Re: Information Security and Politics

vt100 · ‎11-12-2020

There is a tendency in our industry to remain "professional" by divorcing ourselves from politics. Well, looks like it is becoming more difficult to keep doing that in light of current developments. Today, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency unequivocally took a stand against disinformation: https://arstechnica.com/tech-policy/2020/11/report-white-house-pressuring-cisa-to-stop-debunking-ele...

"White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information."

Since we are bound to protect society, I find CISA's decision commendable (they treat disinformation generated by either side equally).

The scope of the Information Systems should probably be expanded to include the information provenance and accuracy before we can talk about preservation of its confidentiality, integrity and availability.

CISOScott · ‎11-13-2020

Can they address the other censoring that is going on too? Can they address the one-sideness of the American media as well? I think not and think that they should stay out of it or truly address both sides. There is a reason people hide what they do in the darkness.

jmikesmith · ‎11-13-2020

We cannot and should not "divorce" ourselves from politics. Politics requires the participation of technology professionals to inform policy decisions. See https://public-interest-tech.com/.

Mike Smith

CISOScott · ‎11-13-2020

I know we are supposed to keep politics off of the site so let's look at this scenario from an information security point of view and the parallels to cyber security.

So in information security when we see abnormalities it causes us to be suspicious. When we see numerous instances of any of these things it really rises above the normal expected behavior and any good cyber security professional would become suspicious and support a full investigation. If you were asked to perform a security assessment of a company and you saw all of these things below, what would be your assessment?

If we see a spike in activity that rises above the norms, we suspect wrongdoing. So normal would be, let's say a turnout of 50-60%, but in certain areas it is 90-110%. Yes, some areas above 100%. Nothing suspicious there. There might be a valid reason, like same day registration, but why only in certain areas? Wouldn't we expect this behavior to be normalized? If these spike only occurred in certain areas where one group had control wouldn't that make it more suspicious? Fox guarding the henhouse paradigm?

If we see people minimizing down their computer screens when security walks in, we suspect wrongdoing. Why would you be nervous when security walks into the room? Or why would you prevent someone from watching your activities?

If we see people closing doors and hiding their activities, we suspect wrongdoing. Again, what could you be hiding?

If we see a group of employees going out of their legal authority to help one group, but not another group, we would be suspicious and suspect wrongdoing.

If we see people trying very hard to make it harder for monitors/auditors to perform their job, we suspect wrongdoing. Why would you purposely prejudice the work of the auditors or monitors? What could you be hiding?

When you do not require 100% user identification and it is very easy for people to pretend to be other people and succeed at impersonating that user, you would be suspicious and suspect wrongdoing.

If we see a process that is easily manipulated and is hard to be verified afterwards, we suspect potential for wrongdoing. No upfront verification of people being sent ballots, multiple ballots received at the same address, dead people receiving ballots, or worse than that, dead people REQUESTING ballots?

If we see machines that have been rejected by one entity for insecure cyber security configuration THREE times, but then are used by others, we suspect the potential for wrongdoing.

If we know that a process can be manipulated so that verification of fraud can be almost impossible to detect, after a certain event takes place like separating the mailing envelope with the postmark on it, signature required for verification, etc., AND you have that event happening while the auditors/monitors are being excluded, you would become suspicious and suspect wrongdoing is going on. Oh, AND once the unverified for legality votes are mixed in with the "legal" votes it becomes almost impossible to desegregate them later, you understand why an insider threat might want to delay/obstruct monitoring/auditing for a certain amount of time.

When you have a process that allows for anyone to go around and gather votes and potentially change them before submitting them in certain areas, you have a process that is ripe for fraud and abuse. You would have a right to be suspicious.

When you have auditors/monitors being told to go home as no more counting would be happening that night, and after they leave, counting resumes, you would be suspicious and suspect wrongdoing.

Then when you have a Public Relations campaign using absolute words like "Widespread" in order to minimize the suspicious behavior and try to say that no improper behavior is happening because it is not widespread; you become suspicious and suspect wrongdoing.

