As an American, when I picture the beginnings of civilization, I don't picture Neanderthals huddling together in caves. I picture the pilgrims landing on foreign soil, building log cabins to sustain themselves against the winter, with the hope of a new frontier to explore.
It strikes me that we are in the same position when it comes to the Internet. It's a wild and dangerous frontier that can hold vast wealth or the dangers of identity theft. In Part 1 of Privacy is Dead: Now Where's My Inheritance, I postulated that an individual's privacy is worth up to $10,000 per year. In Part 2, I broke down each category of privacy-related data and discussed how each area contributes to the individual's privacy as a whole.
Individuals, however, aren't the only ones venturing out into this new frontier. The question is, how can companies reap the same benefits from sharing private information that individuals can?
Some companies have built sharing the personal data of their customers into their business plan. Google does this through targeted advertising. Facebook benefits through the network effect: the more people and the more content, the more valuable the network is. In fact, any of the 10 domains of "Privacy Property" I identified in Part 1 could be integrated into a company's business plan.
What's interesting is that companies can reap similar benefits when they are willing to share information about themselves. This is a little counter-intuitive, but most organizations are already doing this without knowing it. For example, when a Microsoft or Apple program crashes, the first thing it does is ask whether you want to send information about the crash to Microsoft or Apple so the program can be fixed. The vendor gets failure data it could never collect on its own, and the individual gets a better, more stable version of the software.
Security Through Obscurity vs. Security Through Community
Security Through Obscurity is an old concept. The idea is that you can protect the security of your software by keeping its design or source code secret. It is a tried and tested human concept: think of buried treasure. A more contemporary example would be a company's trade secrets, the secret formula for Coca-Cola or the Colonel's 11 herbs and spices. It makes sense to businesses to keep their code secret, because that is what every other part of the business already does. Cryptographers gave up on this idea long ago: Kerckhoffs's principle, from 1883, says a system should remain secure even when everything about it except the key is public.
The problem with this concept is that every day, thousands of attackers are looking for vulnerabilities. Code sometimes gets leaked. Compiled code can be reverse engineered. Sometimes vulnerabilities can be found without knowing the code at all, simply by feeding a program malformed input and watching where it fails. If security through obscurity worked, then zero-day vulnerabilities wouldn't be worth hundreds of thousands of dollars on the black market. Worse for the businesses that use the software, nobody but the attacker knows a zero-day has been found until a breach high-profile enough to be investigated occurs because of it.
Another model is Open Source software, where thousands of good programmers have the ability to look at the code and remove vulnerabilities more quickly. And there are a lot more good programmers out there than ones willing to commit crimes. The caveat is that the ability to review code is not the same as someone actually reviewing it; widely used projects have carried serious bugs for years because everyone assumed somebody else was looking. To borrow a phrase from U.S. Supreme Court Justice Brandeis, "Sunlight is said to be the best of disinfectants." (Brandeis, coincidentally, is also the father of U.S. privacy law.)
Companies like BrightCloud and FireEye are creating a market by collecting security-related data from their customers. Both gather user data in order to provide a reputation score for IP addresses, web sites, or even specific files. FireEye, for example, will take a file and load it into their cloud-based sandbox to observe whether the file behaves like malware. Every subscriber then shares the benefit of that single observation, in the form of fewer malware infections, because a file detonated at one customer is known to be bad at all the others. These services have the potential to save businesses hundreds of hours spent cleaning infected machines and of lost employee productivity.
Similarly, telecommunications providers like AT&T or Verizon, and to some extent managed security providers, have the ability to correlate attacks across all of their customers. These providers have the visibility to see attacks in real time against thousands of customers at once, which means they can spot a source that is probing many customers lightly even when no single customer sees enough traffic to raise an alarm. Managed Security Providers can then block such attacks before they even enter a customer's network. This can help reduce bandwidth costs and the loss of reputation with customers.
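The cross-customer correlation described above, as an added example that is not part of the original post and not any provider's actual code: a provider that sees authentication failures from several customers (here three constructed tenants, acme, globex and initech, in a made-up one-line log format) can flag a source address that stays under each individual customer's brute-force threshold, and can turn the count of affected customers into the kind of reputation score the BrightCloud/FireEye paragraph describes. The thresholds, the log format and the sample lines are assumptions for the example.

```python
"""Cross-tenant correlation: an attacker who stays below every single
customer's alert threshold is still visible to a provider that sees all
customers at once.  Added example; log format and thresholds are assumed."""
import re
from collections import defaultdict

# Constructed sample auth log lines, one per event, in the assumed format
#   "<tenant> <timestamp> <source_ip> <OK|FAIL>"
# 203.0.113.7 fails twice at each of three tenants (low and slow);
# 198.51.100.20 hammers a single tenant (classic brute force);
# 192.0.2.44 logs in successfully and should never be flagged.
SAMPLE_LOGS = """\
acme 2014-06-01T10:00:01 203.0.113.7 FAIL
acme 2014-06-01T10:00:09 203.0.113.7 FAIL
acme 2014-06-01T10:01:30 198.51.100.20 FAIL
acme 2014-06-01T10:01:31 198.51.100.20 FAIL
acme 2014-06-01T10:01:32 198.51.100.20 FAIL
acme 2014-06-01T10:01:33 198.51.100.20 FAIL
acme 2014-06-01T10:01:34 198.51.100.20 FAIL
acme 2014-06-01T10:01:35 198.51.100.20 FAIL
globex 2014-06-01T10:02:14 203.0.113.7 FAIL
globex 2014-06-01T10:02:40 203.0.113.7 FAIL
globex 2014-06-01T10:05:00 192.0.2.44 OK
initech 2014-06-01T10:03:01 203.0.113.7 FAIL
initech 2014-06-01T10:03:05 203.0.113.7 FAIL
initech 2014-06-01T10:04:00 192.0.2.44 OK
"""

LINE_RE = re.compile(r"^(?P<tenant>\S+) (?P<ts>\S+) (?P<ip>\S+) (?P<result>OK|FAIL)$")


def parse(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_by_ip(events):
    """Build source_ip -> {tenant: failed_login_count} from parsed events."""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            table[e["ip"]][e["tenant"]] += 1
    return table


def single_tenant_alerts(table, threshold=5):
    """What each customer can catch alone: (ip, tenant) pairs at or above
    the per-tenant failure threshold (threshold is an assumed value)."""
    return sorted((ip, tenant)
                  for ip, tenants in table.items()
                  for tenant, n in tenants.items() if n >= threshold)


def community_alerts(table, min_tenants=3):
    """What only the provider can see: sources failing against at least
    min_tenants different customers, regardless of per-tenant volume."""
    return sorted(ip for ip, tenants in table.items() if len(tenants) >= min_tenants)


def reputation(table, total_tenants):
    """Community reputation score: fraction of customers that reported failed
    logins from the source (0.0 = nobody complained, 1.0 = everybody did)."""
    return {ip: round(len(tenants) / total_tenants, 2) for ip, tenants in table.items()}


def blocklist(events):
    """Addresses the provider would push to every customer, including the ones
    the attacker has not reached yet."""
    table = failures_by_ip(events)
    singles = {ip for ip, _ in single_tenant_alerts(table)}
    return sorted(singles | set(community_alerts(table)))


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    tbl = failures_by_ip(evts)
    print("per-tenant alerts:", single_tenant_alerts(tbl))
    print("community alerts:", community_alerts(tbl))
    print("reputation:", reputation(tbl, len({e["tenant"] for e in evts})))
    print("blocklist:", blocklist(evts))
```

On the sample data, the per-tenant rule sees only the noisy 198.51.100.20 at acme; 203.0.113.7 never exceeds two failures anywhere and is caught only by the cross-tenant rule, which is exactly the visibility a single customer lacks.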
Organizations can also partner with other organizations in their industry to share their security information directly. Most large organizations have an internal Information Security Advisory Council that helps report security threats, refine policies, and so on. Many industries have adopted councils of trusted practitioners who share information across companies, even competitors, because sharing information about threats protects the industry as a whole. The Payment Card Industry Security Standards Council is an example of this. The Department of Homeland Security has a CISO Council for federal security leaders. The banking industry has the Financial Services Information Sharing and Analysis Center (FS-ISAC). The power, communications, nuclear, water, state government, and public transportation sectors all have their own ISACs as well. There's even an ISAC of ISACs, the National Council of ISACs.
Security Through Community is still immature, but the next big thing in security may come from this concept. Just like anti-virus, which many companies now offer for free when it used to be an expensive add-on, these services should also be free. Today, all of the communities mentioned above cost something to join, and most are very expensive. It is precisely the network effect of having huge numbers of participants that gives these communities their value, so cost is a barrier to entry that works against the very thing that makes them useful, especially for a service that cannot exist without your private information. Imagine if Facebook asked people to pay for its service.
In Part 1, I postulated that to an individual, sharing private information could be worth $10,000 per year. It is more difficult to measure, but to a company, sharing some private data could be worth a lot more.