If you have specialized technical knowledge that can inform policy of importance (your call on how to judge that), I encourage you to engage your senators/reps on such issues, or at least connect with the legislative assistants in the offices who cover these issues. Give your senators'/rep's DC office a call and ask for the LA (aka legislative assistant) and to brief him/her on the issue at hand. Or at least offer yourself as a resource if needed.
The best part about working in the Senate was being able to call up someone and ask for a briefing on an issue, and most would help out. Those that reached out proactively made life much easier, and, seriously, the squeaky wheel gets the grease in the policy world. Groups like I Am The Cavalry have done great work bringing together cybersecurity experts to raise awareness of, and push action, toward addressing vulnerabilities in systems that, if compromised, could cause major harm (think cars, medical devices, etc.). If you can form a group like that in your area of expertise, you can be more effective. Okay, off my soapbox for now.
Delivering public DoD websites using commercially-signed certificates was nearly impossible until January of this year when DoD CIO signed a memo titled, "Commercial Public Key Infrastructure (PKI) Certificates on Public-Facing Unclassified Web Servers." That memo enabled us to use commercial DV certificates to deliver public-facing .mil websites and will save the taxpayer millions of dollars. The day we got that memo was a very good day; we've been trying to get this change made for literally more than 10 years.
My team and I are passionate about our work, and we refuse to be another typical DoD information system that's down all the time, impossible to use, and only works on some archaic version of IE. The truly frustrating part of this is that we're already doing exactly what the Senator is asking, but I have no way to let him know. Yay bureaucracy.
Here are the links to the blog posts discussing this:
1 - http://publicweb.dodlive.mil/2016/10/06/why-doesnt-my-public...
2 - http://publicweb.dodlive.mil/2017/09/19/still-no-https-for-d...
3 - http://publicweb.dodlive.mil/2018/04/02/https-breakthrough/
Why on earth are so many supposedly important systems _so_ insecure?
For example, TLS on email servers for our military think tanks or the unclassified email servers of our intelligence agencies or militaries.
Not having S/MIME or PGP I kinda understand, but full-blown TLS? I know protocol downgrade attacks / DNS attacks / etc are a thing, but passive surveillance of email traffic is _well documented_ and a thousand times easier than something noisy involving forged DNS responses. Even if there are networks with reliable blackers for actual classified stuff, surely communicating with professors or researchers that lack clearance is also worth protecting, no?
Why is it taking decades to get simple email / server configurations fixed?
Also, why is everything so broken and why does nobody seem to care?
Take QNX for example, the supposedly secure microkernel OS that we put in every switch, router, car, truck, nuclear power plant, military radio, etc. It had almost all the same vulnerabilities that Linux and Windows had. Broken SRNG, hardcoded backdoor⇧⌥←^h^h "maintenance password", easy privilege escalation. Hell, even the crypt function wasn't a hash! It was just a bit mixer!
What is in the way of someone at the NSA just saying: "No, don't allow this to happen. Don't let them put the operating system into a bunch of stuff that we sell on the market."
Wyden asked Clapper if the NSA collected data on Americans. Clapper lied. According to Snowden's account, that's what set him in motion. Even if that account is not true, I want lawmakers to be asking that kind of tough and well thought out question.
Also, GP's timeline is backward. Snowden reached out to Greenwald four months before that hearing.
IANAL, but if you have phone call metadata and you think it's not in scope for GDPR then you'll be disappointed.
Certification Authority Authorization (CAA) DNS records can be used to indicate which CA is authorized to issue certificates for a domain. The CA/Browser Forum requires all certificate authorities to check CAA records prior to issuance.
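As an added illustration (not code from this thread or from any CA), the authorization decision a CA has to make from CAA records, following the RFC 8659 rules: climb from the requested name toward the root until a CAA RRset is found, treat `issuewild` as overriding `issue` for wildcard requests, treat a bare `;` as "nobody may issue", and refuse when a critical flag marks a tag the CA does not understand. The zone data is constructed; CNAME handling is omitted.

```python
"""Evaluate CAA DNS records (RFC 8659) for a certificate request."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", or ";" meaning no issuer at all

# Constructed zone: FQDN -> CAA RRset (a real CA would fetch this via DNS)
ZONE = {
    "example.mil": [CAA(0, "issue", "digicert.com"),
                    CAA(0, "iodef", "mailto:pki@example.mil")],
    "locked.example.mil": [CAA(0, "issue", ";")],
    "wild.example.mil": [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issuewild", "letsencrypt.org")],
    "acct.example.mil": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "strict.example.mil": [CAA(128, "futuretag", "x")],
}

def relevant_rrset(name, zone):
    """RFC 8659 section 3: walk from name toward the root; first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Strip ';'-separated parameters: 'ca.example; k=v' -> 'ca.example'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca, zone=ZONE, wildcard=False):
    """True if CA 'ca' may issue for 'name' (or '*.name' when wildcard=True)."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False  # critical flag on a tag we do not understand: must not issue
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        matches = [r for r in rrset if r.tag.lower() == tag]
        if matches:
            # an issuewild RRset, when present, fully overrides issue for wildcards
            return any(issuer_domain(r.value) == ca.lower() for r in matches)
    return True   # only iodef (or nothing restrictive) present: unrestricted
```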
And what if a CA fails to check CAA records? Revoke their status as an authority? By then attackers may have already obtained highly confidential information from DoD sites.
It is worth considering that some DoD systems only have whitelisted CAs installed to limit the ability for an adversary to MitM. For example, with a DoD laptop used in a foreign country, you don't want the foreign government to be able to issue a certificate for a DoD property using their CA (or pressure/steal a commercial CA's signing certificate).
and very disciplined about not using social media while working in the Senate!
It's literally the only agency listed with over 15 sites that is greater than 99% compliance.
Just this month alone I have been 'mandated' to sign multiple documents and complete on-line courses that I cannot access due to the Army making everything Microsoft-only compatible. So many sites are years old, still making ancient calls to Internet Explorer functions.
The simple act of fixing the certificate issues would eliminate half the frustration right now. The second thing they need to do is mandate that any site has to operate with all the major browsers, and not just ancient versions of IE.
In the UK, the Home Secretary (who really ought to know better) once memorably wittered on about "hashtags" (1). I suggest that Ron Wyden off of Oregon is either or both of well informed and knowledgeable in IT matters.
Here's a letter from him a year ago urging the importance of two-factor authentication.
Here are his words about the death of Aaron: https://en.wikisource.org/wiki/Senator_Wyden_Remarks_at_Aaro...
You can select 'nginx', then 'modern', and then 'apache' for a modern Apache configuration.
Are the 'modern' configs FIPS compliant?
What browsers/tools does requiring TLS 1.3 break?
Apache mod_nss and nginx support (DRAFT) TLS 1.3.
The changes to allowed ciphers in TLS 1.3 could be implemented by modifying webserver config (e.g. as produced by the aforementioned Mozilla config generator tool). IDK what versions of (unupgraded) browsers that would cut off.
Again, this would be awesome but as a DoD civilian employee...I don't see it happening in a good way
I don't understand how that crookedness happens. I don't think it was a crooked page placed into a typewriter, but I also can't explain why it would be printed, scanned at an angle, placed onto letterhead, and then published.
All that said - the senator seems reasonably well informed and is asking some good questions - even if his final suggestion for the US military to use Let's Encrypt made me cringe a little :)
My guess is someone then said "eh, good enough, I can't be bothered going to get more letterhead paper out of the box to feed into the bypass tray, then going to re-print the document from my computer", and took the letter to Senator Wyden for signature. He then signed, and the signed letter was scanned for preservation as a digital record.
That was not my intent at all. I use and love Let's Encrypt's service.
The comment was intended more around the fact that the US Military (and many large businesses) would never, and should never, rely on a free service like that.
Let's Encrypt is great, I love it, I'd personally use it for business - but if I'm that large, I'm going to need a support contract + binding SLA + etc. with every IT vendor - Let's Encrypt doesn't do these.
There aren't many US-based large CAs that would be in a position to offer the appropriate thing here, an API that all the DoD's disparate IT organisations can use to sort out certificates for outward-facing web sites, mail servers, etcetera. It would also be nice (for Congress in particular) for this not to add another budget line item.
It appears that IdenTrust (the small CA that cross-signed Let's Encrypt) used to provide services into the DoD, perhaps they still do, and doubtless they'd like a juicy DoD contract for more of that, but are they in a position to offer ACME (or a proprietary equivalent)? Do they handle the scale to just shove 50 000 DoD site certificates out the door like it's nothing (which Let's Encrypt absolutely could)?
Big Hitters in this space today are: Let's Encrypt, Comodo (British, not American), DigiCert (possibly an option), GoDaddy (surely not), GlobalSign (Belgian / Japanese). After that it's all small potatoes, and a five person company that issues less than a thousand certificates per week is not the right size for a DoD national contract.
Long term the US Government had expressed interest via 18F in actually running a "real" CA, to be limited (in clients like Firefox that know how) to the .gov TLD but you can imagine it's not hard to add .mil there. However 18F is not what it once was under Trump. This is not a good time to be in Washington if your goal isn't to stuff as much cash as possible into your underwear and then waddle off into the sunset, so I'd guess the CA plan is back-burnered and maybe dead for good.
In this case, the page was fed through the printer crooked.