Trickle Down Technology

There are lots of technologies that we have in our daily lives that originated from a military application.  GPS, for instance, was developed by the military and then approved for use by civilians.  And that’s great – I use GPS all the time, and am thankful to have it.

Another example of this technology trickle-down is cellular phones – something that I’m sure most of us wouldn’t want to live without.  The HMMWV, on the other hand (Hummer for civilians) I could easily give up.  There was even a short-lived show on the History Channel about this stuff, “Tactical to Practical.”

Now, we’re seeing another technology trickle down from the military to civilians – but in an interesting way.  With props to BoingBoing, the Houston Police Department unveiled, though apparently unwillingly, a new Unmanned Aerial Vehicle – also known as a drone.  Check out a great piece of reporting on the incident in the following video:

This same drone made a great splash when it debuted with the United States Marine Corps in Fallujah, Iraq:

The UAV is small and tough to see, said Marine officials. The contractors put the mufflers pointing up so that the enemy couldn’t track the aircraft by sound. The Marines operate the aircraft at a very low altitude.

The cameras — either for day or night — have enough definition to identify individuals and show if they are carrying weapons.

Houston Police representatives said that they are not “ruling anything out” about the potential applications for the drone.

While this video may be making its rounds now – it is actually from a report done in 2007.  I haven’t been able to find any information to follow up on the report, and can’t confirm whether or not the Houston Police Department is actively using these drones or not.

Like this week’s earlier post about the threat of cyber espionage, items like this make it easier to simply adjust your actions on the assumption that you are always being watched.  This pains me, to be sure, but I suspect that it is much closer to the reality than not.

As we continue to see the expanded use of military technologies in civilian settings, and as our global military engagements continue, America will be faced with some very tough issues about what is acceptable domestically and what is not.

My only hope is that these issues are discussed openly, in public, and with full disclosure about their applications and intended uses.  There’s nothing wrong with employing technology to fight crime and serve the public good, but let’s remember Kyllo v. US,

Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment“search,” and is presumptively unreasonable without a warrant.

For the record, infrared cameras are readily available for the ScanEagle mentioned in the video.

Spies Inside Your Computer

Some interesting articles lately about the threat of cyber espionage coming through the supply chain.

Essentially, this amounts to the threat that Chinese-made computer equipment could have holes (or Trojans, or backdoors, or malware, or whatever) that would either allow a malicious (assumedly Chinese) user to access the compromised computer or that would automatically exfiltrate data back to a location the malicious user can access.

Problems like this strike at the heart of the issue of all national security (or corporate security, for that matter) issues: trust.  How do you know that the computer you just bought won’t send all your data to China?  You have to trust the manufacturer when they say it won’t.  Can you trust them?  Maybe.  Maybe not.  After all, another Chinese spy was just convicted this week – these things are happening.  Combine that with the fact that some of the most popular machines on the market today are all made in China, and you can see how this could happen.

For the record, the Mac mini, Macbook Air, Macbook, iMac and Macbook Pro are all manufactured in China, as are the latest netbooks from Dell.

Lest we jump to conclusions, or grow overly paranoid, let’s think rationally about ways to prevent our data from heading overseas.  One industry writer suggests that the best way to avoid this is to

stop buying Chinese computer products today. Until this issue of Chinese cyber-espionage has been cleared up and cleaned up, I simply couldn’t justify buying or using hardware that might be working against me. If you consider it for a minute, I think you’ll agree.

This is a great theory, but extremely difficult to do in practice.  Can you buy an entirely American made computer?  Sort of: ZTSystems assembles and services their computers in the United States.  Their systems are fast, and would be great machines, no doubt.  But the parts?  They’re all from China or Taiwan.  The graphics card? Made in Canada, with parts sourced from China.  The network card?  Made in Taiwan.  The other parts are not listed as being any particular brand, indicating that they, too, are made in China.

Other devices, like USB Picture Frames, have already been verified as containing Chinese malware.  What makes anyone think that other devices wouldn’t also do this?  It’s low hanging fruit, difficult to spot, and easy to maintain plausible deniability.

I’ve heard from several professionals that this is a very real concern for US businesses and government entities, with no apparent solution on the horizon.

Where does that leave us?  With the need to be careful and conscious about the data we put on our computers.  It’s often easier to assume that anything you put on a computer is compromised and operate from that standpoint.  You’ll find yourself being more careful, something that never hurts in today’s day and age.  There are some tools that can help you along the way, but ultimately a solution to this problem will have to come in the form of data-centric, or even built-in, security.  We must move towards a model where our data is intrinsically protected, as it is created, regardless of location – this would eliminate the worry when it becomes compromised in ways like this.  We’re not there yet, but I suspect there are those who are working on it.

In the meantime, give some thought to what your data means to you and what you might do if it were lost, breached, or compromised.  It’s an enlightening experiment.

Crowdsourcing National Defense

Several very interesting articles have come out lately discussing various attempts to crowdsource national defense functions, both in the United States and in the United Kingdom.  While crowdsourcing is a very interesting and powerful technique, applications like this run an enormous risk and must proceed with extreme caution.

