
But at first I just wanted to introduce Dr. Geer. He's the information security visionary; I don't think I need to talk a lot about him, but he's currently the chief information security officer at In-Q-Tel. And without further ado, I want to introduce Dr. Geer.

I take these kinds of things sometimes seriously, so long, but that also means I appreciate that. So feel for yourself; you say, well, somebody help this, because this is potentially that, although this is not my computer. If you're not familiar, In-Q-Tel is an investment firm; upfront, we are funded by, honestly, your tax dollars, the taxpayer. Let's assume most of you are; you should be grateful for the
efficiency with which we spend your money. We are small; like Washington senators, I've learned a term of work in Washington, that is, our budget is lint. Thankful for that, I guess, as well. If you are an entrepreneur, or plan to be one, you should keep us in mind. When I say we're an investment firm, we're a little different than others insofar as we are a creature of the industry: our funding comes by way of the intelligence community, broadly speaking. I hope the CIA tell me all their colors, but that surely includes centers like TSA, FBI as well. The monies that we have to invest, and this is where they're not Fedora plantation keepers of mine, they
are done because what we want is companies that will produce something that will be of interest to the intelligence community, and as such we are not in the business of making money. If you're a venture capitalist, you're sitting behind a desk, there's a lot of people out the door holding their hat, and your question for all of them is: if I give you a dollar, do I get ten back? In our case, we find 60% of the companies we invest in, 70% of those have never done business with any government, and we're partly the way in which they broke in, and we're parking, unless they did, our customer base. And if you've ever tried to be an entrepreneur, you will know that by and
large it's a bad bargain to decide to try to get into the federal market, simply because of its policies. We've invested in a lot of companies that you might be familiar with; hands down the most famous was called Keyhole, which you might know as Google Earth. For example, most of what we do is we pay people to add features or change the way their product works so that it is of interest to us; for Keyhole, that was adding the API that allows you to combine maps and data of your own rather than just having it, which was the original plan, be an automobile navigation system. For other companies, ones that are more relevant to you here, I don't know that I
can necessarily get all of them, but I'll rattle off a few: ArcSight, FireEye, Palantir, Huddle, error code, ReversingLabs. I'm probably forgetting somebody, not intentionally, but those are companies that we have invested in, again with which you might be familiar. In all cases what we offer them is a chance to do something that may well in fact be in their roadmap but would be delayed, or which was not something that they had planned to do. A long time ago I took one of my daughters to the Academy Awards, when she managed to, I won't quite say break in, but end up in the front row, and that's an interesting story we can do off camera, but I
will watch the people who are miking up folks, and it's quite remarkable, particularly, no offense to women, but particularly when there is no place to hang the mic; it's an interesting problem if you're in that line of work. But back to In-Q-Tel: we invest in a lot of them, and most of those are where again we are taking something out of their roadmap, or an adaptation of what they do that would be of interest to the intelligence community. If you are, again, if you're an entrepreneur: we do not take board seats, we do not take equity, so we are non-dilutive to founders, which is very useful, and everything we do is covered
with a statement of work that has warrant backing, which is to say options backing. If in fact you have a wonderful day and you go public or you sell to somebody with a lot of cash or whatever, yes, of course we exercise our options and the money goes back in the pool, back to being good for you as a taxpayer. If not, that's not the point. The point is that whereas a venture guy would say, if I give you $1 will we get 10, ours is, if we give you $1 will you live long enough to build the stuff that we're looking for. And so I'll just leave it at that. We have an office in Waltham, for what it is
worth; headquarters is, needless to say, in Washington, and the other outboard office will not surprise you, it's on Sand Hill Road in Menlo Park. All of those are locations that might be unsurprising. So I'll skip the In-Q-Tel part.

