“Quis custodiet ipsos custodes?” – Satires of Juvenal
“Good, Bad, I’m the one with the gun” – Bruce Campbell as Ash in “Army of Darkness” (1992)
Tools and devices are not inherently good or evil: once developed and made available in principle anyone can use them. In fact, given sufficient motivation and access to knowledge, it’s only a matter of time until they are used by someone.
I mentioned the days (and long nights) around CodeRed in The Wake Up Call: here was malware that appeared to almost come from a sophisticated, professional lab, probably a government lab somewhere. It claimed “Hacked by Chinese,” but that could be claimed by anyone.
Theories abounded as to the source. Was it a gamma globulin shot for the Internet? Was it a wake up call to industry or was there something more sinister going on, from organized crime manipulating Internet-based system efficiency to a genuine form of Hacktivism?
In spite of physics being at odds with many religious world views, we still see religious regimes around the world questing after nuclear weapons. Despite the inherently technical nature of modern exploits and operations online, we still see hacktivism helping extremist movements. When you get down to it, whether a technological advantage appears as a toolkit or SDK for building Trojans or a new way to use a centrifuge for separating Uranium 235 (from Uranium 238, which is more common in nature), the technological “know-how” of how to use it is out there for anyone to pick up and use.
I’ve been watching the news recently from Egypt, along with all of you. The comments all express at least one of the following:
1. Surprise that it happened so fast;
2. Shock that after 30 years of solidity, people moved and were galvanized quickly;
3. Solidarity across all of Egypt around some simple principles that everyone knew;
4. It followed a template!
Lessons learned in Tunisia mere days before about coordinating and mobilizing a social movement caught fire in Egypt, the region’s largest and thought-to-be most stable regime, within weeks.
The message is clear: dictators beware (if you want to know what I mean, do a Google search on “Day of Rage”). It makes total sense that Egypt’s government reacted by shutting off the Internet, but it was too late by that point.
But let’s be clear here, this sort of use of social media tools is available like any other tools and templates for anyone, anywhere and on any scale. Since my Information Selection column which covered Wikileaks, I’ve given more thought to the flow of ideas and data: our environment is evolving into one that continues to share information more porously, faster and more effectively over time.
Not only is confidential or sensitive data at risk of overflowing the banks and spilling into detrimental channels, but other forms of information will flow faster and reach farther than ever before:
1. The first is what I call “Real-time News Effects”: it used to take time for news of events in one part of the world to reach other parts of the world and potentially trigger reactions. Now, that time is approaching zero: news gets through and it gets through fast, and that means it influences events much more quickly and potentially in a combinatorial manner.
2. The second is the spread of “know how” or Technology Information: when one group somewhere learns how to build a new bomb, compile a new tool for hacking or exploit a vulnerability, that knowledge is flowing fast and effectively to others, good and bad. Remember – the tool and the knowledge to build it carry no “connotation” from its original inventor or discoverer to subsequent groups. This also includes, incidentally, templates for things that work: there is a revolution template out there now like none before and now everyone, good, bad and indifferent, knows how to use it!
3. Just as there is a real-time “news effect,” many of the ideas out there exist and influence each other. Many of you know I subscribe to meme theory, at least as a useful thought experiment and tool – this is an example of an accelerating and growing Memetic Environment. Ideas such as fundamentalism, democracy, communism and their attendant memes are influencing each other faster and more widely than ever before: the revolutionary Petri dish is bigger and more volatile than ever.
This has real implications for security – both physical and logical. Many won’t be known for years to come, and others will seem self-evident very soon. Here’s the takeaway for me as a security professional in a changing world, changing online with the cloud and smartphones and social media and in the real world with millions of people taking to the streets and toppling 30-year-old regimes:
1. Do frequent risk assessments: note the risk landscape and terrain and understand how it is shifting and changing.
2. Engage in “gaming” and modeling of threat scenarios – if you want to pursue excellence in operations and snappy, repeatable, effective processes, it requires honing and refining and practice.
3. Contingency planning isn’t simple disaster recovery and business continuity. It’s actually planning pragmatic, easy-to-use plans and testing them and improving them – constantly improving them.
4. As with Nuclear War, early warning matters: this means get your human intelligence, your community intelligence and your data feeds under control and providing relevant context rather than simple background noise and FUD.
5. Knowing is half the battle: know the actors (states, non-state actors, commercial, criminal, hacktivist, random, insiders, etc.) and know the idea (or meme, if you prefer) landscape.
6. You must be part of the dialog: loud voice or soft, big ears or small, you must understand how ideas are changing and being influenced.
7. You, your company and your brand are in the spotlight. As with the Uncertainty Principle, observing the system affects it; so be aware of the inadvertent (or advertent?) effect you are having on the system: you are in the spotlight and your action and inaction affect the flow, the debate and the future shape of the world.
In the end, it’s about focus and efficiency: your goal is to reduce risk with optimal spend through tools, people and operations. More and more, the tools we use will become commonplace and ubiquitous – the difference is in how you take in and bring context to your decision loops, whether we’re looking at a data breach or the impact of a revolution on your organization’s data and mission.
As a closing note, think about this: Brazil has already embraced (for better or worse) the notion of e-Democracy (see what Alex Howard wrote on this as a theme to watch in 2011). What will this mean for the nature of government and citizen interactions everywhere over the next decade?