Sunday 5 April, 2020

Zoom needs to up its game — it’s playing in the big league now

This morning’s Observer column:

Then there’s the issue of security, and of encryption in particular.

“We take security seriously and we are proud to exceed industry standards when it comes to your organisation’s communications,” says the Zoom website. Any host of a meeting can “secure a meeting with end-to-end encryption”. Well, that’s not quite right, at least if by “end to end” you mean encryption where the service provider has no way of decrypting the content (as, say, with WhatsApp or Signal). The encryption on Zoom communications at the moment is the kind that protects your communications with any website with ‘https’ in its URL. But the content is unencrypted while it is passing through Zoom’s cloud servers.

There may be good reasons for this, but at the very least the company’s website shouldn’t be making exaggerated claims about encryption. It should privilege facts over marketing puffery.

And the moral of all this? Zoom is providing a service of real value in these desperate times, but it needs to grow up. It’s playing in the big league now.

Read on


It’s Zoom, Zoom, Zoom all day long

Rumours, facts, misunderstandings and hearsay about the supposed (in)security of Zoom conferencing have been rife for the last week. Lots of my friends and acquaintances have been asking me about it, in the (mistaken) belief that I know lots about it. I don’t. I only know what I read from trusted and knowledgeable sources.

The Citizen Lab report

Top of my list in this regard is the Citizen Lab at the Munk School of the University of Toronto. It was founded by Ron Deibert, who is a hero of mine, and has for years done sterling work on detecting and unearthing the tools that unscrupulous regimes and companies have developed for snooping on human rights activists, journalists and other good folks. They have now completed a pretty thorough investigation of the cryptographic protocols at the heart of Zoom’s service and published an illuminating report. It makes for fascinating reading if you’re a geek, but the gist is that their research shows that (contrary to the company’s public claims) Zoom uses non-industry-standard cryptographic techniques with identifiable weaknesses and is thus not suitable for sensitive communications. But it seems OK for non-sensitive uses.

There are also potential security issues with where Zoom generates and stores cryptographic information. While based in Silicon Valley, Zoom owns three companies in China where its engineers develop the Zoom software. Its AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, are transmitted by Zoom servers to all meeting participants. In some of our tests, our researchers observed these keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.

Given the sudden embrace of Zoom by a wide range of sectors across society, it is reasonable to assume that many governments’ signals intelligence agencies, as well as criminals, will be subjecting Zoom to the type of analysis we did. Some of them may choose to privately exploit those weaknesses for nefarious purposes and with harmful consequences.

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

  • Government communications

  • Proprietary or confidential business activities

  • Healthcare providers handling sensitive / confidential patient information

  • Human rights defenders, lawyers, journalists, and others working on sensitive topics

But the good news is that

For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.

This is a relief because it’s more or less what I’ve been saying to friends and family. It was based on a hunch that the vulnerabilities in the Zoom system would be mainly of interest to state-level actors.

On the other hand, I hadn’t known of the extent to which Zoom’s development work is being done in China, or that data packets and encryption keys seem to pass through servers that are based there. If I were running Zoom, I’d rethink that soonest.

Good advice from Mozilla

Many of the problems that have arisen with Zoom stem from the fact that it has had massive take-up of its free offer — which means that it is now being used by millions of non-technical users who probably know relatively little about online security. So it’s good to see that the Mozilla Foundation (which provides the Firefox browsers) has published some useful tips “to make your Zoom gatherings more private”.

They are:

1. Use your account with the latest version of Zoom. Sign-in and update to the latest version of the Zoom client or app. This will give you access to the meetings that are available to invited participants and ensure that your system has up-to-date security patches.

2. Use password protection. You can make your meetings password protected to prevent people from guessing your room ID and joining.

3. Keep your Personal Meeting ID private. Don’t use your Personal Meeting ID – especially for events you’re broadly publicizing. That will stop people from trying to enter your personal room at other times. Instead, generate a unique meeting ID by scheduling the meeting.