From that point forward this is not an In-Q-Tel talk; what this is is a talk on identity and privacy, and to a degree identity as privacy. I say that not because I have a thoroughgoing last-word analysis, but because I think the rate of change that we are in, the rate of change that we see, is such that the issues in front of us are ones which to a small degree we can see where they
lead, but not entirely. Everybody here knows that the rate of change, generally speaking, is very fast, and that the rate of change is something that is not anticipated well enough to show up in policy, policy in Washington or in a broader sense, before the technology is already in place. We've had that kind of thing before: the first automobile license plates did not occur until there had been a number of traffic accidents, oddly enough the first one of which was the only two cars in Ohio hitting each other at an intersection. Nevertheless, the idea that there is a rate of change at which anticipatory rulemaking is impossible or implausible, that's probably good, but nevertheless, or to put it slightly
differently: no society, no people, no entity, no government needs rules against things which are impossible. But as you well know, we are converting things that are impossible into things that are possible at a fairly fast clip. Examples of that: what would be a good example? SB 1386, the California data breach law, which is the first of its kind. How did we get that? The answer is two parts. One, the California personnel system managed to dump the personal information of the entire employee base in the state of California on the internet; that happened to include the legislature. A law ensued; this should come as no surprise. The law, by the way, was written by Deirdre
Mulligan, then of CDT, now elsewhere, and what she did was she took a toxic waste spill law and substituted a few nouns. Where it had been "what happens if you pour trichloroethylene on the street," now it is "what happens if you pour information onto the digital superhighway," and that is actually how it was written. There are now a lot of them; they don't quite match each other, and if you're a large firm of course you probably are well aware of that. On a global scale, the Venn diagram intersection of all the rules that you have to follow is the null set. That of course is another problem altogether, but this idea that as things develop we need
to anticipate or react is quite strong. I, by the way, do not have a clearance; I work without a clearance as a matter of choice. I work with a lot of people who are cleared; that does get in the way from time to time, but it is my version of putting my money where my mouth is when it comes to what I would call open source, and I'm a great believer in that. I think that I don't need, by and large, the clearance, except for one thing, and that is maybe to see the future a little earlier than others. But if the rate at which the future arrives continues to accelerate, the value of the clearance
declines, because the future occurs quickly enough that a long view of it doesn't help. Those of you who've read True Names by Vernor Vinge may recall that story; it was written quite a long time ago, in which he said something quite fascinating. He said: when I began writing science fiction, the stuff that I was talking about would take 10 to 20 years to reach the public consciousness; now I have a hard time staying 18 months out. And for someone of his caliber to say that, I think again that illustrates that the rate of change is not just technological, as I suspect all of you are deeply involved with, but it is the broader implications as well. And in
fact I'm reasonably certain that all of you, all of us, everybody in this field needs to be thinking at least some of the time about policy questions and not just about technology. I, like you, prefer to work on things and just maybe operate; I only want community, a visual are seen removed in the IETF in days past, and as the Mr. Molina in Cannes person holding the name as his rough consensus and working code; I mean, I'm in that school. At the same time, it's not as if what we are good at doesn't have broad effects, and I think all of you would be advised, please, to pay attention, if not involve yourself, in how those in the life on work on that.
There are currently roughly 25 bills in the Congress about cybersecurity alone, many of which you would not like, and I'll leave the kingdom, but many others would not like. At the same time, those are folks who are doing their best, and what does that mean? It means doing their best, and in this space it is visible, particularly when we're talking about, on the one hand, the rate of technological change in a world as small and quick, versus the rate at which one can plausibly provide rules to society at large, than she's in any one. And it is probably a good thing that the rate at which you can apply rules to the rest of society is slow,
contemplative, full of compromise, etc. That's all probably good, because the alternative would not be; the alternative is far trade. Nevertheless, I suggest all of you should, or some such, pay attention to that. When I think, looking back, you could say, where do we all come from? I would say everyone my age in security was trained for something else. I was trained, for what it's worth, as a biostatistician; I actually have a computer science degree, but the main training was as a biostatistician. That means to a degree I think like a biostatistician, that is to say I view many things as questions of, like, public health or disease models or transmission, those kinds of things. That's fine, that's a
good primer. It's just as good a prep to be a civil engineer: why do buildings fall down, how did the Tacoma Narrows Bridge oscillate itself into non-existence, and so forth; how do you build things that survive situations outside of the envelope that was set by their designers? That's a fine preparation. Being a lawyer is a fine preparation, because lawyers, amongst other things, have to worry about the difference between rule, the procedure of it, and enforceability: how do you think about things which you would like to have happen, but is it plausible to enforce them? As you all know, the number of rules is very large now. I recommend a
book, the title of which is Three Felonies a Day, written by Harvey Silverglate at the Harvard Law School, and what he talks about is the idea now that nearly everyone is committing, as he puts it, three felonies a day, just because frankly you don't know what all of the felonies you might be committing are. That being said, we risk of course getting ourselves in a situation where almost all enforcement is selective, and selective enforcement again is not the hallmark of a free society; it is the hallmark of a non-free society. So these are important questions. I'm going to speak in a sense about one of them, but more as a matter of trying to think about where things lead and wrap,
and not as something where I'm trying to say we should do this or we should do that or we should not do something else.

