The Unites States, the world’s most connected nation, and the rest of the world will face a deficit of 1.5 million cyber professionals over the nextfive years whose jobs are essential to protecting critical networks and securing personal information. Fortunately, this crisis also presents a significant opportunity.
Cybersecurity Recommendations Senator Sheldon Whitehouse (D-RI) and Representative Michael McCaul (R-TX) announced they would be introducing legislation that would consolidate federal cybersecurity operations into a single agency under the Department of Homeland Security. Representative McCaul, chair of the House Homeland Security Committee, said the bill would be one of the first pieces of legislation generated by his committee in the 115th Congress. The announcement came during a news conference in which the two lawmakers outlined the recommendations of the Cyber Policy Task Force they co-chaired at the Center for Strategic and International Studies in Washington. They were joined by a number of cybersecurity experts who worked on the task force’s recommendations, including Nico Sell of 533DZ Foundation.
Nico Sell, Founder of 533DZ Foundation and a World Economic Forum Tech Entrepreneur & Anja Kaspersen, Head of International Security, World Economic Forum
First published by The Hill on July 12, 2016
At a time of the global information security crisis, we often hear that in order to achieve stronger security against emerging threats, including terrorism and cyber attacks, we must accept less privacy. This should apply to our communications, financial transactions, and all other internet-powered activities. Many simply assume that more visibility and state control automatically translate into more safety.
Coming at it with different sets of expertise and experiences, we argue against this alleged conflict between privacy and security. And here is why.
For centuries, only a handful of states have had the resources to wreak havoc on a massive scale. Today, technology is rapidly democratizing this destructive capability. Remote cyber attacks can now target any world region, disrupting or destroying digital assets – valuable information networks and physical objects – dams, power plants, and other industrial facilities.
International criminal groups run the bot armies of billions of puppet computers, which belong to unknowing victims around the world, to attack corporate systems. The attribution is clearly no easy tasks when cyber vulnerabilities are involved, thus traditional state-level deterrence strategies often prove futile.
In this complex and rapidly changing security environment, many domestic and international policy-makers appear to believe that the only “defense” to counter these emerging threats is the increased control over population. In their view, the premise seems straightforward – if individuals with destructive intent are able to communicate with complete privacy, it will have a negative impact on the law enforcement’s ability to uncover wrongdoings.
Hence, the security vs. privacy narrative equates privacy with potential for criminality, and security with government access to citizens’ data.
As a result, to keep the public safe, governments scale up the surveillance techniques historically relied upon to enforce security policy. With expanding connectivity, there is no longer the time-consuming need to bug phone lines individually and have human agents read the intercepted conversations. Instead, communications can be hoovered up en masse and analyzed to search the haystack of data for patterns and anomalies that might indicate potential threats.
The key question is whether these policies are effective in reaching their stated goals in a new increasingly decentralized cyber reality?
Recent world events cast some doubt on the effectiveness of this approach. In the aftermath of the Brussels and Paris terrorist attacks, we have learned that the problem has not been the lack of information, but rather ineffective data analysis and failed international cooperation in sharing intelligence in a timely fashion. When the haystack becomes so large, the chances are authorities may miss crucial intelligence.
However, even if data analytics and intelligence sharing mechanisms could be improved, the existence of mass data collection and the ongoing push for encryption backdoors imply that it is technically possible to exploit global networks en masse without creating the attack entry points accessible to others – criminals or foreign intelligence.
Today, the increasing connectivity, advancing technology, and a proliferation of internet-powered devices make it impossible to isolate backdoors to be only useful to particular governments and their needs for investigative powers. At a time when the record numbers of high-impact data breaches are reported almost daily, any and all vulnerabilities are indeed open for exploitation to anyone who can find them – be it in consumer applications, critical infrastructure, or government networks.
With the Web being a global ecosystem, we can no longer segregate it to weaken security for only bad actors, whose possible criminal activities may pose risks to national security. Injecting vulnerabilities in commonly used protocols or services indiscriminately affects the security of everyone using these technologies.
In addition, we are not guaranteed that bad actors will not create their own encryption tools or use stronger security offered by foreign companies. According to a recent global survey of encryption products, only one third of these tools are produced in the US while two thirds are developed elsewhere, with Germany, UK, Canada, France and Sweden being the top generators of crypto tech. The report also found that 44% of over 860 encryption products available are free, and 34% are open source.
In this complex technological environment, citizens, government systems, corporations, and critical infrastructure facilities are increasingly connected and everyone’s security is dependent on the same protocols and hardware while bad actors can still access strong encryption to secure their data. Thus, compromising the integrity of global networks appears unlikely to result in much gain in intelligence capabilities. Hence, the net outcome likely becomes less security and less privacy for all.
