Upvoted.
There need to be more infosec people. 80k is on the ball on this. If you train a large number of people and they’re well networked, you still get a lot of duds who don’t know critical basics, like how conversations near smartphones are compromised by default, but you also pump out top-performers, like the people who know that smartphone-free dark zones stick out like a sore thumb in 3D space. It’s the top-performers who can do things like weigh the costs and benefits of crowdsourcing strategies like a closed-off forum dedicated to biosecurity, since that cost-benefit analysis requires people who know critical details, like how everyone on such a forum would be using insecure operating systems, or how major militaries and intelligence agencies around the world can completely sign-change their evaluations/esteem of GOF research, at unpredictable times, and in contravention of previous agreements and norms (e.g. years-long periods of what appears to be consensus opposition to GOF research). I think that evaluation can be done; I’m currently leaning towards “no”, but I don’t have nearly enough on-the-ground exposure to the disruptions and opportunity costs caused by the current paradigm, so I can only weigh in.
Bringing more people in also introduces liabilities. The best advice I can think of is skilling existing people up, e.g. by having them read good books about counterintelligence and infosec (I currently don’t have good models for how to distinguish good books from bad books; you need to find people you trust who already know which is which). Actually, I think I might be able to confidently recommend the security mindset tag on LessWrong and the CFAR handbook; both of those should consistently allow more good work and broader perspectives to be handled by fewer people.
An infohazard manual seems like a great way to distill best practice and streamline the upskilling process for people, but there should be multiple different manuals depending on the roles. There should not be one single manual; Chris and Tessa’s manual is far from optimal upskilling (compared to distillations of the security mindset tag and the CFAR handbook alone). You can even have someone make updated versions and roles on the go (e.g. several times per year per reader). But one way or another, each should be distributed and read in printed form AND NOT digital form (even if that means a great waste of paper and ink and space).