darwinrlo
commented
5 years ago Open darwinrlo opened 5 years ago
darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago 
ellislau
commented
5 years ago What do you think is the reason for the insufficient priority? A lack of understanding? The role of money in elections? Something else?
I think data breaches and cybersecurity has only come to national attention in the last few years, in which at least partly it's the Republican Congress that's blocking legislation, so it may or may not be too early to tell if a Democratic-controlled Congress would be able to turn things around. Most bills relating to data privacy and consumer protections were only proposed in the last 2-3 years and have been sponsored by Democrats, but don't seem to even have gotten to committee consideration (based on a casual perusal of https://www.congress.gov).
The biggest one to get media attention and a vote was probably this legislation relating to suing Equifax, split down party lines: https://techcrunch.com/2017/10/24/congress-votes-to-disallow-consumers-from-suing-equifax-and-other-companies-with-arbitration-agreements/
darwinrlo
commented
5 years ago it's the Republican Congress that's blocking legislation
(Please don't interpret this as pushback.)
Can you give specific instances?
ellislau
commented
5 years ago The Equifax link that I included is probably the best example, here's another link describing it: https://www.nytimes.com/2017/10/24/business/senate-vote-wall-street-regulation.html
I would also argue that Republican's blanket attitude towards deregulation prevents a Republican Congress from enacting such consumer protections.
ellislau
commented
5 years ago I'm not sure if it's the relative recency or if legislative proposals are getting de-prioritized in committee, but I don't have many other instances of actual votes. I do think it says a lot that despite Republican control of congress, I can barely find any Republican-sponsored bills for consumer data security. https://www.publicknowledge.org/news-blog/blogs/analyzing-congress-response-to-data-breaches-do-proposed-bills-protect-you https://www.pbs.org/newshour/nation/equifax-breach-congress-unlikely-pass-new-rules-protect-consumer-data
darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago @ellislau
I do think it says a lot that despite Republican control of congress
Can you be more explicit about what it says?
My guess is you mean to imply that Republican congresspeople do not prioritize cybersecurity. That is a valid explanation that should be considered. Another one is that Republicans are loathe to solve things using legislation and prefer instead to lean on the free market to weed out incompetence: Security issues, after all, are a weakness that can be exploited by competitors, whether new or existing.
I would suggest from here that we consider the implications of each explanation -- if this is true, what other things would also be true? -- and strengthen/weaken our belief in each explanation accordingly.
darwinrlo
commented
5 years ago On that note, consider this new entrant into the free market:
ellislau
commented
5 years ago @darwinrlo
I do think it says a lot that despite Republican control of congress
Can you be more explicit about what it says?
1) There are more Republicans in office than Democrats. 2) Republicans have spent time passing bills unrelated to cybersecurity. 3) Pretty much all cybersecurity bills are sponsored by Democrats.
Another one is that Republicans are loathe to solve things using legislation and prefer instead to lean on the free market to weed out incompetence.
This statement assigns values and reasons to Republican (in)action without evidence. Otherwise, you're effectively saying what I said, that Republicans may be prioritizing the absence of regulation above consumer protections, and that they have de-prioritized cybersecurity below their threshold for action. Consider Republican tariffs and support for oil and farm subsidies. The most recent farm bill expanded eligible recipients (https://www.washingtonpost.com/business/2018/12/11/congresss-billion-farm-bill-is-out-heres-whats-it/). We could debate what Republican's care about more than the free market and cybersecurity, but I think it's pretty clear cut that they haven't demonstrated any care for cybersecurity whereas Democrats have.
To return to your original statement that infrastructure security ought to be but currently isn't prioritized by those in power, evidence suggests that it's because of Republican leadership.
darwinrlo
commented
5 years ago This statement assigns values and reasons to Republican (in)action without evidence.
To clarify, my response was not intended to be complete. In fact, my intention was explicitly that the conversation would continue. See:
I would suggest from here that we consider the implications of each explanation -- if this is true, what other things would also be true? -- and strengthen/weaken our belief in each explanation accordingly.
Which in my mind includes, among other things, producing and weighing direct and indirect evidence.
