
The State of Cybersecurity

Mar 04, 2013, 46 min

Episode description

What did US President Barack Obama say about cybersecurity in the 2013 State of the Union address? What does his executive order on cybersecurity mean? Why is cybersecurity a big deal? Listen in and learn more about cybersecurity policy.


Transcript

Speaker 1

Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, everyone, and welcome to TechStuff. My name is Jonathan Strickland, and here is Lauren Vogelbaum. Yep, that's my co-host, everybody. Today we're going to talk a little bit about security. It's an important thing, cybersecurity specifically. Yeah, you've got to secure your cybers. All your cybers are belonging to you

and should continue to do so. Yeah, we're talking about cybersecurity because President Obama did. Yes, he did. The President of the United States of America had his State of the Union address, which is when the president... If you are not from the United States, or perhaps just politically completely separate from anything that goes on, you may be a little bit lost and confused perhaps,

or maybe you haven't been to the internet. Maybe you live as a hermit off in the distance and you only get human contact through podcasts, in which case, hey, thanks for choosing ours. But yeah, every year the president has this forum where he begins to address how the country is doing and what his administration, or her administration, should we ever get a female president...

I'm sure it's someday, any year now. But anyway, that is when the president will lay out plans for what the government will focus on in the following year, assuming the rest of the government plays ball, because again, the United States government is not just the president. Sure, but it's kind of saying what's important. Yeah.

And I personally, kind of a side note, I feel like this has become less critical to politics now, in this, our information age, than it was, for example, fifty or sixty years ago, when people didn't really have direct and continual access to everything bloody going on in the

government all the time. Yeah, that's a good point, because earlier you would hear the president essentially during the State of the Union address and after any major event like a catastrophe, or not necessarily something bad, but usually it had to be something big, and then the president would end up addressing the nation about it. But in this case, we now live in a world where we get this information on a fairly continuous basis.

I mean, you could follow the president on Twitter and get information, or just the twenty-four hour news coverage of what's going on in the government is out there too. Anyway, the State of the Union is traditionally seen as a big, important event here in the US. So during the State of the Union, one of the many points the President addressed was cybersecurity. Now, that was not the entire focus of the speech. In fact, it only took up a small section, about a minute and a half,

I think. Yeah. In fact, I can read out verbatim what he said, because the text is available on the Internet, of all things. So here's what President Obama had to say about cybersecurity: America must also face the rapidly growing threat from cyber attacks. We know hackers steal people's identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets.

Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs, and our privacy.

Now Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks. So really, this of course just served to alert the nation: yes, we are aware of the problem, and yes, we are going to do something to respond to this problem. But of course the speech was not the right venue to go into detail about what that was going to be. Right, right. These kinds of speeches aren't really used for extreme detail of

any kind. It's more, hey, problem, we're gonna fix it. How are we going to fix it? Look over here at the Chewbacca. Yeah. And this is regardless of who is in power. That's just the way it works. Yeah. We are, by the way, trying very hard in this episode to not let any of our personal politics enter into this discussion. Sure. So this is actually us

being as fair as we possibly can be. And if we wind up making a little bit of fun of any given administration, it's not politically motivated. Now, in this case, it's motivated by our knowledge of how technology works, how policy works, and how those two things don't necessarily mesh very well. And that's regardless of what your political stance is, whether you're conservative or liberal. No matter what, technology is kind

of apolitical, just as a tool. Now, you can use it for political means. But anyway, getting into this, we really wanted to talk more about the Executive Order itself, because that's where the approach that Obama

wants the government to take comes from. Right, right. And I read a great write-up that Michael Daniel, who is Obama's cybersecurity coordinator, wrote about it, and he was just saying that basically the Executive Order breaks down into three parts. It covers information sharing first off, which means that it really wants the different segments of the government to work

with all of these private companies that run our technology infrastructure and our power infrastructure to share information about any cyber threats that are going on. And yeah, that's the first big section, because obviously the issue here is that sometimes the government gets information, but depending upon the classification of that information, they may not be able

to share it on a very wide distribution. And beyond that, sometimes when you get information in the government, it's really hard for the information to escape the government.

So in other words, this is supposed to lay the groundwork to allow the government to share information with entities that are critical to our infrastructure, and also, going the other way, giving those entities incentive (thank you so much, incentive) to also share any information that they have about any cyber attacks that might be occurring back to the government, so that the government can do more to help out. Right. And we'll

dive into more about how that's a challenge in a little bit, because, as it turns out, it sounds like, yeah, totally, we just got attacked, we should let the government know. But I'll get into why a lot of companies don't necessarily see that as the best option. Right, right. All right, so that's part one. Part two kind of outlines a flexible, risk-based package of core practices based on existing standards

of cybersecurity. Yeah, so this is looking at... there are several organizations already that are working toward the best practices for cybersecurity, and so this is kind of trying to say, let's take a look at all of this stuff and pick and choose the best out of all of it and use that as the framework for what everyone should do. That's also possibly going to be a bottleneck, but I'll get to that when we

get a little further into this. Yes. The third part then deals with privacy protections, because when you're dealing with these companies that have a lot of private citizens' data, or even their own private corporate data, or, on the other end, from the government, the government doesn't want anything sensitive to

end up being revealed that they don't want to give out. Right. Yeah, you know, companies have proprietary information, for example. So let's say that a cyber attack focuses on something that involves proprietary information, information that is necessary for that company to keep secret. It's a trade secret. It's something that allows them to do business the way they do it and make money. Yeah. So for example, this is a random example that I just thought up

right now, but the Google algorithm. Okay, because the Google algorithm, that's essentially the recipe that tells Google how to rank search results on any given query. Well, that's pretty useful information to have, especially if you're building websites. But let's say that Google suffered a cyber attack and part of the information that was compromised was this Google algorithm, which is kind of like their secret sauce. You know, it's not

published, right. It's the mathematical Horsey sauce. Yes, it is. It's part of their eleven herbs and spices, and so they don't want the information getting out. And if they were to report the information to the government, it's possible that, as part of the distribution of information to everybody else, you know, saying like, well, Google was attacked, so these other companies need to be aware of this as well,

the worry is that the algorithm itself would become part of that information distribution and then Google loses its advantage in the marketplace. That's just a simple example, and it may even be unrealistic in the sense of what we're talking about here, but it's just to kind of illustrate why the government needs to take this into account when

formulating policy. Yeah, and so those are the basic three parts, and the administration is really big on saying that they want to work really hard with companies and with the different government organizations to make all of this as sensical and, not like work, more like sharing and hugging. Yeah, there needs to be sharing and hugging, while standing shoulder to shoulder to keep the cyber attackers at bay.

And so they say that they worked with over two companies directly and fifteen million employees and all kinds of crazy numbers like that, trying to work to get this information together. And to be fair, we should also point out that it's a directive, but again it does not lay out step by step how this is going to happen. It's more like saying to specific departments within the government, hey, this is what I want. Here's the result I want.

You have two hundred and forty days to return to me the result I want. Go. And it's up to that individual department to determine what are the steps that it needs to take in order to meet the requirements

of this executive order. This is also something that I've seen critics point at, saying a lot of the timetables that are discussed within the Executive Order are not necessarily realistic, because you're talking about navigating such a complex issue, not just from the technology side, but from the existing policy side, that in order to find something that satisfies the needs of the Executive Order and does not violate any of these other entities

that are already out there is a huge challenge. And two hundred forty days is just one of the deadlines. There are some that are like a hundred twenty days, depending upon what it is. But it's just not enough time. Right. And especially considering that if you've been paying attention to the news at all, in, say, the past existence of reality, you may have noticed that the different parts of the American political system don't necessarily work together

extremely well. I mean, for example, there was a Cybersecurity Act last year, I believe, that tried to go through Congress. It made it past... no, that was the other one. It got filibustered by the Republicans. They were saying that it was going to place too much of a burden on the companies that it would affect, and all kinds of stuff like that has been going on for the past three and a half years, or really since the mid-nineties, when computer networks became

a really integral part of business. Yeah. This is a complicated issue, because on one hand you're talking about protecting a lot of private entities, and private entities do not have any connection to the government other than paying taxes, honestly, as I'm sure we're all aware. But anyway, these private entities don't necessarily have any other connection to the government. They're not run by the government. It's not a socialist

kind of structure. It's a private structure. But that means that, you know, how far can the government come in to try and protect these entities? When the entity itself is in control of something that's vital to the operation of business or national security, then it is in the government's interest to come in and say, look, I know that we don't have any call in how you run your business, that's not our job, but we need to protect it, because how your business

performs affects the citizens of this country. So I guess we can start diving into the executive order. Did you have something else you wanted to mention before we did that? That's about it. All right. So here's

an opening paragraph from part of the executive order. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards. That's a mouthful. Fascinating. That was so thrilling. It was. Yeah, it's not quite legalese. It's not so dense as to be completely inoperable, where you can't understand a word of it without having, like,

three lawyers on your team. But it does make it... it's this very formal sort of language. Part of the issue here also is that some people argue that the terms are not narrowly defined enough to make it meaningful. For example, you talk about operators of critical infrastructure. There are some people who say that that's not specific enough. You know, what is infrastructure?

Are we talking just things like power grids? I mean, that would clearly be critical infrastructure. Does it extend to telephones? Does it extend to dams? Or does it extend to cybersecurity firms? Because if you're talking about something where you're really trying to protect people from cyber attacks, does that mean it extends to the point that cybersecurity firms become part of this critical infrastructure, because they are the protection against

that sort of thing? I'm sure that those kinds of definitions will be worked out. And sometimes this sort of legislation, or these executive orders I should say, not legislation, but this executive order... sometimes these things are vaguely worded on purpose, to try and have the broadest possible application, and then you narrow it down as it's put into practice. And that's the feeling that I get from this, especially since they're kind of

going like, yeah, do this thing and you work it out. Yeah. So I'm gonna go through a little bit, kind of point by point, some of the sections here, and then after I do that, we'll kind of talk about some of the, not just criticisms, but just

some of the observations people have made about this. So it begins by talking about distributing reports of detected cybersecurity threats to private sector companies, as long as those reports do not endanger investigations and law enforcement efforts

and they are unclassified. So, in other words, when the government gets, say, a report that there's a cyber threat, this is what would allow the government to send that information out to the various parties that could be affected by this cyber threat and to kind of give them a heads up, saying, look, we've detected that there's some operation in, let's say, China, whether it's state-backed or it's a group of hackers who are working on their own or whatever, or maybe it's a

Russian group that looks like it's working out of China. This is complicated. We can't really be sure, because of the way the internet works and the way hackers get around this sort of thing. But they've detected that there's this credible threat, and they've detected what the potential targets are. This part of the executive order gives the government the

ability to say, hey, heads up, it's coming in. And this is actually an expansion of a currently existing program called the Defense Industrial Base Information Sharing Program, which I believe currently exists to allow government contractors to receive

real-time reports about these threats. Right. And so, again, the reason why they say it can't endanger investigations is, clearly, if there's a law enforcement group, whether it's in the United States or it could be some international type of law enforcement group, looking into the problem, then by sharing information, you could compromise

that investigation. So it's a delicate thing. It's not something where every single time there's going to be a threat, there's automatically going to be a report generated that gets sent out. It's going to be a case-by-case basis. The next section talks about how classified reports will go to critical infrastructure entities that are authorized

to receive them. So there will be some privately held companies that will be authorized to receive classified information, assuming that classified information relates to that entity in some way. I think it's also talking a little bit about trying to expedite the process of getting clearances for appropriate individuals and also state and government representatives, to give

them that stuff. Yeah, exactly. Yes. So this, again, is kind of like cutting away some of the red tape that would exist between information and the entity that would most benefit from receiving it, in a

cyber attack kind of situation. It would also expand the Enhanced Cybersecurity Services Program to all critical infrastructure sectors, which is a voluntary information sharing program. This is where you were talking about it's offering the classified info to the private sector folks, but also it's a sharing program that is supposed to encourage companies to share information between each other, to say, there's this cyber attack that we've detected and it

could affect your industry as well as ours. So the idea is that it's supposed to encourage these companies to participate, but it is voluntary. We'll get into that when we get into the criticisms. Also, beyond the security clearance being expedited, we have private sector experts who will be invited to come and speak to the government on a regular basis, to keep the government informed about cyber risks and

the best practices to respond to them. Now, this is essentially the part of the Executive Order that recognizes the fact that the people who hold positions of power in politics may not be technologically qualified. They may be savvy, but even a technologically savvy person would not necessarily be up

to date on the latest cyber threats. And so this is to give the government the chance to maintain an ongoing dialogue with experts in the cybersecurity field, so that the best policies are formed as a result, and the best practices are formed as a result, because what works today may not work in three months.

It's a funny thing about technology. And then the next section is the one that's all about privacy and civil liberties, because apparently it's a really big issue, in the idea that a lot of these companies have a lot of our data, not just corporate data, but our personal data. So think about it, like power companies, gas companies, you've got credit card companies.

All sorts of vendors out there have information, social networking companies; all of these have personal information that could put citizens at risk if that information were shared with a broader audience. So that's the part where the Executive Order says, okay, we want this culture of sharing. We want to be able to get the information to where it needs to be so that we can protect ourselves, but we don't want to do that

at the expense of personal privacy and civil liberties. We don't want to violate anyone's privacy or expectation of privacy. So we don't want a credit card company to send information to some other entity that just so happens to have all the credit card numbers, names, addresses, and credit scores of everyone who's a customer with that credit card company, because that would be a bad thing. And so one of the things that this requires is

regular assessments and public reporting of any kind of mishaps. Yeah, so it's an ongoing dialogue again with the government to make sure that this is done in an appropriate way, because, I mean, obviously, when people start to worry about security, it can be, I won't say easy, but it's possible that you overlook other concerns that you should really

take into mind when you're trying to protect yourself. We usually see this in the wake of some sort of actual attack, where an attack happens and then we just want to respond to that and make sure it doesn't happen again. And you can easily set aside other concerns that you really need to keep in mind the whole time. Well, before we move on to the rest of the Executive Order, I think now would be a good time to take a quick break and thank our sponsor,

and now back to the show. So the next section is all about consulting and getting various departments to talk to each other to improve security measures, so when one group sees something that's working, it can communicate that to other groups. It's kind of this idea of inciting cooperation between departments and other entities. Then there's a section, I've got a direct quote here: the Secretary of Commerce shall direct the Director of the

National Institute of Standards and Technology (hereinafter known as the Director) to lead the development of a framework to reduce cyber risks to critical infrastructure, henceforth known as the Cybersecurity Framework. The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business,

and technological approaches to address cyber risks. That's essentially saying you have to take everything into consideration and make it into a cybersecurity approach that takes all of that into account and works, which is huge. I mean, that's just incredibly complex. I mean, policy alone is complicated. Yes, a little bit. And then you've got technology, which is

constantly evolving. So by the time you're finished drafting a policy, it may be that the technology has... Now, granted, I'm not blaming anyone for this, because that's just how reality is. And I don't know how else you could word this in a way that would make sense and get across the importance of what needs

to be done. Yeah, and that is good. I mean, I feel like they've got enough of a cautionary air about it that they're not just sitting there quoting Tim Gunn, going, well, make it work. But yeah, it does kind of start to set in how enormous this issue is. It's also enormously important, so I'm very glad that the government is looking into it, and they have been looking into it. That would also, I'm sure we

kind of alluded to it already, this is not the first time the government has looked at cybersecurity, but they're seeing it as something that's just going to get increasingly important as time goes on. Next, they said that the Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess,

and manage cyber risk. This is also a huge thing.

I mean, it's a tall order, because you're talking about an approach that ideally should work in every case across multiple industries, because the idea of it being repeatable means that it can't be something that, oh, because this threat was specific to this industry, then it can't work over here. Or even just that our approach worked for this threat, but the reason why it worked for this threat was because of X,

that, you know, might mean that it's not repeatable. So it's a very challenging thing. Again, I'm not saying it's impossible, but, you know, and again, there's not much else they could say. What else are they gonna say? Like, produce an infinite number of responses that can work in any given situation, depending upon which response you're using in which industry? I mean, that just wouldn't work. Oh, no, no.

And they do talk a lot about scaling. They want to make sure that this is going to work just as well for small companies as for big companies, and yeah, across the board. But that just makes it harder. Yeah. In fact, the next section says you gotta do all this without impacting business and privacy. So you have to come up with a way to protect our businesses and our infrastructure in such a way that it's not going to negatively impact

those businesses. So you can't come up with a plan that protects everyone but ends up taking a cut of everyone's profits because they have to spend so many work hours doing this thing. Oh, you know, which is why the Republicans last year filibustered that last Act. And it's tough, I mean. And we'll

get into more about why in a second. Also, that's where they introduced the idea of the open public review and comment process, so that this becomes an evolving policy over time, which again I'm very glad that kind of stuff is built into this executive order. It recognizes that this is a problem that is going to change over time, and you cannot create a policy and expect it to be evergreen, that one approach, once you've established it, is going

to work forever. This is sort of interesting, because there are other policies that were created back when the telephone industry was first coming into prominence that still affect how the Internet works today. And there are a lot

of people who protest that. They say, look, these were policies that were made for a much older telecommunications network that could do a very limited number of things, and now you're applying it to a much more complex system that is far more sophisticated, and the implications for

how it works are far more complicated. Expecting those rules to apply to this thing is unrealistic. And you've got a lot of that kind of discussion going on, mostly in interest groups that are forming up about protecting the Internet. But anyway,

that's kind of a similar thing. Built into this is saying, let's have this ongoing public discourse so that we can avoid this if possible. We're gonna see it anyway, because it's impossible to avoid it completely, but at least

they're looking into that. Then you've got the next section, where it says the Secretary, in coordination with sector-specific agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the Program). Here's that voluntary program bit again. Okay, I'll save that until I've finished this last one.

Here's my last point. Within one fifty days of the date of this order, the Secretary shall use a risk based approach to identify critical infrastructure where cybersecurity incident could reasonably result and kind strophic, regional, or national effects on public health or safety, economic security, or national security entities

identified as such can then appeal that. So, in other words, if you are the head of a company and the United States government government starts to look at all the companies that are part of this infrastructure and they identify your company as being one of these incredibly critical Yes, not like it's critical because of the services you provide and the likelihood that you would be a target for

a cyber attack. Um, then they could designate you as such and you would be able to appeal because if you are one of these critical infrastructure entities, you're going to have to jump through a lot more hoops than you would if you were not. So companies actually kind of have an incentive to not be one of these things because then they if they are one, they're going to have to conform to more UH specific policies. Right because they are considered critical elements of the infrastructure. It

takes that sticky voluntary term a little bit out of it. Yeah, it does, because if they say, hey, no, really, really you you are super important and if you go down, then the United States is in a lot of trouble. So you are part of this critical infrastructure, whether you like it or not. So therefore, because of this, we

need you to follow these directions. Uh, and other companies might be like, you know, I'd really like it if I had more of a choice, because then I could choose not to do that, and that would be awesome. So that's why there's that appeal process, and that's where we come to the problem with the voluntary nature of much of this policy. The idea here is that again we don't in the United States in particular, there's there's a stigma against the government and private business. And and

I'm not saying that it's unwarranted. I'm not saying that we should have a socialist country where every single business is owned, at least in part or operated by the government. That that's not what I'm saying at all. What I'm saying is that it does mean that in order to preserve this very important, very American idea of private business, we don't let the government just come in and take over and regulate us or or protect us to a

certain point. I mean, it's sort of our business. Yeah, So there's there's a delicate nature here, and it's again it's one of those things where it's it's a very American approach and it's it's tough to work something like cybersecurity in there and not make it a voluntary program, because if we made it mandatory, the government would essentially be saying, look, we're not telling you how to sell your widgets, but we aren't telling you how to protect

your network. And that gets complicated. Even if it's for the greater good, it's a tough thing. And I mean, I certainly, if I owned a big business, I would be thinking, look, I don't want to have yet another set of policies that I have to keep up with and follow up with and spend my time and money taking care of. Right. I don't want to get certified every couple of years to make sure that I'm following this. Let me do it on my own. It's in my best interest to

make sure that I'm not going to get attacked anyway. Yeah, exactly. That's the business owner perspective, saying, look, I don't want to get attacked, because if I get attacked, it hurts my bottom line. So I have

a market-driven reason to prevent attacks. But on the flip side of that, the United States is saying, look, these attacks are sophisticated, they're coming from multiple points, they are using different methods to attack different systems, and in some cases it may just be that your company isn't a specific target, but it's part of a larger group of targets, and we have to protect the United States citizens.

So there are valid arguments on either side. Now, making it a voluntary program helps both parties, because the government isn't saying, look, you have to follow this set of rules or you can't do business in the United States, and the business can say, well, do we want to be part of this so that we can help protect our business as well as make sure that in our own lives we don't go home and the power goes off? Right, right. And this is actually kind of in

contrast to, interestingly enough, the European Commission, which also just in this past week released a bunch of cybersecurity stuff, and theirs sounds like it might be

a little bit more mandatory. They want to introduce a Computer Emergency Response Team, a.k.a. CERT, to introduce laws compelling companies to disclose attack details to this national authority, and each CERT would be responsible for defending these companies against attack. So, you know, it's in a little bit more of a planning stage, I think, than what Obama's order is outlining. But it is nonetheless, you know,

just a little bit of contrast there. See, I just wonder if the CERTs are a breath mint or a candy mint. That's the first thing I thought. As soon as you said CERT, my brain turned off. These are the deep questions that we ask here on Tech Stuff. Shows you how Jonathan Strickland works, which is that he is distracted by shiny things and puns and mints. And mints. Yeah,

they are intensely flavorful. So yeah, I mean, that voluntary approach is one of the things that some people are saying makes the executive order lack teeth, because without really providing strong incentives, companies have no reason to join this, because in the long run it will be

more work to have to conform to whatever the policy requires. Now, if the incentives are big enough, whether they're, you know, tax breaks or whatever, then maybe companies will end up joining, because they'll think, well, whatever the work is to conform to the policy, it's going to be balanced out by the incentives. So the incentives, although they haven't really been listed out yet, it's possible they could be attractive enough for companies

to join this. But that was one of the big arguments I saw: every single business analyst I saw who said it said, well, the problem is it's voluntary, so it's not gonna work very well. But on the other hand, if it were mandatory, everyone would be freaking out. So it's almost like there's no right approach, right? Unless you're able to provide those amazing incentives, you cannot make it mandatory and not have everyone riot. Yeah,

so, um, also they mentioned that this framework idea is incredibly complex, and part of that is because there are already a lot of security frameworks that government agencies have to abide by. So I could give you a list of acronyms and not be able to tell you what any of them mean, but I'm not going to insult you or myself by doing that.

But there are a lot of security frameworks already, and so this policy would have to work in alignment with those, because we've already got these rules that departments in the government have to follow, and so unless they were to get rid of all that in order to streamline it, this would be yet another set

of rules. So you think about it: if you've ever had more than one boss at a time, and you have different directions coming from both bosses, and you have to figure out how to complete a project that follows all of these rules, and some of them contradict each other. You know, I've had that. Yeah. It wasn't fine. I didn't like that. Just a stressful, frustrating experience. Now expand that out to an entire government department and

you understand why they can get a little antsy at times. Then also there are still some questions about the privacy implications. While the executive order does talk about being careful about privacy, it doesn't lay out any specifics on the approach, and so that always makes people a little nervous. Yeah, until we know the particulars, you can't really be sure that your privacy is going to be protected. Yeah, it's supposed to be, but until I know the specifics,

we can't be sure. And are we going to apply these same security measures to the information that gets sent out as a result of these security measures? Because otherwise it's a definite vicious cycle. And just, you know, again, because there's so little detail here, it's putting a lot of responsibility on these different departments.

It's hard to say how well this approach will work, because honestly, we just have the framework of what it's supposed to do, not how it's supposed to do it. So it's a little too early for us to say whether or not the policy that comes out of this, assuming that one does come out of it, will be a good one or a bad one, because we also have to have Congress weigh in on this. This is an executive order, but if we want laws passed,

that's when you start looking to Congress. And a lot of the issues that have happened in the past few years that have to do with security online also seemed to involve intellectual property, and I think it's pretty ugly. I mean, we have and sis, these were things that were not just about protecting the, well, that's about protecting businesses, but not from cyber attacks

so much as piracy. But you know, that's the kind of stuff that we see happen all the time, because we've got a lot of powerful interest groups that are campaigning very hard with certain members of Congress to put forth legislation that would protect their industries and possibly hurt innocent users of the Internet as a result,

mostly through unintended consequences, not on purpose. Yeah, I mean, but just like the Cyber Intelligence Sharing and Protection Act, or CISPA, you know, failed to make it through the Senate, it was because basically the White House said, in this form we're going to veto it because of privacy issues. Yeah. See, it's not an easy problem to solve at all. I mean, there are a lot of minefields around this problem.

So if it were just as simple as, oh, here's your problem, your firewall for the United States wasn't flipped on, let me just turn the switch, then that would be great. Unfortunately, that's not the case. So yeah, it's gonna

be a tough act to enact. Really, it's gonna be a tough policy to create, because to make it effective and yet not violate our privacy or civil liberties, or put too much of a burden on private business, or not give enough incentive for private business to even get involved with it, it's not an easy thing to do. Certainly not. And it also requires a kind of base level of just people being aware of stuff. I mean, for example, in

the news this week, last week, there was that kind of hilarious thing where the emergency alert system was hacked in Montana, Michigan, California, and New Mexico, I think, and a hacker sent out this zombie apocalypse warning. Oh right, right, I remember that. Yeah, the whole emergency alert, the dead have risen from the grave, that kind of thing, right, right,

I think? I think, yeah, Gawker, someone reported that four people proceeded to freak right the hell out, and they definitely called in. Four people called in concerned, and of course they may have just called in to ask, y'all, did you get hacked? We don't know. We don't know what the nature of the calls was. We just know that four people did actually call in. So whether or not they were truly worried that the dead had risen or they were just wondering what the heck went on,

we don't know. Right. But supposedly, according to the president of the Michigan Association of Broadcasters, they reported that they believed the hackers succeeded because the TV stations had never changed the default passwords that were installed in their hardware. Yeah, password123, guys. It's great. And that kind of thing, I mean, just basic, you know. We really need to just educate everyone about how the internet works, maybe, or

or just make sure that everyone cares enough. We'll let people know that there are default passwords, and they are pretty much standard across all devices from a certain manufacturer. I mean, maybe it's admin for one and password for another, but they are standard across. And once you know what those standards are, that's the first thing you try. And you can find them on the internet. That's, yeah. So you can find them by

buying one. That's all you have to do is go out and buy one of each thing, and they're not that expensive. Like, you buy some routers, they're not that expensive. By buying each one and installing it, you see what the default password is, and then you just add that to your dictionary attack. You know, you make that priority one. So first round of dictionary attack, use the default password. If that works, you're golden; if not, move to step two. So I mean, yeah, it's

not good. And then on top of that, on a related thing, we haven't done an episode about this, but on a kind of related idea about information online and protecting ourselves and making sure we can respond to threats, another report that happened earlier, it was about the FBI essentially asking internet companies for a wiretap

friendly back door into their systems. Now, this included everything from infrastructure to actual corporations, and the FBI said, we want to be able to get in there and check on information when we are looking for things like cyber terrorists or cyber warfare attacks, and perhaps not thinking about the fact that every time you cut a new door in a wall, that door can be used by anybody. Exactly. That's the issue here.

First of all, most of these systems already have back doors, so really it would mean giving the FBI access to them, because you have to have a way for an administrator to get hold of the system so that when something goes wrong, the administrator can fix it. As I learned in the documentary Jurassic Park. Yes, very important, that's a good one. Yeah. Also it shows that when you create a security back door that an administrator can get into, a twelve-year-old girl can hack in because she

knows Unix. Was that Unix? I think it was Unix. All of that out of, I know this, I know, she says, I know this, and then she sits down and types, and then by the third thing she's in, because that's the rule of three in the Internet of Hollywood.

But yeah, the point here is that by introducing vulnerabilities, you have created the opportunity for the bad guys, whoever you want to say are the bad guys, to go and infiltrate a system. So generally, that's considered by most security experts to be what we call a bad thing. Giving more opportunity to people to infiltrate a system is not a great idea. It doesn't help you

be safe. So we've got a lot of focus on this problem, and I'm at least confident that the government is aware that there are experts out there who can help guide this conversation. Whether they listen or not, that, you know, remains to be seen. But I hope that they are careful enough to consider exactly the implications of these policies so that when they're enacting them, when they start to really build them out,

they are doing it with the most accurate information. And I already think they really do have the best of

intentions as far as cybersecurity is concerned. Whether or not you agree, considering, you know, the business side of things, that's different, but at least from the idea that we need to protect ourselves, I think we all agree on that: that the cyber threat is a real threat, and it's a growing threat, and as we rely more and more on these systems, it's just going to become an even more attractive target for someone who wants to really wreak some havoc. So for all

those Doctor Evils out there. I am not one. No, certainly not. I don't own a cat. So anyway, that's kind of the story about where we are right now, as far as the idea of trying to protect ourselves. I know it was vague, but that's because, again, the executive order was necessarily, it's all vague right now,

so, you know, keep checking back. We'll let you know if there are any definite developments. Right, and again, I'll be amazed if everyone is able to meet the deadlines that are laid out in this executive order. It's not that it's impossible; it would just require a pretty remarkable turnaround. So we'll see how it develops. We'll see how this could potentially impact business, individuals, and even our national security. It's an important thing.

And keep in mind, you know, of course, for those of us in the United States, there are lots of other nations that are looking into this as well. Lauren was talking about the European Union looking into ways of protecting the infrastructure in Europe. So this is not localized to the United States; the particular approaches are, but the problem is worldwide. So we're just gonna see lots of different takes on this, and whether or not any of them work better than others, well, we're

left to wait and see. So with that in mind, if you guys have any topics you would like us to tackle in future episodes of Tech Stuff, here's what I would like you to do. I would like you to send us an email. Our address is techstuff at discovery dot com, or let us know on Facebook or Twitter. Our handle on both of those is TechStuffHSW, and Lauren and I will talk to you again really soon. For more on this and thousands of other topics, visit howstuffworks.com.
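The "default password first, then the dictionary" ordering the hosts describe for the emergency alert system hardware, written out as an added example that is not code from the episode. It models both sides of the conversation: the attacker's ordered credential attempts, and the defender's audit of which devices still accept a vendor default. The device, the vendor-default table, the wordlist and the lockout threshold are all constructed for this example; the model names and credentials are made up and do not correspond to real products.

```python
"""Default-credential-first login attempts, and the matching defender audit.

Added example; not code from the podcast. The device, its vendor-default
table, the wordlist and the lockout rule are all constructed so it runs offline.
"""
from dataclasses import dataclass

# Constructed illustration of a per-manufacturer default table. The hosts note
# that defaults are standard across a manufacturer's devices ("admin" for one,
# "password" for another); these models and values are made up.
VENDOR_DEFAULTS = {
    "acme-router": [("admin", "admin"), ("admin", "password")],
    "zeta-encoder": [("root", "12345")],
}

# Constructed generic wordlist used as the second stage of the attack.
DICTIONARY = ["letmein", "qwerty", "password1", "welcome", "changeme"]


@dataclass
class SimulatedDevice:
    """Stand-in for a network device login that locks after too many tries."""
    model: str
    username: str
    password: str
    lockout_after: int = 10   # constructed threshold; real devices vary widely
    attempts: int = 0
    locked: bool = False

    def login(self, user: str, pw: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if self.attempts > self.lockout_after:
            self.locked = True          # further attempts are refused
            return False
        return user == self.username and pw == self.password


def accepts_default(device: SimulatedDevice):
    """Stage one: try only the vendor defaults for this model.
    Returns the (user, password) pair that worked, or None."""
    for user, pw in VENDOR_DEFAULTS.get(device.model, []):
        if device.login(user, pw):
            return (user, pw)
    return None


def guess_credentials(device: SimulatedDevice, user: str = "admin"):
    """Attacker ordering from the episode: defaults are 'priority one',
    the generic dictionary is step two. Returns (stage, user, password),
    or (None, None, None) if nothing worked before the device locked."""
    hit = accepts_default(device)
    if hit:
        return ("default", hit[0], hit[1])
    for pw in DICTIONARY:
        if device.locked:
            break                       # no point burning more attempts
        if device.login(user, pw):
            return ("dictionary", user, pw)
    return (None, None, None)


def audit_for_defaults(devices):
    """Defender's view: models of devices that still accept a vendor default.
    Only stage one is tried, so a clean device costs at most a few attempts."""
    return [d.model for d in devices if accepts_default(d) is not None]


if __name__ == "__main__":
    fleet = [
        SimulatedDevice("acme-router", "admin", "password"),   # never changed
        SimulatedDevice("zeta-encoder", "root", "welcome"),    # changed, weak
        SimulatedDevice("zeta-encoder", "root", "changeme", lockout_after=4),
    ]
    for d in fleet:
        print(d.model, guess_credentials(d, user=d.username))
    print("still on vendor defaults:", audit_for_defaults(
        [SimulatedDevice("acme-router", "admin", "password"),
         SimulatedDevice("zeta-encoder", "root", "welcome")]))
```

The third device shows the edge case the ordering is meant to avoid: a lockout threshold lower than the wordlist length means the generic dictionary can exhaust the attempt budget before reaching the right entry, which is why the cheap, high-probability vendor defaults go first.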

Transcript source: Provided by creator in RSS feed