Contributing to the cyber security conversation

Business, Canada, IT Security, politics
Oct 16, 2016

My firm, Institute X, responded and provided a paper to the Canadian Government’s Consultation on Cyber Security. It’s a considered white paper that assumes government should do what it’s supposed to do (public safety and security; and support Canadian industry). We suggest that an “unreasonably” high standard for cyber security and directed support toward the Canadian cyber security industry (e.g., national security-protected procurement) will benefit Canada on multiple fronts.

Download it here: institute-x-cyber-security-consultation-submission-oct-2016.

The unbearable lightness of being… Snowden

Sep 30, 2014

I read the news today (well, on the weekend, actually), oh boy. It seems that the Internet is coming under attack in the East. It made me wonder about the poster child for Internet utopianism: Mr. Snowden, in his lavish or maybe squalid Moscow apartment.

China has, of course, been a strong “administrator” of the Chinese Internet for a long time now. Everyone there and here expects the regime to nose in on and strong-arm service providers, search engines, portals, and users in their age-old quest to control everything about that society. But we all had such high hopes for Russia after the fall of the Wall in ’89. Democracy and capitalism would roll through the former Soviet Union like a Siberia-bound train. It seemed to start pretty well, and then members of the billionaire oligarchy ended up in jail, their assets nationalized. Punk rock girls went to jail. People disappeared. The president, despite following constitutional rules, slowly and steadily became an imperial government of one. Flash forward and the old bear is annexing Ukrainian sovereign territory and fomenting insurrection with some soldiers that they lent to (or “allowed” to go fight with) rebels in eastern Ukraine.

During this period, as everyone knows, Edward Velcro-hands absconded with classified secrets of the US and other governments, secured while he was a trusted contractor to the National Security Agency. Instantaneously, in the heady days of Wikileaks and Julian Assange’s 15 minutes of fame, Snowden became a hero to patriotic freedom lovers the world over, not least within the civil rights and other such communities in the US. So roundly loved and lauded was he, that he immediately fled the country first for Hong Kong and then for the loving embrace of Mother Russia. This, of course, so that he would not be tried as a thief and traitor.

The secrets about “Five Eyes” and US/other government surveillance of its own citizens showed clearly that the Western governments about whom he had discomforting information to reveal were not doing very good things–to their own citizens. To make a long story short, the whole episode and Snowden himself always speaking from Russia via video catalyzed and crystalized popular awareness of the dangers of the Internet. That is, it revealed that the Internet is not a utopian garden where there is peace, love, and understanding (except for the Nigerian scammers…), somehow removed from the rest of the world. It also showed that governments were bringing the rest of the world–all that bad stuff–to this electronic Eden.

What was revealed but did not obviously trouble those who were troubled by the trouble that Snowden found himself in was, in fact, that the world is a nasty place. The kind of ugliness that we see on television drama and in movies actually happens someplace in the murkiness of the shadows and behind closed doors. Moreover, it happens because while civil rights and protection from government encroachment on one’s privacy, to pick a popular theme in this situation, are important, national security might trump them. That is, it’s a judgment call: your privacy or your safety? It is arguable that we elect our governments to fall on the side of our safety when things get rough. But that is not the point here.

What Western governments were exposed as doing was in and of itself bad. But what Snowden exposed was tactical information that eliminated any kind of advantage in a bigger forum–like international affairs. In any case, the point is that although he is a wanted man, he is alive. He propagated navel gazing and pontificating about these subjects to the point that one has to wonder whether the safety issue has been sufficiently, artificially, and probably disastrously poisoned. But that’s enough back story and evangelizing.

Why I thought about Snowden this weekend is because of the laws that Tsar Putin is intending to have enacted. Specifically, Putin intends to extend the state’s right to control the Internet in Russia. The details can be found elsewhere, but the broad strokes are that any individual with a blog read by more than 2000 people will be considered a media outlet and subject to the laws governing media organizations. Portals, search engines, and other service providers online must operate specifically off of servers located in Russia which would be firewalled at the Russian border AND fully subject to the state having unfettered access to all logs and records. There’s more.

