What you should know from the week of 6/11/21:
- Digital Public Goods
- Colonial Pipeline (yes, still)
- Article V
- Costly Subsidies
Digital Public Goods:
In a fairly short and highly readable article, Richard Pope walks through some of the risks and limitations of depending on tech infrastructure built and operated by private companies.
...we can expect that technology companies will continue to make plays in the spaces traditionally occupied by governments and civil society. Apple reportedly has plans to enter the passport space and have made mention of the role of technology in voting. Google is slowly adding drivers licences to Android. The commodity offerings of cloud providers such as Amazon Web Services, Alibaba Cloud, Microsoft Azure are increasingly in use by governments around the world for things like hosting and databases. But we can expect them to slowly ‘move up the stack’ and start offering more government-focused services — say payment systems or prescriptions.
His suggested solution of public institutions "creating shared infrastructure that solves a common set of problems and enabling in-house teams to focus on the problems that are unique to them" sounds like the right direction, but I believe it needs additional force and scope (although I support any steps in the right direction here).
Governments perhaps find themselves in a position similar to that of the US in the late 1800s. Railroad tycoons rapidly built transportation infrastructure across the US that was critical for commerce and even military use (as evidenced by the nationalization of the railways during WW1), but concerns over unfair business practices led Congress to pass the Elkins Act of 1903, the Hepburn Act of 1906, and the Mann-Elkins Act of 1910 to regulate the industry.
Closing the railroad thought: it is good for regulation to be imposed on the private companies that are building, operating, and governing the critical infrastructure we rely on today for interstate commerce and even governance. However, that regulation needs to come with significant public investment in infrastructure development; otherwise regulation may stifle development, much as US railways have largely languished since they were regulated without corresponding investment.
To put a fascinating little bow on this rhetorical detour: the Mann-Elkins Act of 1910 also placed telephone and telegraph companies under ICC regulation, and that authority was carried over in 1934 into the Communications Act, which created the FCC (Federal Communications Commission).
Back to Pope's article: there is growing interest within government in developing a concept of digital public goods. The Ohio AG recently filed a complaint "focused on establishing that Google’s provision of internet search is properly classified as a common carrier and/or public utility under Ohio common law."
Another good article last week from The Verge covered a similar topic, if you want to read more on this.
Colonial Pipeline:
Joseph Blount, the CEO of Colonial Pipeline, testified in front of the Senate (linked above) on the 8th and in front of the House on the 9th. Both are about 2 hours, but worth watching. I'll produce a longer-form essay on Colonial Pipeline and a national response to ransomware shortly.
Congressmembers asked some good questions, along with a variety of bad ones.
Eric Geller from Politico also live-tweeted the hearing.
Some of my main thoughts (from public reporting and watching the hearings):
- Blount/Colonial felt an extreme need to CYA on their ransom payments, and as a result overemphasized the value they got from the decryption tool
- Blount/Colonial sidestepped the fact (and I don't think Congressmembers directly asked) that some reputable reporting suggests Colonial's decision to take their pipeline offline was influenced by their ability to invoice customers, rather than (as Blount largely testified) Colonial's ability to safely deliver fuel.
- Congressmembers got hung up on Colonial's status as a victim of a crime. Colonial is a victim of this attack/intrusion, but the American people are also victims of Colonial's insufficient security controls and of its inability to ensure continuity as a critical infrastructure operator.
- I'm not suggesting Colonial be held to an impossible 'unhackable' standard, but Congress should investigate what it would cost for Colonial to guarantee it can keep delivering fuel under manual operation when its IT systems are unavailable.
- Congressmembers got hung up on whether it is Congress/Gov's job to generate regulations for industry, or whether industry should be left to establish best practices. Government has an easier option: legislating liability for inadequate security controls.
- Dan Geer covered this in his 3rd point (addressing software liability) in his Black Hat keynote in 2014:
Nat Howard said that "Security will always be exactly as bad as it can possibly be while allowing everything to still function,"[NH] but with each passing day, that "and still function" clause requires a higher standard.
- Industry will implement better practices if there is liability for not doing so.
Article V:
This is not actually new: NATO Secretary General Jens Stoltenberg has previously stated that "In 2014, NATO leaders agreed that a cyber-attack could trigger Article 5 of our founding treaty."
However, this twitterized interview generated some buzz in infosec circles. There is a religious war between former intel-community infosec professionals, who hold very strong views that an 'attack' requires kinetic effects, and the always-been-private-sector professionals, who are much more comfortable conflating 'criminal hacking' and 'cyber attack' into the same concept.
Neither is fully correct, but generally the US population (and, unfortunately and increasingly many US legislators) tends to be too liberal with the term 'cyber attack' while the US Executive Branch tends to be too conservative. Both tendencies are dangerous, and both largely miss the point of conflict in cyberspace today.
Most conflict that is effective at accomplishing state goals will fall far short of warfare. As far as solutions go, Joshua Baron from DARPA presents some excellent ideas on effective ways to respond to significant threats to liberal values.
Costly Subsidies:
Kevin Roose from the New York Times writes about the increasing cost of previously-subsidized services.
Some of these companies have been tightening their belts for years. But the pandemic seems to have emptied what was left of the bargain bin. The average Uber and Lyft ride costs 40 percent more than it did a year ago, according to Rakuten Intelligence, and food delivery apps like DoorDash and Grubhub have been steadily increasing their fees over the past year. The average daily rate of an Airbnb rental increased 35 percent in the first quarter of 2021, compared with the same quarter the year before, according to the company’s financial filings.
Roose addresses a number of startups that have either gone out of business or increased their costs, and does a deeper dive on the scooter industry:
As of 2019, [the electric scooter company] Bird was losing $9.66 for every $10 it made on rides, according to a recent investor presentation. That is a shocking number, and the kind of sustained losses that are possible only for a Silicon Valley start-up with extremely patient investors.
Bird has since raised its prices significantly and now turns a profit on rides.
However, Roose has a strange takeaway from these changes: that the increased costs are 'progressive' and result in less exploitation (emphasis mine):
Profits are good for investors, of course. And while it’s painful to pay subsidy-free prices for our extravagances, there’s also a certain justice to it...Getting someone to clean your house, do your laundry or deliver your dinner should be a luxury, if there’s no exploitation involved. The fact that some high-end services are no longer easily affordable by the merely semi-affluent may seem like a worrying development, but maybe it’s a sign of progress.
Roose is right that investors pumping cash into unprofitable businesses to keep them afloat is bad. He is also right that companies can exploit their workers to offset their lack of profitability. Roose makes a big assumption here, though: that the higher prices are a result of progress and of less exploitation of gig workers. That assumption drives his thesis.
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.