April 29, 2008
During the Berlin deep dive, an idea surfaced that we hadn’t seen since the Media and Content focus area of 2007. It’s the idea that individuals should be able to control their personal information, the data that companies buy and sell thousands of times over in an effort to market to us more effectively.
Depending on the purpose, this data might include mailing address, email address, telephone numbers, age, sex, income level, employer, purchasing history, credit card number, social security number, bank accounts, etc. In other words, it’s pretty personal stuff…and valuable. When we discussed ownership of this data in the Media and Content deep dives, it was in the context of allowing individuals to better control what content and advertising they receive. One male participant lamented the fact that he frequently received discounts for feminine hygiene products.
But in Berlin, the discussion revolved around improving security by giving individuals more control of what information is released, to whom, and for how long. This, several participants reasoned, would reduce the risk of having that information stored ad infinitum on hard drives around the world. Because, as one diver put it, “electrons are very patient. Once it’s out there, it’s out there.”
Many agreed that in the Information Age, we have all gotten extraordinarily adept at putting our information out there. But we’ve no idea how to get it back. Or how to ensure its accuracy. Several participants suggested some kind of data retrieval service, through which you could reclaim information that was once yours to give. Perhaps the most compelling idea, however, was the suggestion that any time you enter your personal information into a database, you could assign an expiration date to it, ensuring that at a prescribed future date, that information would be destroyed.
These are all great ideas, but at some point the conversation became more about civil rights and less about security. By that I mean, does anyone think that giving the billions of individuals on the planet control over their personal information will make us collectively more secure? In fact, you could make a pretty compelling argument to the opposite effect; that individuals have proven themselves to be poor stewards of their own information, and that the continued popularity of phishing scams is exhibit A.
Of course, this doesn’t mean that we should all throw our hands up and resign ourselves to corporate ownership of all personal data. But it does mean that we need to be thoughtful about how we approach big issues like this. We have already discussed the strategy of pushing more of the responsibility for security to the edges of the network, i.e., individuals. But can we all really be trusted with that kind of responsibility? Isn't that why we outsourced security to government in the first place? Because, as one participant so eloquently put it, "the problem is humans." Therefore, if security is the end, is personal ownership of data the proper means? And if not, what is?
Once again, the GIO has succeeded in raising more questions than it answers.
April 16, 2008
It’s the Network, Stupid
There is a natural tendency for people, when looking for security solutions, to appeal to some higher authority. In many cultures, we’re accustomed to abdicating the bulk of the responsibility for our collective security to a number of organizations, such as the government, the military (often one and the same), local police forces, our parents, even corporate policy.
Considering how fundamental security is to the well-being of ourselves and our loved ones, it’s surprising how willing we are to give up control of it. Perhaps that’s why in our latest deep dive in Berlin, a new concept of security began to emerge, one that builds on some ideas that first bubbled up in Moscow.
In Russia, we called it a more “distributed” approach to security, one in which individuals, with proper incentive, take on an increasing share of responsibility. In Berlin, we called it “sustainable” security. Regardless of what you call it, it’s an idea that has legs. William Heath is the founder of an IT consultancy called Kable, and the brain behind the Ideal Government blog. He participated in our Berlin dive, and described sustainable security, as opposed to what he calls top-down “control-oriented” approaches, thusly:
The idea behind this is quite simple but very powerful. It is the concept of leveraging the power of a network. Just like with information technology, networks are pools of resources that, when connected, are much greater than the sum of their parts. Many people in the security game complain of the “multiplier effect,” the notion that bad guys take advantage of networks to cause damage disproportionate to their resources; viruses that are passed from computer to computer, terrorist cells that splinter and grow.
But a few people in the Berlin dive asked why the good guys have been so slow to leverage the same network effect. Why are we complaining about a lack of security resources when there are countless more good guys in the world than bad guys? Activate all those good guys on security’s behalf and, voila, resource problem solved.
“To fight a network, you need a network,” said Katharina von Knop, an adjunct professor of Terrorism and Security Studies at the George C. Marshall European Center for Security Studies.
It is true that as the many complex networks that make up our modern world continue to grow – think about commercial networks, technology networks, social networks – there will be more opportunity to exploit and attack them. One participant urged us to think about the deluge of new IP addresses that will be added to the Internet over the coming years, everything from your automobile tires to your refrigerator, and how each of those is open to attack.
But by the same token, those new nodes on the network have an ability to report back useful information on possible attacks, sensing threats earlier and taking steps to combat those threats. For example, one participant noted the immense security potential that wireless networks and devices afford us: localized, personalized security alerts; or using picture phones and text messaging as virtual sensors, picking up and reporting back data on potential threats to law enforcement.
Of course, all of this requires a certain level of autonomy at the edges of the network, be that a human being or a refrigerator. Personal responsibility, and collective responsibility, are concepts that will need to gain ground if this “sustainable” security is to work. You could argue, cynically, that humans are already the weakest link of the security chain (one participant said that the greatest point of vulnerability in Internet security lies between the seat and the keyboard.) But humans are also the key to security’s greatest potential. Technology and machines that provide security are amoral, and inherently open to both good and evil intent. But human beings, presumably, know the difference between right and wrong.
There is already some sharing of distributed and centralized security in most areas of life. Individuals buy and maintain anti-virus software (or at least some of us do), but also expect a certain level of security from our Internet service providers. Families lock their doors and install alarms in their homes, but also depend on local police forces and government to provide generally safe living conditions.
