March 28, 2008
False Sense of Security
Earlier this week, a report began to circulate that confirmed what many had already suspected: less than one percent of commercial flights in the U.S. had a so-called “air marshal” aboard.
Air Marshals, or in-flight security guards, have been around for decades. But it wasn’t until September 11th, 2001, that the concept of air marshals really took hold. The story cites a number of anonymous sources, all claiming that the actual number of air marshals on U.S. flights is appallingly low. Add it to the steady stream of media stories that expose lax security at airports, train stations, and ports.
What’s more interesting than the story itself, however, is another issue it raises: the difference between perceived security and actual security. For centuries societies have known that the mere threat of security can be an effective deterrent to illegal activity. Empty police cars slow drivers down and remind them of the potential for getting a ticket. Defunct video cameras are often enough to ward off a would-be thief.
The same concept applies to transportation security. And the media plays an important role in supporting (or, in this case, sabotaging) the ruse. After 9/11, media stories were splashed across the front pages, detailing the elaborate (and expensive) new security measures that were theoretically being put into place around the world. These stories were willingly fed to the media, which dutifully played its part in letting any and all bad guys know they had better think twice about their line of work.
But the truth is that many of those security measures were merely red herrings, hyperbole designed to deter the bad guys, not catch them. If these agencies really wanted to catch the bad guys, why tell the press how they’re planning to do it? And it’s all fine and good until the press goes and peeks under the covers.
The really interesting thing about all this is that the perception of safety is at least as important as the reality, and in many cases, the two are indistinguishable. In this regard, security is a state of mind, and an important one. The perception of security keeps people going to work, shopping in the stores, and trusting their fellow man. Even if that sense of security is a false one.
March 21, 2008
The Politics of Security
In case you haven’t noticed, there is an historic presidential campaign underway in the United States. All the usual political issues are being debated (foreign policy, healthcare, the economy) as well as a few new ones (race, gender, and religion.) Well, now you can add security, privacy, and espionage to the list.
Yesterday we learned that three contractors from the U.S. State Department improperly reviewed the passport files of presidential candidates Barack Obama, Hillary Clinton and John McCain. Their motives are anyone’s guess, as is the information to which they were privy. And all politicking aside, there are number of security issues raised by this breach of privacy.
For example, officials were made aware of the breaches only after they had already taken place. And the breaches took place on three separate occasions, in January, February and March. The State Department says its security measures worked properly to alert officials the breaches. But it’s hard to imagine security measures that would allow three different breaches, each a month apart, to the same file. And State Department officials were notified of the latest breach only after a reporter called to question them about it.
This brings up two important aspects of security: 1.) what happens before an event, and 2.) what happens after.
Let’s take the first question. According to Jeff Jonas, Chief Scientist of Entity Analytics at IBM, “the world is a big competition, and when you’re competing, you want the best the best tools and the best data. But not only do you want the best data, but you want it first. We’re talking at the speed of light. You need to make sense of the data as it’s happening so you can respond at that moment.”
This, of course, is the concept of shrinking the amount of time between when a breach occurs and when it is first detected. Jonas believes that not only can that time be instantaneous, but through smarter application of data analytics, it can be eliminated entirely. Needless to say it’s complicated, and incredibly technical, but we’ll get more into that as the deep dives progress. Suffice to say that three breaches in three months is not quite fast enough.
The second issue is, in some ways, equally important. Security breaches will always happen. It’s part of life. But how a government, company, or individual, reacts to a security breach is absolutely critical. Speed is of obvious import, but so is communications. Both can make the difference between a security breach and a public scandal (and lawsuits.)
Life, in all its facets, continues to serve up interesting fodder for our discussions on Security and Society. Feel free to add your own!
March 11, 2008
Security and Society is admittedly a big topic, even for a GIO. So as a group, we have been struggling to whittle down the many moving parts of this focus area, so that we can have coherent and productive discussions. So far we’ve settled on a handful of sub-themes, such as the delicate relationship between security and privacy, or the impact of global interdependence on security.
