<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dave’s not wrong about this. Cyber policy suffers horribly from the fact that it is disproportionately informed by popular press (i.e. clickbait).<div class=""><br class=""></div><div class="">The American Academy of Arts and Sciences recently published a collection titled ‘Governance of Dual-Use Technologies : Theory and Practice’.[1] This collection covers nuclear technologies, biological technologies, and IT / ‘cyber weapons'. If you read all three sections, it becomes very clear that one of these things is not like the other.</div><div class=""><br class=""></div><div class="">*Number of citations from popular press in each section*</div><div class=""><div class="">Nuclear : 2/143</div><div class="">Bio : 3/125 </div><div class="">Cyber : 27/110</div></div><div class=""><br class=""></div><div class="">You are not imagining things; we really are getting top-tier policy analysis of the cyber domain in which a plurality of sources are clickbait. N.B. I did not count blogs (researcher, vendor, or other) as ‘popular press’; doing so would have pushed the proportion from 25% closer to 40%. There is a further quality distinction among nuclear and bio vs cyber. You will not find the Daily Mail cited in a policy paper about dual-use biological or nuclear technologies, but cyber? Absolutely. That happens.</div><div class=""><br class=""></div><div class="">This is why we can’t have good policies, or often even good policy discussions. Popular press – including tech press – reporting on the cyber domain is frequently riddled with errors and rife with speculation. This is equally true of nuclear and biological technologies, but we’re not crafting civil nuclear agreements based on information from that Wired article you read last year. We don’t do this elsewhere, and should not tolerate it in cyber. </div><div class=""><br class=""></div><div class="">-Mara</div><div class="">__________</div><div class="">[1] The Academy has been around since 1780, and is generally considered to be pretty legit. <a href="https://www.amacad.org/multimedia/pdfs/publications/researchpapersmonographs/GNF_Dual-Use-Technology.pdf" class="">https://www.amacad.org/multimedia/pdfs/publications/researchpapersmonographs/GNF_Dual-Use-Technology.pdf</a></div><div class=""><br class=""><div class=""><div class=""><div><blockquote type="cite" class=""><div class="">On 28 Jul 2016, at 16:01, dave aitel <<a href="mailto:dave@immunityinc.com" class="">dave@immunityinc.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="content-type" content="text/html; charset=utf-8" class="">
<div bgcolor="#FFFFFF" text="#000000" class=""><p class=""><a class="moz-txt-link-freetext" href="https://na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf">https://na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf</a></p><p class="">Look, I'm sure these (Andi Wilson, Ross Schulman, Kevin Bankston,
Trey Herr) are all good people:<span id="cid:part1.AE64682F.D0673590@immunityinc.com"><authors.PNG></span></p><p class="">But I want to point out that you cannot make good policy
recommendations based on clickbait news articles you've happened
to have read over the years on a subject that is under a ton of
covert protection, especially when none of you have any personal
experience in the field (and even if you DID!). If you want to,
even a little bit, claim that the vulnerability market poses the
kind of danger this paper claims, then you have to say exactly
what percentage of this so called "stockpile" gets used in the
wild by our adversaries. And you have to say why you think that
percentage is too high. Without that data, you have "unsupported
opinions", or as Joe Biden would say, "malarkey". I'm not even
going to go into how "theoretical" their musings on market
behavior in this space are, because this whole policy paper is
trash without any data to back it up.<br class="">
</p><p class="">-dave<br class="">
</p><p class=""><br class="">
</p><p class=""><br class="">
</p><p class=""><span id="cid:part2.EB15FB82.35B2E4AB@immunityinc.com"><notdata.PNG></span></p><p class=""><br class="">
</p><p class=""><br class="">
</p><p class=""><br class="">
</p>
</div>
_______________________________________________<br class="">Dailydave mailing list<br class=""><a href="mailto:Dailydave@lists.immunityinc.com" class="">Dailydave@lists.immunityinc.com</a><br class="">https://lists.immunityinc.com/mailman/listinfo/dailydave<br class=""></div></blockquote></div><br class=""></div></div></div></body></html>