Innovation Files has moved! For ITIF's quick takes, quips, and commentary on the latest in tech policy, go to


With PrivacyCon, FTC Packs the Stage with “Yes People”

The Federal Trade Commission (FTC) hosted the first annual PrivacyCon in January 2016, an event designed to highlight the latest research and trends for consumer privacy and data security. The FTC’s stated goal was to bring together “whitehat researchers, academics, industry representatives, consumer advocates, and government regulators” for a lively discussion of the most recent privacy and security research. Unfortunately, not only did the event not reflect the diversity of perspectives on these issues, but the whole event seemed to be orchestrated to reinforce the FTC’s current regulatory strategy.

First, the “data security” side of this discussion was almost non-existent in the agenda. Of the 19 presentations, only 3 were about security. Given that the FTC has been flexing its regulatory muscle on corporate cybersecurity practices, this was a missed opportunity to delve into important cybersecurity research that could inform future oversight and investigations.

Second, the FTC mostly selected papers that jibed with its current enforcement agenda. As Roslyn Layton, a visiting fellow at the American Enterprise Institute, noted recently, of over 80 submissions that the FTC received for PrivacyCon, it selected 19 participants to give presentations with

Read the rest

FedTalks 2013: Highlights and Observations

The FedTalks 2013 conference, held June 12 in Washington, brought together a motley crew of government officials, tech company executives, military contractors and civic IT experts to discuss “how technology and people can change government and our communities.” The speakers, ranging from Senator Mark Warner (D-VA) to famed impostor Frank Abagnale (more on him below) came from similarly broad backgrounds. Here is a quick rundown on some highlights and observations from the conference:

FedTalks, Innovators Listen, a federally-supported platform for civic innovation competitions, came up several times, including in U.S. CIO Steve VanRoekel’s keynote address on increasing government efficiency. The site—itself a public-private partnership with technology competition company ChallengePost—encapsulates a theme that pervaded FedTalks 2013 and that’s particularly relevant in the data science sector: as long as government agencies lack the expertise to design and implement data collection mechanisms and disciplined analytics themselves, they will need to get help from external sources. Acting GSA Administrator Dan Tangherlini made the excellent point that in addition to the value created by the winning entries on and similar platforms, other contestants often generate economic value that dwarfs the prize money being

Read the rest

Library of Congress reading room

We Need More than a “Good Samaritan” Law for Cybersecurity Information Sharing

With the Senate planning to vote on cybersecurity legislation in early June, opponents of the legislation are stepping up their opposition. During the Memorial Day recess a coalition of groups plan to pressure members of Congress to oppose the two Senate cybersecurity bills: S. 2105, the Cybersecurity Act and S. 2151, the Secure IT Act.  These groups assert that the information-sharing measures included in the bills will violate individual privacy rights. While much of the debate about information sharing has focused on the privacy aspects, some have basically argued that information sharing has little to no value for improving cybersecurity. For example, Jim Harper at Cato Institute has complained about “the fetishization of information sharing on Capitol Hill.” In his view, the government should have a minimal role, if any, in promoting information sharing for cybersecurity purposes. Instead we should “let competitive pressure drive cybersecurity, rather than collective, government-run cybersecurity information sharing programs.”

While I agree that information sharing is not the only, nor even close to the most important, aspect of improving cybersecurity, it is still highly relevant. For example, although the number of zero-day attacks was down in

Read the rest

A "Wordle" of NIST

Improved Metrics Should be Primary Goal of FISMA Reform

Cybersecurity policy generally focuses on one of three areas: 1) federal agencies, 2) critical infrastructure (which sometimes overlaps with #1), or 3) “everything else.” While much of the debate about cybersecurity legislation in Congress has been about the latter two, reforming the security policies and practices of federal agency is important as well. The Federal Information Security Management Act (FISMA) is the primary policy that specifies the security requirements for information systems managed by federal agencies. This year will mark the 10-year anniversary of FISMA which was signed into law as part of the E-Government Act of 2002. As we approach this milestone, it seems clear that agencies are better off today than they were 10 years ago, but more progress is needed. In particular, FISMA should be improved so that agencies report on security performance, not just security compliance. The purpose of FISMA was to institutionalize the information security programs that agencies had begun to develop as part of the Government Information Security Reform Act (GISRA). Under GISRA (and later FISMA) agencies were required to develop a comprehensive security plan for their IT systems. This included creating a risk-based,

Read the rest

Whack-A-Mole Security: Bad Policy, Bad Legislation

The recent disclosure of a confidential Congressional document has at least one congressman calling for a ban on peer-to-peer (P2P) file sharing software, but a closer look at the problem reveals that this effort would merely be treating the symptoms, not the disease.

First some background. Last month the Washington Post revealed that more than thirty members of Congress and staffers were under investigation for possible ethics violations, including for “accepting contributions or other items of value… in exchange for an official act.” While this revelation was shocking, perhaps even more shocking was the means by which this information was leaked — the information was downloaded from the Internet. As detailed by the Washington Post and the Committee on Standards of Official Conduct in the U.S. House of Representatives, a low-level committee staffer had saved a copy of a confidential House ethics committee report on her personal computer while working from home. Unfortunately, the staffer was also running a peer-to-peer file sharing program and inadvertently saved the file in a folder that was shared with other users. By saving the file in a shared folder, the staffer made the document available to all other

Read the rest

Thoughts on 4th of July Cyber Attacks

While most Americans were watching fireworks on July 4, hackers launched what would turn in to a multi-day denial-of-service attack against U.S. websites. The Associated Press reported that the cyber attack knocked out the websites of several government agencies including the U.S. Treasury, Secret Service, Transportation Department and the Federal Trade Commission. In addition, the attackers targeted the websites of the White House and the Pentagon but neither was severely disrupted.

The attack later expanded to a number of other websites including the New York Stock Exchange, NASDAQ and the Washington Post. South Korean websites were also added to the list with many of the targets experiencing outages during the same time period. South Korean intelligence officials believe that North Korea initiated the attacks and today U.S. officials confirmed that the IP addresses of many of the attacks originated from North Korea. Officials have cautioned, however, that there is no evidence that the Pyongyang government was involved.

Recent troubles with the forthcoming system designed to protect the U.S. government’s networks, Einstein 3, indicate that relief is probably not on the way. As the Wall Street Journal reports, the next version

Read the rest

Cybersecurity Challenge Calls for Multilevel Plan

On Friday, May 29, the Obama administration announced the results of the 60-day review on cybersecurity conducted by Melissa Hathaway and laid out new priorities for cybersecurity.

Overall, the report delivers a solid overview of the current challenges and presents next steps for grappling with them. Key portions of this strategy include creating a “Cyber Czar” to oversee national cybersecurity initiatives; public-private partnerships to better share data and resources; efforts to create and retain a skilled cybersecurity work force; and plans to increase public awareness of cybersecurity threats and challenges.

The report’s near-term action plan also includes updating the national strategy to secure cyberspace; developing a framework for additional research and development of security technology; and preparing a cybersecurity incident response plan.

The fact that the Obama administration is making this a priority speaks volumes about the growing need to secure our critical infrastructure. With two wars, a growing nuclear threat from North Korea, and a still-struggling economy, the President already has more than enough to keep him busy. But many important policy objectives of this administration rely on digital infrastructure — from modernizing the healthcare system with electronic medical

Read the rest