All of this is part of a rigorous research process that includes soliciting input from dozens of experts, both inside and outside of IBM. But you never really know what you’ve got until you put it to the deep dive test. So we asked some of the best strategic thinkers in the world to hash it out for themselves, and give us a sneak peek of what this GIO is going to look like.
As part of a meeting of the Corporate Strategy Board, a membership group of leading senior strategy and corporate development executives from around the world, we ran a “mini” deep dive on Security and Society in Chicago last week.
We had CSB members representing a major investment bank, a technology producer, a consumer appliance maker, an insurance firm, a construction company, and others take a slice of time out of their normal CSB duties to run through the topic with us at warp speed. And we weren’t disappointed.
To keep things as wide open as possible, so as to surface whatever ideas first came into our participant’s minds, we opened up the discussion with this simple question: How do you see the biggest security challenges evolving over the next 3-5 years?
It didn’t take much prodding to get the conversation flowing. And given the level of insightful and articulate analysis among the group, it was clear that this was a subject that took up considerable real estate in the minds of these strategists. Here is a quick glimpse of the gems that surfaced in just 90 minutes of discussion:
• The cost to attack and disrupt is decreasing, while the cost to secure is increasing.
• Younger generations have poor judgment when it comes to exposing personal information, which could have implications over their lifetime. We’re in the equivalent of “free love” era for exposing information.
• Why doesn’t our increased ability to track and observe behavior make us more secure? (This is the debate over whether less privacy equals more security.)
• Those that live “off-the-grid” are the only ones that can limit their security exposure. How much would you pay to get your anonymity back?
• Most national defense organizations are using antiquated, Cold War ere technology. They need to be detecting threats from the “edges” and communicating that information back to central command.
• It is a false assumption that you can be safe, and the need to feel safe drives poor investment choices.
• Information technology, and the ability to work from anywhere in a knowledge economy, could have a profound effect on the populations of major urban areas, where security risks tend to run higher.
This is just a sampling of what came out of this lively, albeit brief, discussion on Security and Society. It shows a broad range of concerns, to be sure. But it also demonstrates some creative problem solving, some new perspectives on addressing security, and even some opportunity inherent in the challenges that face an insecure world. Most importantly, the Chicago mini-dive validates that the world is ready to apply fresh thinking to global security issues.
March 05, 2008
It’s an attention grabbing headline, to be sure: “Did iPods Cause a Crime Wave?” And while there may be evidence to suggest that the popularity of the diminutive music players has indeed resulted in an increase in theft, there is a far more interesting angle to the story.
In this article, The Urban Institute, a Washington think tank, posits that because iPods combine three elements present in most crimes, it is responsible for a spike in robberies in 2005 and 2006. The theory goes like this: when you put a motivated perpetrator together with easy prey and a high likelihood of not getting caught, voila, you get crime. In the case of the iPod, you have a compact, valuable, device that is easily resold; easy targets, with headphones sporting the iPod’s patented “mug-me” white; and virtually no security built into the device. And, the argument goes, that’s too tempting for many would-be criminals to resist.
The institute’s suggestion? Consumers should demand more security options in their digital devices. But it opens an interesting discussion. Who should be responsible for the security of products once they leave the shelves? And what level of responsibility do consumers themselves have for the securing their devices? You can almost see the lawsuit coming: Man Sues Apple After Getting Mugged: Claims the iPod Made Him A Target.
This, of course, is absurd. The most efficient way to find the right level of shared responsibility between producer and consumer is to let the market decide. If people grow tired of having their iPods stolen, perhaps they will stop buying iPods, which would force Apple to add security to the devices. But one of the beautiful things about the iPod is how easy and effortless it is to use. Anyone can learn the interface in minutes. And when you start adding security measures to an elegant device like that, it gets inconvenient.
Perhaps that’s the lesson in all of this. For some products and services, built-in security is necessary. For example, no one buys a car without locks. You wouldn’t even consider it. But for other products, security is downright inconvenient. I get frustrated when my bank asks me to change my online password too often. I know why they are doing it, but I’d be lying if I said I hadn’t thought about switching banks because of it.
Consumers want security, but they don’t want the hassle of it. They want it to be easy. And companies don’t want their products and services to earn a reputation of being easily stolen. So the interests are aligned. And the responsibility is shared.