4. “Lock out” uninvited participants. Don’t share Zoom meeting invites or Meeting IDs with anyone you don’t want to join.

5. Utilize the “mute all” feature. Using the “manage participants” function, you can mute all participants. You should not unmute them again without telling them that’s what you’re doing.

6. Stop unwanted content from being shared. You can stop participants from sharing their screen, or if necessary, stop their video. This is helpful if you’re inviting lots of people you don’t necessarily know so that someone can’t maliciously share content – a practice now known as “zoombombing.”

7. Respect chat privacy. Decide ahead of time if you will save the chat or record the video of the meeting and make sure all participants have agreed and know how you plan to use that information. Recording and saving chats may have legal implications so make sure you’ve checked into that before enabling these options.

All good advice.


Quarantine diary — Day 15

Link




Friday 21 March, 2020



It’s the Spring Equinox!


Boris Johnson’s fiancée is pregnant and they’re living in the same house. So shouldn’t Johnson be in quarantine too?

After all, the government’s advice is that pregnant women should self-quarantine (even though there doesn’t seem to be any evidence that they are more at risk). Concealing him from public view would at least stop us being subjected to the Bertie Wooster nonsense he talked yesterday about getting this virus blighter beaten in 12 weeks. He sometimes seems incapable of engaging his brain before opening his mouth.


The Net is now vital infrastructure. So it must be protected during this crisis

As more and more people have to stay — or work from — home, the Internet is now really part of society’s critical infrastructure. So we need to make sure that it can continue to carry the increased load that’s heading its way. That means that, in the end, some uses will have to take priority over others. I’ve been ranting for weeks that HD streaming of entertainment content should be de-prioritised, and was relieved to see that the EU has come round to that view. So it’s good to see that Netflix and YouTube have announced that they will reduce streaming quality in Europe for at least the next month to prevent the internet collapsing under the strain of unprecedented usage due to the coronavirus pandemic.

Sky News reports both companies saying that the measures will affect all video streams for 30 days. “We estimate that this will reduce Netflix traffic on European networks by around 25% while also ensuring a good quality service for our members,” a Netflix spokesperson said in a statement. A spokesperson for Google, which owns YouTube, said: “We will continue working with member state governments and network operators to minimize stress on the system, while also delivering a good user experience.”

The Financial Times reports that in Italy, the first country to enact a full lockdown, there has been a three-fold increase in the use of video conferencing, which, alongside streaming and gaming, drove a 75 per cent rise in residential data traffic across broadband and mobile networks during the weekend, according to Telecom Italia. And the Spanish telecoms industry issued a warning at the start of the week to urge consumers to ration their internet usage by streaming and downloading more in off-peak hours.

This is going to get worse. What’s happening — predictably — is that whereas Internet use tended to spike in the evenings, now it’s higher (sometimes much higher) throughout the day. So we now have another curve that we need to “flatten”. And it’s possible, therefore, that the EU will have to revisit its Net Neutrality rules as a consequence.


How to Make Your Own Hand Sanitizer

Recipes from Wired magazine. I think I’ll stick to soap and water.


How will we know when we’re through this?

A question that Steven Levy asked during his interview of Larry Brilliant. (That’s the Larry Brilliant of eradicating smallpox and the famous TED talk about how to deal with pandemics.) His mantra: detect early, and respond early.

Here’s his answer to Levy’s question:

The world is not going to begin to look normal until three things have happened. One, we figure out whether the distribution of this virus looks like an iceberg, which is one-seventh above the water, or a pyramid, where we see everything. If we’re only seeing right now one-seventh of the actual disease because we’re not testing enough, and we’re just blind to it, then we’re in a world of hurt. Two, we have a treatment that works, a vaccine or antiviral. And three, maybe most important, we begin to see large numbers of people—in particular nurses, home health care providers, doctors, policemen, firemen, and teachers who have had the disease—are immune, and we have tested them to know that they are not infectious any longer. And we have a system that identifies them, either a concert wristband or a card with their photograph and some kind of a stamp on it. Then we can be comfortable sending our children back to school, because we know the teacher is not infectious.