If these events were happening during a cybersecurity assessment you would write a very bad report on the company involved, wouldn't you? You would write up failures in policy, in oversight, in auditing, and management. You would start investigations, possibly criminal in nature, on employees. You would recommend such policy changes as address verification before sending out ballots, death notice updates to voter roles, voter removal for address changes, preventing ballot harvesting, and require 100% identification verification. You would suggest auditing and monitoring changes be made so that auditors/monitors could not be excluded from their oversight responsibilities. You would require that no counting be done without monitors present. You would not allow mysterious shipments of ballots to arrive during the night. You would have secure methods for transporting the ballots and not just have them showing up in boxes, bags, etc. You would even suggest the termination of several of the officials involved for impartial treatment. You would recommend that the company come up with national standards that affected all of their corporate locations to eliminate corruption in a few places, even if the corruption was not "widespread".

It amazes me to see how people can change their view on legality or morality to fit their narrative when they want to win. It gives credence to the adage "Power has the ability to corrupt." It is also amazing to see how certain people in high positions can get away with what would put you and I in jail.

I remember my first encounter with voting fraud was in high school. They had passed out ballots to vote for homecoming King and Queen. A few of the popular kids went around and collected the ballots. On the way to class I saw them in a side hallway erasing votes and checking who they wanted to be King and Queen. And it turned out just how they wanted.

tmekelburg1 · ‎11-13-2020

@vt100 wrote:
There is a tendency in our industry to remain "professional" by divorcing ourselves from politics.

I always found this silly. You can remain professional and still have an opinion on a particular side. The professional part comes into play when trying to see from their perspective and agreeing to disagree if need be. Politics is ingrained into our everyday lives, whether it's office politics or professional. But if people want to waste their time and effort to avoid it, go right ahead.

Today, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency unequivocally took a stand against disinformation

Personally, I think it should be a civic responsibility for everyone to fight against disinformation. I'm glad CISA decided to do this. I'd expect them to do the same thing if a foreign country was the source of the disinformation as well.

vt100 · ‎11-13-2020

@CISOScott There is no question in my mind, that we can do with some serious improvements in the voting process, specifically, by implementing a country-wide practices and controls.

That being said, I am not a fan of unsubstantiated allegations by either party. If there is a proof, I want to see it documented, presented to the courts unsealed and be able to monitor the proceedings.

In terms of media, I have never seen such a horrible job being perpetrated (not an accidental choice of a word), as it was during last 8 years. There are no longer news, just opinions with snippets of the information advancing each side's agenda.

Up until recently, I could at least trust WSJ to be unbiased, but the opinions they are lately running are decidedly swinging further from the center.

I am not taking a stab at any one party in particular, but the birth of the unmonitored echo chambers like Parler, we are in danger of exponential proliferation of misinformation. What this will result in is implementation of China-like draconian clamp-down on communications unless we are willing to let these platforms that, whatever stripes they are, be easily subjected to manipulation by foreign adversaries. Whatever faults Twitter and FB have, at least they have means of countering these threats, even if they have done awful job of it in the past.

vt100 · ‎11-13-2020

@CISOScottRespectfully, I disagree with that logic: It is akin to say that unless you know everything that is false, you should not flag anything you know for a fact to be false. We all are now living with the unintended consequences of the 1st Amendment that are being misused and abused by the media and social platforms. Unless there are consequences for generation and proliferation of either false or incomplete information, there is no stopping the catastrophic consequences of those actions.

The only way I see that happening is if we stop the real-time social media postings altogether (until verification and clarification is done by moderators) and if the conventional media channels are to be held liable for any incomplete or false data they are disseminating. Baring that we'll reap chaos.

AndreaMoore · ‎11-13-2020

Thank you for keeping this conversation civil and focused on the ethical implications for cybersecurity professionals (note our Monday keynote at Security Congress will be Bruce Schneier discussing the topic of Public Interest Technologist).

While our community guidelines generally discourage political discussions, we thank you for the respectful exchange so far. We will keep an eye on this discussion, and will not lock or remove it while it remains professional and constructive.

ISC2 Community Manager

vt100 · ‎11-13-2020

@AndreaMooreThank you Andrea. I am looking forward to the input of the community focused on our responsibilities in these unprecedented times and under current and future circumstances. We tend to focus on cybersecurity vs. information security, but to recognize the difference is to remain relevant. Otherwise, the technical analogy of our efforts is the functionality of IPS without HTTPS/TLS inspection and OCSP.