What is crowdsourcing?  Crowdsourcing, a combination of “crowd” and “outsourcing,” is the method by which an organization tries to harness the collective knowledge of many individuals.  This is usually done through some sort of online facilitation (in order to increase the reach and size of the “crowd”), and has been referred to as a number of things, including community-based design, distributed participatory design, and human-based computation.

Essentially, the idea is that the more eyes and brains you have looking at something or working on something, the faster and better it will be done.  Lots of people like this idea, including Netflix, Wikipedia, and the Democratic National Committee.

Two recent converts to the crowdsourcing movement are DARPA and the UK’s Home Office.  Both of these new projects have the possibility to go disastrously wrong, and quickly. Here’s the rundown:

DARPA

According to WIRED, DARPA’s new budget includes a

$13 million dollar project, called “Deep ISR Processing by Crowds,” looks “to harness the unique cognitive and creative abilities of large numbers of people to enhance dramatically the knowledge derived from ISR systems.”

As we have already seen, information sharing is already a  real challenge for the Department of Defense.  Intuitively, does it make sense to further distribute the information collection and analysis process?  The National Security Agency is already building a separate facility simply to store the data that they collect but cannot process.  Do DARPA and the NSA believe that an infrastructure is in place to distribute, analyze, and collect sensitive information and hope to achieve actionable results?  Doubtful.

Furthermore, the hardest part about intelligence work is providing the appropriate context to any particular piece of information.  By further distributing this data, we make the challenge of building appropriate contexts exponentially more difficult, thereby increasing the time and cost to turn data into information, and information into meaningful action.

Home Office

In a pilot program that makes DARPA’s look like child’s play, the Home Office announced a new website that will allow individuals to anonymously report online activities that “spread hate and violent extremism.”

According to officials,

The reports are anonymous and are then reviewed by police officers who are part of the new Counter Terrorism Internet Referral Unit, run by the Association of Chief Police Officers (ACPO). A Home Office spokeswoman said that unit would be responsible for determining the intent of the content posted, which would determine whether it is in fact illegal.

In a country where you can be prosecuted for “owning information useful to terrorism,” this seems like Big Brother’s dream.  Now people will be able to report their neighborhood terrorists, or neighbors, without ever having to leave their home.  Conveniently, the form provides a button at the end of the form to immediately start a new form.  Perhaps the next version will include the ability to submit a batch of terrorists at once, thus saving everyone time.

Have someone to report?  Here’s the Home Office site.  If you need help determining who may or may not be a terrorist – the National Counterterrorism Center has an absolutely fantastic 2010 Counterterrorism Calendar (seriously), featuring terrorist groups, methods and tactics, and terrorist profiles.

No word on whether the 2010 calendar features any beach or bikini shots.

Danger!

If we are going to be serious about fighting terrorism or increasing our national security, then we need to move beyond cliche and dangerous proposals like this, or the National Threat Advisory, and put serious effort into a societal-level change in how we conduct our lives, balance liberty and security, and envision our collective future.

Failing that, we’ll all soon be reporting each other with one screen and processing that same information on another.  How long until you see yourself in the information you’ve been crowdsourced?  What will you do then?

Cyber SOTU Redux

Wednesday has come and gone, and we have now all had a chance to hear President Obama’s remarks in the 2010 State of the Union Address.  Before the address, I was hopeful that we might hear something – anything – relating to the situation we face in the cyber realm.  With all of the pressing political issues, we heard lots about jobs, lots about healthcare, and lots about the need for reform and new directions.  We heard a lot, in general – this was Obama’s longest address to date.

One thing we didn’t hear about was cyber.

Sure – there were mentions of National Security, including the fact that the National Security budget wouldn’t be frozen as part of President Obama’s debt-reduction plan, but nothing having to do with our online capabilities, critical infrastructure needs, or cyber defense of any shape or sort.  The closest comment to this issue was Obama’s discussion of the fact that there

are simply philosophical differences that will always cause us to part ways. These disagreements, about the role of government in our lives, about our national priorities and our national security, they’ve been taking place for over 200 years.  They’re the very essence of our democracy.

Unfortunately, comments like this do not make me hopeful that the cyber issue will be addressed appropriately (both in time and in scope).  If we have difficulties wrangling solutions concerning things that nearly every American is familiar with (jobs and healthcare), it is hard to be hopeful for quality policy regarding issues that very few truly understand.

As I mentioned before, Cyber Coordinator Howard Schmidt has been given the challenge of leading this charge.  Today, a piece appeared in NextGov, a site about technology and government.  The article seems to be a fluff piece aimed at quelling the issue that some have about Schmidt’s lack of authority and inability to control a budget in order to engender change.  Does it quell these fears?  Hardly.