The interview is well worth reading in full.

And when you’ve done that, watch his 2006 TED talk. You won’t regret it.


Why do people keep buying Amazon Ring?

I’ve got a good friend who has an Amazon doorbell and seems tickled pink by it. Normally, this would worry me, but he’s a sophisticated techie and I’m sure his security precautions are good.

But that’s definitely not true for most of the thousands of people who are buying the devices.

The New York Times has a helpful piece aimed at these neophytes. It opens with some cautionary notes, though:

The internet-connected doorbell gadget, which lets you watch live video of your front porch through a phone app or website, has gained a reputation as the webcam that spies on you and that has failed to protect your data. Yet people keep buying it in droves.

Ring, which is owned by Amazon and based in Santa Monica, Calif., has generated its share of headlines, including how the company fired four employees over the last four years for watching customers’ videos. Last month, security researchers also found that Ring’s apps contained hidden code, which had shared customer data with third-party marketers. And in December, hackers hijacked the Ring cameras of multiple families, using the devices’ speakers to verbally assault some of them.

Monday 17 February, 2020

Quote of the Day

In this election there are two sides. One side believes in the rule of law, the other doesn’t. Everything else, to be settled later, once the rule-of-law is re-established.

  • Dave Winer

_____________________________ 

My review of Andrew Marantz’s new book — Antisocial

In today’s Guardian. It’s a sobering read.

There has always been a dark undercurrent of white supremacism in some sectors of American culture. It was kept from public view for decades by the editorial gatekeepers of the old media ecosystem. But once the internet arrived, a sophisticated online culture of conspiracy theorists, racists and other malign discontents thrived in cyberspace. But it stayed below the radar until a fully paid-up conspiracy theorist won the Republican nomination. Trump’s candidacy and campaign had the effect of “mainstreaming” that which had previously been largely hidden from view. At which point, the innocent public began to see and experience what Marantz has closely observed, namely the remarkable capabilities of extremist “edgelords” to weaponise YouTube, Twitter and Facebook for destructive purposes.

One of the most depressing things about 2016 was the apparent inability of American journalism to deal with this pollution of the public sphere. In part, this was because they were crippled by their professional standards. It’s not always possible to be even-handed and honest. “The plain fact,” writes Marantz at one point, “was that the alt-right was a racist movement full of creeps and liars. If a newspaper’s house style didn’t allow its reporters to say so, then the house style was preventing its reporters from telling the truth.” Trump’s mastery of Twitter led the news agenda every day, faithfully followed by mainstream media, like beagles following a live trail. And his use of the “fake news” metaphor was masterly: a reminder of why, as Marantz points out, Lügenpresse – “lying press” – was also a favourite epithet of Joseph Goebbels.


Frank Ramsey

Frank Ramsey was a legend in Cambridge as one of the brightest young men of his time. He died tragically young (he was 26) in 1930, from an infection acquired from swimming in the river Cam. Now there’s a new biography of him by Cheryl Misak. Here’s part of her blurb about him:

The economist John Maynard Keynes identified Ramsey as a major talent when he was a mathematics student at Cambridge in the early 1920s. During his undergraduate days, Ramsey demolished Keynes’ theory of probability and C.H. Douglas’s social credit theory; made a valiant attempt at repairing Bertrand Russell’s Principia Mathematica; and translated Ludwig Wittgenstein’s Tractatus Logico-Philosophicus, and wrote a critique of the latter alongside a critical notice of it that still stands as one of the most challenging commentaries of that difficult and influential book.

Keynes, in an impressive show of administrative skill and sleight of hand, made the 21-year-old Ramsey a fellow of King’s College at a time when only someone who had studied there could be a fellow. (Ramsey had done his degree at Trinity).

Ramsey validated Keynes’ judgment. In 1926 he was the first to figure out how to define probability subjectively and invented the expected utility that underpins much of contemporary economics.

