By David Bray, CIO, Federal Communications Commission
This article is by Featured Blogger David Bray from his LinkedIn page. Republished with the author’s permission.
Back in February 2015, I had the opportunity to travel to Taiwan and Australia as an Eisenhower Fellow to meet with their senior leaders both in industry and government regarding the expected future impacts of the Internet of Everything (IoE). During my travels I actively blogged about what parts of the conversations I could share openly and reached three conclusions that are apropos to what the U.S. now confronts for 2017 and beyond with the IoE:
Open Public Service
First, leaders in both Taiwan and Australia indicated concerns that the IoE might allow individuals to create more automated chat bots that could spread rumors faster, engage in disinformation, or promote unrest via social media. They also were concerned that societies might become increasingly divided with the internet serving as "echo chambers" instead of places where information and ideas from different perspectives could be exchanged openly.
Yet as a possible light in the darkness, when two different protest movements formed in Taiwan a few years earlier, a volunteer group called g0v.tw, which produces open source protest movement tools, provided the same open source tools to both sides – focusing on being facilitators of the discussions and intentionally not picking a specific side. Later that same volunteer group produced open source tools to better visualize the government’s data and provided the tools freely to the Taiwanese government.
Taiwan’s g0v.tw is voluntary, with individuals putting in time at night and on the weekends to help code. They have monthly meetups/hackathons to reinforce collaboration, and members living in different regions or those with different focus areas actively self-organize weekend sessions. In my February 2015 blog, I asked: could such a self-organizing, voluntary model – namely of open source coders working nights and weekends to assist public service in a manner that transcended partisan politics – succeed in other nations?
Open Source Privacy Services
Second, leaders in both Taiwan and Australia relayed concerns with how the IoE might provide additional avenues for electronic scams or "ransomware" that would hold hostage a user’s computer, smartphone, car, or even electronic house. Note: This was *before* all the examples we’ve seen in the latter part of 2015 and early 2016 involving U.S. hospitals, universities, and other institutions being hit by ransomware.
I also discussed with Taiwanese leaders the idea of empowering consumers to decide when, where, and in what context their data should be shared with data requestors. This could be done by developing an open source agent or mobile app as a service, allowing consumers to choose to use the service to be their trusted online broker when interfacing with other websites, mobile apps, or online services requesting their data.
Such an open source privacy service and trusted broker would operate solely for the consumer, with no other institutional purpose. It intentionally would be developed with open source code to both establish trust and employ a "many eyes" approach to detect software bugs. Strong encryption for the data handled, not only in transit, but even more importantly when the data is at rest, would also assist with data security.
Consumers could then both set their privacy preferences in one single place vs. on different online platforms and intentionally choose and monitor which data requests they opt to respond to vs. other requests. Most importantly, as part of a larger "choice architecture", consumers would be able to choose what IoE personal data sources they decide should be shared and in what context with other internet sites, apps, and services.
Open Health of the Internet Reports
Third, leaders in both Taiwan and Australia shared concerns that the current approaches to cybersecurity were limiting in that there was no general "health of the internet" report provided on a daily or hourly basis that could inform the cyber-resiliency and preparedness efforts of individual organizations. By producing a regular "cyber-epidemiology" report on the health of the internet, when future IoE events occurred, such as increased distributed denial of service (DDoS) attacks or other exploits, multiple organizations and industries could be better prepared and collectively more aware of what was occurring.
Such a report could be akin to how the U.S. Centers for Disease Control (CDC) provides regular updates regarding the start, spread, and conclusion of the flu season each year. The CDC’s reports are anonymized, aggregated statistics. A cyber public health approach could protect privacy and improve IoE resiliency by publicly sharing the equivalent of anonymous cyber signs, symptoms, and behaviors that different IoE devices are experiencing on a regular basis.
Looking Towards the Internet of Everything and 2017
In one of my February 2015 blog posts, as an Eisenhower Fellow I shared three conclusions:
- The Internet of Everything (IoE) will increase the risks of cybersecurity challenges to the average consumer. Whereas historically Taiwan’s government and potentially a few very large companies were cybersecurity targets, increased commercial adoption of the IoE will make the risks of cybercrime, cyber extortion, and cyber intrusion very real to the average consumer. Consumer privacy will also need additional emphasis to protect since IoE devices will generate large amounts of both intentional and unintentional personal data.
