Bruce Schneier skewers an imaginative fear-mongerer.

Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.

Now, having taken federal office, she again favors REAL ID — or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)

In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program — invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.

So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and — blamo! — I’m a cybersecurity expert.

Not really — but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us — houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way — thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for exmple, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people — and that’s rather integral to terrorism — by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies — especially to address threats that don’t even have a strategic logic — would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D‑WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure — the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity — which is impossible — I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services — and highly knowledgeable thanks to entities like the National Institutes of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability — when products or services fail to serve the purposes for which they’re intended, including security — sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies — co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft — argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it — we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources — that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occassional good, long blog post.

Security guru Bruce Schneier comes down on the strictly pragmatic side in this essay called “Fixing Airport Security.” Because of terrorism fears, he says, TSA checkpoints are “here to stay.” The rules should be made more transparent. He also argues for an amendment to some constitutional doctrines:

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is “implied consent,” which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is “plain view,” which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that. Both of these principles are well established and make sense, but it’s their combination that turns airport security checkpoints into police-state-like checkpoints.

The comments turn up an important recent Fourth Amendment decision circumscribing TSA searches. In a case called United States v. Fofana, the district court for the southern district of Ohio held that a search of passenger bags going beyond what was necessary to detect articles dangerous to air transportation violated the Fourth Amendment. “[T]he need for heightened security does not render every conceivable checkpoint search procedure constitutionally reasonable,” wrote the court.

Application of this rule throughout the country would not end the “police-state-like checkpoint,” but at least rummaging of our things for non-air-travel-security would be restrained.

I prefer principle over pragmatism and would get rid of TSA.

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess. Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/​August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I agree.

The New York Times has an interesting story on President Obama’s continuing failure to follow through on his “Sunlight Before Signing” promise. On the campaign trail, he said he would post bills online for five days before signing them. Two dozen bills now have his signature, and only one has been posted for five days before signing.

The article (and accompanying video) fixes on a couple of reasons why the president might be excused from carrying out the promise. One is the technical difficulty of managing potentially hundreds of thousands of comments. The promise did not include a promise to publish comments, though — much less to read them (though it would be politically astute to appear to do so). In my view, the difficulty of administering a public comment system — which was not part of the promise — does not excuse the failure to post the bills Congress presents to the president for five days before he signs them.

A second excuse is that posting bills online would be ineffectual. Ellen Miller of the Sunlight Foundation is quoted saying, “There isn’t anybody in this town who doesn’t know that commenting after a bill has been passed is meaningless.”

I have done my level-best to illustrate how a five-day hold at the White House would have good effects on reducing earmarks, parochial amendments, and other shenanigans — such as congressional approval of bonuses to AIG executives.

Miller’s preferred approach — placing a similar hold on bills before they leave Congress — would have a similar effect — but nothing dramatically more open. Just as under a presidential hold, members of Congress and Senators would be more reticent to introduce potentially controversial amendments. Just as under a presidential hold, they would carefully avoid a blossoming of debate about their pet projects at the end of the legislative process. A congressional hold would change the upstream behavior of the politicians — just like a presidential hold would.

A presidential hold and a congressional hold are both good ideas, and they are not mutually exclusive. The presidential hold has a key advantage: The president has already promised it — to the cheers of American voters.

The New York Times story reports a small step toward meeting the actual terms of President Obama’s pledge:

“In order to continue providing the American people more transparency in government, once it is clear that a bill will be coming to the president’s desk, the White House will post the bill online,” said Nick Shapiro, a White House spokesman. “This will give the American people a greater ability to review the bill, often many more than five days before the president signs it into law.”

If this means posting links to bills on the Thomas legislative system from White​house​.gov, this is something the White House has done sporadically, and it would increase transparency by a small margin if it were regularized. The administration should establish a uniform URL where bills are posted so that every American can easily find every bill the president signs. But, in terms of fulfilling President Obama’s promise, “posting a link from White​House​.gov to THOMAS of a conference report that is expected to pass doesn’t cut it.”

I think this is grudging progress toward implementation of President Obama’s “Sunlight Before Signing” promise. In the video, the author of the Times article has the best line illustrating why the White House deserves modest congratulations for taking this step: “It’s a lot easier to promise to change Washington than it is to actually change it.”

The fact that North Korea is a monstrous tyranny is well-known. Google Earth is helping map that tyranny in extraordinary detail, from the opulent palaces of the elite to the horrid labor camps for the victims. 

Reports The Independent:

US researchers are using the internet to reveal what life is really like behind the closed borders of the world’s last Stalinist dictatorship

The most comprehensive picture of what goes on inside the secret state of North Korea has emerged from an innovative US project. The location of extraordinary palaces, labour camps and the mass graves of famine victims have all been identified. The online operation that has penetrated the world’s last remaining iron curtain is called North Korea Uncovered. Founded by Curtis Melvin, a postgraduate student at George Mason University, Virginia, it uses Google Earth, photographs, academic and specialist reports and a global network of contributors who have visited or studied the country. Mr Melvin says the collaborative project is an example of “democratised intelligence”. He is the first to emphasise that the picture is far from complete, but it is, until the country opens up, the best we have.

Palaces

The palatial residences of the political elite are easy to identify as they are in sharp contrast to the majority of housing in the deeply impoverished state. Though details about many palaces’ names, occupants and uses are hard to verify, it is known that such buildings are the exclusive domain of Kim Jong-Il, his family and his top political aides. Kim Jong-Il is believed to have between 10 and 17 palaces, many of which have been spotted on Google Earth:

1) Mansion complex near Pyongyang

This may be Kim Jong-Il’s main residence. His father lived here surrounded by the huge, ornate gardens and carefully designed network of lakes. Tree-lined paths lead to a swimming pool with a huge water slide, and next to the complex there is a full-size racetrack with a viewing stand and arena. There is a cluster of other large houses around the mansion, forming an enclosed, elite community. It appears to be reached via an underground station on a private railway which branches off from the main line.

The new technology is creating a new variant to the old saying: you can run, but you can’t hide. Tyrants can run their countries but they can’t hide their abuses.

We still have yet to figure out how to toss thugs like Kim Jong-il into history’s trashcan. But better understanding their crimes is an important part of the process.