Categories
Links Writing

Building a Strategic Vision to Combat Cybercrime

The Financial Times has a good piece examining how insurance companies are beginning to recalculate how they assess the premiums for policies that cover ransomware payments. In addition to raising fees (and, in some cases, deciding whether to drop ransomware coverage entirely) some insurers like AIG are adopting stronger underwriting, including:

… an additional 25 detailed questions on clients’ security measures. “If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.

To be sure, there is an ongoing, and chronic, challenge in getting companies to adopt baseline security postures, inclusive of running moderately up-to-date software, adopting multi-factor authentication, employing encryption at rest, and more. In the Canadian context this is made that much harder because the majority of Canadian businesses are small and mid-sized; they don’t have an IT team that can necessarily maintain or improve on their organization’s increasingly complicated security posture.

In the case of larger mid-sized, or just large, companies the activities of insurers like AIG could force them to modify their security practices for the better. Insurance is generally regarded as cheaper than security, so insurers demanding better security as a condition of coverage is a way of incentivizing organizational change. Further change can be incentivized by governments adopting policies such as requiring a particular security posture in order to bid on, or receive, government contracts. This governmental incentivization doesn’t necessarily encourage change for small organizations that already find it challenging to contract with government due to the level of bureaucracy involved. For other organizations, however, it will mean that to obtain or maintain government contracts they’ll need to focus on getting the basics right. Again, this is about aligning incentives such that organizations see value in changing their operational policies and postures to close off at least some security vulnerabilities. There may be trickle-down effects from these measures as well, insofar as even small companies may adopt better security postures based on actionable guidance made available to the smaller suppliers of those mid-sized and larger organizations, which do have to abide by insurers’ or governments’ requirements.1

While the aforementioned incentives might improve the cybersecurity stance of some organizations, the key driver of ransomware and other online criminal activity is its sheer profitability. The economics of cybercrime have been explored in some depth over the past 20 years or so, and the conclusions reached range from focusing efforts on actually convicting cybercriminals (admittedly hard where countries like Russia and other former Soviet republics shield criminals who do not target CIS-region organizations or governments) to selectively targeting payment processors or other intermediaries that make it possible to derive revenue from the criminal activity.

Clearly it’s not possible to prevent all cybercrime, nor is it possible to do all things at once: we can’t simultaneously incentivize organizations to adopt better security practices, encourage changes to insurance schemas, and find and address weak links in cybercrime monetization systems with the snap of a finger. However, each of the aforementioned pieces can be done with a strategic vision of enhancing defenders’ postures while impeding the economic incentives that drive online criminal activities. Such a vision is ostensibly shared by a very large number of countries around the world. Consequently, in theory, this kind of strategic vision is one that states can cooperate on across borders and, in the process, build up or strengthen alliances focused on addressing challenging international issues pertaining to finance, crime, and cybersecurity. Surely that’s a vision worth supporting and actively working towards.


  1. To encourage small suppliers to adopt better security practices when they are working with larger organizations that have security requirements placed on them, governments might set aside funds to assist mid-sized and large vendors in securing their supply chains, and thus relieve small businesses of these costs. ↩︎
Categories
Aside Links

2021.5.20

After many months of hope and anticipation, I’m looking forward to finally ditching the (cruddy and privacy intrusive) OS that is built into my TV and enjoying my new Apple TV 4K (Gen 2)! I admit to being disappointed Apple hasn’t transformed the Apple TV into a ‘true’ gaming device, but c’est la vie.

Now the wait begins for a new Apple Watch.

Categories
Links

The Answer to Why Twitter Influences Canadian Politics

Elizabeth Dubois has a great episode of Wonks and War Rooms where she interviews Etienne Rainville of The Boys in Short Pants podcast, former Hill staffer, and government relations expert. They unpack how government staffers collect information, process it, and identify experts.

Broadly, the episode focuses on how the absence of significant policy expertise in government and political parties means that social media—and Twitter in particular—can play an outsized role in influencing government, and why that’s the case.

While the discussion isn’t necessarily revelatory to anyone who has dealt with some elements of the government of Canada, and especially MPs and their younger staffers, it’s a good and tight conversation that could be useful for students of Canadian politics, and it also helpfully distinguishes some of the differences between Canadian and American political cultures. I found the forthrightness of the conversation and the honesty about how government operates were particularly useful in clarifying why Twitter is, indeed, a place for experts in Canada to spend time if they want to be policy relevant.