Also, my impression is that it is well-documented and well-known that minimizing the size of the federal government, which includes minimizing the number of regulations, as well as relying upon the free market for most things are fundamental principles of the Republicans. Though, if you feel it is necessary, we can take some time to review the available evidence.
Consider Republican tariffs and support for oil and farm subsidies.
These seem like market-related interventions. I'll have to think through it more, but this may not be the contradiction it may seem like at first.
To return to your original statement that infrastructure security ought to be but currently isn't prioritized by those in power, evidence suggests that it's because of Republican leadership.
I agree that Republicans have not proposed bills and that Democrats have. Pushing bills is not necessarily better than doing nothing. They actually have to improve upon the status quo, something we cannot know they do without actually understanding them. Historically, cybersecurity regulations have improved security minimally while significantly raising the barrier to entry to the market while strengthening the position of incumbents, which decreases competition.
To change the subject, allow me to clarify that my primary interest in this topic is in figuring out what a solution would be, one whose trade-offs we are willing to accept and one that is also likely to be implemented, whether it is a public policy solution, a free market solution, or a combination of the two. If you would be willing, I would like to shift our conversation in this direction.
ellislau
commented
5 years ago I think you might be misreading my point, since I wrote at the beginning that
I would also argue that Republican's blanket attitude towards deregulation prevents a Republican Congress from enacting such consumer protections.
I disagree that minimal government is a fundamental principle of the Republicans. Tariffs, subsidies, health care coverage for preexisting conditions, defense spending, drug use criminalization, etc, are all things with Republican support. They are still deciding which items to regulate and which items have priority, and cybersecurity doesn't appear to meet the bar. Trivially, since Republicans aren't libertarians or anarchists, they do not support an actual minimum government. Small government is meaningless in this context - everyone across the political spectrum just wants a particular size for particular priorities. The idea of minimal government is at best simply a modifier on priority.
I think that no alternative explanations to "Republican congresspeople do not prioritize cybersecurity" have actually been presented in this discussion. Prioritizing a free market over cybersecurity, or leaving cybersecurity problems to be handled by free market competition, if that's what Republicans are doing, is the same as not prioritizing cybersecurity. If Republicans perceive that the problem is not big enough to require intervention, given our discussion's premise that we ought to spend more time on cybersecurity, that's the same as not prioritizing cybersecurity.
ellislau
commented
5 years ago my primary interest in this topic is in figuring out what a solution would be, one whose trade-offs we are willing to accept and one that is also likely to be implemented, whether it is a public policy solution, a free market solution, or a combination of the two.
Sure. I had found this comparison of different legislative proposals, it's probably a good place to start: https://www.publicknowledge.org/news-blog/blogs/analyzing-congress-response-to-data-breaches-do-proposed-bills-protect-you Data breach notification and liability and requirements to implement security programs are mentioned among other things.
darwinrlo
commented
5 years ago Since I think it is important for future discussion, let me clarify some things about the Republican viewpoint before we move on.
I disagree that minimal government is a fundamental principle of the Republicans.
"Minimal federal government" is not the same as "minimal government." I actually think I was using the wrong word; "limited" is the more commonly used word and I believe it is more accurate.
Republicans prefer a limited federal government and possibly powerful state governments. See Romneycare. In Republican's minds, it is the governor who has greatest insight into her population and who is best suited to govern it.
For your convenience, here is the original quote so that you can confirm the presence of the word "federal":
Also, my impression is that it is well-documented and well-known that minimizing the size of the federal government... as well as relying upon the free market for most things are fundamental principles of the Republicans.
defense spending
On this example, there is no inconsistency. Defense is one of the limited roles for the federal government envisioned by Republicans. Limited (or minimal) federal government does not mean no federal government. A strong national defense, in fact, is needed so that states can focus on governing their populations, and Republicans are generally happy to allow the federal government to provide it.
health care coverage for preexisting conditions
I am skeptical of this example. I think we may have to drill down into this.
Tariffs
As before, a limited federal government is markedly different from no government. Tariffs deal with other nations, and therefore, it makes sense for the federal government, which represents the interests of the country as a whole, to handle them as one of its limited roles.
