Crime in a time of connectivity

Is Silicon Valley’s ‘Just ship it’ mentality flawed? Are consumers of technology armed with enough knowledge in order to protect themselves from cyber crime?

Marc Goodman, a former visiting fellow at the University of Toronto’s Canada Centre for Global Security Studies and consultant with the FBI and Interpol, presents his new book, Future Crimes, in Canada on Feb. 23 at the Munk School of Global Affairs.

Goodman — a self-proclaimed techno-optimist — argues our wired world comes with a great cost. He spoke with OpenCanada this week about the exponential growth of technology, what devices we can expect to be hackable in the future, and the need for more cooperation between Silicon Valley and security agencies.

Some cyber crime — from cyber attacks to surveillance issues to the debate around drones — has received more attention recently, but what is either happening or may happen in the future that might surprise us?

We saw all these news reports of companies being hacked, whether it be Target or Home Depot or Sony Pictures and what’s interesting is the media reports these as if they are discrete events like, ‘Wow, Sony was hacked, that was a surprise’ and ‘Wow, Target was hacked, that was a surprise.’ What people seem to miss is that there is a pattern, which is the fact that we have connected the world to the internet — so every physical device on our planet is soon going to be online and though we have wired the world, we’ve failed to secure it.

Some of the things that would surprise people is if you think that we have a lot of internet or technology security threat problems today, the fact of the matter is we’re driving toward something called the Internet of Things. The Internet of Things means we can support about 4 and a half billion simultaneous devices on the internet using Internet Protocol version 4. In the next few years, we’re switching over to Internet Protocol version 6 and rather than supporting 4 and a half billion connections, we’ve run out of space so the next iteration is going to support 78 octillion simultaneous connections. To put that in perspective, that’s as if today’s internet is metaphorically the size of a golf ball and tomorrow’s internet will be the size of the sun.

Most people they look at the technology in their lives today and they think, ‘Wow, I have a computer and a laptop and smartphone and my son or daughter has an Xbox and look at all this technology,’ but they don’t realize that we are at the very first minute of the first hour of the first day of the internet revolution. Or, to put it as we used to say in New York, ‘You ain’t seen nothing yet.’

So everything from cars to planes to pacemakers, they are all going online and they are all hackable. There has never been built yet a computer system that could not be hacked and what that means is that while today we have to focus on protecting our computers and phones, tomorrow, it is literally going to be our cars, it’s going to be the toys that our children play with, the nanny cams, refrigerators, televisions, it’s all going to be hackable.

You mention in the book you fell into high tech crime, as a police officer in the mid ‘90s, because you were one of the few in your department to know how to use spell check — that made you part of the ‘techno elite of cops.’ How do you stay part of the techno elite now when advances in technology move so quickly?

It’s actually quite a challenge. One of the things I did was leave the Police and that was for many reasons but what I realized was this is not going to be a problem that could that could be solved internally with all the bureaucracy of law enforcement and government security services. This was something that would have to involve the people that were created the technology. So that’s why after 20 years of working in law enforcement, I moved to Silicon Valley because I could see that the threat was evolving so much faster than the solutions were, and I realized that the people who were creating the technology were going to be part of the solution.

Now I teach at some place called Singularity University and its co-sponsored by NASA and Google and they’re looking at everything from Artificial Intelligence, robotics, nanotech, Internet of Things, brain science. So you have all this super cool technology going on there and most of my colleagues are studying the very positive impacts of these technologies and that’s a key point I wanted to make in the book — all of this technology is awesome and it’s going to work potentially to humanity’s great, great benefit. But at the same time, there are bad actors out there, bad apples, that are going to use these very same tools and want to use that against us.

So, why not a Future Good Deeds kind of book? Is it that there’s a misconception or underreporting of the warnings you give in your book that makes this message so necessary?

Most people are very in tune to the good story. ‘Facebook is great, I get to see my grandson in Australia, I can skype with him, I can keep in touch with all my friends from high school…’ Silicon Valley is a machine and they are great at putting out the positive images. So I think the positive message of technology has spread quite nicely and the majority of the books on technology are on ‘leverage technology for your business,’ ‘how to grow your business,’ ‘how to stay in touch with friends,’ — all the good stuff on technology. And there’s another group of books that says technology is bad, never go online. My book is the one that covers the middle ground.

I want to be clear — technology is awesome, I am a techno-optimist. Technology in the next decade will bring probably two billion more people on our planet out of poverty; it will bring food and clean water to parts of this world that has never experienced it previously; we’re going to see vast expansion in life and decreases in mortality; big chunks of the world will become educated, they can use their phone to take free online classes.

But there is a flip side, an ominous, flip side that we don’t too often consider: All of the great things our technology brings will not come for free. Once you wire the world for good, you’ve also connected it for those who want to take advantage of that technology, so this promising techno-utopia won’t come to us for free. Anyone that can follow the news can see there are bad actors — government actors, terrorist actors, organized criminal actors, hactivists — that are trying to subvert these technologies for their own good and against the public’s interest. The public must get involved and participate in trying to take back control of their technology and being intentional about using it for the greater benefit of humanity because if they just sit back and ignore the obvious signs of what’s going on around them, there is the potential that the bad guys could win.

Is there a fine line between scaring people and showing them what is realistic? Was finding that balance a challenge during writing?

