Bruce Schneier’s recent op-ed in the New York Times [“Internet Hacking is About to Get Much Worse”] argues that hacking threats have overwhelmed traditional IT security and that governments must intervene to fix market failure. His assessment of the problem is only arguably inaccurate, but his proposed solution is almost certainly wrong.
We do need a more robust public debate on structural issues in online security and privacy as they take center stage in the coming decade. This should be a conversation. What it should not be is a politically-influenced, expensive overreaction to what is a new equilibrium brought about by new levels of connectedness.
It is true we see more frequent reporting of major hacking events, both domestically and globally, and by both non-state and state actors. Russians dig like paparazzi to influence opinion, Chinese hack global supply chains, Israel attacks nuclear networks, Americans spy on everyone, including their allies. And we should assume what we see publicly is only the tip of a larger iceberg. It can feel downright sensible to panic and look for Government to save us.
Two recent innovation trends compound concerns: first, the ‘Internet of Things’ (IoT), where networks merge with previously-unconnected everyday items such as door locks, cars, toasters, trains, and drones; and second, artificial intelligence (AI), which replaces static software code with recursive algorithms that mutate by design.
In the face of increasing security breaches, experts like Bruce argue that Government-mandated security standards, penalties, and more regulation and oversight will help ensure security is “the number one concern”.
This approach will serve only to create more expense and complexity, solving nothing fundamental. The chief reason for not clamoring to produce more centrally-mandated security technology and Government regulation is that they all reduce to a doubling-down on existing, moderately-effective methods.
In contrast, we should debate and explore:
1. We should acknowledge that by default we won’t enjoy a highly secure and private online life. Controversial or not, this is true. The widely-held assumption of a “lost state” here, that we ever had good universal security or privacy by default, is one that students of media, history, and anthropology might remind us is a gross misunderstanding of the reality of past societies. Today, of course, there are effective tools and methods individuals can use to protect their privacy and to manage their own risk levels in the face of ubiquitous data collection and surveillance, but we need to understand that these won’t be provided to us by default: not by the Government, nor by anyone else.
2. We can invest more in preparedness and response than just protection. Hacking will happen, so let’s think about better prepared handling and response. The market capitalization of enterprise security companies today is completely out of proportion to that of investigation and response services.
3. Recognize where technology isn’t needed. This seems obvious but it is worth reminding our better selves that toasters work well and have done for 100 years. By doing a more serious job of risk-assessment, we can be deliberate about limiting new security risks and privacy costs.
4. Right-size market regulation based on time-tested experience. Tension between regulation and the market is good — but only after we understand new technologies and their effects and apply common sense to their most pernicious effects.
5. Accept that Governments spy. We all live on this blue ball and we all talk and produce lots of information. We’re all curious about each other. And we all unequivocally need to stop true terrorism in its tracks everywhere on earth. State hacking may ultimately foster greater accord than discord.
6. Low-tech often works and evolving technologies hold promise. We can use pen, paper, and in-person conversation effectively just as we have for thousands of years. Bitcoin and blockchain security architectures point the way to a promising realization of widespread use of public key encryption and more. Bitcoin now has a decade-long record of success in preventing the hacking of the world’s most valuable online-accessible pot of gold. That many of our smartest minds are at work here makes a case for optimism that markets are indeed responsive to security and privacy needs.
This is just a start and an attempt to foster conversation and debate. Let’s avoid applying policy-first approaches, fearmongering, and expensive institutional overreaction to the current world of data security. Many things viewed today as security issues caused in part by technology and its ubiquitous spread are things students of media and history might remind us are likely unstoppable societal changes. As McLuhan said: “the world today is one city. All war is civil war.”
Rob Shavell is a co-founder and CEO of Abine.com, The Online Privacy Company. Abine offers DeleteMe for removing information made public about you online, and Blur, a privacy-first password manager and digital wallet. Abine’s solutions have been trusted by over 25 million people worldwide.