April 11, 2008
Power to the People
The 2008 Global Innovation Outlook kicked off in earnest yesterday, and in the shadow of Moscow’s magnificent Kremlin, participants began the long and difficult process of sorting out some of the biggest security challenges facing the world today.
The organizations represented at the table ranged from Aeroflot, Russia’s largest airline, to the Central Bank of Russia. Participants also came from throughout Europe for this dive, including Gas Natural (an energy producer in Spain), UniCredit (the Italian bank), and Synectics (a CCTV provider in the U.K.).
Given Russia’s unique and rapidly evolving economic and political position in the modern world, it seemed only appropriate to begin the deep dive with the obvious question: what will be Russia’s contribution to the future of global security?
Responses to this important question ran the gamut, thanks to the wide variety of disciplines represented at the dive. Here is a sampling of the answers, in no particular order:
• The Russian experience has been quite difficult, and we have learned to survive through communities of mutual support. We have learned how to produce security at the village level. And this is something we could share with the world.
• We have some of the best hackers in the world. They are extremely technologically advanced. Would it be possible to re-train them to use their skills to provide security rather than undermine it?
• In Russia, we have learned many lessons about privacy during the Soviet era. We have already lived in a society in which there was no privacy, and we can tell the rest of the world that it did not make us more secure.
• Russia’s oil and gas supplies are critical to the world’s energy supply. Perhaps the biggest contribution Russia could make is securing and stabilizing those supplies.
Needless to say, the Russian perspective on security is fascinating and instructive. When the group turned to more productive and less philosophical discussions, ideas began to emerge rapidly. A few participants latched onto the idea of building a “secure Internet,” one that wasn’t burdened by the anonymity and openness of the existing Internet.
“I race cars. And when I race cars, I’m thankful for having brakes, because they allow me to go fast,” said Paolo Campobasso, Chief Security Officer at UniCredit. “That’s what having security does for business. It allows it to move more quickly and efficiently.”
Interestingly, there seemed to be some disagreement over whether the openness of the Internet created more or less security. Some folks believe that transparency breeds more ethical behavior. Others think it gives the “bad guys too many places to hide.”
There were many worthwhile side discussions like this one, but one theme came up repeatedly throughout the dive. Standards and regulatory organizations were a common (and perhaps obvious) response to many of the security challenges posed at the dive. It is a natural human response to the daunting nature of the subject: looking for some governing body to impose order on what can sometimes feel like a chaotic security landscape.
It is true that standard definitions of legal behavior across national borders would certainly simplify the provision of security, especially in the Internet age, when criminals based in one country carry out crimes in another. Some participants went so far as to suggest the need for global ethical standards. But everyone in the room knew the feasibility factor for these top-down, regulation-based approaches was extremely low, not to mention expensive.
Everyone agreed that for broad security change to take place, it must happen at the behavioral level, because the weakest link in the security chain is man himself. And as one participant noted, “all the technology in the world won’t bring you more security. Just look at Iraq.” So the group set to figuring out how to effect behavioral change at the level of the individual in a practical and innovative way.
One suggestion was that victims of Internet attacks need to have countermeasures at their disposal. In other words, in the physical world, when your security is breached (a mugging, personal attack, carjacking, etc.) there are a number of ways you can respond in kind (carry a gun, fight back, contact police or sue). There are real consequences that prevent certain types of security threats (not always) in the physical world. But victims of Internet attack are often without any means of recourse, and the perpetrators often suffer no consequences. So ideas for how we could better arm well-meaning Internet users to carry a so-called “big stick” would be welcome. Protecting yourself is one thing. Fighting back is another.
This is just one idea that represents an important step away from the traditionally heavy-handed, regulation-driven approaches to security, and moves toward a more distributed model. It could work at the community level, or even the individual level. Participants imagined a world in which people had incentives to take a more active role in the security of themselves and each other. The assumption, of course, is that there are more good guys in the world than bad guys, and through leveraging the collective strengths and aligned interests of those folks, the world could be a safer place.
Now all we have to do is figure out what those incentives might be.
“In Russia, we have learned many lessons about privacy during the Soviet era. We have already lived in a society in which there was no privacy, and we can tell the rest of the world that it did not make us more secure.”
Well, indeed. How can firms like IBM and Microsoft, which offer powerful privacy enhancing technologies, persuade government clients that people need to be safe online? We need a safe internet, and we need minimal disclosure of our personal details. The supply side has some interesting offerings. But where is the demand?
Posted by: William | Apr 12, 2008 1:27:19 PM
It's a great point, William. And getting people to accept security solutions like that could have its own challenges. Is there a demand for these services at the individual level?
Posted by: Dan Briody | Apr 14, 2008 1:36:02 AM
One aspect of Security not discussed here yet is the need for Validation or Certification of Security in various products. For Software there is a 'Common Criteria' certification methodology that is recognized internationally, however, not yet accepted in Russia. The need to have a country specific certification or accreditation is certainly an expense to do business and an inhibitor to more smoothly moving high quality, secure products into the Russian economy.
Is it possible to reach some balance between the strength of security needed in Russia and the internationally recognized common denominator of Common Criteria certifications?
Posted by: Bill Penny | Apr 14, 2008 7:15:18 AM
You raise an interesting question here. Individuals know of identification and security structures, and firewalls as they pertain to networks, in their commercial and national security applications. Individual computer firewalls and anti-virus software aside, I am not sure there is a public sector equivalent to the restricted large-scale network.
The problem becomes how to determine potential demand for things that don't currently exist. Would people be interested in sacrificing some privacy to participate in voluntary identification programs, or non-profit certification societies, if it protected them from predators in certain on-line environments? Would people be interested in a restricted cyber-subspace for financial institutions if it meant they needn't worry about phishing scams when they were doing their banking?
My great concern is that online security problems will grow until they become large scale national, and international political issues. This could set the stage for poorly thought out efforts, myopic laws and restrictions, practically unenforceable codes that cause more harm than good. Most importantly, I fear that many decision makers will conclude that the place to start in efforts to secure the internet is between users' network cards, and the cable outlets and WiFi antennas of this world. This simplistic approach, that problems could be solved if certain types of people weren't allowed to go on-line, is precisely the -wrong- place to start!
Posted by: Tim R. | Apr 20, 2008 12:14:47 PM
As an additional note - The US is seeing its first large volley of industry-government efforts regarding social networking and predators.
It is being called a watershed - The word that comes to my mind is placebo.
Posted by: Tim R. | May 8, 2008 12:08:48 PM