I’d never heard of Ramsey until I came on Keynes’s essay on him in his wonderful collection, Essays in Biography, published in 1933. (One of my favourite books, btw.) Given that Keynes himself was ferociously bright, the fact that he had such a high opinion of Ramsey was what made me sit up. Here’s an extract that conveys that:

Seeing all of Frank Ramsey’s logical essays published together, we can perceive quite clearly the direction which his mind was taking. It is a remarkable example of how the young can take up the story at the point to which the previous generation had brought it a little out of breath, and then proceed forward without taking more than about a week thoroughly to digest everything which had been done up to date, and to understand with apparent ease stuff which to anyone even 10 years older seemed hopelessly difficult. One almost has to believe that Ramsey in his nursery year near Magdalene¹ was unconsciously absorbing from 1903 to 1914 everything which anyone may have been saying or writing from Trinity.

(Among the people in Trinity College at the time were Bertrand Russell, A.N. Whitehead and Ludwig Wittgenstein.)


The hacking of Jeff Bezos’s phone

Interesting (but — according to other forensic experts — incomplete) technical report into how the Amazon boss’s smartphone was hacked, presumably by someone working for the Saudi Crown Prince.

_____________________________________________ 

Where people have faith in their elections

The U.S. public’s confidence in elections is one of the worst of any wealthy democracy, according to a recently published Gallup poll. It found that a mere 40 percent of Americans have confidence in the honesty of their elections. As low as that figure is, distrust of elections is nothing new for the U.S. public.

The research found that a majority of Americans have had no confidence in the honesty of elections every year since 2012 with the share trusting the process at the ballot box sinking as low as 30 percent during the 2016 presidential campaign. Gallup stated that its 2019 data came at a time when eight U.S. intelligence agencies confirmed allegations of foreign interference in the 2016 presidential election and identified attempts to engage in similar activities during the midterms in 2018.

This chart shows how the U.S. compares to other developed OECD nations with the highest confidence scores recorded across Northern Europe and Finland, Norway and Sweden best-ranked.

Source

_________________________________________ 

David Spiegelhalter: Should We Trust Algorithms?

As the philosopher Onora O’Neill has said (O’Neill, 2013), organizations should not try to be trusted; rather they should aim to demonstrate trustworthiness, which requires honesty, competence, and reliability. This simple but powerful idea has been very influential: the revised Code of Practice for official statistics in the United Kingdom puts Trustworthiness as its first “pillar” (UK Statistics Authority, 2018).

It seems reasonable that, when confronted by an algorithm, we should expect trustworthy claims both:

  • about the system — what the developers say it can do, and how it has been evaluated, and

  • by the system — what it says about a specific case.

Terrific article


  1. Ramsey’s father was Master of Magdalene. 

Friday 14 February, 2020

Bloomberg is going after Trump on his home turf: Facebook

He spent more than $1 million a day on average during the past two weeks on Facebook, according to data compiled by NBC News. The thing is: with a net worth of $61B, he can easily afford to outspend Trump. At one level, this might be reassuring. At another, it’s deeply depressing: it means that only billionaires can play at democracy in the US now. We’re really in Larry Lessig’s Lesterland.


Are unsecured cafe wi-fi networks deliberately hostile to VPNs?

I’m in Bill’s cafe in Cambridge, which offers ‘free’ Wi-Fi — which of course I don’t trust. So I switch on my VPN to find that, mysteriously, it can’t connect to its server. And I’m wondering if this is just some kind of glitch, or a policy by the firm that provides the Wi-Fi. After all, they don’t want clients sending communications that are encrypted and therefore inscrutable for advertising and tracking purposes. In this stuff, only the paranoid survive.


Inside the mind of Dominic Cummings

Cummings is now the UK’s de facto project manager, but what does he actually believe? In a bid to find out, Stefan Collini read (almost) everything Cummings has written in the last decade. His report is fascinating, insightful and thought-provoking. I can say that because I too have been reading Cummings for years. When I say that to people in Cambridge, though, they start to back away — as if I had revealed that I was interested in UFOs. They view Cummings through a blinding haze of visceral dislike. So it’s nice to see a real heavyweight (Collini has written great stuff on CP Snow, the neoliberal ‘reform’ of UK universities and public intellectuals) taking Cummings seriously. Well worth reading in full.