Categories
Links

Facebook Prioritizes Growth Over Social Responsibility

Karen Hao writing at MIT Technology Review:

But testing algorithms for fairness is still largely optional at Facebook. None of the teams that work directly on Facebook’s news feed, ad service, or other products are required to do it. Pay incentives are still tied to engagement and growth metrics. And while there are guidelines about which fairness definition to use in any given situation, they aren’t enforced.

The Fairness Flow documentation, which the Responsible AI team wrote later, includes a case study on how to use the tool in such a situation. When deciding whether a misinformation model is fair with respect to political ideology, the team wrote, “fairness” does not mean the model should affect conservative and liberal users equally. If conservatives are posting a greater fraction of misinformation, as judged by public consensus, then the model should flag a greater fraction of conservative content. If liberals are posting more misinformation, it should flag their content more often too.

But members of Kaplan’s team followed exactly the opposite approach: they took “fairness” to mean that these models should not affect conservatives more than liberals. When a model did so, they would stop its deployment and demand a change. Once, they blocked a medical-misinformation detector that had noticeably reduced the reach of anti-vaccine campaigns, the former researcher told me. They told the researchers that the model could not be deployed until the team fixed this discrepancy. But that effectively made the model meaningless. “There’s no point, then,” the researcher says. A model modified in that way “would have literally no impact on the actual problem” of misinformation.

[Kaplan’s] claims about political bias also weakened a proposal to edit the ranking models for the news feed that Facebook’s data scientists believed would strengthen the platform against the manipulation tactics Russia had used during the 2016 US election.

The whole thing with ethics is that they have to be integrated such that they underlie everything that an organization does; they cannot function as public relations add ons. Sadly at Facebook the only ethic is growth at all costs, the social implications be damned.

When someone or some organization is responsible for causing significant civil unrest, deaths, or genocide, we expect those who are even partly responsible to be called to account, not just in the public domain but in courts of law and international justice. And when those someones happen to be leading executives of one of the biggest companies in the world, the solution isn’t to berate them in Congressional hearings and hear their weak apologies, but to take real action against them and their companies.

Categories
Links Writing

Pandemic Burnout in Academia

Virginia Gewin, writing for Nature:

Even before the pandemic, many researchers in academia were struggling with poor mental health. Desiree Dickerson, an academic mental-health consultant in Valencia, Spain, says that burnout is a problem inherent in the academic system: because of how narrowly it defines excellence, and how it categorizes and rewards success. “We need to reward and value the right things,” she says.

Yet evidence of empathetic leadership at the institutional level is in short supply, says Richard Watermeyer, a higher-education researcher at the University of Bristol, UK, who has been conducting surveys to monitor impacts of the pandemic on academia. Performative advice from employers to look after oneself or to leave one day a week free of meetings to catch up on work is pretty superficial, he says. Such counsel does not reduce work allocation, he points out.

Academia has a rampant problem in how it is professionally configured. To get even a short-term contract now requires a CV that would have been worthy of tenure twenty or thirty years ago. Which means that, when someone is hired as an assistant professor (with a 3-6 year probation period), they are usually already more qualified than their peers of the past and have to be prolific in the work that they contribute to and output, and do so with minimal or no complaints so as to avoid any problems in their transition from assistant to associate professor (i.e., a full-time and sometimes protected employee).

Once someone has gone through the gauntlet, they come to expect that others should go through it as well: if the current generation can cut it, then surely the next generation of hires should be able to as well if they’re as ‘good’ as the current generation. Which means that those who were forced into an unsustainable work environment that routinely eats into personal time, vacation time (i.e., time when you use vacation days to catch up on other work that otherwise is hard to get done), child rearing time, and so forth, expect that those following them do the same.

Add to this the fact that most academic units are semi-self-governing, and those in governance positions (e.g., department chairs, deans) tend to lack any actual qualifications in managing a largely autonomous workforce and cannot rebalance workloads in a systemically positive way so as to create more sustainable working environments. As a result of a lack of formal management skills, these same folks tend to be unable to identify the issues that might come up in a workforce/network of colleagues, and they are also not resourced to know how to actually treat a given problem. And all of this presumes they are motivated to find and resolve problems in the first place. This very premise is often faulty, given that those who are governing are routinely most concerned with the smooth running of their units and, of course, may keep in mind any junior colleagues who happen to cause ‘problems’ by expecting assistance or consideration given the systemic overwork that is the normal work-life imbalance.

