Posts Tagged ‘technology policy’

22 Aug 14

Final Lessons from the Silicon Valley Cyber Security Summit – Dealing with Data Privacy?

The third and final Cyber Summit panel brought the growing privacy issue to the fore. The esteemed panelists from DC all noted Washington’s keen awareness of the damage done by the NSA debacle, which has created a big rift in public trust of the government [not that it was so great before]. There is now timidity around addressing the cyber threat through aggressive legislation that will be seen as too invasive of personal privacy, especially until NSA surveillance practices get cleared up. Senator Chambliss had claimed substantial compromise to that end in the proposed Cybersecurity Information Sharing Act over previous legislative attempts.

I just can’t help but think that in the immediate aftermath of a potentially significant attack, we’ll see a Patriot Act-level response out of Congress – the consequences of which would most likely be irreversible. It would be far better for proactive and more balanced legislation to be passed in the very near term, before such an attack could happen. The bottom line is that when people don’t trust their government, they won’t share information the government will need to protect them.

Consumer privacy is a whole other issue. Many websites pay lip service to privacy by including obscure links in minuscule font that can take visitors through a maze of pages to an ultimate opt-out page. Facebook changes its policies so often that no one can keep up. The great majority of internet users simply don’t see or use these links. Sanford Reback, Senior Technology Analyst at Bloomberg Government, spoke of the need for corporations to exercise what is known in legal terms as ‘responsible use’ of personal data – and that Washington knows legislation will be needed to enforce this.

He noted that ‘policy must catch up with capability and capacity.’ At a Federal level, how long that will take and what it might look like are unknowns, but 47 states and the District of Columbia have already enacted their own information notification legislation. A Federal act would need to establish notification standards but without weakening state laws already in place, and without making it so complicated that businesses won’t be able to comply. I figure if they’ve been able to get there with Gramm-Leach-Bliley and HIPAA, we can get there with digital privacy requirements too.

There were other great insights and little pearls dropped across the Summit, but a blog post can get too long. A key takeaway for me was that while corporations will always be competitive, the seriousness and urgency of this issue create an unusual “we’re in this together” dynamic that I found hopeful. While government and business can, should and will help, the bad guys and gals are out there, looking for new ways to get at what we’ve got – and that includes YOUR data. The best defense for now is to be active about guarding what you can and help spread the word to your friends and fam. Vaya Con Dios!

21 Aug 14

Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not-as-good news: 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance, which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new piece of malware was detected every 15 seconds. Now two new pieces of malware are detected every second! The speakers expected that pace to accelerate exponentially.

There is a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for 2 decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom, and talented hackers do emerge. That is why General Keith Alexander [former head of US Cyber Command] went calling at last year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so they delegate it to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: “the technology that empowers us also imperils us.” Hoping more of us come to understand that and step up.

18 Aug 14

What I Learned at the Silicon Valley Cyber Security Summit – Part 1

I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].

The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress. The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.

One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Neiman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen 1.2 billion user name and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!

Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!!  Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.

Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful. It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.

For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’  Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.

My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!

14 Jul 14

Net Neutrality Comment Period Winding Down

July 15 is the deadline for public comment on the FCC’s proposed changes to net neutrality regulations. In this 60 day period, the FCC is reporting they have received close to 675000 comments so far – that’s a BIG number. Perhaps one of the more influential statements came today from The Internet Association, a consortium of Silicon Valley heavy hitters who banded together (at least in this forum) a year and a half ago to lobby on behalf of the industry’s interest. In an email issued this morning, they strongly advocated for retaining an open internet, espousing three tenets:

1. Internet Users Should Get What They Want, When They Want It
The Internet should be free from censorship, discrimination and anticompetitive behavior, protected by simple and enforceable rules that ensure a consumer’s equal access to the content they want.
2. Internet Users Should Get What They Pay For
Broadband subscribers should get the bandwidth they are paying for – content should be treated equally, without degradations in speed or quality.  No artificial slow lanes.
3. All Networks Should Have Equal Protection
No matter how users choose to connect to the Internet, net neutrality rules should apply universally on both wireless and wireline networks.

It remains to be seen how much influence the ‘voice’ of innovation may have – many big companies are included in this group and they stand to gain from less competition, but still see the value in fostering the new.

Should be an interesting week…

20 Jan 14

First Steps Toward Privacy Policy?