There were many, many challenges of writing. This was my first book and I can say it was no small task. So there was a lot of thought that went into the stories I would tell, the points I would make. The first thing I do [in each chapter] is acknowledge the positives of these technologies and how helpful they are and how great they can be, so I think it’s fair and balanced. With regards to scaring people, my goal is not to scare but is really to empower… So I get that the book can seem perhaps like a difficult pill to swallow. There’s a quote in the book by Carl Sagan that it is much better to appreciate the world as it is than what we hope it is, or something like that, The point is, until we look at ourselves in the mirror and see honestly where we are then we can’t make it better. My goal is definitely not to frighten, it’s to empower and education and information is empowerment.

Is there a grey area in terms of how to define security from crime, threats from protection? How do we come up with those definitions, especially when we are trying to establish norms for governance across borders and perspectives?

We have to come up with new norms and standards. So if you think about some of the technology that we had when you go back to — in the book I talk about Westphalia — the whole concept of nation-state and laws of warfare, I mean it took a really long time to develop all of that. The big thing that has changed and many people have said ‘Oh, the internet, it’s just another technology — the car was a technology, the factory, the printing press… and we adapted to that so we’ll be fine here.’ The key point that they miss is the rate of change. It’s the fact that we are living in exponential times. That’s because all technology is driven by Moore’s Law, which means we’re doubling the processing power in computers every 18 to 24 months. That’s why the iPhone that you carry has more computing power than was available to all of NASA when it launched Apollo 11. And so the exponential technology, the pace of change, is going so quickly that I think people miss out on how quickly all of these new technologies will be in our lives. What will your iPhone be capable of doing in five years, 10 years, let alone 20 or 30 years?

All of our technologies around us are exponential in their growth timeline, the key exceptions to that are public policy, law and perhaps even ethics — those are decidedly linear institutions… so how do we expect them to opine and respond intelligently on matters of Artificial Intelligence, on matters of technology and virtual reality? There’s a fundamental mismatch in the systems of governance that we have and the pace of all the other elements of technology around us.

You give several examples of protecting ourselves —coming up with new norms, as you mentioned, the proposals around expert advisory groups, etc. What about on the individual level?

I do flesh that out in Chapter 18 and I also have an appendix with 10 great detailed tips with what each individual can do. So while broadly this book is meant to be a big high-level commentary on man-versus-machine, and our relationship with technology and what can go wrong and what we can do to make it go right, I did want to leave people empowered and give them very practical tips. I wanted it to be a book on solutions.

Google executive Vint Cerf recently warned of a “digital dark age” and that there is a risk that we could lose a lot of historical traces of this century should technology fail or be lost. Are we too late to dial down the technology advances or could taking a step back be part of the solution as well?

Certainly there are people that talk about that, Arianna Huffington wrote a book, Thrive, where she talked about the impact of technology on the individual — seeing screens, how it keeps constantly running, it messes with our brain function, it prevents us from sleeping. So those types of very human issues have been addressed. Others, like psychologists, psychiatrists, and neuroscientists, are looking at how this technology is changing our brains.

So clearly the technology is having an impact but to Vint’s point, I don’t know if we can put the technological genie back in the bottle. And that’s another reason that I wrote this book because if you look at the Internet of Things, we’re about to add, Cisco says, 50 billion new devices to the internet by 2020 and Entel has estimated that number to be 200 billion. So before we add the next even two billion devices to the world, shouldn’t we maybe think about security? That’s the problem with the original internet and a lot of the technology that we use — that security design and engineering is often an afterthought. The motto of most companies, including Facebook which famously had this painted on their walls, is ‘Just ship it.’ Just get the code out there. Ship it. Get it to the customer. Fix it later. And so on. With that mentality of course mistakes are going to be made and it’s those mistakes, those software bugs that could then be used to get into the program and hack you. So I talk about the importance of good security design. Where is the [Apple designer] Jony Ive of security? Think about your security design today: your password needs to be 600 digits long, it needs to be in upper case and lower case, a haiku… nobody can manage any of that stuff. The design principles that are going into technology are abhorrent because they are designed by techno geeks for techno geeks who understand it. So I think if we add a few jobs, and maybe the Jony Ive of security and have much better user experiences, then we’d have much better security as well.

Delving into the various motives of users and creators of technology, were you still able to come out feeling hopeful that this kind of security can be achieved?

I’ll be very honest, I had tough days. I wrote about some really challenging things for parents in the book about young girls and boys either being kidnapped or sexually assaulted and talked about how parents can prevent that stuff from happening. The goal was to share that information so parents can be empowered to protect their children.

Broadly, here’s where I walked away from this all — my line of work has been law enforcement for most of my life and so I’ve definitely seen lesser pleasant sides of humanity but here’s the good thing that I know: there are way more good people in the world than there are bad people. They out number them by some tremendous amount and I think if the crowd gets involved, if the good people get involved, if we create opportunity for the average Joe or Jane to become empowered to take back control of technology and give them the tools to use for good. Think of something like Kickstarter or the crowd sourcing sites out there — all the amazing things that are being created out of that. The tools of innovation are in everybody’s hands and the good guys are creating tremendous innovation, so I would just say the good people outnumber the bad but because the bad people can have increased reach due to the interconnected nature of the world, we’re going to have to be vigilant.