CISOScott · ‎11-16-2020

@vt100 wrote:
@CISOScott There is no question in my mind, that we can do with some serious improvements in the voting process, specifically, by implementing a country-wide practices and controls.
That being said, I am not a fan of unsubstantiated allegations by either party. If there is a proof, I want to see it documented, presented to the courts unsealed and be able to monitor the proceedings.
In terms of media, I have never seen such a horrible job being perpetrated (not an accidental choice of a word), as it was during last 8 years. There are no longer news, just opinions with snippets of the information advancing each side's agenda.
Up until recently, I could at least trust WSJ to be unbiased, but the opinions they are lately running are decidedly swinging further from the center.
I am not taking a stab at any one party in particular, but the birth of the unmonitored echo chambers like Parler, we are in danger of exponential proliferation of misinformation. What this will result in is implementation of China-like draconian clamp-down on communications unless we are willing to let these platforms that, whatever stripes they are, be easily subjected to manipulation by foreign adversaries. Whatever faults Twitter and FB have, at least they have means of countering these threats, even if they have done awful job of it in the past.

@vt100 And I will respectfully disagree with you on your views of Parler and FB/Twitter. I am going to disagree with you and try to use my logic but will not attack you personally. There is a huge bias campaign going on and in the US, 6 companies control 90% of the media and there is HUGE groupthink going on. Even the so-called "fact checkers" are biased. I am surprised anyone would be against free speech and Parler. So what if people spread misinformation on it? I see tons of misinformation on FB/Twitter that goes unchallenged because it either doesn't directly go against it's narrative or it increases traffic that it can use to claim their awesomeness in size. Lots of fake accounts using clever misspellings to link to malware sites that Twitter/FB can't seem to or just won't clean up. Tons of scams that FB/twitter let spread rampantly, but if someone even speaks about voting issues, whether for or against, they get slapped with one-sided "fact checking". I even got put into Twitter jail for 3 days just for liking some posts that I agreed with that were against the WHO current opinion at the time (back in February 2020). I DIDN'T post anything, I was just liking posts that shared my same sentiments. None of the posts I liked expressed any hate or things you would expect that violate "community standards". Wouldn't journalistic integrity WANT to know how many people were feeling the same way about an issue so if there was enough interest they could actually investigate instead of being fed talking points of conformity?

So, I also recognize that FB/Twitter own their platforms and can censor/"inform"/misinform who and what they like. They have that right, but don't tell me that if folks get tired of being censored and wish to move to another platform that they are not being censored on, that they don't have that right and label it an "echo chamber". That is dishonest if someone truly believes in free speech. You say moving to Parler will force us into a China-like draconian lockdown by moving to an uncontrolled platform, so people just shouldn't move on from FB/Twitter and just accept the censorship we have, rather than being forced into censorship later. Wouldn't this be the same thing as a China-style draconian lockdown?

Isn't free speech supposed to allow people to speak freely? Look, every society has it's share of idiots and "wackos". Having studied psychology I also know that there are people with serious mental health issues (and I wish we could remove the stigma of going to mental health professionals as being weak or crazy). We should monitor and take appropriate action if they go too far with their thoughts and they start advocating violence. Having worked for a US major law enforcement agency I have seen the "tin foil brigade" and conspiracy people as well. But don't they have a right to have their views? Now I am not saying their views may be 100% right and even wrong people are entitled to their views, but to force them to be shutdown because they do not agree with your views (or whomever is the thought police at the moment) is wrong. If we force people to hide their views or not report activity that is harmful to others for fear of being either not believed or labeled as wackos, then we risk losing the ability to audit ourselves as human beings. I have seen plenty of stuff that goes unpunished because someone had money, fame, knew how to play the system against itself or were in control of the system of justice. If their behavior is allowed to be hidden because information is controlled then again we lose the ability for justice.

I am against white supremacy and other hate groups as I see their views as hate filled and wrong. And really, if they would go for some psychological help they could resolve the issues that are causing them to be filled with hate, but I digress. But I still allow them to have them, I just counter them with logic. When they turn violent or suggest violence then I feel law enforcement should monitor them and step in and break them up/prosecute them as needed. Again I would like to see them forced to go seek mental counseling to see if they can understand the reason why they are filled with hate or have a need to belong to a group filled with other like minded individuals. And I am not talking about a Clockwork Orange style forced re-education style program.

It is amazing to see how one rather large group of people is upset about the rapid emergence of Parler and their constant barrage of how it is "dangerous" to allow people to congregate and share ideas in an app/platform that is not controlled by the 6 companies that currently dominates the information market. That to me seems like a draconian style of control.