May 22, 2008
The Internet Immune System
Metaphors can be useful constructs. When employed properly, they can help us understand something that is complex and confounding by comparing it to something analogous and familiar. In the Taipei deep dive on Security and Society, we tapped into the immune system metaphor, diligently comparing Internet security to the security systems that govern the human body. And the exercise helped us identify some undeniable weaknesses in the world of digital security.
We spent most of our time in Taipei talking about digital security (though we did touch on the intersection of digital and physical security…more on that later). And the immune system analogy is certainly not a new one. After all, we call malicious code “viruses.” Computers get “infected” and need to be “quarantined.” So when participants began comparing network security to the SARS outbreak that hit this area hard 5 years ago, it wasn’t all that surprising.
But what was surprising was how the conversation illuminated some of the gaps in today’s digital security, and how we might take a lesson from the marvelous human immune system. For example, our immune system is not overly concerned with preventing viruses from entering the body. It is concerned, however, with controlling, containing, and assimilating the virus as quickly as possible once it is discovered. One participant called it “an ecological view of security, rather than an absolute view.” By that he meant that we should focus on maintaining the overall health of the body and keeping the immune system strong, rather than tilting at windmills by trying to prevent any and all attacks.
The “body” in this case could be seen as an individual computer system, or the entire network. And the concept is that by allowing a steady series of small attacks on different parts of the system, we gradually strengthen the overall network. It’s not unlike biological evolution, and you could argue that we are in the midst of an accelerated version of digital Darwinism as we speak.
Another area in which the immune system analogy worked was that of detection and response. When the human body is infected, there are a series of universally recognized signs: fever, cough, sneezing, fatigue, nausea. These symptoms alert us that our immune system has been engaged, and we know to get extra rest, avoid other humans, or go to a doctor. But in the Internet world, victims rarely even know they’ve been victimized. Data gets stolen, PCs are compromised, and credit card numbers are bought and sold, but most people are lucky if they ever find out, let alone with an early warning. The symptoms are subtle, and sometimes undetectable.
If you are one of the lucky ones (and I say that with tongue firmly in cheek), and you are somehow made aware you’ve been victimized online, then what? The human body kicks an elaborate defense system into gear. A virus is reported to the authorities (the immune system) and then immediately acted upon. But where is the analog in the digital world? If you bring your PC to the police station, and file a report that says “someone has accessed my system illegally,” they would probably laugh you out of the station. But why? Who are the authorities on digital crime? And why shouldn’t there be an enforcement body that is as powerful as cops walking the neighborhood beat?
“We really need to work on systems that can alert someone when they have been victimized,” said Rama Subramaniam of Valiant Technologies, a digital forensics company based in Chennai. “The police also need to take on a role so that these crimes can be properly investigated and prosecuted.” This sentiment mirrored the thoughts of Tokyo’s participants: that legislation around digital crime is severely lacking.
It also shed light on the fact that the worlds of digital and physical security are not all that different, but for some reason remain separate. Crimes that take place online have very real consequences in the physical world. Which raises the question of why the same law enforcement agencies that police the physical world should not also be policing the digital world.
We ran this immune system metaphor into the ground before it was all over, but that’s not to say that it wasn’t useful. For instance, one participant noted that right now we have a hodgepodge of security systems for the various constituents on the network. Each has wildly varying levels of quality and effectiveness (not to mention cost). But there is no international immune system, no security system that is looking after the overall health of the network as a whole. And that could cost us all dearly some day.
May 17, 2008
The Global Village
It is often said that in Japan, safety and water are always free. But after our third deep dive on the Security & Society focus area, held here in Tokyo, the feeling around the room was that only the latter remains true today.
Of course, Japan is still one of the safest countries in the world. But many of the Japanese participants in this session expressed grave concern that in today’s rapidly globalizing world, the approaches that facilitated this secure environment in the past -- common social values, community-oriented security -- were impossible to maintain. And that sentiment fueled a compelling, productive day of conversation around the respective roles of community and government in providing security.
The group actually came from all around the Asia-Pacific region. Aside from the Japanese participants -- who included representatives from Toyota, Nissan, Bank of Tokyo, Chuo University, and the Ministry of Internal Affairs and Communications -- there was a venture capitalist from Australia, a security expert from Visa based in Singapore, and an innovation consultant from Malaysia. And each brought with them a unique perspective on what government can and cannot provide when it comes to security.
One of the basic functions of government is to provide a safe and secure living environment for its people. Some do this better than others. Some do it by building and maintaining strong law enforcement agencies. Others by cultivating common values and a culture of security. But the participants in this dive seemed to feel that the changing threat landscape was getting the best of many governments.
