Humanity needs the following for cybersecurity and grid safety, particularly in our new era of machine learning and deepfakes.
These would be high-impact causes to fund or contribute to:
Identity Verification and CAPTCHA
We require coordinated efforts to design next-generation ID verification and CAPTCHA systems, potentially using various multi-factor validation focused more on validating that someone is a biological organism rather than someone who has language ability or who knows your Social Security Number.
Efforts: TPM standard, biometrics, Login.gov
Quantum-Proof Cryptography
We must encourage adoption of quantum-proof encryption. Quantum computing has a small chance of destroying all cryptographic infrastructure. That would mean all of our civilizational infrastructure would be compromised, from banking to the military.
Efforts: Open Quantum Safe project
Formal Verification
We must ensure adoption of formally verified and memory-safe computing infrastructure including OSes, TLS, DNS, NTP, SSH, etc.
Efforts: seL4, Project Everest, the Prossimo project of the ISRG, Let's Encrypt, and Prusti for the Rust language
EMP Shielding
We must harden all communications and energy grid infrastructure with EMP shielding. This can be accomplished with basic technology, such as faraday cages. But there is quite a lot of grid infrastructure, and it all needs to be carefully shielded, and that could potentially cost a lot of money.
All the news we are seeing about weather balloons being shot down is potentially related to testing out the US's readiness against a high altitude EMP blast. Such a blast could wipe out all communications infrastructure on an entire continent, and lead to unfathomable destruction.
But it isn't just nation-states that can inflict this damage. Solar storms can produce the same effects, and it is inevitable that we will be dealing with such an event. We need to be prepared, even if the cost is steep.
Efforts: H.R.2417 Secure High-voltage Infrastructure for Electricity from Lethal Damage Act (not passed)
Data Breach Protection
There are many known-faulty central bottlenecks for information security and identity compromise, like the cartel of credit reporting agencies. If we cannot outright obsolete these, we must at least penalize them for security breaches.
For certain extremely important information, like credit reporting systems, zero-knowledge and fully homomorphic encryption may be important. And they should at least try to keep up with malicious actors, who do pursue such things. But such systems are onerous and expensive, and wouldn't be pursued unless it were made urgent.
Efforts: Homomorphic Encryption Standardization, S.2289 Data Breach Prevention and Compensation Act (not passed)
Endpoint Security and Router Security
We should leverage the threat of court fines and insurance penalties to get organizations to decommission obsolete hardware and software, for themselves and their members. It takes decades to roll out core networking upgrades at the moment, but threats are moving fast and that is unacceptable. ISPs should give rewards to those who are in compliance with all the latest security measures.
Gray hat hackers have done such things as remotely exploiting scores of routers purely to perform remote updates and security patching. That is a possible area of help, but isn't organized.
Efforts: Ongoing efforts by many organizations with things like Wifi 6, WPA3, multi-factor auth requirements, Windows 11, etc.
Automated code checking
Automated bots to help open source codebases are now common. They perform static analysis, automated dependency upgrade pull requests, and so on. This model can and has been extended to automatically patch common coding mistakes, and we are just scraping the surface of what is possible
Efforts: Dependabot, CodeQL, Coverity, facebook's Infer tool, etc
Reproducible Builds
Reproducible build systems need to become common, since compromised build servers have been known as a key vector for compromising libraries and vended software. This would allow us to have peace of mind that running a scripted build process will always produce an identical binary that can be reliably checked by others. Thus, when downloading a binary from a server, you can have confidence that it was produced using the source code you expected, rather than just taking it on faith.
Efforts: Reproducible Builds project
Top comments (0)