- Current approaches to cybersecurity, i.e., relying on human experts to build and maintain "tougher digital locks" and "higher (fire)walls", will not be sustainable as the IoE’s potential attack surface expands. While Taiwan’s military will focus on protecting their systems, and Taiwan’s government their own non-military systems, it’s not clear who will look after companies or individual consumers. Who will guard your grandmother’s car or refrigerator from being hacked, or if it is hacked, who will detect this and then notify your grandmother? A new model is needed that recognizes the exponential growth of the IoE and the challenges of multiple, proprietary interfaces for the IoE layered on top of TCP/IP.
- The IoE will make even more visible the flaws present in TCP/IP and the challenges of guaranteeing any IT system is 100% secure. As Taiwan’s experiences underscore: while certainly one can encourage good "cyber hygiene" practices and preventive measures to reduce risk and improve the overall security health of a system – if a device or system is connected to the internet, it’s at risk, especially from unscripted, 0-day exploits to which there may be no defense until after an attack.
These conversations and the questions raised appear to be very relevant to the world of late 2016 going into 2017 that the U.S. represents today.
In my capacity as an Eisenhower Fellow, it is clear we need new models of encouraging cyber-civic volunteers at national and international levels to help address the impacts of the IoE. We need better solutions to help empower individuals to make contextual choices about their privacy and what data they want to provide in return for "free" apps or other services. Ransomware and increased DDoS attacks and other exploits using the IoE continue to grow as concerns, and as suggested in 2015, we may need to look at U.S. Cyber Challenge as a possible model to encourage hands-on opportunities for cyber professionals to "dive deep" into the latest technologies so they each could understand how to improve cyber-resiliency with the IoE.
Taken together, these three concerns indicate that collectively we all should consider approaching cybersecurity differently – focusing on cyber resiliency and an approach akin to "cyber public health".
Positive #ChangeAgents and Possible Next Steps
This is now my 24th blog post on LinkedIn and throughout them all there's been a steady theme regarding the need, now more than ever, to empower positive #ChangeAgents, leaders who "illuminate the way" and manage friction of stepping outside the status quo, to help address our exponential era. Our world is changing exponentially: in 2015 there were approximately 14 billion network devices relative to 7.3 billion human beings on the face of the planet. That’s up from just 7 billion network devices two years earlier in 2013. By 2022 there could be 75 billion or more network devices globally relative to 8 billion human beings.
Also by 2022 the estimates are 85% of the humans on the planet will be connected to the internet, up from a tad less than half at the moment. These exponential changes represent why we need to provide spaces for #ChangeAgents to explore new ways to better address the exponential impacts of these trends.
In my capacity as an Eisenhower Fellow, I suggest we consider creating a public-private partnership that provides a space for cyber #ChangeAgents to research and explore approaching cybersecurity differently – focusing instead on cyber resiliency and an approach more akin to "cyber public health". This could be akin to a "cyber CDC" except run as a non-profit focused on providing regular updates regarding the start, spread, and conclusion of the flu season each year -- just on much faster time cycles.
The data would be anonymized and aggregated at a high level, to provide safety from any one organization being pinpointed from the data; think of the Verizon Breach report, which is published once a year and consists of general anonymized statistics, but done ideally on an hourly basis by region and by sector.
There is no textbook for where our organizations or societies are going next with the rapid, exponential changes in technology and services possible as a result. The next seven years will see more change than the last 20 years combined in terms of network devices, data on the planet, and computational capabilities.
As noted in an earlier post, the words "expertise" and "experiments" both have the root "ex peria" meaning out of danger. I've previously suggested we need spaces to experiment and explore employing artificial intelligence to improve how we deliver and receive public services that benefit our local communities, nations, and world. My experiences in Taiwan and Australia prompt me to suggest -- for the collective benefit of each of us as individuals, as organizations, and nations for the future ahead -- we need a public-private forum for cyber #ChangeAgents to experiment with a new, public approach to address the cyber impacts of the IoE on our lives.
Originally published on LinkedIn