This is also about promoting the free market, one of the prized tools in the Republican tool belt, as it relates to American citizens. There is a notion of "economic nationalism": Tariffs on imports promote home-grown companies, which may not be able to compete with companies from countries with significantly cheaper labor costs.
subsidies... drug use criminalization, etc, are all things with Republican support.
This leaves two things. I will have to drill into these, but I agree that there may be hypocrisy and that, on some issues, Republicans may be driven by emotion as opposed to reason. We can never be reminded enough that each individual viewpoint has blindspots.
I think that no alternative explanations to "Republican congresspeople do not prioritize cybersecurity" have actually been presented in this discussion.
I agree that Republican congresspeople do not prioritize cybersecurity, which is part of the original premise of the post, and acknowledge that there are efforts on the Democratic side, which would indicate they have made it a priority.
I am of course aware of some of these efforts already, and I think what I had in mind but did not articulate was I am not seeing anything anywhere near close to satisfactory. It is clear to me that many people beyond the senators who are working on this problem, who do not have the background that people like you and I have, are needed to guide the nation toward a viable solution.
darwinrlo
commented
5 years ago Data breach notification
I think this is great.
and liability and requirements to implement security programs are mentioned among other things.
I am skeptical of the federal government getting into the actual practice of security. This is beyond their core competency, and while nominal mitigations may improve the situation, I suspect it would not be enough and would come at too great a cost.
I will drop additional thoughts on this topic at a later time.
ellislau
commented
5 years ago The presence of the word "federal" was beside my point. "Minimal", "limited", and "fundamental principle" are meaningless in this context of measuring priorities because these words abstract away from the fact that there is still some threshold at which point Republicans will take legislative action, some set of priorities that Republicans weigh legislation against. As another example, Republican leaders never say they want to repeal Social Security or Medicare, only reform it, which is conceding that some form of it is necessary and desired by their constituents. Consider that half the Republican house originally voted for Medicare https://www.ssa.gov/history/tally65.html.
Republicans prefer a limited federal government and possibly powerful state governments... In Republican's minds, it is the governor who has greatest insight into her population and who is best suited to govern it.
This is again just a preference that's regularly weighed against competing priorities. I found this article https://scholars.org/brief/how-congressional-lawmakers-both-parties-preempt-state-power-achieve-partisan-policy-goals/, https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/23/both-democrats-and-republicans-care-about-states-rights-when-it-suits-them/ that argues that both parties similarly preempt states' rights, with Democrats tending to enact "floors" and Republicans tending to enact "ceilings", but sometimes the other way around (unfortunately the research paper is behind a paywall). For example, in 2001 Republicans passed a electric bicycle amendment with this clause: "This section shall supersede any State law or requirement with respect to low-speed electric bicycles to the extent that such State law or requirement is more stringent than the Federal law or requirements." Republicans also attempted to preempt various states' more stringent emissions laws.
defense spending
On this example, there is no inconsistency. Defense is one of the limited roles for the federal government envisioned by Republicans...A strong national defense, in fact, is needed so that states can focus on governing their populations.
Now this is getting more specific, which is good. I'm advocating that, in the context of trying to generate explanations for why Republicans have been inactive on cybersecurity, it's not useful to say "Republicans believe in limited federal government", which is subjective, or "Republicans believe the free market will take care of the problem", which to me just rephrases the question to how Republicans decide which problems to intervene in versus letting the free market solve. Instead, "measurable explanations" that directly relate costs or priorities would be more useful. For example, "Republicans don't believe that cybersecurity issues are big enough to affect states' ability to govern," or "Republicans don't believe that cybersecurity is a national defense issue."
I'd like to suggest limiting appeals to individual Democratic or Republican principles, since doing so doesn't account for how strong some principle is practice, how one principle measures up against other principles, how a principle gets de-prioritized for political compromises and corruption, and how the principle changes over time. If possible, it'd be better to reference statistics.
ellislau
commented
5 years ago and liability and requirements to implement security programs are mentioned among other things.
I am skeptical of the federal government getting into the actual practice of security. This is beyond their core competency, and while nominal mitigations may improve the situation, I suspect it would not be enough and would come at too great a cost.