What’s required is a full-scale revolt against the very structure of university departments if work-life balance is to be truly valued, and if academics are to be able to satisfy their teaching, service, and research requirements in the designated number of working hours. While the job is often perceived as very generous–and it is, in a whole lot of ways!–because you (ideally) have parts of it that you love, expecting people to regularly work 50-75 hour weeks, with little real downtime, little time with family and friends, and a constant treadmill of outputs, is a recipe for creating jaded, cynical, and burned out professionals. Sadly, that’s how an awful lot of contemporary departments are configured.

Categories
Links

The Value of Brief Synthetic Literature Reviews

The Cambridge Security Research Computer Laboratory has a really lovely blog series called ‘Three Paper Tuesday’ that I wish other organizations would adopt.

They have a guest (usually a graduate student) provide concise summaries of three papers and then a short 2-3 paragraph ‘Lessons Learned’ section to conclude the post. Not only do readers get annotated bibliographies for each entry but, perhaps more importantly, the lessons learned mean that non-experts can appreciate the literature in a broader or more general context. The post about subverting neural networks, as an example, concludes with:

On the balance of the findings from these papers, adversarial reprogramming can be characterised as a relatively simple and cost-effective method for attackers seeking to subvert machine learning models across multiple domains. The potential for adversarial programs to successfully avoid detection and be deployed in black-box settings further highlights the risk implications for stakeholders.

Elsayed et al. identify theft of computational resources and violation of the ethical principles of service providers as future challenges presented by adversarial reprogramming, using the hypothetical example of repurposing a virtual assistant as spyware or a spambot. Identified directions for future research include establishing the formal properties and limitations of adversarial reprogramming, and studying potential methods to defend against it.

If more labs and research groups did this, I’d imagine it would help to spread awareness of some research and its actual utility or importance in advancing the state of knowledge to the benefit of other academics. It would also have the benefit of showcasing to policymakers what key issues actually are and where research lines are trending, and thus empower them (and, perhaps, even journalists) to better take up the issues that they happen to be focused on. That would certainly be a win for everybody: it’d be easier to identify articles of interest for researchers, relevance of research for practitioners, and showcase the knowledge and communication skills of graduate students.

Categories
Links

Finding a Foreign Policy for the Internet

Justin Sherman and Trey Herr have an outstanding essay that clarifies the need for Washington and its allies to build a cohesive foreign policy for the Internet instead of simply opposing the strategies presented by competitors such as China.1 Poignantly, they write:

Washington needs a foreign policy for the internet that advances a vision for the internet that speaks to the language of trust and embraces the need to focus on the role of individuals, grasps the utility of iterating small changes instead of grand bargains, and embraces the reality that the clock cannot be turned back. This strategic product must do more than reject the sovereign and controlled authoritarian internet model, based on principles of tight state control over internet data routing, tight state control over data storage, and limited content freedom. A foreign policy for the internet must build on not just U.S. government agencies but allies and partners overseas, and leverage the influence that the American tech industry has over internet infrastructure. It must realistically address the shortfalls and risks of a free and open internet but seek to maximize and revitalize that internet’s benefits—across everything from speech to commerce. A foreign policy for the internet should rest on three assumptions; there are myriad others but these three are systemically significant.

These strategies absolutely must be developed and made coherent given the importance of the Internet for day-to-day life; the Internet underlies everything from trade coordination to military engagements, and is increasingly the lifeblood of civic life and organizing. It is time for the West to make clear what it is for, and how it plans to navigate the challenges that the Internet has wrought, without succumbing to fear or abandoning the democratic principles which have undergirded the Internet and its composition for the last several decades.


  1. Should you doubt that China has a cohesive strategy for the Internet, I’d recommend reading about the prospect of a splinternet forming as a result of China and its allies building out competing standards that prioritize placing control in centralized and obedient-to-government hands. ↩︎
Categories
Links

Towards A Genuinely Progressive Feminist Foreign Policy

Gabrielle Bardall has written an article on the current failings of Canada’s feminist international assistance policy, which is part of the government’s broader feminist foreign policy. In part, she writes:

A feminist approach to democracy development must be more than a simple numbers game to increase the number of women and minority groups in democratic institutions that sustain existing power structures. A feminist approach must instead involve people of all genders working together to advance democratic institutions, processes and values that disrupt those patriarchal power structures and prioritize gender equality across diverse populations and partisan lines. It is measured by the extent to which those institutions and processes are transformed by feminist principles and feminist actors (male and female), not just by the percentage of seats held by each sex.

