LAS VEGAS — The resounding message out of BSides Las Vegas and Black Hat — two information security conferences that took place the week of Aug. 5 — is that government is falling far short in the technology space.
The underlying problem, said Bruce Schneier, a security technologist and fellow at the Harvard Kennedy School of Government, is that policymakers don’t understand the technology and don’t have members on their staff with expertise.
So what both Congress and federal agencies need more of, he said, is public interest technologists on staff, people he defined as those who “combine their technological expertise and a public policy focus.”
This could act as an important counterbalance because, Schneier says, lawmakers are used to the longer, slower process of creating a law and don’t understand the way software works, with its constant updates and patches.
“I think that makes legislators unsuitable for a lot of this, though I would love to figure out a way to make law more agile,” Schneier said.
Because of the shortcomings in the legislative process, he said, agencies must take the lead on tech issues.
“And that means the agencies are the place where you can have agile policy-making, where the FTC can update their rules every three months ... where the FDA has an iterative process for approving software in medical devices,” Schneier said.
“There’re roles for technologists in both, but that’s going to be the difference today. I’d like to fix that, but there’s a broader conversation to be had about how to do policy in the 21st century,” Schneier continued.
Throughout the week in Las Vegas, speakers pointed to the notorious hearings last year when lawmakers hauled Facebook founder Mark Zuckerberg to the Capitol for several hours of testimony and then infamously showed a stunning lack of prowess in technology policy. The prime example of Congress’ shortfalls was when then-Sen. Orrin Hatch, R-Utah, asked Zuckerberg how Facebook made money.
“How is that even possible that that is an okay question? You got to blame that senator and you got to blame his staff,” said Schneier. “So I like to think it’s getting better but then you have stuff like that.”
Aside from the Facebook hearing, Schneier also pointed to the heated discussion between the FBI and Apple over backdoors into the iPhone that occurred a few years ago as an area where government needs to improve its knowledge of technology.
More recently, Attorney General William Barr controversially said he wanted encryption backdoors for law enforcement. Schneier said that although the policy may not be good, Barr’s rhetoric represented a shift in how policymakers talk about technology.
“I thought that his rhetoric was better than we’ve seen before ... he actually said, ‘I recognize that adding this backdoor will make devices more insecure and I think it’s worth it,’” Schneier said. “That’s fine. That’s the right debate to have: how much more insecure and is it worth it?”
Public interest technologists could help governments shape the policy surrounding these debates, he said. He pointed to election security, blockchain, how 0-day vulnerabilities should be used by the government and the internet of things (IoT) as immediate issues to address.
“This is all about vulnerabilities and how they are used and how they are fixed and how they affect security,” Schneier said.
Connected devices, a rapidly expanding field and potential target for cyberthreats, could shift government’s role in regulation, Schneier said. According to a Gartner release from 2017, there will be 20.4 billion IoT devices by 2020.
“I see government as largely abdicating its role and [it] needs to come back,” Schneier said. “And I think it’s going to come back with IoT because once the internet starts killing people, government will regulate it.”
With the new dangers of cyberspace, he said technologists in government are vital to policymakers.
“We’ll never get the policy right if the policymakers get the tech wrong,” Schneier said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.