I stumbled across a huge Airbnb scam that’s taking over London

Wonderful piece of investigative reporting by James Temperton in Wired. I don’t use Airbnb but I know lots of people — especially younger folk — who do. Wonder how many of them have bad experiences?


A taxonomy of privacy

Landmark 2006 article by Daniel Solove in the University of Pennsylvania Law Review. I love the way it begins:

Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from “an embarrassment of meanings.”

Yep. And that’s still true — fourteen years later.

Monday 27 January, 2020

Does it make sense to confine Huawei to the ‘non-core’ part of a 5G network?

This seems to be the UK’s fallback position to avoid antagonising the Chinese state (though it won’t mollify the Americans). Bruce Schneier has some interesting things to say about this. Sample:

The 5G security problems are threefold. First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it.

Second, there’s so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems.

Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

Schneier’s view is that “It’s really too late to secure 5G networks”. 5G security, he says,

is just one of the many areas in which near-term corporate profits prevailed against broader social good. In a capitalist free market economy, the only solution is to regulate companies, and the United States has not shown any serious appetite for that.

What’s more, U.S. intelligence agencies like the NSA rely on inadvertent insecurities for their worldwide data collection efforts, and law enforcement agencies like the FBI have even tried to introduce new ones to make their own data collection efforts easier. Again, near-term self-interest has so far triumphed over society’s long-term best interests.

And of course there’s also the fact that there have probably always been US-friendly backdoors in Cisco kit, as this report from the FT the other day suggests.


Sajid Javid and the ‘quiet hegemon’ he’s clearly never heard about

Javid, who is currently Chancellor of the Exchequer, was grandstanding the other week about how the liberated UK would break free of EU red tape. In an interview with the Financial Times he warned UK manufacturers that “there will not be alignment” with the EU after Brexit and insisted that firms must “adjust” to new regulations.

Not surprisingly, this caused alarm in many business sectors whose prosperity depends on adhering to EU regulations. And so Javid — possibly under instruction from Number 10 — started to row back, saying that the government will only use the freedom to diverge if it thinks the change is worthwhile, and after the pros and cons have been weighed up.

The Chancellor has form in shooting his mouth off. I remember that he spoke at the launch of the previous government’s White Paper on online harms. He was then Home Secretary (aka Minister of the Interior) and his speech was less about online harms and more about how he was the tough guy who would stamp out this kind of harm. In effect, it was part of his campaign to replace Theresa May, then on her last legs as Premier.

I viewed his Financial Times interview through the same lens. He’s like Boris Johnson during May’s tenure, perpetually in campaigning mode. There are, however, some harsh realities about regulatory divergence that suggest he could be riding for a fall. Today, for example, the CEO of Volvo is reported (by the FT) as saying that certifying his company’s cars for the UK market would not be worth the cost if UK rules diverged significantly from the EU’s. The result: UK consumers would have a smaller range of Volvos to choose from. And there’s an interesting new book out — The Brussels Effect: How the European Union Rules the World by Anu Bradford, an academic study detailing how, in a world increasingly driven by standards, EU standards have quietly become global standards. (Think GDPR.)

In that way, the EU has become a “quiet hegemon” of which it seems the Westminster bubble is blissfully unaware.

Has the NSA really changed its mind?

Hmmm… Fascinating report in today’s NYT:

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

The foolishness of that policy was critically exposed a while back when some of those tools fell into the hands of cybercriminals and other baddies, including North Korean and Russian hackers.

So does this new spirit of cooperativeness signal a real shift in strategy? Or does it just show that the agency was temporarily traumatised by accusations that its unscrupulous collection of vulnerabilities caused hundreds of millions of dollars in damage? Should we believe the declaration by Anne Neuburger, the NSA’s Cybersecurity director, that “We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community”?