The piece, “New cybersecurity coordinator says he has Obama’s ear,” comes out of the National Journal‘s CongressDaily.  The bulk of the short article is spent attempting to give the impression that Schmidt has enough authority to achieve meaningful change:

Schmidt said he doesn’t believe he has to have control over a budget to make change.  “If the president, the national security adviser, the national economic adviser says, ‘Hey, we need these things,’ things will happen,” he said.

I would read this as Schmidt needs to convince the President, the National Security Adviser, and the National Economic Adviser that something is needed before he can move forward on a large scale project.  For the smaller stuff, Schmidt says that he will be working with

Vivek Kundra, the federal chief information officer who works in OMB and will have input into budgetary decisions.

Unfortunately, this budgetary-based approach to security will render only those solutions which are least expensive, not those that are most effective.  Especially without a budget of his own to control, Schmidt faces the monumental task of convincing others that the projects are worth funding with their own money – money that now cannot be spent on projects of their own.

While cybersecurity is certainly an issue that affects us all, when the basis for decisions is dollars, you’re going to get whatever is cheapest.  And that’s generally not good in any arena, much less with technology.

One positive element of the article and Schmidt’s comments is his idea that we must

stop looking to end-users to be the “policemen of the desktops.”

I couldn’t agree more.  We currently force those with the least security knowledge to navigate the bulk of the security problems.  This is an untenable situation, and likely one of the main reasons that we are so vulnerable to cyber attacks.  While Schmidt and I agree on what must be done, it seems that we differ substantially on how.  Schmidt will look to the private sector

to ensure security is a key part of products and that vulnerabilities are fixed.

I would offer that this market-driven solution will yield results approximately as effective as Schmidt’s OMB/National Security Council/National Economic Council budget meetings do – not very.

Instead, we need to invest in some very serious policy changes in which security responsibilities are directly addressed.  We must determine, as a democracy and as a society, how we wish to divvy up cyber control between industry, military, intelligence, and the general public.  Schmidt notes that

several cybersecurity bills have been introduced. But he did not say whether he supported any particular measures.

In the future, we can only hope that Schmidt would seize on leadership opportunities like this – a chance to publicly support some of the pending legislation, or to suggest changes that would make us all more secure.

In the words of President Obama,

Let’s reject the false choice between protecting our people and upholding our values.  Let’s leave behind the fear and division, and do what it takes to defend our nation and forge a more hopeful future — for America and for the world.

Technological State of the Union

There are many pressing issues that President Obama will address in tonight’s State of the Union address.  One of the issues that has seen some press, but mostly been relegated to the back burner, is the technological policies of the new administration.

You may recall the Cyberspace Policy Review, released earlier this year.  This work, and the resulting document, were badly needed, and also decently well-received amongst the tech sphere.  Some, including Purdue University’s CERIAS head Gene Spafford, took issue with a few things, namely the creation of the “Cybersecurity Coordinator”:

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs.

Second, the position reports to the National Economic Council and OMB. […] Given the current stress in the economy I don’t expect any meaningful actions to be put forth that cost anything; we will still have the mindset that “cheapest must be best.”

Third, there was no mention of new resources.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts.

This position was finally filled on December 21, 2009 by Howard Schmidt – who had previously served as a cyber advisor to President George W. Bush.  Like Dr. Spafford has said, it seems that there is nothing but more of the same in regards to America’s official stance on the digital world.  As they say, if you do what you’ve always done, you’ll get what you always got.

Where does that leave us for tonight’s address?  Ed Felten suggests there are 4 areas which must be improved to make a meaningful difference, and I would tend to agree:

  1. Improving Cybersecurity
  2. Making Government More Transparent
  3. Bringing the Benefits of Technology to All
  4. Bridging the Culture Gap Between Techies and Policymakers

The real challenge here is that each of these four pillars depend on one another, and must all be advanced simultaneously.  If we can bridge the gap between techies and policymakers, surely that will improve cybersecurity.  If we are able to make government more transparent, then that will work towards bringing the benefits of technology to all.  Can we simultaneously make government more transparent, and also improve cybersecurity – especially when so many of our cybersecurity initiatives are led by classified organizations?  Where do we begin?

I hesitate to think that Mr. Schmidt will be the catalyst for this change.  I also hesitate to think that President Obama will have the political capital to drive a meaningful shift in policy or practice – especially with the current struggles over healthcare, jobs, the bailout, or any number of issues.

Does this, then, mean that we must sit and wait for positive change to happen?  What happens in the meantime when Google and China seem to be racing towards the boiling point?  As individuals, who are often left responsible for their own security online, what recourse do we have?

Unfortunately, these are not questions to which I have an answer.  Like the rest of America, I will be tuning in at 9 PM (EST), and listening intently to see if President Obama mentions the state of US Cyber initiatives, and any plans for the future.  If progress on the issues is made as slowly as progress on the selection of the Cybersecurity Coordinator, it would seem that our cyber future may be bleak.  On the other hand, I truly believe that a concerted national effort, not unlike those that created the Space Program, could produce some very real, very positive, and very impactful results.

The floor is now yours, Mr. President.  We’re listening.

This essay originally appeared at Information Space.