In past professional settings I’ve been critical of Global Affairs Canada’s modes of applying gendered lenses and feminism to foreign policy processes, not because I disagree with doing so conceptually, but because it has so routinely felt non-progressive by focusing less on feminism and more on sex. Bardall’s framing, of needing to move towards a non-neoliberal concept of feminism, nicely captures my disquiet and does so far more elegantly than I’ve managed in the years I’ve been stewing on this issue. Until a model of feminism that is explicitly anti-patriarchal is adopted into Canada’s foreign affairs policies, any adopted feminist approach will serve principally to adjust who is at the table without striving to redistribute power itself in a more equitable manner.

Categories
Links Writing

A Clubhouse for Whom?

(Photo by Stephen Crowley on Unsplash)

Mark Stenberg has a good assessment of the challenges facing Clubhouse, the newest ‘hot’ social media app that involves individuals having audio discussions in real-time with one another in rooms that are created on the platform. He suspects that Clubhouse may work best in quarantine:

A glimpse of Instagram brings a fleeting burst of serotonin, but a second’s worth of Clubhouse is meaningless. Will you then, at night, leave your family in the other room so you can pop your headphones in and listen to strangers swapping their valuable thoughts on the news of the day?

When commutes and daily life return, people will once again have a few parceled-off periods of the day in which they can listen to audio entertainment. If there are no good Clubhouse conversations at those exact times, the app is far less valuable than a podcast platform or music-streaming service. The very characteristic that makes it so appealing — its real-time nature — will make it challenging for listeners to fold it into their lives when reality returns.

Whether a real-time app that depends on relative quiet and available time, and which is unsuitable for multitasking, survives in its current form as people emerge from their relative isolation will be interesting to measure in real time once vaccines are widely distributed throughout society. But, equally interesting (to my mind) are the assumptions baked into that very question: why not just ask people (e.g., essential workers) who continue to commute en masse whether they are, or will be, using Clubhouse? Why not ask those who do not have particularly flexible or quiet lives at the moment (e.g., parents who are homeschooling younger children while working their day jobs) whether the app is compelling during quarantine periods?

To put it another way, the very framing of Clubhouse presupposes a number of affordances that really mostly pertain to a subset of relatively privileged members of society. It’s lovely that some tech workers, who work from home, and journalists who have similar lifestyles are interested in the app. But that doesn’t mean that it’ll broadly interest people, just as most people are dismissive of text-based social media applications (e.g., Twitter) and even visual-based apps (e.g., Instagram).

But, at the same time, this may not matter. If the founders are aiming for growing and sustaining the existing platform and not for the typical Silicon Valley viral growth, then their presently suggested modes of deriving profits might work. Specifically, current proposals include, “tipping, subscriptions, and ticketing” which, if adopted, could mean this is a social networking platform that doesn’t rely on the normal advertising or data brokerage models which have been adopted by most social media platforms and companies.

Will any of this work? Who knows. Most social media companies are here today, gone tomorrow, and I bet that Clubhouse is probably in that category. But, at the same time, it’s worth thinking through who these kinds of apps are designed for so that we can appreciate the politics, privilege, and power which are imbued into the technologies which surround us and the ways that we talk about those technologies.

Categories
Links

Externalizing Costs: The Table Saw Edition

Steve Gass, a physicist and lawyer by training, gave an interview about SawStop, which is a table saw that’s designed to detect and immediately stop and retract the blade if it detects human flesh. He discussed how and why he created it, but also addressed the pressing social need it serves: there are around 150 injuries a day with table saws, and about 8 of them are amputations.

Given that he’s designed a technology to massively cut down on these injuries,1 you may wonder why it hasn’t been widely adopted. The reason, unsurprisingly, is that other table saw manufacturers just externalize the harmful social costs of their products. As Gass notes in his interview with MachinePix Weekly:

The fundamental question came down to economics. Almost a societal economic structure question. The CPSC says table saws result in about $4B in damage annually. The market for table saws is about $200-400M. This is a product that does almost 10x in damage as the market size. There’s a disconnect—these costs are borne by individuals, the medical system, workers comp—and not paid by the power tools company. Because of that, there’s not that much incentive to improve the safety of these tools.

As is depressingly normal, even if companies did want to integrate Gass’ technology it would add somewhat to their current bill of materials and, as such, run the risk of making their products less competitive when juxtaposed against other companies’ table saws. The result is a massive cost to the economy that is borne by taxpayers and insurance companies rather than by the manufacturers.


  1. Pardon the pun. ↩︎