About Edward Zhivago, I wonder if he’s at all disheartened by this turn of events? It’s not like he can complain much about it. Perhaps he’s morally OK with the situation because the Russian snooping and surveillance would follow the rule of law, such as it is? Let’s admire the fact that Putin has no intent of spying on his people from the shadows: he’s fully up front about it. In any case, I prophesy that if he is as smart as alleged, he won’t be making any video appearances at SXSW castigating this unfortunate imposition on the privacy, rights, and freedoms of Russian Internet users. Or, if he does, it will only happen once.

Personal Information as Money

ethics, IT Security, Privacy
Aug 19, 2014

I’m a fan of bit torrents. To be clear, I rent movies legally; I do not “share.” Still, bit torrents fascinate me because the peer-to-peer system represents thinking for what could be the next great leap in online privacy protection.
The obvious problem with privacy (online) shows up in one of two types of news items. One: a breach of data on some organization’s servers or lost off someone’s USB drive puts thousands or perhaps millions of people’s private information into the hands of unauthorized and probably unsavoury characters. Two: an organization that has amassed privileged, personal information about customers or citizens for some purpose shows its industriousness and uses its “intelligence” to draw undesired conclusions about and harass those same people. In either case, when such a situation is exposed, people feel justifiably violated… even if there is no real harm done.
As I say, these are obvious challenges to privacy. They are not, however, the real issue. Privacy breaches are a symptom and proxy complaint. What’s happening in both circumstances is a breach of trust. In the first case by criminals (or the government) who have larcenously acquired private property (your information), and in the latter by an institution that said “trust us with your important information,” then misused it without your understanding or approval. Blame gets properly directed toward those that have let us down.
Funny that we don’t turn that blame inward. After all, the root of the problem is that we have trusted some organization to keep safe and use only as prescribed something of value to us: our most personal information. At least that’s what we say while we’re railing on about its loss or misuse. But we did let go of that information in the first place, likely without appreciating the potential impact. And probably for not even fifty pieces of silver. So the real problem is that we have ignorantly given up what is dearest to us to somebody else’s keeping. Worse, we gave it to someone or something that is acquiring similarly valuable information from many others and keeping the whole lot in a single place. That creates a treasure trove of value for a thief and a wicked temptation to any other amoral entity.
Is it really any wonder not that there are privacy breaches at all but rather that there aren’t more?
Whether you are reading this as an individual whose information is so entrusted or as an organizational leader in possession of that information, perhaps you’re thinking about information wrong. Chances are that you imagine all this personal information is ones and zeros. Less of a nerd, perhaps in your imagination it is benign sets of discrete data. In any case, “information” is almost certainly an abstraction. Even when rendered as reams of paper (Who else does that anymore?) it has no substance. That makes it very easy to minimize and marginalize.
Try a little thought experiment with me. Contrast and then equate this personal data with cash. Yes, now your (customers’) information is money! Now it has meaning and substance. Doesn’t that change things a bit?
If it’s your information/cash, don’t you take more care with it? Won’t you be a bit more circumspect about where you pull it out, where you put it, and with whom you entrust it—and why? The problem with information (and where this metaphor breaks down, actually) is that it is not a diminishing asset: when you give it up, you still have it. So, perceptually, there is no fine point on losing possession of it.
On the other hand, if you are entrusted with money (information), you now have a fiduciary responsibility for it. Financial institutions (except certain S+Ls, derivatives houses, and mortgage lenders) tend to take their responsibility for their customers’ money seriously. To start with, their customers take it seriously. Then, of course, so does society in the form of strict regulations and governance.
Moral, legal, and economic incentives seem to have the necessary impact. So you don’t often hear about frivolous or cavalier disregard for how a financial institution tends to and uses its customers’ money. And, we don’t hear about too many thefts arising from the interception of bits and bytes that represent real money. When there is such a theft, there are again many incentives to pursue and recover the money, and prejudicially prosecute the crime.
Only a fool expects complete safety, and everyone wants some control and means to exert control to get (what’s left of) their money back from those to whom they have entrusted it. The entire system of “tangible” fiat money makes everyone care more about the exchange.
We could do a lot worse than think about our allegedly valuable personal information with the same concern that we give dirty old cash.