Regardless of how one feels about Edward Snowden, he certainly has brought the privacy issue to the forefront. While the NSA has been in the eye of the media storm, private industry’s collection of personal data is on the coat tails. In President Obama’s speech last week, he alluded to directing one of his advisers to “lead a comprehensive review of big data and privacy.” That most likely will be targeted at the incredibly sophisticated Marketing practices now conducted by many corporations – and “Big Data” is just getting started.

People are becoming more aware of how much information about them is being tracked. If you compound the NSA  debacle with the impact of the 2013 holiday season Target data breach (I personally had to replace my debit card), the privacy issue is becoming a lot more real for average citizens. Government moves slow – but it looks like it is starting to move on this issue – and that most likely will mean some changes for the companies (big and small) who have gotten quite used to collecting, using, selling information about us as a core business model.

I invite visitors to revisit my white paper from last Spring where I shared some thoughts on what potential policy changes around Big Data and privacy could mean for marketers and communicators.  It included a useful piece of advice from Tim Keller, a law partner with Lindquist and Vennum’s IT, Internet and eCommerce practice (in Minneapolis), and author of the blog Big Data and The Law: “To prepare for radical shifts in data management policy, have as much knowledge about your data as you can, so when a legislator says you can’t have it, you throw away as little as possible.” It might be time to start thinking a little harder about that.

06 Dec 13

Clowns to the Left of Me, Drones to the Right…?

Interesting time as always at last night’s gala Media Predicts: 2014 (#MP14) – where Silicon Valley PR folk hobnob with tech media elite. Always fun to hear next year’s predictions, catch a little gossip, and look back at what predictions were way off base last year! Shout out to PRSA Silicon Valley for putting on this event – it’s a lot of work and always well done.

One of the hot discussion topics was Amazon’s drone delivery vision – while Bezos went on 60 Minutes last Sunday to describe what he sees as feasible by 2015, a Monday faux news story had floated that such delivery was imminent – it got yuks for the best PR stunt of the week. Still, the visionary Bezos sees this as in the realm of the possible in the not too distant future. Who knows if it will be, but the very idea of it begs policy consideration on multiple levels, and fast.

Seriously, commercially owned flying objects buzzing around my house – or my head? Will have to start carrying a baseball bat! Someone at last night’s event joked about whether people would have the right to shoot down aircraft that invaded their property without permission. Would the FAA have to regulate? Will we have sky ‘roads’ when competing vendors start sending their little buzzies at the same time? What happens to my UPS guy? I like him!

Futuristic silliness, probably – or is it? As we all know, technology changes quickly and DC has a very hard time keeping up. Consider this advance warning.

03 Jan 13

New Year, New Congress – Moving Closer to Privacy and Security Legislation?

When I commented last May on the CISPA bill (Cyber Intelligence Sharing and Protection Act) that was causing an uproar in policy circles, it seemed as though the Professional Communicator’s world might change quickly.

While CISPA made good political theater in April and ultimately did pass the House of Representatives, it slipped away quietly in the Senate last summer given concerns about privacy invasion and civil rights, as did the similar Cybersecurity Act of 2012. Last year also saw the failure of SOPA (the Stop Online Piracy Act) and PIPA (the Protect Intellectual Property Act), resulting from swift and forceful pushback from Silicon Valley. In the Fall, the White House promised an Executive Order on cyber security given Congress’ failure to act, but held back issuing it given the Election and the ‘Fiscal Cliff’ silliness that ensued thereafter.

But now it’s a new year. The Election is behind us and the players are in place. While bills failed last year, the number of bills on cyber and data privacy increased – elected officials know these are big problems, and some action on privacy and cyber security is likely to come soon. The two are closely intertwined, and one is often used as rationale for the other when justifying Congressional action.

I think mainstream users are ready for a change. A few months back Facebook grabbed negative headlines with its stealth conversion of every user’s email to @facebook.com from their original email address. And the “Find Friends Nearby” feature [nicknamed ‘the stalking app’] magnified attention on and resistance to proximity networks, which had not previously been broadly used. Instagram’s recent announcement that it would essentially help itself and its advertisers to user photos for free created outrage so quickly that the policy was reversed within a day. As such sophisticated technology goes more mainstream and more mobile, users are getting fed up – and parents are getting more worried. Communicators and marketers take note that boundaries are being crossed.

The reality is that better protection of our online identity and experience is needed, especially for children. Theft of intellectual property is a huge and growing problem that cuts into our national economy. And the cyber wars are heating up, as evidenced by the Flame attack on Iran and alleged attacks by the Chinese on U.S. government and business networks. Lawmakers need to balance protective legislation with still allowing market innovation.