Interestingly, the existing mass data collection programs across the world have been long surrounded by secrecy regarding their very existence and the governments’ capabilities to infiltrate information networks. Such secrecy, aside from the public perception that it is undermining the social contract at the core of democratic governance, also puts national governments at a disadvantage by limiting the critical input they may receive from their citizenry in an effort to strengthen national security.
Considering a rise of cyber threats and a dire state of security in most technologies – consumer, enterprise or industrial, and the fact that 85% of all critical infrastructure is privately owned, it appears short-sighted to not actively engage the expert community and a broader public from contributing to this critical conversation. Information security and technology experts may offer valuable insights into the latest research and innovation occurring in the private sector, which can significantly influence the effectiveness of government data collection and defense strategies.
As technology redefines security, who can credibly provide it, and where the cyber attacks might be coming from, there is an urgent need to redefine a new social contract for the cyber age to ensure the sustainability of an increasingly connected global economy and reducing risks to the critical infrastructure.
While it would be unrealistic to expect no state secrecy regarding intelligence activities, the important question to think through is how to ensure that effective safeguards are in place to protect against potential abuse from all parties – government and corporate actors. This requires an agile and fit-for-purpose oversight regime so it is conducted in a most responsible and secure fashion minimizing the probability of citizens’ personal data being misused or compromised.
It is clearly time to broaden the dialogue to engage all stakeholders to think through these complex technological and policy issues, including the private industry that may often be overly focused on indiscriminate collection and infinite storage of consumer data.
There are no easy answers or solutions but one thing is sure: by creating a false tension between privacy and security, the issues that are far more pressing to the safety of global communications and information networks are not being addressed. Collecting more data does not guarantee intelligence efficacy. Surveillance and other intelligence mechanisms can play a legitimate role in curbing malicious behavior online of offline, but these powers should be used sparingly and strategically.
There is a need for greater literacy about security policies’ impact, consolidating and strengthening of the norms around the collection and use of data and a more inclusive dialogue on how to address shared vulnerabilities in a new increasingly decentralized world.
Cyber security is a massive challenge affecting everyone – start-ups, government, corporate systems and consumers, costing the global economy billions of dollars annually. Ironically, the one solution we are seriously considering – mandating encryption backdoors – will undermine the integrity of our networks, as confirmed by information security experts and the government’s own defense and intelligence officials.
For the tech industry to become more effective in making its case for strong security to the public and US policy-makers, we all need to understand and rebut two critical misconceptions currently dominating the policy debate.
“Going Dark” or Blinded by Too Much Data?
The key assumption is that law enforcement does not have enough data to combat crime and must therefore boost its capability to intercept and decrypt web communications. Let’s look into what data the government already has access to and whether it is being utilized effectively.
The majority of global networks – including Facebook, Google, Twitter, and Skype – operate with full visibility into user accounts and often their activities, rendering this data available to law enforcement with a warrant request. That includes metadata, a rich unencrypted layer in our expanding profiles – who we talk to, where and how often, where we spend time and with whom, and what our interests are.
Widespread visual surveillance – from cameras on public utility polls and transport to commercial data collectors time-stamping and geo-tagging billions of photos of license plates – supplies an exhaustive picture of our physical activity. Law enforcement has access to a historically unprecedented amount of information, capable of mapping out countless connections between people, businesses, locations, and things – sometimes with and sometimes without a warrant.
Current trends in technology are only adding to the pool of data that law enforcement can draw from. By 2020, the IoT industry will add as many as 50 billion new connected devices – from smart TVs capable of listening to ambient noise to cars equipped with GPS and voice-activated systems to toys and baby monitors with recording features. Many of these technologies operate with minimal data safeguards, expanding not only the attack surface for criminals but also real-time surveillance opportunities for law enforcement.
“Big Data” is a buzzword for a reason – the majority of tech businesses are built around collecting and analyzing data that people around the globe generate while using services. This trend is unlikely to substantially change in the near future as we add more products feeding data into global systems.
Thus, the quantity of data and information channels available to law enforcement provides ample opportunities to obtain lawful intelligence. However, as investigations following the Paris attacks have demonstrated, governments have yet to establish data analytics capabilities allowing the massive amount of data already collected to be timely and effectively analyzed in order to extract actionable intelligence.
