rapid-fire interactive summaries of Hollywood takes on cyberwar and cyber dystopia. Or so they tweeted.

Jumbos: what did you think? Please post in the comments. Thanks!

Written by Ben Mazzotta

November 18, 2011 at 10:50 pm

Cyber Shield newest mixed metaphor

This is the latest example of what’s wrong with the metaphor of cyberspace for information security. Cyberspace isn’t a space. Cyber attacks don’t involve thrown projectiles or spears. A shield won’t bat them down. The meat of the policy is buried: look how little attention is devoted to the five points in the last paragraph quoted below.

If he had said that installing Norton Internet Security on every computer in America was the definition of a cyber shield, or ordering drone attacks against suspected zero-day-threat writers, or requiring American companies to write back doors for the feds into encryption, or mandating the use of federally issued firmware in critical industries….well, then that would be the definition of a cyber shield. It’s a completely empty term.

US urges NATO to build ‘cyber shield’
(AFP) – Sep 15, 2010

BRUSSELS — NATO must build a “cyber shield” to protect the transatlantic alliance from any Internet threats to its military and economic infrastructures, a top US defence official said Wednesday.

Cyber security is a “critical element” for the 28-nation alliance to embrace at its summit of leaders in Lisbon on November 19-20, US Deputy Defence Secretary William Lynn said in Brussels.

“The alliance has a crucial role to play in extending a blanket of security over our networks,” Lynn said.

“NATO has a nuclear shield, it is building a stronger and stronger defence shield, it needs a cyber shield as well,” he said at a forum hosted by the Security & Defence Agenda think-tank.

Written by Ben Mazzotta

September 28, 2010 at 10:44 am

Fuzzy Thinking on African Botnets

I call “bull.” African botnets are not WMD, and the solution to African botnets is not to prosecute the lucky few who have computers there. Franz-Stefan Gady is completely out of touch with the realities of IT in Africa. The last thing African governments need is to shunt scarce resources into prosecuting cyber criminals, particularly within their own borders. Please do something more useful with whatever resources you have: support export industries, build infrastructure, build a call center or an export processing zone, make jobs, and provide education and health care.

Honestly. Beefed up law enforcement? Where does Gady think most infections in Africa originate? Why would he presume that the botnets are home-grown?

Governments should find ways to make legitimate software available at prices users can afford. That means not taxing software imports, encouraging the use of free and open source software, and ensuring broadband access. Yes, greater bandwidth, and not less bandwidth, is crucial to safer computing. Bandwidth will give end users access to security updates and current virus databases that are prohibitively difficult to download when connections are slow.

Written by Ben Mazzotta

March 25, 2010 at 7:16 am

Trade Cartograms at UseR! 2010

A bit of shameless self-promotion! I will be presenting my work on trade cartograms at UseR! 2010. I’ll update this with a link to the abstract when it is listed there.

Earlier this year I posted on the use of cartograms to visualize dyadic trade flows.

About UseR!

useR! 2010, the R user conference, will take place at the Gaithersburg, Maryland, USA campus of the National Institute of Standards and Technology (NIST) from 2010-07-21 to 2010-07-23. Pre-conference tutorials will take place on July 20.

The conference is organized by NIST and funded by the R Foundation for Statistical Computing.

Following the successful useR! 2004, useR! 2006, useR! 2007, useR! 2008, and useR! 2009 conferences, the conference is focused on:

  1. R as the ‘lingua franca’ of data analysis and statistical computing,
  2. providing a platform for R users to discuss and exchange ideas how R can be used to do statistical computations, data analysis, visualization and exciting applications in various fields,
  3. giving an overview of the new features of the rapidly evolving R project.

As for the predecessor conferences, the program consists of two parts:

  1. invited lectures discussing new R developments and exciting applications of R,
  2. user-contributed presentations reflecting the wide range of fields in which R is used to analyze data.

A major goal of the useR! conference is to bring users from various fields together and provide a platform for discussion and exchange of ideas: both in the formal framework of presentations as well as in the informal part of the conference in Gaithersburg.

Prior to the conference, on 2010-07-20, there are tutorials offered at the conference site. Each tutorial has a length of 3 hours and takes place either in the morning or afternoon.

Written by Ben Mazzotta

March 15, 2010 at 1:59 pm

Full hearing: US Senate on Cyber War Readiness

Highlights from the US Senate panel on cybersecurity 23 February 2010.

Mary Ann Davidson, CSO (Oracle). Required reading! Ms. Davidson masters the subject in bright prose. This is an excellent indictment of the rush to deploy smart grid technologies before we’ve had time to harden them from the types of attacks that routinely take computers off line. Thought experiment: what level of unplanned downtime would you be comfortable with for your house’s electrical power? water? energy? Would you try to save 10% on your electric bill for a system that you couldn’t be sure would work more than 99.9% of the time?