In discussing this with another attendee at last month’s Silicon Valley PRSA Media Predicts dinner (shout out for a great event), I was somewhat bemused by his stance that DC would never catch up to the Valley’s innovation curve, therefore legislation would not matter. The law may become inconvenient, but it will still be the law. Communicators and marketers should stay tuned as passage of any bill will touch our work in ways to be determined.

20 Sep 12

It’s Gotten Serious

Yesterday’s launch of the Internet Association marks a new era for the tech industry’s relationship to DC. This consortium of giants [and competitors] shows that the industry has gotten serious. While all of these companies have had their own government affairs presence, their banding together represents significant clout and deep pockets to act in the interest of keeping the internet “free and innovative”.  Undoubtedly the SOPA and PIPA legislation from earlier this year, which failed only because the tech industry woke up to it and reacted badly, has been the major catalyst behind this move, driven by a culture known for moving quickly – in a world known for moving at a dinosaur’s pace.

When I went to DC to study tech policy, I was looking for the intersection of the Silicon Valley and Washington. Frankly, I didn’t find much of one. That appears to be changing, through not just this new group but a number of other smaller players who are advancing the discussion around what’s brewing in the Congress. The Internet is pivotal in enabling this discussion, of which it is also the subject. Congress is as dependent on it as any other user. [Recalling Marshall McLuhan’s “The Medium is the Message” from my undergrad days.] And of course there’s still the power struggle between the Valley, Hollywood and the music industry. This will get interesting.

17 Feb 12

Double Standards

Microsoft seems to have a double standard on standards. In  acquiring online videoconferencing leader Skype last year, Microsoft refused to commit to standards-based interoperability between Skype and other video communication products. The US and the EU gave their ok for this deal as-is, thereby enabling proliferation of a proprietary Skype platform with the market reach and resources of Microsoft behind it. Their belief was that consumers would still have plenty of other VoIP choices, so this was not an anti-competitive situation.

Consumer choice of a platform is not necessarily the issue, but I don’t think regulators understand this. Like with the telephone, one-way calls don’t work. People will choose different vendors’ platforms, and those should be able to talk to each other.

Yesterday, networking giant Cisco, a major player in the Video and VoIP business, filed an appeal with the General Court of the European Union asking for a review of the EU’s approval of Microsoft’s Skype acquisition. The basis for the objection is not the merger itself, but Microsoft’s refusal to embrace standards-based interoperability between Skype and other video communications products.  Cisco’s stated goal is to “ensure broader customer choice, greater competition…and to help foster an environment in which video calling is as easy and seamless as a voice call or an email is today.”

Microsoft has a history of trying to monopolize markets, and I would have thought they would have learned from the Internet Explorer anti-trust brouhaha with the EU that incurred years of costly litigation and huge fines. But the current Skype issue is all the more audacious, considering that when Cisco acquired Swedish video company Tandberg in 2010, Microsoft lobbied the European Commission for the same kind of standards-based interoperability commitments, to which Cisco agreed. Now in the opposite position, Microsoft isn’t interested in playing fair, and it would seem isn’t confident enough in its ability to deliver the product of consumer choice, so that it is dug in to a protectionist stance.

It puzzles me that in this internet era, companies think they can still lock up proprietary markets. Skype is a popular platform, but VoIP video conferencing is still nascent. As adoption grows, I believe consumer demands will force the need for openness, as is happening in so many other online applications. While the EU is the target of this week’s action, the US is certainly as complicit in approving the deal last year. That legislators still don’t get the recurring pattern of what happens with ICT lets me know there’s a long way to go with making sense of technology and policy.

16 Jan 12

Exposed

The Economist Intelligence Unit, with backing from Booz Allen Hamilton, has just published the CyberPower Index, an index of G20 countries’ ability to withstand cyber attacks and to “deploy the digital infrastructure necessary for a productive and secure economy.” On the one hand, I suppose this report can serve as a wake-up call, as it exposes legal/regulatory, economic and technical vulnerabilities that these countries need to address. I can see it being influential to investors looking for safe international opportunities. But on the other hand, it seems a bit provocative, maybe even mean-spirited, to point out who is most vulnerable, and why. Like telling a burglar which house is empty and where the goods are. The Index is backed by research papers, which Booz describes as “examining how the business community is responding to the opportunities and challenges offered by cyber.” This covers how organizations and governments can build cyber resilience, particularly in an era of mobile computing. I’m sure this is a way for Booz to sell consulting services, but such a tactic seems a bit over the top to me. I’d welcome any insights and discussion on why this is a good thing.