In particular, the legislative and penal systems that address digital crimes are dangerously immature. “When it comes to security and crime, there are two major disincentives,” said Dr. Lynn Batten, a Professor of Science and Technology at Deakin University in Melbourne. “First, there are the protection systems, like the vault at the bank. The second is the judicial system, which says if you get caught, you will be put in jail or worse. But as we move into the digital Internet age, that second component has been very weak. Businesses have been challenged to come up with great security technologies, but where is the government analog? Some of these cyber crime cases are entirely dependent on expert witnesses because no one else knows about this stuff. And many of these cases take place across national borders, which highlights the many problems with international law.”
Earlier in this GIO focus area, we talked about the role of incentives in providing security. But equally important, as Dr. Batten points out, is the need for effective disincentives. There was also a prescient warning from one participant against relying too much on government to provide security, because, among other things, the government will often turn to industry to aid in the cause, sometimes inappropriately.
For example, purchasing the book Mein Kampf, Adolf Hitler’s autobiographical account of his political ideology, is illegal in Germany. But should merchants, Internet service providers, and payment system vendors be responsible for reporting online purchases of this book from inside of Germany? There are countless examples like this, where industry has access to information that would be helpful to governments endeavoring to secure their nations. The question is to what extent these businesses should cooperate.
“Government is probably the least capable organization in terms of dealing with modern security threats,” said Hamzah Kassim, the Chief Executive Officer of The IA Group, a consultancy based in Kuala Lumpur. “In the future, it will be communities that are more powerful in this regard.”
This idea of community-based security is not dissimilar to the discussions we had in Moscow and Berlin. We all know what this means in the analog world: because there is transparency in a community, i.e. we all know each other and what we look like, there is a collective set of values that guides good behavior. And those that eschew that behavior are ostracized. But what does that look like in the digital world, where anonymity is a fundamental part of the experience? Is there a digital scarlet letter that could follow a user from place to place? Is there a cyber code of ethics that will someday emerge?
In some smaller online communities, there is some effective self-policing that takes place. Second Life, World of Warcraft, and Wikipedia all demonstrate the power of collective self-management. But the Internet allows a single person to assume many identities, rendering traditional community-based policing useless, or at best temporary. Also, as Hiroshi Maruyama, the Director of the Tokyo Research Lab for IBM, said, “Can you trust the wisdom of a community? Or are they just a mob?”
There was a lot more that came out of this deep dive, including a fascinating conversation about the potential of mobile technology, and some important discussion on the tradeoffs between security and privacy (including some very cool biometric solutions from here in Japan). More on that later. And stay tuned for the results from the Taipei dive next week.
May 08, 2008
Late in the day at the Berlin deep dive, we let participants choose a topic that they would like to discuss. The group chose Mobile Security, which is a fascinating, but at times confounding, subject. Here’s what happened:
At first, the group struggled mightily with the topic. As often happens, many of the participants bemoaned the current state of mobile security. There were comments about how terrorists use mobile phones to set off bombs and coordinate movements. There was some fear around sending sensitive information over the airwaves (despite the fact that sending information wirelessly is no more or less secure than sending it over wires.) And there were many that talked of how easy it is to steal mobile phones and the information on them.
It went on like this for a while until Marshall Behling, director of business development and strategy at Verisign, a GIO partner, put an end to that talk by simply saying: “Every new technology has the inherent ability to be used for good or evil.” Well said. Now let’s get on with it.
What came next was a far more thoughtful, progressive conversation that yielded some interesting ideas about how we can use mobile technology to our collective advantage. First, we started thinking about the uniqueness of mobile devices. What is it about them that we could leverage for better security? They are pervasive (nearly everyone’s got one, some people have two); they’re personal (we carry them in our pockets, and this is a hugely important characteristic); they are increasingly powerful and functional (phone, camera, email, video, web); and they will soon have blazing fast connections to the Internet (WiFi, WiMax, 4G).
With this arsenal at our disposal, we began to discuss the potential of all kinds of security applications. For example, you could issue localized security alerts that could be sent to all the mobiles in a given area. If there were a terrorist threat, a warning and a short set of instructions could be sent out, potentially saving lives. On the flip side, concerned citizens could send security alerts to law enforcement, even snap photos or stream audio and video of an event in progress. Some of this is already being done, though it’s not as organized or sophisticated as it needs to be.
Time constraints prevented us from doing much more than scratch the surface on this front, but you get the idea. When you combine a powerful, networked technology with the notion of personal responsibility (see last entry) you get some pretty compelling possibilities. We’re looking forward to exploring these ideas in our upcoming dives in Tokyo and Taipei, where the technology is highly advanced. Check back next week for a look at the results of the Tokyo dive.