Even better, Ms. Davidson points out a crucial flaw in education. Computer science is applied mathematics, and few departments teach young programmers how to write secure software. If university departments don’t teach secure programming, we will need professional certifications to substitute, as with medical residencies, CFA exams for financial analysts, and professional societies for engineers and architects.

Vice Admiral Mike McConnell (Booz Allen Hamilton). Sound bite: “If there were a cyber war today, the United States would lose.” Some excellent recommendations for training a new class of software engineers, security professionals, and managers. Don’t be distracted by the salacious and unwarranted assertion at the outset. The rest of the testimony is good, and nobody is better informed than the Admiral.

Dr. James A. Lewis (CSIS). A couple of interesting metaphors. He compares cyberspace to a condominium and to a shopping mall, meaning that the space is all privately owned, and that neighbors have a compelling interest in one another’s behavior. Therefore all should be willing to submit to greater regulation. I’m inclined to agree with Borg’s statement (below) that government regulations are unlikely to keep pace with the rate of innovation. Rather than ask the government to certify that buildings are safe, wouldn’t we be better off with private certification of a standard of risk, as we currently do with automobiles, houses, and financial management? Computers and especially software are endlessly complicated, and don’t lend themselves well to the same type of governance as broadcast media and airplane safety.

Lewis also makes a crucial overstatement when he says that there are no rules on the Internet or that the Internet is a wild west. Actually many national and state authorities have control over Internet commerce, fraud, and even transborder crimes. At a more fundamental level, Lewis’ lawless vision of the Internet is fundamentally at odds with Internet governance over every layer of the Internet, from the development of hardware standards and Internet protocol, to the assignment of names and numbers, to the software that runs servers and home desktops. Re-read Lessig, and see if you can imagine the Internet truly without rules.

Scott Borg (US-CCU). Focuses on 3 central problems: (1) the conflict is already here; (2) cyber conflict threatens future American prosperity; (3) fixing markets is the key to improving cyber security. I agree with Borg, but then I’m biased.

Rear Admiral James Arden Barnett, Jr., Ret. (FCC). An interesting point of view. I don’t have any problem with DHS assisting the country with situational awareness, but the philosophy of defense is extremely centralized. The greatest specific policy errors of homeland security in the last ten years have been efforts to provide one-size-fits-all information and requirements from a central national office: the national threat level scale, vastly increased expenditures on passenger screening at airports, and advice on creating a safe room for chemical gas attacks inside your home. There are too many computers, and too many businesses to expect that federal marshals can secure their IT infrastructure for them. Effective homeland defense will require businesses and individuals to have cheap, effective, and secure choices to accomplish the things they already know how to do: run their businesses and their households.

Written by Ben Mazzotta

February 27, 2010 at 7:35 am

Another failed attempt to resurrect deterrence for cyber war

Cyber war creates far more than its share of Maginot strategy. How is it that we can hope to make deterrence work without the three elements that supported it during the nuclear age? McConnell’s article dated this coming Sunday (2/28/10) [sic] outlines three conditions, and then claims that the failure of these conditions isn’t really a problem. It’s a giant problem. Future cyber warriors will not suffer from our empty threats to respond with catastrophic cyber or conventional weapons.

During the Cold War, deterrence was based on a few key elements: attribution (understanding who attacked us), location (knowing where a strike came from), response (being able to respond, even if attacked first) and transparency (the enemy’s knowledge of our capability and intent to counter with massive force).

All three of these conditions fail.

Written by Ben Mazzotta

February 26, 2010 at 9:16 am

Export Trade Clusters

This post, as with the prior ones on trade clusters, aims to help visualize patterns of trade in the OECD from 50 years of partner trade statistics. The data is rich, meaning we should be able to develop rich intuition by exploring it visually.

These slides follow the method laid out in Jong-Eun Lee, “Two Maps for the World’s Trade Integration,” Applied Economics Letters, 11:4 (2004). All computations were performed in R.

Written by Ben Mazzotta

November 24, 2009 at 10:18 pm

Space is a terrible metaphor for cyber space

Physical metaphors for cyber space create pernicious mistakes of intuition about strategy. The lay of the land determines a great part of battlefield strategy. Cyber space is as unfamiliar and surprising as a trip through the looking glass, frustrating many efforts to understand cyber strategy by way of analogy to physical space. Writing about cyber strategy would be greatly improved by careful attention to the shape of the battlefield. The battlefield is a vast, multi-layered network and not a physical terrain.