I agree. I think it's at least possible to implement tech-literate requirements. It doesn't help that tech moves so fast and that there are so few tech experts in politics. But I'd also still be skeptical of the cost-benefit. At least for private sector cybersecurity (as opposed to say election security), I don't think the US population knows what it wants or fully understands what their information is worth, and from that perspective any legislation may be premature.
darwinrlo
commented
5 years ago Haha, this conversation is starting to explode in a lot of different directions again. It's all very important and all ground we need to cover eventually, but as we've discussed before, we need to figure out some way of prioritizing what we choose to drill into it at any given moment. Let me pause a bit at this juncture and see if I can propose a solution.
darwinrlo
commented
5 years ago Let me pause a bit at this juncture and see if I can propose a solution.
I started another issue for this and will be dumping my thoughts in there. Feel free to do the same.
(The good thing about using GitHub is that there's an API. At some point, I see us building a graph from the issues.)
The presence of the word "federal" was beside my point.
I understood your point and I agree with it. To clarify, I was not addressing that point; I was pointing out an error in your understanding of a point I was making. Not to imply that your response was wrong though: It served as a reminder to me that I do need to address someone's main point prior to addressing other points.
To take a step back, I have come around to appreciating the turn that this conversation is taking because I think it's hitting on concerns that cross-cut substantially all issues. I propose we keep this thread the way it is and I'll start a different one for actual cybersecurity/data-privacy policies and interventions.
darwinrlo
commented
5 years ago From the WaPo article:
The parties enact different types of preemptions. Republicans are more likely to impose what are known as “ceiling preemptions.” These laws cap the amount of regulation states can enact on a particular issue. For example, a ceiling preemption might prohibit states from setting new or more stringent emissions standards for a particular industry.
"Ceiling preemptions" is one possible explanation (theory) for their behavior that is suggested by the data. But I don't think it's the likeliest one. To take the one example they gave, which is presumably the strongest one, it would be within the purview of the federal government, as envisioned by Republicans, if the regulation in question had to do with interstate trade or commerce, or trade or commerce with other nations. See the Commerce Clause, which is part of Article 1, Section 8, of the Constitution and consists of the Foreign Commerce Clause and the Interstate Commerce Clause. For your convenience, here is the pertinent text:
The Congress shall have Power... To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes
So, from my perspective, this can be explained by what the Republicans themselves would say. Although the "ceiling preemptions" model would seem to have high accuracy, my guess would be that, if we looked at the data itself from the "purview of federal government is that which is granted by the Constitution" model, we would get something that is not only higher-accuracy but also much more predictive.
Given direct observations O[0], O[1], ..., we must be careful not to accept explanation X just because P(O[0], O[1], ... | X) is high. There might be another explanation Y for which P(O[0], O[1], ... | Y) is also high or perhaps even greater, and we should not forget that our models (explanations) need to make accurate predictions as well. See Richard Feynman:
When you have put a lot of ideas together to make an elaborate theory, you want to make sure, when explaining what it fits, that those things it fits are not just the things that gave you the idea for the theory; but that the finished theory makes something else come out right, in addition.
darwinrlo
commented
5 years ago I think we can use the model you have proposed as a starting point and make it expressive enough to handle other phenomena, e.g.
For example, the model we eventually use has to accommodate examples (data points) such as this, which is a Republican effort to work on cybersecurity: https://www.whitehouse.gov/articles/president-trump-unveils-americas-first-cybersecurity-strategy-15-years/
The National Cyber Strategy identifies decisive priority actions to protect the American people. This strategy makes clear that the Federal Government will never stop defending our interests, and that we will bring every element of American power to bear to protect our people in the digital domain.
It may not be that Congress is the most important branch of government as it pertains to cybersecurity. It seems more likely to me that several branches of government are important, with the Department of Defense being the most important, and that healthy participation from the private sector is needed.
It may also be the case -- and I think we can gather the data to "prove" or "disprove" it -- that Democratic congresspeople simply propose a bill for most things that appear in the news, whereas Republicans are slower to propose bills.
ellislau
commented
5 years ago I'm not 100% sure what it is, but I have difficulties with your communication style.
