Technology issues represent an enormous threat to our nation. From an open Internet to the protection of our infrastructure from foreign attack, technology has a huge impact on our economy and on both individual and national security.
My background in Information Security and Project Management gives me a direct understanding of many of these issues, both their scope and depth and potential approaches to protect Marylanders and our nation from internal and external threats enabled by technology without crippling our ability to use technology to its fullest potential.
The Internet provides great opportunities for new ventures, giving services ranging from online movie and music streaming to real-world food delivery and car rental instant reach to consumers all over the nation. The current administration has threatened this important resource by its repeal of the 2015 Net Neutrality rules.
Without these rules, businesses face uncertainty about the costs and quality of service involved in reaching each user, as these may differ between ISPs even in the same area, requiring complex business negotiations. The certainty of an open highway with fair access to all allows Spotify to assume all high-speed Internet users are potential customers, allows Domino's to assume anyone in the cities they serve can order a pizza, and allows Eat24 and Delivery.com to assume both hungry users and the local businesses can connect up through their online services with a predictable experience and cost.
We must guarantee an open Internet with a policy of Net Neutrality, or else consumers will receive a false choice between carriers capable but unwilling to support new ventures and carriers willing but incapable of doing so, while new types of businesses will suffer the fragmentation of access to their customer base. Without Net Neutrality, high barriers to entry lock small businesses out of competitive markets.
Fortunately, many areas of Net Neutrality have strong bipartisan support. Republicans introduced a bill prohibiting the selective blocking or throttling of Web sites immediately after the repeal of FCC rules. Such policy must include strong language to prevent any form of degradation to any traffic, not just Web sites.
Other provisions are more-contentious. Republicans favor allowing paid prioritization—so-called "fast lanes"—while Democrats do not. Republicans also favor regulating ISPs lightly, which would strip the FCC of the authority to enforce regulations similar to the 2015 rules; Democrats prefer classifying them as common-carrier telecoms so the FCC can instate stronger rules without new legislation.
The Republican proposal also prohibits states from passing their own, more-strict Net Neutrality rules—which, in all honesty, would just be a symptom of weak Federal regulation. The Republicans don't intend such a prohibition as a vehicle to drive a stronger push for better Federal policy, however; they intend it as way to block stronger regulation at all levels, favoring large ISPs over consumers and small businesses.
Even within the context of disallowing paid prioritization, there's the question of acceleration by colocation, as with Netflix locating caching servers within Comcast's network to ensure a high quality-of-service at all times—which is different than simply giving Netflix a "fast lane", and yet still provides a method by which Netflix, Spotify, or Hulu could buy a more-advantageous position for themselves.
Some ISPs have done innovative things with prioritization, and could improve service in particular contexts. Comcast accelerates large downloads above the speed of basic service. T-Mobile's Binge-On feature allows users, at their discretion, to receive streaming video at reduced quality without impacting their high-speed data cap. With packet ordering, ISPs could reduce stuttering in VoIP and media streaming without altering bandwidth usage.
Some have also done contentious things—notably, T-Mobile's aforementioned opt-out video streaming feature, and their Music Freedom feature which exempts streaming music from data caps. T-Mobile lets any streaming service join Music Freedom and doesn't charge providers for the privilege, while AT&T gives you free streaming if the content provider pays. The latter clearly puts services without deep pockets at a competitive disadvantage, while the T-Mobile service lends itself to more debate.
From observing these examples, I suggest a basic starting point, a minimum of protections from which we must not give ground:
- Basic fairness:
- Raised bandwidth caps, packet order prioritization (QoS), and billing exemptions—including data cap exemptions—are all forms of prioritization.
- Any form of prioritization:
- must be non-discriminatory. For example: enhanced VoIP and media streaming stability must apply to all such traffic or all such detectable traffic.
- must not increase one user above their basic level-of-service at the expense of degrading the service of any other user.
- must not increase access to one service at the expense of degrading access to another service—including degrading the entire network for other traffic when the prioritized service experiences heavy use.
- Prioritization of specific content:
- Any prioritization which alters content—such as T-Mobile's Binge-On—must allow the user to opt-out without further penalty.
- Any prioritization of specific types of content:
- must be included in all end-user service levels, and not an add-on package or a feature of higher-tier service.
- must be free-of-charge to the content supplier. Integration requirements are okay: T-Mobile Music Freedom, for example, may require services such as Spotify to integrate with a caching service at T-Mobile, so as to lower the network usage costs to T-Mobile without imposing new usage charges onto Spotify et al.