Backdoor for Only Exceptional Circumstances
With its access to countless data streams and targeted information sources, the government is now faced with an urgent need to secure public and corporate information systems. Both are now a high target for foreign state actors and criminals alike. Following OPM and other major breaches of national networks, it became clear to many within the defense sector that maintaining the integrity of encryption is key to securing data in transit and at rest and it must become a national security priority.
However, no matter how numerous and loud the expert voices are in confirming that it is technologically impossible to limit backdoor privileges to one party without making the whole system vulnerable, some officials continue to dismiss the tech industry as uncooperative and uninventive, completely rejecting the mathematics behind strong crypto. Unfortunately, the result of this misunderstanding is a demand to force the private sector to work against public interests, which may cost us all a gravely compromised national cyber defense.
Due to the lack of security awareness, for many non-technical folks this argument remains too abstract – simply an obstacle to providing law enforcement with a backdoor access it wants. Meanwhile, a case where an intentionally built-in backdoor was possibly repurposed against US government systems is currently under investigation by the House Oversight Committee. A severe vulnerability discovered last December in Screen OS by Juniper Networks – employed across government agencies and global corporations – may have allowed foreign hackers to infiltrate networks and decrypt traffic. As with many cyber intrusions, especially of this magnitude, it is hardly a trivial task to determine when the breach occurred, what information has been compromised and whether hackers still retain a persistent presence within the network.
A Changing Cyber Space: Security For All or For No One
When vulnerability is injected into technology used worldwide, it becomes everyone’s liability. If mandated, today’s crypto backdoor is likely to become a “ticking time bomb,” open to exploitation by foreign intelligence and criminals harvesting data and communications. With the Web being a borderless global space, intelligence needs to be targeted, expensive and therefore accessible to only the most sophisticated state actors. Otherwise, we risk weakening everyone’ security to harvest data without a cause to the detriment of our own rights, economic freedoms, and political stability.
The demand for compelled cooperation to alter technology against public interests has a powerful negative impact on the relationship between the industry and the government. It not only limits the possibility for every-day open and effective collaboration, but also creates a deep distrust at a time when cyber threats are rising, requiring all of us to work together to strengthen the security of our critical information systems.
Unless we are prepared to live with the consequences of inadvertently enabling foreign nations and hackers to exploit a government-mandated backdoor, we must shift the national dialogue to examining how law enforcement can effectively use and secure the data it already has access to. The government and the tech industry can work together to enhance national security by applying innovative technologies and data safeguards to critical networks, rather than battling over access to data which most likely will not assist lawful investigations, but will guarantee weaker security for all.
January 21, 2016
Messaging app Wickr promises secure communications that cannot be snooped on by anyone, including spy agencies. That’s great for anyone who wants privacy, but is it also a gift for wrongdoers? Reuters reporter Julian Satterthwaite put the question to Nico Sell, Founder of 533DZ Foundation, on a trip on the Davos cable car.
January 20, 2016
But openly providing personal information online can result in identity theft, said Nico Sell, co-founder of Wickr, a smartphone app that says it provides military-grade encryption of peer-to-peer text, photo, audio and video messages.
"Think about the digital footprint that you're leaving online everyday and try minimize it in ways that are easy enough for you to do," Sell told CNBC's "Squawk Box" in an interview from the World Economic Forum in Davos, Switzerland.
In one of the most visible aspects of her own privacy measures, Sell wears sunglasses whenever cameras are around. "It's really not for facial recognition, it's more human recognition," she said. "It's amazing people from high school won't recognize me [with glasses]. I take off my sunglasses and walk around and [other] people don't recognize me."
Sell believes she's not alone in wanting to remain as anonymous as possible. She said younger teenagers generally look to protect their online presence perhaps more than their older classmates or the 20-somethings and 30-somethings who share their lives with abandon.
Wickr says it does not collect user data. As more and more people seek privacy online, Sell said, "The business model that will rule the next decade is one that is not made off of big data because big data is really hard to secure."
"I think hoarding it will cause more harm," she added, referring to sites that use personal data to sell advertising.
As an offshoot of the for-profit Wickr, Sell has created the nonprofit 533DZ Foundation, which advocates for secure communications around the world.
"It's a real mistake to say privacy and security are not on the same side," Sell said, reacting to questions about whether Wickr app provides terrorists with the ability to conduct untraceable communications.
"Those people fighting terrorists use Wickr everyday," she continued. "I'm also all about protecting us from terrorists. And this is how we do it, by having secure communications."
Sell said there's no "backdoor" into Wickr's platform. "It makes both dealing with law enforcement a lot easier because we don't have anything that we could give them. It makes a lot easier to defend from hackers."
