In the summer of 1953, President Dwight D. Eisenhower convened an influential set of task forces called Project Solarium. The initiative, named for a private sunning room atop the White House, was to devise strategies to counter the Soviet threat at the onset of the Cold War. Its work would form the basis of U.S. foreign policy for decades to come.
After a year of deliberation, the Cyberspace Solarium Commission, Congress’s bipartisan cybersecurity advisory group inspired by Eisenhower’s efforts, has just released its review-and-rethink of U.S. cybersecurity policy. The 182-page report, published today, makes a blunt, if unsurprising, assessment: “The U.S. is currently not designed to act with the speed and agility necessary to defend the country in cyberspace.”
The commission aims, like a scowling bootcamp sergeant, to whip America into shape. Many of the commission’s more than 75 policy recommendations seem like no-brainers. Here are a few:
- Require paper audit trails for all election ballots (for anyone who disputes this, just look at last month’s fiasco of a Democratic caucus in Iowa)
- Reinstate a national cybersecurity director at the White House (this position was eliminated two years ago by former Trump National Security Advisor John Bolton)
- Pass a national data security and privacy protection law to clarify regulations around data collection (see Europe’s GDPR)
- Create special House and Senate committees devoted to overseeing the government’s cybersecurity efforts (let’s have some accountability)
- Assess the vulnerability of nuclear control systems (yes, please)
While the report offers plenty of sage counsel, its big shortcoming is its failure to articulate a clear-eyed position on encryption. Law enforcement has long maintained that it requires access to encrypted data for investigative purposes, but technologists, businesses, and cybersecurity experts warn that any “backdoors” will be abused by hackers and spies, undermining everyone’s security. The Solarium waffles in its attempt to negotiate internal disagreement over the issue. While the group espouses the virtues of “strong encryption,” it goes on to call the tech “a double-edged sword” that needs new “solutions.”
The equivocation could have been avoided. When Eisenhower put together the original Solarium, he split it into three task forces. That allowed each to develop diverse proposals for checking Soviet power, including more extreme options, like military action. The new Solarium, with its one-size-fits-all approach, missed the opportunity to do the same on encryption.
It’s a pressing matter. The Senate is currently weighing a proposal that could erode encryption. (See the EARN IT act, a piece of legislation ostensibly designed to prevent child exploitation, but which could end up subverting people’s privacy and security.) The Solarium passed the buck here. But the U.S. should adopt every other one of its policy recommendations yesterday.
Robert Hackett
Twitter: @rhhackett
Email: robert.hackett@fortune.com
THREATS
Computer virus. Two people who attended the security industry's RSA Conference in San Francisco last month have tested positive for the coronavirus. They were employees of the Foster City, Calif.-based cybersecurity company Exabeam, which said in a statement, "If you came in contact with our staff, please be vigilant in monitoring yourself for symptoms." One of the men, said to have had a heart condition, has been placed in a medically induced coma in Connecticut, his home state. A number of companies—AT&T, IBM, and Verizon—had previously pulled out of the event due to concerns over the contagion.
Dropping like flies. While RSA Conference kept the lights on, other events aren't taking chances with the highly infectious virus. The video-game industry's biggest event, E3, has been called off in Los Angeles. Tech-fest SXSW in Austin, Texas, is, after its cancellation, apparently refusing to refund thousands of tickets. Music-Bacchanalias like Coachella are being postponed too.
Doctor, doctor, give me the news. For the first time, Twitterapplied a "manipulated media" label to a tweet on Sunday, testing a new policy to call out fakery on its site. The tag was added to a misleadingly edited video shared by White House social media director Dan Scavino and retweeted by President Trump. The clip made it seem as though former Vice President Joe Biden, the Democratic presidential frontrunner, had endorsed Trump for reelection. Twitter's move follows Facebook's takedown of Trump campaign advertisements that misrepresented the U.S. Census last week. Still, a lot of people think social media companies aren't doing enough to fight misinformation.
Appeasing, appalling. As noted in yesterday's Data Sheet, viral video app TikTokhas hired Roland Cloutier, the former chief security officer of payroll provider ADP. ByteDance, the Chinese social media company that owns the app, is planning in May to open a "transparency center" in Los Angeles to counter criticism about how it moderates content and handles data privacy and security. Speaking of transparency, Whisper, an anonymous secret-sharing app, left an unprotected database online, allowing anyone to access the ages, locations, and other details of its users. Popular VPNs and ad-blockers are hoovering up people's data too.
Patch extravaganza. Shipping fixes to 115 software flaws, Microsoft had its biggest ever Patch Tuesday this week. Cybersecurity companies like Cisco and Fortinet are warning people about one still-unpatched vulnerability—rated highly severe and "wormable"—in the latest version of Microsoft SMB, a file-sharing protocol. Non-technical details of the security hole accidentally leaked online. On the bright side, Microsoft and several partners recently brought down Necurs, the world's largest spam and malware botnet, which is believed to have infected more than 9 million computers.
ACCESS GRANTED
Cities everywhere are getting jam-packed with surveillance technology. The watchful eyes of security cameras—and facial recognition software—threaten to vanish public anonymity for good. Can fashion fight back and reclaim people's privacy? Take a tour of the expanding wardrobe of the digital resistance in this quirky New Yorker feature.
Tom Goldstein, an associate professor of computer science at the University of Maryland, took an “invisibility cloak” from a pile on a chair in his office and pulled it on over his head. To my eye, it looked like a baggy sweatshirt made of glossy polyester, printed with garish colors in formless shapes that, far from turning Goldstein invisible, made him impossible to miss.
FORTUNE RECON
How high-frequency algorithmic trading programs can make bad stock market days even worse by Adrian Croft
Coronavirus may finally force businesses to adopt workplaces of the future by Erin L. Kelly and Phyllis Moen
Conferences go online amid coronavirus fears—minus the hallway schmoozing by Alyssa Newcomb
NFL taps Take-Two to make video games for the first time since 2004 by Chris Morris
Where A.I. jobs are exploding in number (it’s not in Silicon Valley) by Jeremy Kahn
ONE MORE THING
URLs have become a fact of life; if you want to get online, you must use them. Ever wonder how they came to be? An employee of Cloudflare, a San Francisco-based Internet infrastructure firm, has penned a veritable screed about their evolution. If you have the time, dive in to learn why, for instance, you may email me at robert.hackett@fortune.com, but not at robert.fortune@com.
File this under why the Internet is the way it is.