The presence of the word "federal" was beside my point.
I understood your point and I agree with it. To clarify, I was not addressing that point; I was pointing out an error in your understanding of a point I was making.
If you're pointing out errors in phrasing that was beside my point, and also never acknowledging the actual point, then I have to assume that you don't understand my point.
My biggest point was the following:
In the context of trying to generate explanations for why Republicans have been inactive on cybersecurity, it's not useful to say "Republicans believe in limited federal government", which is subjective, or "Republicans believe the free market will take care of the problem", which to me just rephrases the question to how Republicans decide which problems to intervene in versus letting the free market solve.
Maybe that point isn't important to you, but acknowledgement of the point is what I was looking for, and not acknowledging it was what caused me to keep diving deeper into it.
We're constantly talking past each other. Take this statement you make and repeat in different forms:
I would suggest from here that we consider the implications of each explanation -- if this is true, what other things would also be true? -- and strengthen/weaken our belief in each explanation accordingly.
Given direct observations O[0], O[1], ..., we must be carefully not to accept explanation X just because P(O[0], O[1], ... | X) is high. There might be another explanation Y for which P(O[0], O[1], ... | Y) is also high or perhaps even greater, and we should not forget that our models (explanations) need to make accurate predictions as well.
It's like your admonishing something about my communication style but I have no idea what. And I should know you're not doing that, but then I have no idea why you add it to the discussion. The trivially true point that any explanation could still be false doesn't seem to contribute to the discussion, unless you're specifically trying to reign in the discussion by saying that we're getting ahead of ourselves. Technically, I've barely asserted the truth value of any explanation here, beyond "Republicans don't prioritize cybersecurity", which really is more of an observation than an explanation. I'm not asserting the truth value of the "ceiling preemption" explanation, I'm just pointing out what I believe are poor explanations ("Republicans believe in limited federal government", "Republicans believe the free market will take care of the problem") that gloss over the cost-benefit analysis that must be happening.
ellislau
commented
5 years ago To be fair, I also want to know what about my communication or discussion style you think could be improved.
darwinrlo
commented
5 years ago Ah, thank you for that. These are important things to talk about.
There's a lot to respond to there and I'm not sure which one to take on first. I do think one of the areas we could improve upon -- and I think you've pointed this out too in the past -- is the number of points we make during each turn. I actually had some ideas this morning, which I hope to flesh out in the pertinent issue.
Perhaps I should solicit your input. Are you able to choose a single point you'd like me to address first?
ellislau
commented
5 years ago For what it's worth, it wasn't my intention to bring up new points, just that each time I felt like my original point wasn't successfully communicated, I felt compelled to try new ways to express my original point with new accompanying examples. Secondly, I might have multiple responses to a single point/paragraph, which can cause the number of points to multiply.
From my perspective, it all started with this part of the thread:
My guess is you mean to imply that Republican congresspeople do not prioritize cybersecurity. That is a valid explanation that should be considered. Another one is that Republicans are loathe to solve things using legislation and prefer instead to lean on the free market to weed out incompetence: Security issues, after all, are a weakness that can be exploited by competitors, whether new or existing. I would suggest from here that we consider the implications of each explanation -- if this is true, what other things would also be true? -- and strengthen/weaken our belief in each explanation accordingly.
And I know you've expressed agreement with the statement "Republican congresspeople aren't prioritizing cybersecurity," but at that point in the thread, turns out I had 3 separate responses I wanted to make.
Maybe I can distill it down to this: I don't think generalizations, i.e Republicans are "generally" loathe to solve things using legislation, move the discussion forward (generalizations may also spawn off additional points that we're not as interested in discussing). I don't know if you have a preference for how we approach discussion, but I'd prefer to be evidence-centric with something like, "My confidence in X is low, do you have more evidence for X", or "I have evidence against X", or "I have evidence for alternative Y." It's also possible to continue without specific evidence if both of us agree, e.g. "Data breach notifications are good."
darwinrlo
commented
5 years ago I'm going to slow this down quite a lot here. We are clearly not in sync. This is actually not a bad thing -- I think, once we have reconciled our viewpoints, we will be rewarded all the more.
