Original Article by Bruno Kerouanton (@kerouanton)
http://bruno.kerouanton.net/blog/2014/05/07/building-trust-in-a-connected-world/
I was recently invited as a panelist expert at CIO Forum (the VIP event for selected CIOs within EMC World, Las Vegas), in duo with RSA’s chairman Art Coviello, and we were interviewed by CBS News’s famous correspondent Richard Schlesinger (9 Emmy Awards, wow!)
The topic Art Coviello wanted to talk with me, is « intelligence-driven security », as RSA’s vision is now empowering storage and big-data to collect as much data as possible from different sources, analyse them and try to detect abnormal digital behaviors, on servers or networks.
I strongly agree that for now, the only realistic way to detect APT is by doing so. All the infosec industry starts realizing that detecting anomalies on a single device such a PC with an antivirus or isolated detection systems isn’t enough against new forms of cybercrime, and that signature-based detection is just becoming unpractical. Even Symanted told publicly a few days ago that the legacy antivirus concept was dead.
Obviously, that kind of data collection and deep-packet inspection means a total loss of privacy as users are being continuously monitored. Thanks to Richard Schlesinger, I was able to develop this important topic, and how IT industry could help to improve privacy while preventing cybercrime.
I quoted the just-released White House report on Big-data and privacy, explaining that even Obama’s governement started realizing it was becoming hazardous to let private companies and the government do big-data analytics on people as they do it now and in the future. The report gives several recommendations (starting p.68) about what to do, and notably by protecting children, preventing discrimination, and extend privacy to non-U.S. citizens, which is a really good step forward (but those are only recommendations for now).
The reason all non-U.S. citizens are so angry about U.S. Government and private companies collecting data, is that we (Europeans) do not have the same definiton of Privacy. In the States, and contrarily to popular belief, people do care about privacy, but not the same way as us : In Europe, privacy is about personal data collection. In the US, privacy is about personal data divulgation. Which is totally different, because it means Americans do tolerate data collection and analysis of their digital activities and behavior, but are in the same position as europeans if for any reason this data (or related data) is disclosed against their will.
That explains a lot the reason why so many US projects at Google, Facebook, Apple, and everywhere else don’t really care about the negative impact of data collection and analytics : they focus on IT security to protect that data and the resulting analysis, and keep claiming that they really care about privacy. Which is right at some point, because privacy is -for them- only related to unintended divulgation of personal data. That also explains why strong leaders such as Art Coviello, and his company RSA are pushing forward the intelligence-driven security model : for them, doing so is not directly related to privacy, since data collected is not supposed to be disclosed but only serves at detecting and remediating cyber-risk. Like as in an antispam, that scans emails to detect anomalies, but on a much more larger scale as it embraces the whole Internet. So they really feel doing things rights, and I believe their sincerity on that point, when they say they don’t intend to harm people’s lives, but try to protect them (even if the way to achieve it is not the right one, as the consequences can be dramatic).
So the issue is « only » related to a difference of what privacy is really about.
But there’s more ! Let’s talk about trust, and take an analogy with people like you and me : when you fall in love, your blindly trust your partner. If he or she betrays you, it’s a major desillusion that can definitely harm the relation and could take years to forget (or can never be rebuilt), as trust is destroyed. People fell in love with Internet, so they blindly trust it (explaining the reason they put so much private information everywhere on the Internet, starting by search engines that know you better that your beloved partner !). So, Internet has the moral duty not to betray them as it has a special relationship with everyone of us, as would have any partner we love.
All companies, institutions and governments making the Internet happen should act in accordance with this principle.
The solution it to safekeep trust. I’ve changed my Twitter profile as I now no longer use the term « security » in my description : Building trust is much more powerful for me, as it embraces both security and privacy. Bringing trust to individuals and all Internet users, whether or not they are people or companies or institutions, is having the right balance between security (to protect data) and privacy (to protect people).
Thank you for reading. Spread the word, and feel free link to this page or quote the contents. Because trust matters !