Good news if she’s serious. And the theft of the tools should serve as a warning against governments’ incessant campaign for backdoors into commercial encryption systems.

A real quantum leap?

This is from the FT (behind a paywall) so it came to me via Charles Arthur’s invaluable The Overspill:

A paper by Google’s researchers seen by the FT, that was briefly posted earlier this week on a Nasa website before being removed, claimed that their processor was able to perform a calculation in three minutes and 20 seconds that would take today’s most advanced classical computer, known as Summit, approximately 10,000 years.

The researchers said this meant the “quantum supremacy”, when quantum computers carry out calculations that had previously been impossible, had been achieved.

“This dramatic speed-up relative to all known classical algorithms provides an experimental realisation of quantum supremacy on a computational task and heralds the advent of a much-anticipated computing paradigm,” the authors wrote.

“To our knowledge, this experiment marks the first computation that can only be performed on a quantum processor.”

The system can only perform a single, highly technical calculation, according to the researchers, and the use of quantum machines to solve practical problems is still years away.

But the Google researchers called it “a milestone towards full-scale quantum computing”. They also predicted that the power of quantum machines would expand at a “double exponential rate”, compared to the exponential rate of Moore’s Law, which has driven advances in silicon chips in the first era of computing.

Interesting that the article was withdrawn so precipitously. But really significant if true. After all, current encryption methods are all based on the proposition that some computations are beyond the reach of conventional machines.

Zero-days and the iPhone

This morning’s Observer column:

Whenever there’s something that some people value, there will be a marketplace for it. A few years ago, I spent a fascinating hour with a detective exploring the online marketplaces that exist in the so-called “dark web” (shorthand for the parts of the web you can only get to with a Tor browser and some useful addresses). The marketplaces we were interested in were ones in which stolen credit card details and other confidential data are traded.

What struck me most was the apparent normality of it all. It’s basically eBay for crooks. There are sellers offering goods (ranges of stolen card details, Facebook, Gmail and other logins etc) and punters interested in purchasing same. Different categories of these stolen goods are more or less expensive. (The most expensive logins, as I remember it, were for PayPal). But the funniest thing of all was that some of the marketplaces operated a “reputation” system, just like eBay’s. Some vendors had 90%-plus ratings for reliability etc. Some purchasers likewise. Others were less highly regarded. So, one reflected, there really is honour among thieves.

But it’s not just credit cards and logins that are valuable in this underworld…

Read on

Want a job? There’s a great future in cybersecurity

From an interesting New Yorker piece by Sue Halpern:

There are currently more than three hundred thousand unfilled cybersecurity jobs in both government and the private sector in the United States alone. Worldwide, the number is expected to be three and a half million by 2021; that year, cybercrime is expected to cost six trillion dollars. Even the United States military is at risk, according to last year’s Defense Department Inspector General report, which found that insecure systems left the country susceptible to missile attacks. This year’s cybersecurity-readiness review of the Navy found that “competitors and potential adversaries have exploited [Department of the Navy] information systems, penetrated its defenses, and stolen massive amounts of national security” intellectual property. And, of course, as we now know, our elections, the essential engine of our democracy, are also poorly defended. “I don’t think any of us are questioning the fact that there is a lack of cybersecurity professionals across the board, in all different types of professions,” Emmel said.

Halpern’s piece was sparked by the fact that, this summer,

the N.S.A. is running a hundred and twenty-two cybersecurity camps across the country. There are camps for girls in South Dakota, Maryland, Puerto Rico, and South Carolina; a camp in Pennsylvania that simulates an airport hack; and one in Georgia that disarms a car hacking. On the last Monday in July, as news broke that a hundred million Capital One bank accounts had been breached, I attended Camp CryptoBot, at Pace University’s Westchester campus, the only cyber camp affiliated with the Navy. A few years ago, the camp director, Pauline Mosley, a professor of information technology, found herself sitting next to an admiral at a conference and used the opportunity to deploy her pre-digital networking skills.

GCHQ, are you listening?