Here's what I’m reading this week:
- Evidence mounts of more election meddling than expected: A New York Times report from today focuses on a string of technical glitches that plagued key districts during the 2016 elections. The problems seemed especially pronounced in districts like Durham, N.C., and focused around problems with the electronic polling books that were used to verify voters. When electronic polling books went down, voters couldn't get checked in, and the entire process got delayed. It's hard to assess the impact of glitches like this, and it's even harder to assess whether they really were glitches — or were the result of malicious interference. That's the power of the type of subtle manipulation that Russia targeted at our 2016 elections: even when you find evidence of it, it's hard to tell whether you're looking at real evidence or just unrelated noise.
I'm reading: "Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny."
- Some of my best friends are algorithms...: If algorithms are going to decide what loans to advertise, who should get access to special programs, and what stories we want to read, the way they make those decisions is critical. It's long been clear that algorithms can incorporate the conscious or unconscious bias of their developers — and might even absorb bias from the broader society they observe. There's a great piece from the New Republic out this week that dives into how this happens, what it means, and what we can do about it.
I'm reading: "Turns Out Algorithms Are Racist."
- New York State cybersecurity regulations: are they enough, or is more needed?: The New York DFS cybersecurity regulations have already sent ripples of impact through the financial sector. They are by far the most specific and demanding cybersecurity compliance regime of any state regulator, and some commenters see them as an early indicator of a new era of increased regulation from industries, states, and the federal government. But some are already criticizing them as not going far enough. One piece from SC Magazine this week criticizes them as "not robust enough." All of the criticisms leveled at the regs have been targeted at other compliance regimes before, but seeing them here is a good reminder as regulators wade into cybersecurity. Compliance is an important lever to ensure appropriate security investment, but it's also a blunt instrument, and compliance regimes quickly separate from their underlying goals and take on a life of their own. As cybersecurity compliance expands and organizations struggle to strike the right balance, we'll likely only see more of these challenges.
I'm reading: "NY State financial services cyber rules: a first step that falls short."
- Wondering whether to ask a question at a conference?: InfoSec conference goers take note: you could do worse than follow this flowchart's guidance...
I'm reading: "When should you ask questions at a conference?"
- Spies like us: Hollywood seems convinced that cybersecurity experts are either hackers in their parents' basement, or James Bond — sometimes both. But the truth is obviously much more complicated than that. For that matter, the truth is even more complicated than that for real-life James Bonds. For this long holiday weekend, here's a great read on the amateur spies that prepared the way for the Allied Invasion of North Africa at the height of World War II. Back when modern spying was still being created (much as modern cybersecurity is being created today), these individuals were as different from each other as possible, and their story, which paved the way for everything that came after, is a brilliant read. Who among us is paving a similar path for cybersecurity?
I'm reading: "12 Amateur Spies Paved the Way to War Against the Nazis."