- must be open to all suppliers of that type of content, on request.
- must be technically-capable of supporting the needs of any provider of said content. For example: a service to cache streaming media within an ISPs network must be capable of reporting detailed usage statistics to the content provider, allowing them to carry out business in the same manner regardless of whether the media streams from them or from the ISPs cache.
These proscriptions prevent paid fast-lanes, both paid for by content providers—Netflix, Spotify, Google—and by users of special packages. They also prevent discriminatory fast-lanes: any content-specific service enhancements must apply or be available to any content provider free-of-charge. In this way, ISPs may engage in consumer-driven competition only by supporting entire markets, and not by special treatment of individual content providers. In other words: they can make their service better for all streaming video or no streaming video, but they can't make it better for YouTube and Netflix while denying Hulu and Crunchyroll participation at no cost.
Identity theft is a concern to everyone, especially after the enormous breach at Equifax. I myself have had credit card cloned and used by someone right here in Baltimore, rather than hundreds of miles away, indicating local card skimming. Consumers lost more than $16 billion to identity theft in 2016 alone.
As a specialist in information security, I don’t believe in perfect security. Equifax has been around since 1899 and only suffered a significant breach in 2017. Every system has a weakness; we can narrow the weakness greatly.
A Regulatory Approach
Congress must pass legislation charging our regulatory agencies with selecting the most current, effective, consumer-ready technology standards for identity protection. Technology changes too rapidly to mandate specifics in law; instead, we should require the Consumer Financial Protection Bureau (CFPB) to adherence to the latest cryptographic standards as published by the National Institute of Standards and Technology (NIST).
A Technical Solution
Today, I recommend the CFPB require consumer Credit Rating Agencies (CRAs)—Equifax, Experian, and TransUnion—to fully-support, at no cost to the consumer, FIDO authentication as a requirement for a hard credit check and creation of a new loan account.
FIDO U2F is an open-standard, non-shared-secret, challenge-response authentication protocol. This authentication uses a $20 hardware device called a "Security Key" to verify identity. Each device can store identities for over 1,000 accounts, and selects the correct key based on the challenge. FIDO security keys can interact with phones and computers over USB, Bluetooth, and NFC, and are used by Google and Facebook to allow secure log-ins.
This kind of authentication does not use a shared secret—such as a password, date of birth, or Social Security Number. Instead, it generates two encryption keys. One key, called the "Private Key", is kept secret on the FIDO device; the other, called the "Public Key", is shared. Something encrypted with one key can only be decrypted by the other key.
To authenticate, a CRA such as Equifax sends a challenge—a description of what it wants to authenticate—to the entity opening a new credit account. The FIDO device signals the user for physical confirmation—a button on the device—and, once confirmed, encrypts the challenge with the Private Key, sending the result as a response. The CRA then decrypts the response and verifies that it matches the challenge.
Because the CRA does not possess the private key, a hacker cannot use any information stolen from the CRA to prove their identity. Only the private key allows successful opening of a loan.
Today, an identity thief can open a loan by going to a banking Web site and entering your address and Social Security Number, never showing his own face. Challenge-based authentication prevents this, and moves the problem up one level.
Identification credentials are easier to verify in the real world. Driver's IDs, passports, and other forms of photo ID are harder and riskier to forge, and easier to verify. Strong challenge identification cannot verify who you are, but rather that we have verified who you are at some point in the past.
To pair your FIDO device to your identity at the CRAs, you would go to a bank, show your photo ID, and then plug your security key into a port at the teller. That's it. Now you need that device to open a new loan account; your existing accounts have no such requirement. If you lose it, weak verification such as over the phone can prevent the opening of any new accounts until you again physically present yourself at a bank.
The IRS, the Social Security Administration, and other Government agencies can all use this same pattern, and even use the same device. By federating with each other, the local Social Security office could even allow you to set or clear your keys with the IRS and other Government branches. In the event of a lost key, call your bank and your local Social Security office to cancel all trusts.
This isn’t simply the kind of security Americans deserve; this is the security Americans need. It is the correct way to handle financial identity theft. It’s not a privilege or a right, but a moral imperative. Identity theft is, in the largest sense, not simply a problem of today’s challenges, but a result of our negligence in demanding protections which have been available for decades, and which were rendered cheap and simple in 2013. It is a problem which only exists today by our failure to act in the interests of the American people.