That's why it's understandable that the members of the Solarium have embarked on a marketing tour, doing podcast after podcast and panel after panel to sell not just the ideas in their paper, but the idea that these things have a hope of getting implemented. It may even be true! To that end, it's good to look at many of the ideas with a critical eye, and in depth.
Some things immediately stand out:
- Six paragraphs of absolute cowardice on the End-2-End encryption issue
- The document portends a heavy lift and massive investment in CISA, which is under DHS
- So so so much about norms - which in certain circles is like going to a scientific convention and talking about astrology
- The section on adding liability to software vendors (4.2) is a difficult task, to say the least.
Each of these items requires a massive paper to analyze. The lack of a stance on E2E encryption, alongside the standard polemic on public-private partnership that runs throughout the document, evidences that the Commission was not of the view that the overall technical community needed to be wooed - that you can on one hand go to war with the community on major issues key to their worldview, and on the other hand recruit, retain, and partner with them. This is not how the world works. They missed a once-in-a-decade opportunity.
For CISA - which is under DHS - there are two major issues:
- Can CISA handle the lift? Can they scale up and do all the things recommended in the report? Being able to hire and manage that many contractors alone is difficult. We have to assume everything this document asks is going to be done under someone other than Chris Krebs...
- Will industry ignore that they sit next to the EXTREMELY UNPOPULAR immigration arm of DHS, which has tainted DHS's whole image to an almost unrecoverable extent?
The software liability issue is complex, but any detailed look at it can talk about how weird many of the ideas in this section are. As Perri would say, "There are too many issues in this section to list." Although, to be fair, a future blogpost will do so.