"The more data that you have the more you have to protect," she stressed.
These kinds of discussions about navigating the evolution of the digital age are central to the theme at Davos this year, "Mastering the Fourth Industrial Revolution," as technologies blur the lines between the physical, digital, and biological spheres.
What the US post office teaches us about privacy
George Washington could have become a king, but instead devoted his life to giving power back to the people. This is why his political heritage remains so strong today, inspiring millions around the world to continue striving for liberty and democracy. One of my favorite US presidents, Washington proved that great leaders rule by empowering the people, not by usurping the power.
In the next decade, billions of online citizens will join the web making national borders less relevant and the world more connected. Technology and the hopes it fuels have empowered millions of people across the globe to demand social and political change from some of the most oppressive governments. Yet, the same technology is being used to suppress and monitor more than half of the world’s population that still live under undemocratic regimes and lack basic rights.
The United States Postal Service was one of the most visionary civil liberties ideas of its time – deeply rooted in Washington’s belief that a strong state and society can only exist if every citizen has access to uncensored information and can freely communicate without government’s prying eyes. The Postal Act of 1792 that began the history of a modern post office established free speech and a right to private communications, going as far as imposing the death penalty for robbing mail service personnel. The newly established post office was envisioned to be the antipode of the crown post operated by the British government, which frequently opened and censored correspondence.
The same commitment to privacy and access to free, uncensored information is the reason we started Wickr. Our vision is to bring this service to billions by making strong trusted encryption incredibly easy and intuitive for personal or business use.
Today, we need to breathe new life into Washington’s idea of the post office to provide these basic rights to all 3 billion people already connected to the web, and to those who will be coming online in the next decade. We need to collectively balance our global web to ensure the internet remains a platform for free speech and uncensored information, where privacy and real human connection enable strong social discourse and economic prosperity.
I call that space the private web.
The public web has brought us incredible innovations that have improved lives and celebrated human creativity. But as we all move online, it becomes increasingly clear that the internet requires a long overdue fine-tuning, just as any complex and ever evolving system.
We, as web users, are generating millions of pieces of information about the most personal aspects of our lives on a daily basis, creating dangerous treasure troves of detailed and calibrated information.
Once in the open, we lose ownership of that information, to the point that we do not even know who is collecting it. Businesses increasingly depend on technology, becoming more and more vulnerable to critical data security breaches.
Global financial, transport and security systems are being compromised almost weekly – either through targeted attacks or as a result of poor and outdated safeguards.
To expand the benefits of the internet, we need to continue building the private web – through applications, technology, policies and norms – to power innovation, develop ideas, protect our assets and strengthen human rights for all. Although achieving privacy and universal access to free, uncensored information will always be a moving target as technology evolves, our ability to intentionally choose a right mode of communications, private or public, is a critical step towards bringing George Washington’s vision closer.
Today, it is essential to set the ground rules that will govern our networks and infrastructure systems in the future. Strong encryption is a key component of the private web. Having trusted encryption without a backdoor – for either governments or criminals – will enable us to keep out not only prying eyes of totalitarian regimes but cyber criminals as well.
A recent debate around technology backdoors has raised a critical point. Is it possible to weaken encryption in a way that would only allow access to the “good” government and never to criminals or authoritarian regimes? The answer has been a loud resounding “no” from many prominent technologists. Considering that most American internet companies are operating as global entities that must comply with local laws, we should never adopt a policy that we would not want another government to adopt and take advantage of. If the US government passes a law that requires a backdoor to operate in America, then what would stop the Chinese and Russian governments from doing the same, requiring US companies to give backdoor access to them as well?
Many questions remain regarding how exactly to achieve that vision in the hyper connected, digital world. How will the private and public web coexist? What should the standards of data collection be? How can companies that profit today from leveraging our personal and business information innovate around new business models? How do we establish trust with companies we let host our most sensitive and valuable information? How do we verify public promises companies and governments make about their data retention and usage practices? Who has the duty of care to our children’s data, our health and financial information? How do we promote encryption by default? There are many more questions we all need to consider if, as a society, we value the progress we’ve made and the rights we continue to fight so hard for, both offline and online.
The US Post Office served as a catalyst for building strong political and social discourse. For the first time, citizens were able to engage in political conversations without fear of being persecuted.
Speech is only free when we have direct control of our communications – whether public or private – without the need to self-censor or fear that a piece of communication can be used out of context many years after it was sent.
It is time to invest our energy, creativity and resources into building the web’s private hemisphere to carry on the tradition of private communications, uncensored information and ownership of our assets.