February 28, 2008
As the GIO team attempts to parse the Security and Society focus area into ever more digestible chunks, we are learning that the need for security affects just about every single aspect of our lives. Some we think about often. Some we take for granted. And some only concern us when they hit the headlines. Like this story about securing our food and drug supply.
This particular story is about the production of an esoteric specialty drug called heparin, used as an anti-coagulant during surgical procedures. It’s made from the intestines of pigs, which are farmed throughout the world, by an endless network of micro-producers (otherwise known as independent farmers), none of whom are regulated, most of whom are not even registered with any government.
Because of a recent outbreak of severe reactions to the drug, food and drug regulators are busy trying to trace the supply chain backwards to discover where in the convoluted process a contaminant might have been introduced. The search has led them to China, where they have encountered the impossibly difficult task of investigating hundreds of mom-and-pop pig operations throughout the countryside.
The story is emblematic of how complex and unmanageable supply chains for all manner of products have become. No longer do we buy our goods from the local tradespeople. Rather, we buy our bananas from Costa Rica, our coffee from Africa, and our tangerines from Argentina. Pharmaceuticals are engineered using ingredients from multiple continents and dozens of suppliers. And manufactured goods can sometimes touch four different continents before they arrive at your door. The average consumer has no idea how many different parties contributed to the production of their consumables. And the further we get from the raw ingredients, the more variables get introduced along the way.
Trying to secure supply chains this complex is not for the faint of heart. An un-integrated mosaic of local regulatory bodies is, in theory, overseeing many of these processes. But in truth, there is simply not enough manpower in the world to effectively secure the billions of products on the move around the globe every day. And should it even be the government’s responsibility to police this commercial activity anyway?
Some might argue that shoddy business practices have their own consequences. And certainly companies that have been outed in the press for endangering consumers have been punished by the market before. But how many of them have gotten away with it?
This is going to be one of the toughest questions the GIO will put to its participants this year. Obviously, a market full of terrified consumers is not good for anyone. So can the private sector work more closely with government organizations to ensure the security of supply chains? The ultimate goal is a confident consumer that is willing to spend without trepidation. Because consumers shouldn’t be burdened with the task of discerning which products on the supermarket shelves could be harmful.
February 25, 2008
It seems like every day we dream up some new way to render ourselves vulnerable to attack, be it physical, digital, or financial. Most of it is in the name of convenience, progress, or self-expression. The world continues to open barriers of all kinds. National borders are quickly and easily crossed. Teenagers bare their souls (and much more) on social networking sites and blogs. It’s enough to make you ask: are we asking for it, or what?
Take the trend towards “cloud” computing. In our endless efforts to design smaller and lighter computing devices, we are forever blurring the distinction between your home PC and the Internet. It is about processing power that resides not in the palm of your hand, but rather on the network.
It’s nothing new. Computer companies have been talking about it for decades. And it has become a reality in many ways in just the last few years. Entire corporate applications no longer reside in a company’s data center. They live on the Internet, accessible with a minimum of effort, just a username and a password. That one day everything but the viewing screen and input device will live on the network is understood. It’s only a matter of time.
But this move to cloud computing cedes more control over the security of data to the companies that house that data. Today, we can protect our most valuable digital assets on a personal hard drive. Whether it is photographs, music, financial information, or just plain work data, each individual is responsible for the safety and privacy of the information that sits on their own C drive. It is distributed, and thereby less vulnerable to widespread, massive attacks.
The world of cloud computing complicates this simple truth, however. Increasingly we trust our data to data centers that we will never see in our lifetime. Already I have valuable data sitting in hard drives on four different continents. And this trend will only continue. And as that information becomes increasingly centralized, the possibility of a catastrophic security breach becomes greater. At some point, the losses would be so great that it would not be a corporate data loss crisis, but a national, or even global, security crisis.
It raises some very serious questions. For instance, should these private enterprises that house treasure troves of digital information be entitled to government protection? What recourse do private citizens have if a private enterprise, or government, were to fail to protect valuable data?
These are all questions we hope to address during our Security and Society Deep Dives. But your thoughts on these topics, and others, are welcome as always.
February 19, 2008
Compulsive Disclosure Disorder
Merriam-Webster defines privacy as “freedom from company, observation, or intrusion.” It defines security as “freedom from danger, fear, or anxiety.” And the focus of this GIO blog entry is the point at which the abuse of the former results in a breach of the latter.
When it comes to personal data, privacy and security are terms that are often used interchangeably. They shouldn’t be. Privacy is about being afforded the decision as to whether you want to make personal information public. It’s a philosophy, a lifestyle choice. On the other hand, security is about protecting that information from harmful agents. It’s about keeping it from the bad guys. It’s about keeping your money, and your person, safe and intact.
Privacy is about deciding which things about you are known. Security is about ensuring those things are not used to harm you.
Perhaps no company embodies this complicated relationship better than Facebook. The wildly popular social networking site is subscribed to by more than 64 million users. On each individual’s profile, you can learn, among other things, their birthday, location, full name, nicknames, friends’ names, spouse’s name, what they look like, what they listen to, what they watch on TV, what they had for dinner, and what they are doing this very second. And that’s just a small sampling of the personal data that is up for grabs on Facebook.com.
That so much personal information is readily available on Facebook.com is a clear indication of the state of privacy in the Internet era. Through online mechanisms, people are more comfortable sharing boatloads of information about themselves, and broadcasting it to anyone that might be stopping by. Sociologists might be led to speculate that society needed this kind of an outlet. We must have all been craving some more disclosure in our lives. The Internet just gave us the means.