But the ratio of distributed vs. centralized security may have to change to really make a dent in this issue. And considering how security is a shared concern at all levels (personal, corporate, national, global), and our interests are pretty well aligned (we all want to live in secure environments safe from threats), my guess is that with some well-placed incentives, a lot of ground could be made up. For example, one participant suggested some kind of Cyber-Driver’s License, which would require netizens to pass a basic test before they could surf the web. Just like with real driver’s licenses, if you are reckless on the Web and put yourself and others in harm’s way, there are consequences (maybe your ISP charges more, or you get your license revoked.)
Whatever the incentives, the safer each of us is individually, the more secure the network is as a whole. That goes for thwarting Internet threats, detecting terrorist activity, or catching a petty thief. It’s the neighborhood watch approach, applied globally.
April 11, 2008
Power to the People
The 2008 Global Innovation Outlook kicked off in earnest yesterday, and in the shadow of Moscow’s magnificent Kremlin, participants began the long and difficult process of sorting out some of the biggest security challenges facing the world today.
The organizations represented at the table ranged from Aeroflot, Russia’s largest airline, to the Central Bank of Russia. Participants also came from throughout Europe for this dive, including Gas Natural (an energy producer in Spain), UniCredit (the Italian bank), and Synectics (a CCTV provider in the U.K.)
Given Russia’s unique and rapidly evolving economic and political position in the modern world, it seemed only appropriate to begin the deep dive with the obvious question: what will be Russia’s contribution to the future of global security?
Responses to this important question ran the gamut, thanks to the wide variety of disciplines represented at the dive. Here is a sampling of the answers, in no particular order:
• The Russian experience has been quite difficult, and we have learned to survive through communities of mutual support. We have learned how to produce security at the village level. And this is something we could share with the world.
• We have some of the best hackers in the world. They are extremely technologically advanced. Would it be possible to re-train them to use their skills to provide security rather than undermine it?
• In Russia, we have learned many lessons about privacy during the Soviet era. We have already lived in a society in which there was no privacy, and we can tell the rest of the world that it did not make us more secure.
• Russia’s oil and gas supplies are critical to the world’s energy supply. Perhaps the biggest contribution Russia could make is securing and stabilizing those supplies.
Needless to say, the Russian perspective on security is fascinating and instructive. When the group turned to more productive and less philosophical discussions, ideas began to emerge rapidly. A few participants latched onto the idea of building a “secure Internet,” one that wasn’t burdened by the anonymity and openness of the existing Internet.
“I race cars. And when I race cars, I’m thankful for having brakes, because they allow me to go fast,” said Paolo Campobasso, Chief Security Officer at UniCredit. “That’s what having security does for business. It allows it to move more quickly and efficiently.”
Interestingly, there seemed to be some disagreement over whether the openness of the Internet created more or less security. Some folks believe that transparency breeds more ethical behavior. Others think it gives the “bad guys too many places to hide.”
There were many worthwhile side discussions like this one, but one theme came up repeatedly throughout the dive. Standards and regulatory organizations were a common (and perhaps obvious) response to many of the security challenges posed at the dive. It is a natural human response to the daunting nature of the subject; looking for some governing body to impose order on what can sometimes feel like a chaotic security landscape.
It is true that standard definitions of legal behavior across national borders would certainly simplify the provision of security, especially in the Internet age, when criminals based in one country carry out crimes in another. Some participants went so far as to suggest the need for global ethical standards. But everyone in the room knew the feasibility factor for these top-down, regulation-based approaches was extremely low, not to mention expensive.
Everyone agreed that for broad security change to take place, it must happen at the behavioral level, because the weakest link in the security chain is man himself. And as one participant noted, “all the technology in the world won’t bring you more security. Just look at Iraq.” So the group set to figuring out how to effect behavioral change at the level of the individual in a practical and innovative way.
One suggestion was that victims of Internet attacks need to have countermeasures at their disposal. In other words, in the physical world, when your security is breached (a mugging, personal attack, car jacking etc.) there are a number of ways you can respond in kind (carry a gun, fight back, contact police or sue.) There are real consequences that prevent certain types of security threats (not always) in the physical world. But victims of Internet attack are often without any means of recourse, and the perpetrators often suffer no consequences. So ideas for how we could better arm well-meaning Internet users to carry a so-called “big stick,” would be welcome. Protecting yourself is one thing. Fighting back is another.
This is just one idea that represents an important step away from the traditionally heavy-handed, regulation-driven approaches to security, and moves toward a more distributed model. It could work at the community level, or even the individual level. Participants imagined a world in which people had incentives to take a more active role in the security of themselves and each other. The assumption, of course, is that there are more good guys in the world than bad guys, and through leveraging the collective strengths and aligned interests of those folks, the world could be a safer place.
Now all we have to do is figure out what those incentives might be.
April 09, 2008
When dealing with an issue as globally important but deeply personal as security, it helps to get as many perspectives as possible. Unfortunately, we’ve yet to find a meeting room big enough to accommodate all 6.6 billion people on the planet. So we’ve done the next best thing.
For the Security & Society focus area the GIO is hitting the streets, stopping passersby and asking them their views on security. We think the views of regular folks – people that don’t necessarily think about security issues for a living, but share our security needs nonetheless – will add a new perspective to the deep dive process. GIO deep dives typically feature a host of experts from across a wide range of disciplines, but they don’t include the views of the so-called “man on the street.” So without further ado, please watch the video we compiled on Security & Society:
As you can see, the average person thinks about security in many different ways. But they also think about it in some pretty sophisticated ways. We think it’s important to keep these perspectives in mind when we talk about security strategies at a global level. Because ultimately, if the security priorities we choose to pursue are not addressing human concerns at the individual level, they can’t possibly be considered effective.
Stay tuned for results from the Moscow dive, which is less than 24 hours away.