I don't think generalizations, i.e Republicans are "generally" loathe to solve things using legislation, move the discussion forward (generalizations may also spawn off additional points that we're not as interested in discussing).
I think it's important to understand the stated principles of a group. While we might iterate on our model of a group's behavior, we can use their stated principles as the initial model.
When we go out to gather data or we are presented with data, even if no model is given, a model is implied. Usually, if no model is given, the implied model is the naive model, which leads to misleading results.
On a side note, once we are ready to return to the topic of whether those in power prioritize cybersecurity, I think I can articulate my viewpoint a bit better. If you are happy with my response or would like to return to that topic, I would be game. In particular, I would address the following head-on:
I think that no alternative explanations to "Republican congresspeople do not prioritize cybersecurity" have actually been presented in this discussion.
darwinrlo
commented
5 years ago I don't know if you have a preference for how we approach discussion, but I'd prefer to be evidence-centric with something like, "My confidence in X is low, do you have more evidence for X", or "I have evidence against X", or "I have evidence for alternative Y."
I wanted to keep my response limited, but I just wanted to say that I think this is a terrific format. And I think we should use it explicitly. I think it is complementary to what I have been proposing, which is strengthening or weakening our beliefs as we consider evidence.
darwinrlo
commented
5 years ago To be fair, I also want to know what about my communication or discussion style you think could be improved.
Here's one thing that can be improved upon.
If you're pointing out errors in phrasing that was beside my point, and also never acknowledging the actual point, then I have to assume that you don't understand my point.
It seems to me like there is blaming going on here. IMO, it is OK that you assumed I didn't understand your point. And it's also OK for me to make a subsequent clarification. Misunderstandings are inevitable; we do not have to make a big deal out of them. We just have to identify when they occur, make a clarification, and move on. Over time, as we understand each other better, I assume their frequency will decrease -- though I have to imagine they will never be eliminated.
And if there was a point you wanted me to address, you can just say, "I was specifically interested in getting your response on point X. Would you mind giving one?" This is a skill I've specifically developed and practiced, and I think we should be able to whip it out without a second thought if it is necessary.
Overall, I want to get away from "human" dynamics... the implicit things that are typically perceived, such as blaming and whatnot. They add friction to forward movement, and in many cases, they actually make forward movement impossible. There is a place for them -- after we've figured things out and need to convey them to other people.
To give a different -- and accurate -- explanation for my failure to acknowledge what you thought was your main point, I was simply going through your post in the order you chose to present your points. And I didn't want to move on to a point without finishing up the previous points.
ellislau
commented
5 years ago I agree it's important to understand the stated principles of a group, but I disagree that this principle ("Another one is that Republicans are loathe to solve things using legislation and prefer instead to lean on the free market to weed out incompetence") should be applied here, because:
With these reasons in mind, I had quickly discounted the principle as any sort of explanation since it didn't clarify anything for me, but I could have better explained this line of thought, and I could have kept its explanatory value more open for debate and clarification.
if there was a point you wanted me to address, you can just say, "I was specifically interested in getting your response on point X. Would you mind giving one?"
Thank you for this suggestion, I will work on doing this.
darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago @ellislau Sorry for the delay, Ellis. It has been on my todo list for a while to respond to this.
but I could have better explained this line of thought, and I could have kept its explanatory value more open for debate and clarificatio
We both did the best we could, mistakes and all, and there's only up from here as long as we continue to work on it.
I'm skeptical of the consistency which with this particular principle is applied
I think to call it a principle is a misnomer. It's really a rule of thumb.
prefer instead to lean on the free market to weed out incompetence
A rule of thumb or a preference. We don't always go with our preference. Our preferred mate may not return our feelings. Or our preferred mate may have negative qualities that would decrease the likelihood of an enduring relationship. We may not go with our favorite, vanilla ice cream, because there's a sale on chocolate.
darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago darwinrlo
commented
5 years ago
It seems to me that we ought to be spending a lot more time ensuring that our infrastructure is secure. This does not seem to be prioritized by anyone in power.