The decision to share this information is strictly voluntary. No one forced Facebook members to share their private thoughts with the world. They chose to. But that is not to say that information won’t be used against them. And this is where privacy, or lack thereof, becomes an issue of security.
With a full name, birthday, and location of birth, identity thieves can find all the necessary information they would need to clean out a bank account or book a few dozen air fares on your credit card. And we’ve all seen the television news magazine pieces about online predators and the like.
The consequence of the world divulging information so readily is simple: it heightens the need for newer, more sophisticated types of security. In revealing so much information about ourselves, we are, in effect, rendering ourselves vulnerable to attack. In the physical world, it is the equivalent of walking through Times Square with a billboard detailing every aspect of our lives.
There is the sense that we have reached a point of no return. People may learn how to be smarter with their digital identities (a colleague just educated me on making my own Facebook profile less tempting to identity thieves… it started with removing my birth date and only allowing friends to view my profile). But to what extent people will stop sharing information that could be used against them is unknown. My guess is that they won’t. And that means that security against the bad guys is going to have to evolve as fast as the Web 2.0 craze itself.
February 12, 2008
Where Government Ends and Business Begins
Some breaking news here in the United States perfectly illustrates what is sure to be a hot topic of debate during the Global Innovation Outlook Deep Dives on Security and Society.
In this article in the New York Times, we see the result of three years’ worth of debate over whether the federal government should have the authority to eavesdrop on American phone calls without a warrant. The verdict: affirmative.
Three years ago there was a brief wave of moral outrage over the discovery that the National Security Agency had been working with the telephone companies to monitor overseas phone calls. The program was limited to eavesdropping on individuals who were suspected of having terrorist ties. But it circumvented a 30-year-old law in the United States called the Foreign Intelligence Surveillance Act, which was specifically enacted by the Supreme Court to prevent the abuse of government wiretapping. It uses a secret court to issue wiretapping warrants, and includes provisions that ensure the warrants adhere to the same rigors as any other warrant.
Today the Senate indicated that it would not only allow the federal government to continue these practices, but that it would grant immunity to the phone companies that cooperate.
This last bit brings into sharp relief the intersection of business and government against the backdrop of national security. There are, of course, private businesses that provide security-related products and services to the government. But there are also those businesses that, by the nature of what they do, handle sensitive data that is of great value to federal and local government security efforts. Communications companies, credit card companies, banks and lenders, rental car companies, money transfer services, airlines and transportation firms, internet service providers, even fertilizer companies. The list goes on.
Though these are all legitimate businesses, they are sometimes leveraged for nefarious purposes. And they will all have to decide some day, if they haven’t already, where the protection of their customers’ privacy ends and their cooperation with authorities begins.
But making that decision can get complicated fast. You may value the privacy of your customers, but maybe you work in a heavily regulated business that depends on expensive lobbying efforts in Washington D.C. Or maybe you’d be inclined to help the government’s cause, but haven’t considered the cost of lost business for not protecting customer data.
It is a critical issue, one with no easy answers. It is part government policy, part business policy (especially as more and more businesses use their privacy policies as a selling point). Your thoughts on this important discussion are welcome.
February 05, 2008
In researching the Security and Society focus area for the upcoming set of GIO deep dives, there has been a surprising amount of philosophical pondering among the team. On the surface, the topic seems rather uncomplicated. But upon closer inspection, myriad subtleties begin to present themselves.
For example, what does security really mean? Where does personal security end and national security begin? What’s the difference between security and safety?
All of these questions and more will be tackled by far greater minds than our own when the deep dives kick off in April. But in the meantime, there are lots of interesting angles to explore right here on the pages of the GIO blog.
One of those angles is surfacing right now in the Middle East. In just the past week, four undersea communications cables have been cut, disrupting internet service from Singapore to Bangalore, and throughout Egypt and the United Arab Emirates. The cause of the problem is still undetermined, but officials have already ruled out their first explanation: that wayward ships dropped anchor on the cables. With every passing day, sabotage seems more likely.
Whatever the ultimate cause for the disruptions, the phenomenon brings into focus the world’s sudden and nearly complete reliance on global communications, and how surprisingly fragile those communications are. Though telecommunications has been around since the early 1800s, it wasn’t until the advent of the Internet that the power of this medium took hold in a global sense. In a very short amount of time – less than 20 years – the world has grown fantastically interdependent, each region becoming increasingly affected by the actions of its global neighbors. As such, the number of so-called “points-of-failure” has increased exponentially, and our ability to police and secure those vulnerabilities, thereby protecting the critical channels of global commerce, has been greatly diminished.
It is also a stark reminder that no matter how digital we become, communications are still grounded in physical reality. Whether it is satellites, cell towers, or hard wires that run the length of the seas, we still live in a physical world. Damage to those physical structures can result in millions of dollars lost, and lives put in danger. We won't know for weeks how much India's outsourcing call centers have lost due to the service slowdowns of the past week.
One quote from the International Herald Tribune’s coverage of the cable cuts is particularly enlightening. Colonel R. S. Parihar, secretary of the Internet Service Providers Association of India, said “this has been a real eye-opener for us, and everyone in the telecom industry worldwide. Today the cause may have been an anchor, but what if it is sabotage tomorrow? These [cables] are owned by private operators, and there are no governments or armies protecting them.”
Parihar’s point is well taken. It is a classic question of whether the private sector has too much responsibility for the security of the Internet. And what role should government be playing?
The need for collaborative efforts between the government and the private sector in industries that have global security implications is nothing new. But because the Internet has evolved so rapidly, these relationships are immature at best, and in many cases non-existent. Perhaps getting the right players together through the GIO will help.