Problems with the metaphor of space for cyberspace

  1. Single physical location fails in two directions. One actor can be located in more than one location. One location can exist in more than one physical jurisdiction, or in the global commons (e.g., satellite Internet link to offshore platform).
  2. Perimeter defense doesn’t work.
  3. The analogy to physical movement and distance yields poor intuition about movement in cyber space, e.g., velocity, acceleration, time to penetrate defenses, and maneuver.
  4. Control of physical objects is a particularly poor metaphor for cyberspace analogs, which require neither direct physical access nor the attention of an individual. In physical space, individual agents control only those objects within reach; creation of new objects requires logistics, procurement.
  5. Crucial capabilities for control: autonomy of maneuver, force projection over a territory.
  6. Changing the physical landscape is time-consuming, expensive, and hard to conceal.

Concepts for cyber security

  1. Network locations. IP address, physical layer, hardware within the machine (MAC, SIM), organization providing Internet access (ISP, cell network, satellite link), states with governing authority over telecoms.
  2. Access control, difficulty of forging authentication, multiple factors of authentication, time-based security.
  3. Network measures of distance. Servers mediating access to a target system. Physical barriers mediating access to a system.
  4. Manipulation of remote systems is cheap, automated, replicable. Millions of poorly protected machines are widely available.
  5. Crucial capabilities for control: IT control policies and procedures, jurisdiction, surveillance, and collaboration in law enforcement, counter-intelligence.
  6. The network topology is a policy choice. Control over topology is shared between governments, business, civil society, and individuals. Topology is actively controlled by actors before, during, and after conflict.

Just as the domain of air warfare required new strategy, so does the cyber domain. The air domain vastly increased the reach of a few actors. Air operations prioritized the defense-industrial base, which could replace assets lost in battle. Together, air and naval power permitted the projection of power at previously unimagined distances.

Written by Ben Mazzotta

August 12, 2009 at 7:35 am

Hardly anybody [I know] reads…

Bill Easterly, one of the most accomplished and iconoclastic development economists and commentators, may have overreached a bit. He has picked a bone with the Global Forum for Health over their failure to win publications and citations in journals worthy of consideration at tenure review. Isn’t that a strange criterion for judging the success of the Global Forum for Health? They are insufficiently concerned with winning faculty jobs at US universities?

The evaluation has lots of other things to say about them, both positive (they have a lot of meetings!) and negative (“absence of an agreed results framework”).

So the World Bank seems to be following a disturbing trend. It is financing economic research publications that hardly anybody reads, and financing health awareness efforts that hardly anybody is aware of.

This also creates a new challenge for aid watchers – how can we hold accountable an aid agency we don’t know exists? What other dark matter in the aid world is awaiting discovery?

Global Forum for Health is a self-described advocacy organization. If anything, Bill Easterly should be taking the development economics profession to task for its solipsistic criteria for success. In manufacturing industries, the gold standard of achievement is not publications, it is patents. Unfortunately, the economics profession has no equivalent to the patent.

My problem with Easterly’s criticism is the standard for judgment: “…publications that hardly anybody reads.” An astute reader will insert brackets, so it reads “publications that hardly anybody [I know] reads.” Tenure review boards matter primarily to people whose jobs hinge on tenure decisions, and in places that read the same publications that Easterly does.

Academics overseas may have a very different idea of where to publish their research, and what research is credible, and what research is relevant to their careers. The Economist recently stirred up a hornet’s nest with its report on the views of top economists on the profession, who accuse the discipline collectively of dogmatism and sloppy analysis (Barro, Buiter, DeLong, Eichengreen, Lucas, and Krugman). To the extent that publication in the top journals is both extremely time-consuming and something of a beauty contest, perhaps it isn’t reasonable to discount any and all research being done outside the top American journals.

Written by Ben Mazzotta

August 7, 2009 at 4:08 pm

State of the art in AI battlefield ethics

Can programmers specify a sufficient code of ethics to govern autonomous robots in battle? I believe the reasoning falls down in many places.

First, life is much more complex than the proposed codes below permit. “Harm” is an extremely complex concept based not only in physiology but also human dignity, local norms, and learned patterns of interaction. Obedience doesn’t cut the mustard. Second, ethical dilemmas are difficult problems, meaning that experts with a lifetime of experience can disagree on the content of the law, the hierarchy of norms, and the intent of the lawmaker. Third, the responsibility for the robot’s actions cannot rest fully with the robot in our system. Both the manufacturer/programmer and the operator of the robot share in the responsibility for the robot’s actions, and they are full and complete members of society. Dogs and children often put their owners and parents on the hook for negligent behavior, exactly because they lack the ethical competence of full personhood. Since we assume they are incompetent to make good decisions, ethics requires adults to treat them differently. Who would want K-9 commandos, no matter how lethal in combat, to have tactical authority over target identification and lethal use of force?

Dr. Ronald C. Arkin, Regents’ Professor and Associate Dean for Research at the School of Interactive Computing at Georgia Tech, was recently profiled in an h+ article

Written by Ben Mazzotta

August 6, 2009 at 7:21 am
