Troubleshooting Apple’s iCloud Advanced Data Protection

TL;DR: set your recovery key and contact, pick an iCloud device (I used my phone), log fully out of iCloud, and log back in. Try enabling ADP then.

I tried a month ago to enable ADP on my iCloud account, using the Apple instructions found here. I went to Settings > iCloud > Advanced Data Protection, and did my darnedest. It simply would not work.

I gave up after the utter lack of explanatory messages and silent fails for why ADP would not enable. I tried to add my spouse as my Recovery Contact, but he does not use iMessage or Apple devices. I have someone else I am using for that Recovery Contact, and after messaging them to tell them what I’d done, they accepted the invite and I was able to see they were a confirmed Recovery Contact. I eventually figured out that I had to have a friend with an Apple device who could receive iMessages for a Recovery Contact, but I saw this maddening screen again and again:

Even though I had clearly added and verified my Recovery Key.

If you try to enable ADP without having both a Recovery Key and Recovery Contact set, you may see a completely unhelpful message that says “Something went wrong. There was a problem turning on Advanced Data Protection. Try again later.” Here’s the Apple Support Forums thread on this topic. You may also only see a blue button that says “Review Recovery Methods” which then simply closes without telling you what next steps to take.

The legendarily good Apple user experience has fallen completely over on this one. It’s as if the rollout of this was tested only by people deeply experienced with Apple devices and logic, and full implementation was left as an exercise to the end user.

The ADP settings screen does not tell you that you must BOTH have a Recovery Key and a Recovery Contact.

So, for fixes, here are the first steps to try:

  1. Are all your devices updated to the minimum required operating system version?
    • iPhone with iOS 16.2
    • iPad with iPadOS 16.2
    • Mac with macOS 13.1
    • Apple Watch with watchOS 9.2
    • Apple TV with tvOS 16.2
    • HomePod with software version 16.2
    • Windows computer with iCloud for Windows 14.1
  2. Have you considered removing any devices that are currently unneeded from your iCloud account? I removed my Apple Watch 4 because it’s trivial to restore it and fewer devices might be better.
  3. Did your Recovery Contact accept the invitation? It’ll say “Request Sent” under their name if they haven’t yet accepted. That request is sent via iMessage, with no option for any other method of sending the request.
  4. Have you set the Recovery Key, then logged out of iCloud on your device, and logged back in? When you did, did the Recovery Key show as set and On?

That’s what worked for me. If you get here, you’re probably golden. Good luck!

That’s a nice cyber you’ve got there. Shame if something were to happen to it.

It should deeply concern us that cyber insurance is becoming less available.

The CEO of Zurich Insurance (the company that denied Mondelez’s USD 100m claim after NotPetya on the grounds of it being warfare) says “What will become uninsurable is going to be cyber,” and he asks “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

He’s right – and also right that ransomware payments are creating perverse incentives for insurance companies. This is something like the equivalent of submitting a claim to your home insurance for $10,000 when you had to pay that 10k to a criminal threatening to burn your house down, and telling the insurance company that they should be happy that they aren’t paying the full value of your home instead.

Now, the issue here is that there’s no law enforcement agency with the ability to save you from ransomware attacks in the same way that you can turn in a criminal threatening arson, leaving especially small and mid-sized businesses in the lurch. Ransomware is existential for them in a way it is simply not for larger organizations.

The burden will be put on organizations to save themselves from ransomware with what I think is an ever more likely push by USG to ban ransomware payments. Because this ban will not hit SMBs (existential threat) the same way it will for enterprises (closer to a cost of doing business), USG must provide more services at the state and local level for SMBs to prevent and recover from ransomware attacks. I and @ciaranmartin wrote an article on this last year which is still 100% true: attacking critical infrastructure via ransomware payments along any point in the supply chain is a national security risk, not simply a financial one.

https://www.brookings.edu/techstream/should-ransomware-payments-be-banned/

Contempt is the most dangerous emotion

There is an entire world of small and mid-sized businesses that are absolutely helpless in front of the kinds of attacks that we call “basic” in infosec. Invoice spearphishing, BEC, credential harvesting – these are the kinds of things we think of as entry-level hacks.

Ok, I’m a little angry here. I’ve heard a dozen stories this year from professional services providers like accountants and lawyers and MSPs about the jargon, contempt, and expense from enterprise product companies and infosec consultancies.

I’d like to challenge every infosec pro: can you talk to your friends, barista, gardening service, local cafe owner, bookkeeper, day care provider, personal trainer, housekeeper (really, any person whose job is actively being replaced by the gig economy) and find out if their business has implemented 2FA? If they don’t understand what you’re talking about, can you explain it clearly and helpfully enough that they’re happy to become the internal advocate at their SMB for more security?

If you can, thanks. If you can’t, ask yourself and your company and your community: what are we doing to protect the half of American workers who don’t work at enterprises large enough to force security measures and profitable enough to pay for them?

Why am I retiring from CTFs?

I’ve talked a lot about how I no longer do “fuzzy mentorship.” (If you haven’t heard the term, it’s generally seen as mentorship that focuses mostly on vague things like good vibes and is endeavored upon mostly for reasons of publicity. I’ve got no more energy for all… that.)

I’d rather do sponsorship: targeted acts of promoting and providing opportunity that allows me to put my influence behind young and/or midcareer women of color. Writing a recommendation, referring for a job, setting up a meeting, and responding to specific questions are some of those very targeted actions that can make a difference.

Here’s how that’s currently manifesting in my life and career in a way that tries to help others.

I’m about to retire, as it were, from competitive Capture the Flag (CTF) hacking competitions. After 5 years of competing within the SANS NetWars circuit, I and my team — NullCastleException — won the international Tournament of Champions in December 2021. My teammates David (@chebuzz) Carlson, Christopher (@tcpsub13eq0x02) Miller, Szymon (@szymex73) Borecki, and fable were supportive and amazing!

The SANS Institute has made some really awesome trophies over the years!

I have been doing CTFs seriously for about ten years, and cannot think of a better way to improve your skills in information security while making great connections and adding lines to your resume than by participating in CTFs. It’s how you can gain experience, face problems that aren’t discussed in textbooks, and try exploits against real-world systems that aren’t just in your sterile sandbox or your company’s lab. I have loved doing this ever since I and my long-time collaborator and good friend Liz (@tanglisha) were on the winning team in LosT’s Mystery Challenge at DEF CON a decade ago.

Left: Tanglisha at DEF CON 20. Right: me and LosTboY at DEF CON 20.

That’s me and Liz with our team’s trophy and our black badges. Since that DEF CON, we kept going in competitions and have had a total blast.

This is us at DefendCon in 2019 where we won the OpenCTF.

We won the OpenCTF at DefendCon in 2019, too. 🙂

There are lots of CTF teams that have highly skilled members but which can also use someone who’s more junior or even differently-skilled. Someone who will simply show up, do the research, and support the team. Do not dismiss this possibility if you are considering where you might find a place in the competitive hacking arena and you’re a bit nervous about whether your skills are enough.

NOTE: It’s sadly also true that many CTF teams somehow mysteriously manage to leave the junior women off the podium or snatch the trophies back when they win something, and later “explain” that as a junior member of the team they were just there as a support, not a real or full team member. I and other women have personally experienced that injustice and there are some horrible missing stairs in the CTF world. However, I also know several excellent CTF teams that treat people with respect and would never do that, and I would love to very specifically connect midcareer women of color to a few of those teams where you’ll get a shot to listen, learn, really participate, and eventually form additional teams. Yes, this is a lot of work, but it’s the single best way I’ve seen for women and BIPOC to be seen as “truly technical” in the field.

Besides, this kind of competition is really, really fun!

DefendCon OpenCTF, 2019

I can’t even describe how much I’ve enjoyed CTFs. The experiences I’ve had at SANS during their NetWars competitions have, on average, been the best. Event architects Tom Hessman, Jeff McJunkin, & Ed Skoudis have been amazing at running the competitions, getting new people unstuck, and challenging veteran players. Our team NetWarsAndChill had a whole holiday decor theme happening at the SANS Tournament Of Champions in DC in 2019.

SANS NetWars Tournament of Champions, December 2019
Team NetwarsAndChill at SANS NetWars Tournament of Champions, December 2019

When women and POC interview for technical roles, there is often a person advocating for them. Give that individual a weapon to use on your behalf. “We took third place in my local BSides Open CTF in 2021,” is a two-handed flaming broadsword in the hands of a recruiter trying to get you into a security research or SOC analyst job opening. It says you’re participating in the community, that you believe in teamwork, that you put the effort in, and that you’re connected with similarly enthusiastic colleagues already.

Let this be a way for you to stand out among the hundred other people who are interviewing!

I must emphasize: if you’re afraid you’ll expose your total ignorance, know that I have been on lots of CTF teams, and I — along with nearly everyone else who’s sat next to me at the competition tables — constantly struggle with that same fear. We cope with it by being open about what we don’t know and by being generous with teaching people what we do know. These are the friends and colleagues I’ve had with me through this experience and I’m grateful for each and every one of them.

Of course I love my NetWarsAndChill team, including amazing people like Mike Downing and Jacen Kohler! I had great experiences competing with other veteran and respected CTFers like Mike Dee (@mikedee_hacker), Matt (@pseudosec) Kalinowski and ants (@DarkBerryBash), and they’re welcoming to n00bs. The buddy system works, and everyone I’ve named in this post is open and willing to help, advise, and maybe even compete with you!

I’ve been doing this for a decade. It’s time to both pass the torch and move on to sponsoring the next set of amazing competitors. If this avenue of potential opportunity appeals to you, let me know. I have a private list and Signal group of resources, people, and mentors who like introducing people to CTFs. Many of these individuals and teams are explicitly interested in diverse voices and new faces, because they recognize that a team which represents multiple perspectives and backgrounds will always be stronger and more capable than a team whose players are all monolithic and identical.

If you don’t know how to reach me, go find one of my email addresses. That is your first flag to capture. 😉

Good luck!

An education-based approach to curbing CSAM production

Originally published in Brookings TechStream.

March 17, 2022 Savannah Sly and Tarah Wheeler

A bird flies past the U.S. Capitol in Washington, D.C., U.S., on Thursday, March 17, 2022. Photo by Al Drago/Pool/ABACAPRESS.COM

In recent weeks, a misguided legislative initiative to provide children with better protection online has gained momentum on Capitol Hill. In its current form, the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2022—better known as the EARN IT Act—would strip technology companies of protection from liability for child sexual abuse material (CSAM) uploaded onto their platforms by users. The bill is premised on the idea that technology companies aren’t doing enough to combat the presence of such material and need to face the prospect of greater legal penalties to do so.

The bill is deeply flawed, and a chorus of technologists and researchers argue that the bill not only won’t achieve what it aims to do (protecting children) but will also harm a much larger group of internet users in trying and failing to protect kids from being exploited online. One of EARN IT’s key provisions potentially exposes technology companies to liability if their encryption features are found to enable the spread of CSAM—a move that may lead many companies to conclude that offering encryption to users simply isn’t worth it and doing away with secure messaging tools entirely. Such a move would be disastrous for privacy, human rights, free speech, and communities at risk for surveillance. 

EARN IT’s backers are motivated by a desire to help children, but in their attempt to do so, they’ve misdirected their efforts at computer security systems that enable the spread of CSAM as part of enabling all communications of any kind. Rather than focusing on preventing the production of CSAM in the first place, they are attempting to make changes to the security features of modern computing that allow it to be spread once created. The digitally enabled sexual abuse of children is a serious, horrific problem, but addressing it requires a different, more proactive approach. Instead of attacking security systems, policymakers could direct their efforts in a more useful direction: educating children how to be safe online. Investing in childhood education, primary care, adolescent education in consent, community support for ombuds and social work, and appropriate financial incentives for primary caregivers is difficult and expensive—and it works to prevent child sexual abuse. The EARN-IT Act, flatly, will not.

The EARN-IT Act takes aim at CSAM by altering the liability protections of Section 230 of the Communications Decency Act, and it isn’t the first time Congress has sought to regulate the presence of sexually explicit content online. In 2018, Congress sought to address commercial sexual exploitation by passing SESTA and FOSTA, two bills that increased liability for content hosts under Section 230. The result of SESTA and FOSTA was the immediate voluntary shutdown of dozens of websites that sex workers used to advertise and vet potential clients, the ripple effects of which inadvertently increased vulnerabilities to exploitation and violence in the sex trade. When sex trade websites close or get shut down, it is more difficult for law enforcement to identify and combat sex trafficking. Given how badly SESTA and FOSTA backfired, it’s alarming that lawmakers would entertain the EARN IT Act before passing legislation that would evaluate the full effects of these online censorship laws. 

One of the most discouraging aspects of the EARN IT Act is that it does nothing to prevent child abuse from happening in the first place. EARN IT does not bolster preventative tools that can protect young people from harm, such as age-appropriate comprehensive sexuality education. Predators lurking on chat sites would have a harder time grooming and exploiting youth if young people were equipped with knowledge about boundaries, consent, and healthy/unhealthy relationships. Ironically, anti-abuse organizations such as the National Survivor Network have suggested that the EARN IT Act may prevent young people from accessing online information about sexual health, gender, and consent that could help keep them safe. Queer youth are particularly vulnerable to the unintended consequences of a bill like EARN IT, especially in light of the many anti-LGBTQ bills cropping up around the country. Given that an estimated 9-10% of youth in the US identify as LGBTQ, it would be difficult to overstate the potential harms of this bill.

It is well-established that victims of child abuse are usually harmed at the hands of someone in or connected to their family, and preventing abuse at home starts with adults taking responsibility, being active in the lives of young people, and learning how to identify signs of abuse. Decreasing stress and offering pathways to treatment by ensuring families have access to stable housing and healthcare may do more to curb abuse at home than a bill like EARN IT ever could. EARN IT plays whack-a-mole with CSAM instead of actively stopping it from occurring.

EARN IT will never be able to eradicate the increasing practice of young people taking and sharing intimate photos and videos of themselves, and preventing such material from circulating online would be better done through education. This material, referred to as self-generated child sexual exploitation materials (SG-CSAM) is the result of youth having increased access to media and communications technology. While EARN IT may attempt to stop SG-CSAM from being circulated, it’s more important to have realistic conversations with youth about the enduring nature of digital media and the risks of sharing intimate media of themselves. In our increasingly digital world, arming youth (and adults) with education about risks to privacy is critical. Additionally, we must collectively stop victim blaming people who have their nude photos non-consensually or illegally shared with the public, regardless of their age or occupation. 

Just as SESTA and FOSTA did not stop sex trafficking (and in fact may have made things worse), EARN IT will not stop child abuse materials from coming into existence. EARN IT may in fact make it harder for law enforcement to locate CSAM files being circulated. Once it becomes known that encrypted services are no longer useful for transmitting CSAM, abusers will pivot to other tools, such as snail mail or niche platforms, to circulate offensive materials. A move toward such platforms or an embrace of ordinary mail would make CSAM investigations even more difficult than they already are. 

A lingering question yet to be addressed is exactly how CSAM materials will be identified, should EARN IT pass. EARN IT will stifle sexual expression and hinder consenting adult sex workers from making a living online but not actually solve the problem of CSAM. How would an abuse video of a 16 year old be differentiated from a legal video created by an 18 year old? Given the complexity of this task, it’s likely that many formerly encrypted services would bar the transmission of any erotic or explicitly sexual content. EARN IT could mark the death of sexting as we know it. Not only does this violate sexual expression freedoms, but it prevents adult sex workers from supporting themselves financially through the relative safety of online work. Sex workers who produce pornography already maintain records proving that everyone in the film is of age and consents to being filmed. Law-abiding websites that host pornographic content already require proof of age documentation, reducing the odds that CSAM will end up on their platforms.

For decades, cryptographers have made the case that the compromises politicians seek in encrypted computer systems—to crack down on CSAM or to listen in on the contents of terrorist communications—can’t be made without consequences for the broader computer security ecosystem crucial to businesses and citizens. This conflict—between the demands of politicians on the one hand and encryption on the other—has become a fact of modern life, and the EARN IT Act is merely its latest iteration. There are no technologists who can tell you how to safely and securely enforce this new EARN IT Act—because it’s not possible. As a recent Washington Post piece noted, the EARN IT Act  has made strange bedfellows of Big Tech, free speech activists, industry groups, sex workers rights activists, the infosec community, and civil society groups, all of whom are united in their belief that this legislation is infeasible and a net negative. On the other side of the debate are law enforcement groups, moral crusaders (primarily the National Center on Sexual Exploitation, which before it rebranded was known as Morality in Media), and some well-meaning abuse victims organizations looking to crack down on CSAM. But even for the latter group, EARN IT will not do what they hope and will instead make CSAM prosecutions substantially more difficult. 

If lawmakers want to curb rates of CSAM production, we must create policies that prevent CSAM upstream, rather than increase the attention and resources to downstream mitigation that can never catch everything. Washington state recently passed a measure mandating age-appropriate comprehensive sex education in schools which will help students understand consent, safety, and “choose healthy behaviors and relationships that are based on mutual respect and affection, and are free from violence, coercion, and intimidation”. Educational policies in schools such as age-appropriate sex ed will do far more to prevent the creation of CSAM than reactive measures like EARN IT ever would.

Politics, it’s often said, is the art of compromise. A life in politics teaches the art of the partial achievement. When politics bumps up against a universal constant, or a truth of math and physics, politicians often simply cannot grok that there are things they can’t change, can’t bargain against, can’t shift, can’t manipulate. Encryption is one of these things, but in this latest iteration of the three-decade-long fight between technologists and politicians seeking to limit the availability of encryption technology, political leaders with a genuine interest in curbing the spread of CSAM would benefit from seeking solutions that actually address the problem. Educating children how to be safe online is the first step to reduce the prevalence of abusive material online.

Savannah Sly is an advisor to the Woodhull Freedom Foundation and a sex worker rights advocate who resides in Seattle, WA. @SavannahSly
Tarah Wheeler is a contributing editor to TechStream, a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University‘s Kennedy School of Government, an International Security Fellow at New America leading a new international cybersecurity capacity building project with the Hewlett Foundation’s Cyber Initiative and a US/UK Fulbright Scholar in Cyber Security for the 2020/2021 year.

4 Truths About Cybercrime (and the research to back them up)

Original post on Medium.

I was recently asked by someone involved in policymaking for a short bulleted reading list on cybercrime and how to understand the major issues since they didn’t come from a technical background. I started writing the email and then realized I might as well post it here so I can refer back and possibly update. This is massively simplified and is my short hot take if I’m given one minute to explain a problem to someone who doesn’t have a lot of time but has to act on issues related to cybercrime.

  1. When you experience cybercrime, the police probably can’t help you. If you think the cybersecurity staffing shortage is bad in industry and government, try your local sheriff. You are often required to report a crime to secure social help after being victimized, and that experience is rarely a positive one, especially for marginalized persons. The police in general will treat a report of a $250 purse theft differently than a report that $250 was phished from your bank account, even if you know precisely who did it. If you don’t know where the cybercrime was committed or originated from, the police will tell you that you can’t report it. In general they will refer you either to social services or tell you to report an online crime to the FBI (who generally won’t lift a finger for $250). This refusal to accept reports locally by the police and lack of action from the FBI makes these crimes invisible. There’s effectively nothing anyone can do if you’re a victim of cybercrime other than report you as a statistic. (If you need to, here’s where to report to the FBI). Here, read this. Also, advocate for clear jurisdiction over internet crime and fund the people investigating it.
  2. Going dark is a myth. The complaints that the FBI and other law enforcement organizations have over the use of encryption on personal devices are about their convenience, their backlog of investigations, and in general a lack of technical people inside their organizations, not truly about responding to potential crimes. The FBI and other law enforcement organizations should consider creating an appealing workplace environment with market-rate salaries to attract some technologists rather than trying to sue their way into slowing down technological innovation so they can keep pace. LEOs can get into phones whenever it’s actually important for them to do so. Note: domestic cybercrime is a different conversation in terms of policy than in espionage, where the ability to access and read a device in another country could be important. However, note that the technology to remotely access and decrypt devices and communications is the same whether being used by a local sheriff’s deputy or the CIA — so authorize its use carefully. Here, read this. Also, fight backdoors in encryption.
  3. We have a domestic law preventing the creation and training of people who could help with the cybercrime problem. We already have the names of crimes like theft, fraud, and abuse of the public trust. Saying it’s somehow worse to do crimes with a laptop instead of a mailbox only works because prosecutors and juries are frequently able to be convinced that computers are apocalyptically mysterious wizard boxes instead of some sand and steel that we bossed around until it did what we told it to do. The 1986 Computer Fraud and Abuse Act (CFAA) is the cause of much pixel spillage, but suffice to say that it’s a terrible law that penalizes security researchers and doesn’t stop real criminals. It’s primarily used to sprinkle magic cyber dust over a stack of criminal charges against a defendant to scare juries, with a lovely secondary use of threats of prosecution for intellectual property theft against former employees of a monopolistic company afraid of competition. Smart young people have died in this country due to the CFAA. Here, read this and this and this. Also, repeal and replace the CFAA as fast as possible.
  4. Policymakers who don’t understand technology not only make bad law, but they scare others from wanting to help and enable bad actors to flourish. I try to be a reasonably tactful person, but there’s something especially blithering about the idiocy of politicians who think that because they cannot read HTML that it’s encryption (“I can’t read Spanish, so this Mexico City newspaper must be deliberately hiding its meaning from all English speakers!”). Or, that someone with the skills to notice that an entire US state has published the Social Security numbers of all their teachers and the kindness to tell someone so must be a computer criminal. Intentionally ignorant policymakers who take out their own inadequacies in understanding technology by either mocking or hurting techies or by trying to somehow declare that politics is determining the outcomes of math are dangerous. When policymakers don’t understand the fundamentals of technology or how the online world works, it makes them a figure of ridicule and unable to perform the oversight function necessary to regulate and protect the public. Here, read this and this and watch this. Also, if the policymaker you’re talking to has no intelligent technical people they’re listening to, empathetically find them some to talk to — or, if they have no interest in learning new things, back slowly away and primary the hell out of them next time.

Thanks for comments on this to @KendraSerra and to other distinguished colleagues unnamed here.

An Oeuf With Blockchain, Already

Blockchain Eggs

I created a short video and slide deck to help illustrate how a blockchain works. This is not about Bitcoin, but is intended to help people who aren’t as experienced with Merkle trees understand that the idea of a blockchain is to be able to independently verify where and when a thing happened without being able to go back and alter it to make something else have happened instead.
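To make the idea in the video concrete, here is an added example, not part of the original post or the slide deck: a minimal hash chain in Python. Each block commits to its own content and to the hash of the block before it, so a verifier who holds only the chain can check that every entry still says what it said when it was appended, and that nothing was altered, inserted, or dropped in between. The egg-ledger entries are constructed sample data; the SHA-256 chaining over canonical JSON is a generic construction chosen for illustration, not anything from the deck.

```python
import copy
import hashlib
import json

# Hash "of the block before" the first block: a fixed all-zero value.
GENESIS_PREV = "0" * 64


def compute_hash(index, timestamp, data, prev_hash):
    """SHA-256 over a canonical JSON encoding of the block's committed fields.

    Canonical (sorted keys, no whitespace) so the same content always
    yields the same hash regardless of who serialises it.
    """
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    """Append each (timestamp, data) record as a block linked to its predecessor."""
    chain = []
    prev_hash = GENESIS_PREV
    for index, (timestamp, data) in enumerate(records):
        block = {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash}
        block["hash"] = compute_hash(index, timestamp, data, prev_hash)
        chain.append(block)
        prev_hash = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad block).

    A block fails if its position is wrong (insertion/deletion), its prev_hash
    does not match the previous block's hash (link broken), or its stored hash
    does not match its content (content edited).
    """
    prev_hash = GENESIS_PREV
    for expected_index, block in enumerate(chain):
        if block["index"] != expected_index:
            return False, expected_index
        if block["prev_hash"] != prev_hash:
            return False, expected_index
        recomputed = compute_hash(block["index"], block["timestamp"], block["data"], block["prev_hash"])
        if recomputed != block["hash"]:
            return False, expected_index
        prev_hash = block["hash"]
    return True, None


# Constructed sample ledger: where and when each thing happened to one egg.
EGG_LEDGER = [
    ("2022-03-01T08:00:00Z", "Hen 7 laid egg #1041"),
    ("2022-03-01T09:15:00Z", "Egg #1041 collected by Sam"),
    ("2022-03-01T12:30:00Z", "Egg #1041 packed into carton C-19"),
    ("2022-03-02T07:45:00Z", "Carton C-19 sold at farm stand"),
]


def demo_tamper():
    """Show why rewriting history fails even if the editor recomputes a hash."""
    chain = build_chain(EGG_LEDGER)
    tampered = copy.deepcopy(chain)

    # 1. Edit block 1's content but leave its hash: caught at block 1.
    tampered[1]["data"] = "Egg #1041 collected by Alex"
    naive = verify_chain(tampered)

    # 2. Recompute block 1's hash to hide the edit: block 2 still points at the
    #    old hash, so the break simply moves one block later (block 2).
    b = tampered[1]
    b["hash"] = compute_hash(b["index"], b["timestamp"], b["data"], b["prev_hash"])
    rehashed = verify_chain(tampered)
    return naive, rehashed


if __name__ == "__main__":
    print("intact:", verify_chain(build_chain(EGG_LEDGER)))
    print("tampered:", demo_tamper())
```

The point the second tamper step makes is the one the video is after: an editor who wants a past entry to say something different has to rewrite every later block too, and anyone holding an independent copy of the chain (or just its last hash) detects the divergence immediately.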

That’s an oeuf for now.

PDF Slides here:

Video here:

https://youtu.be/e3IQkk5myPA

Where are the women in cybersecurity leadership roles?

This post originally appeared on the OECD Forum’s site.

It’s easy to feel like everything has already been said about why we need more women in cybersecurity. I’ve been explaining the economic benefits of hiring women as engineers, bringing in women as senior information security leaders, and going to work for women as board members and national influencers for a long time. 

I felt so much like I didn’t know what was left to say on women in cybersecurity. Women in my field have been pointing out the efficiencies, the improved problem space, and the improved outcomes for years. 

So I went and asked my husband what to say.

Stay with me on this one. I said, “I can’t think what’s left to say on the topic. Women have been decreasing in their representation in cybersecurity C-suite roles and board memberships for years, and the entire trend of women in technology and engineering positions has been steadily decreasing, at least in the United States, since 1984. There’s been no real improvement on about 1% women in senior engineering positions holding steady for a decade”. And my lovely spouse said to me, “Well, if you’re writing a piece for the OECD, what’s happened with the European numbers over the last year? What’s happened to women in cybersecurity according to the statistics during the pandemic? Can you talk about that?” I was drying a dinner plate and I stopped, shoved the plate and the towel at him, and ran to a keyboard because I realised what the problem was.

Reader, I cannot. I can’t talk about what happened to senior women in cybersecurity during the pandemic because they’ve all disappeared. 

It will be decades before the career gaps experienced by women and primary caretakers during this pandemic are fully erased, and we’re back to the “normal” gender pay gap. 

During the pandemic, every technical woman with children I know has stepped back from her job. Every single one. She’s already being paid 81% of what her male spouse is being paid, if she’s a married parent. Women who are primary caregivers are buried in childcare, family care, and the absolutely never-ending drudgery of cleaning the house. Their spouse makes more than they do, so it makes sense that if one spouse must pull back from the workforce, it should be the one making less money.

It’s a cruel and economically inefficient joke that during this worldwide pandemic, the women and non-gender binary people who have the most to gain from upskilling and negotiating new salaries and charging ahead in the workforce—because the difference between their realised and potential values is so much greater due to discrimination—are the ones losing the most ground. 

In the early 1990s, Nobel Prize-winning economist Amartya Sen posited that there were more than 100 million missing women in the world based on sex-selective abortions, undereducation and health care provision to women, and a multitude of factors that prioritised the health and education of boys over girls. As academics, professionals of all kinds, essential workers and health care experts are again noticing that women are going missing, we have to ask ourselves: so what? Why does it matter that women are missing from cybersecurity? 

I have pointed out that the potential gains in efficiencies in salary and benefits for women being properly compensated are far higher than for men. But without the perspectives of diverse professionals in cybersecurity, gaps and problem spaces remain unidentified and, statistically speaking, are larger than they would be with the active participation of all the potential perspectives in the field. Inventions arising out of mixed teams, or women-only groups, appear to have wider technological breadth (and may therefore be more economically valuable) and higher impact from a technological viewpoint than those in which only men are involved.

What can we do to solve this situation?

  1. When vaccines for COVID-19 come out, lobby to have child care workers in as early a priority tier as possible, in order to support primary caregivers for children and families (most of whom are women), which would have an outsized impact on economic gains.
  2. When hiring and creating leadership roles in the next decade, acknowledge women and primary caregivers/workers as being so essential that human beings couldn’t do without them, let alone companies. 
  3. Make your protections against groupthink in your organisations robust and antifragile by ensuring that you have more than one diverse voice in each section/team/location of your organisation. Millennial men expect to spend as much time as their spouses on child and family care, so don’t be surprised if requests for family leave come from an unexpected quarter. Hire, promote and sponsor multiple people from all parts of society, education and the gender spectrum to strengthen your organisation’s impact and resilience.

Finally, none of this is fair. Stop trying to make it fair: instead, try to make your solutions just and robust. No single organisation can fix all of the horrors and unfairnesses visited upon women and families during this period of global mourning and recovery—but each person can choose to see the future as different than the track we are on now. Women belong everywhere in cybersecurity to make the world more efficient, to make the problem space better known and to keep the world safer than it would be without our voices added to the chorus.

NATO, We Want To Go To War With You

Originally on Foreign Policy, December 22nd, 2020.

Wargames can provide essential cybersecurity training for soldiers. But they won’t succeed unless the players confront real, independent hackers.

BY TARAH WHEELER, AMY ERTAN | DECEMBER 22, 2020, 7:53 AM

A member of the hacking group Red Hacker Alliance uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China.

In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.

In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as defending against a cyberattack on a NATO member state’s critical infrastructure. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.

This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still-developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.

Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.

The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent tools that can automate overwhelming attacks based on leaked personal data.

Unfortunately, NATO does not include nonstate actors in the annual cybergames. This creates three problems. First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country. Bad actors will use whatever low-cost hacks they can find, make, buy, or steal.

Second—and crucially—defending cyberspace requires people who think differently. Even the U.S. government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realizing that traditional information technology education does not produce innovative offensive security researchers. Limiting contributions to active military and public sector employees will result in a certain amount of groupthink. It is critical for NATO to include nonstate actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).

Third, we in the cybersecurity community have been aware that civilian medical facilities and research stations have not only been fair game but the primary targets of international bad actors for half a decade. After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry and the cybersecurity community predicted repeatedly that vaccine production would be targeted by nation-states, and we are now seeing evidence in recently reported successful espionage attacks on Pfizer and BioNTech facilities that we were correct. NATO should include in their cybergames the kinds of urgent current events we are already seeing play out in the news.

In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers. In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway. NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all—until real-world Russia actually began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.

Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons—and managing their air, water, fuel, targeting, and health—were not permissible targets in this engagement. Russia’s behavior highlighted the absurdity of NATO excluding the cyberdomain from conflict simulations. Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.

Recent attacks on vaccine production facilities show how failing to model cyberthreats appropriately will come back to bite you, and we predict that medical facilities will be a popular target for cyberattackers in the future.

Therefore, military and government cyberdefense forces should use hackers’ skills and noninstitutional creativity to help predict attacker tactics.

The organizers of future wargames need to recognize that having independent experts see and participate in wargames means the ability to model opponents other than nation-states, test the scenario and the network under use from a fresh perspective, and ultimately make for a stronger training outcome. Cyberwar is new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, strangely, and innovatively.

It is important to build NATO’s ability to monitor, manage, and conduct cyberwar because these simulations often lead to a de-escalation of conflict after capabilities become known to the players (and their potential opponents). The same quality that makes cyberwarfare so rapid and difficult to detect—its relative cheapness in terms of cost and time—also makes it much easier to simulate than naval warfare, for instance.

The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming wargames. Including them would increase the reality of the game and the skills of the soldiers building and training on these networks. Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.

Diversity of thought leads to better solutions. We in the information security community strongly support the involvement of acknowledged nonmilitary experts in the development and testing of future cyberwar scenarios. We are confident that independent experts, many of whom see sharing their skills as public service, would view participation in these cybergames as a challenge and an honor.

The Lady of Shalott

I started this project when I was 19. I remember sitting on the lawn at Carroll College in Helena, Montana, and starting that first stitch up in the top left corner in DMC 420. The Lady of Shalott is a Teresa Wentzler pattern that came out in the late 1990s, and I’ve now finally finished it at the age of 41. The original myth is about Elaine, the Lady of Shalott, a fairy who fell in love with Lancelot and died while floating on a boat down the river to Camelot. It’s a frequently explored myth in Romantic literature, and this version is from Alfred, Lord Tennyson’s poem.

This piece captures the moment just before she looks out to Camelot and her mirror cracks, signalling the end of her life in captivity and her doomed pursuit of Lancelot.

But in her web she still delights
To weave the mirror’s magic sights,
For often thro’ the silent nights
A funeral, with plumes and lights
       And music, came from Camelot:
Or when the moon was overhead
Came two young lovers lately wed;
‘I am half sick of shadows,’ said
       The Lady of Shalott.

This was quite a quarantine finish!

I think I was so motivated to finish this during the pandemic because I thought it was beyond ironic that I was embroidering a woman who was embroidering because she wasn’t allowed to leave her home or dream of going other places.

After completing much of the cross stitching, I had to go through it with a forensic magnifier to check each 10×10 section for missing stitches. I basically lost a weekend doing this! Not that I noticed; we’re still in a pandemic.

I put a lot of myself into this project. Given the Victorian origins of Tennyson and the Romantic poets who loved the Chrétien de Troyes version of the Arthurian romances, I thought it might be nice to literally put myself into this project. So, Elaine’s hair is mixed with a tiny lock of mine, like a Victorian funeral wreath.

There’s often a really big difference between doing cross stitching, and doing the finishing work of backstitching. The tininess of the stitches in this piece means the contrast isn’t as great as in some others, but it’s still pretty spectacular to see it outlined in high relief.

After 22 years, I was a little afraid that it might just fall apart in the washing solution, but it worked just fine. Probably because it’s all natural fiber. I used The Laundress natural fiber shampoo.

This is the video I watched to make sure my technique, temperatures, and towels were correct before pressing this.

There’s a section in here where I panicked a bit, because I’d used graphite for some of the grid lines.

Here is a totally true reenactment of my feels upon believing I had totally wrecked this project it had taken me 22 years to finish:

John William Waterhouse: The Lady of Shalott

This is Monaco fabric, and I spent several days googling techniques to remove graphite when I realized a simple wash wouldn’t do it. I tried several techniques like erasing it with a craft cushion full of rubber shavings, a pencil eraser, and so forth. I found that trying to erase the graphite gently simply pilled the fabric without actually removing much of the graphite. There are several solutions out there, and they seem to be replicated from site to site, possibly without anyone actually testing them. I’m here to say: the Windex + toothbrush solution is what worked without harming any of the fabric or thread. I was concerned about applying the blue chemical to my fabric, but the soft toothbrush plus 50/50 Windex/water solution worked better than anything without pilling the fabric. Remember: don’t iron your project dry until you’re happy with the level of stain and grid mark removal, or you’ll seal those stains in with heat and steam!

I pressed it before adding the Mill Hill beads, since it’s hard to iron over those glass metallic bits.

Washing done–time for stretching: I pressed it gently dry with an iron on low heat over towels like in the video above. When about halfway dry, I started stretching it gently to get it even and shaped correctly, then ironed it fully dry.

Time to decide on framing choices. At first it seemed that something this intricate and painstaking deserved extremely elaborate gold leaf framing of some kind.

It was fun to select matting that had a linen effect, to correlate with this being stitchwork done on a piece of fabric. But that frame wood was wrong. Instead of going overly elaborate with the wood, I explored a more rustic, plain, distressed wood frame.

This didn’t steal focus from the embroidery and also serves to possibly better reflect the kind of framing that might be done long ago when tapestries hung in castles and manor houses…

I like to have the frame shop cut a piece of foam core with a square cut out of it so that I can use dressmaker’s straight pins to pin over the square, then press it down into the larger piece of foamcore.

We’re going to hang it here in the entryway of our home. I picked an accent wall color that would act as the next outward framing of the piece, and this is me painting it.

And here it is, framed and hung!

But when my husband got a beat up brass lamp on eBay and restored it, and used it to light the piece and the wall, it became spectacular.

Thank you so much to my lovely spouse Deviant Ollam for the work grinding, polishing, restoring, and adding a dimmer function to this old brass lamp to light this piece perfectly!

If you’re interested in the original pattern, it’s by Teresa Wentzler here.

http://www.twdesignworks.com/Designs/los.html