The title of this was identity as privacy, and identity is a hot topic. If you haven't seen it, you might want to read the so-called National Strategy for Trusted Identities in Cyberspace, or NSTIC. Now, if you hang around Washington, everything is an acronym, so "en-stick" is the way it is said, but the National Strategy for Trusted Identities in Cyberspace was put out by the Obama administration, I think a little over a year ago; I'm sorry I can't remember the exact date. But nevertheless it's an idea of what do you
do about the problem of identity. Now mind you, many of the people who are talking about identity are frankly more interested in attribution, attribution being a term of art of: if a bullet comes by your head, who sent it? And that idea of attribution, as applied to the digital sphere, does bring up the question of anonymity as, from their point of view, a problem. You may view anonymity as far from a problem, but rather as something that is the hallmark of either living in a big city or being on the internet at large. It is now of course entirely possible; John Perry Barlow's Declaration of Independence for Cyberspace, when reread now, can only be described as
wishful thinking, yet attractive wishful thinking. I think it was attractive wishful thinking, but that's what it has turned out to be. Aspects of that include the so-called end-to-end principle, which was first put out by, I believe, Clark, Saltzer and Reed, if I remember correctly, and it said that the internet, and I believe that to be in many ways the fundamental design decision in the Internet as we have it now. For those of you old enough to remember, the telephone system had anything but those characteristics; rather it had the idea that it was a network in some sense that was responsible for everything, whereas the Internet design principles that came from the end-to-end idea were
quite the opposite. End-to-end says that what the network is is a transport mechanism; it is not a policy enforcement tool, and as a transport mechanism it carried all packets. The question was, what security regime did that require, and the answer is none, because that was a subject of discussion and negotiation between the endpoints. "Endpoint" itself at the time was well understood; it is now difficult to understand what endpoint means. Is the endpoint code? Is the endpoint you? Is the endpoint a device? I suspect everybody in this room has multiple devices, some of which are probably synced with each other; what is your endpoint? Marjorie Blumenthal and Dave Clark have written
another paper trying to bring that up to date; again I'll leave that to you to read, but nevertheless it is a thing where the definitions changed. Again, with my time in Washington I can say that in any public policy, the real part you should read is the definitions page; it's all over after that. The definitions page is where it matters; the rest of it, it's all over, because the definitions page says what we mean by X or what we mean by Y, and the rest of it is the implementation details. So if you don't have the heart to read 25 bills a season or what have you, at least take a look at the
definitions page, because those have a lot of impact on what then happens. If you're familiar with the European data privacy protection initiative, for example, you will know that in Europe there's a considerable debate about, quote, the right to be forgotten, and the right to be forgotten says that I'd like data about me to go away. This of course is quite difficult; it's quite difficult in any number of ways, not the least of which will be experienced by most people, including my children, who are coming of age as we speak and who have been, in so many words, disclosing rather a lot between the time they got their first device and the time they entered the job market. That is just one
example, but it's one that everyone is familiar with. Nevertheless, the right to be forgotten has its attractiveness. There are communities in England, small towns, that have asked to be taken off the map, and you might say, why would you ask to be taken off the map? And the answer is that Czechoslovakian lorry drivers who don't speak English and read only their GPS are driving big trucks through towns where the roads are all a single lane, and they would like to be taken off the maps so the GPS can't find them, so nobody routes their trucks through the assembled sheep on the roadway, etc. These kinds of things are what I'm getting at, and there
there's a plethora of examples; there's more examples than we can probably enumerate. This again may be good and it may not be, but it indicates to me anyway that where technology takes us is not yet out of our control, but it could well be. I'm not altogether convinced about the pending singularity and the various writings that have been done on that, principally by Ray Kurzweil and co-authors, but I am nevertheless convinced that an environment in which the number of devices and the amount of knowledge and the amount of information dwarfs any one person's ability to either consume it or, much less, inventory it; how many places can you be found on the internet? If you want to
watch something, watch this Sunday on 60 Minutes, where Lesley Stahl and Alessandro Acquisti, who's a professor at Carnegie Mellon, will talk about, quote, re-identification, unquote. And re-identification is where you think you're anonymous but you're not. The experiment that they performed, they've done many experiments; Acquisti, by the way, I believe is the best experimental designer in this field, hands down. Nevertheless, what they will show is they went out on the Carnegie Mellon campus, took a bunch of pictures of people at random, and then were able to identify them by wandering around the internet. There are three billion new photos with people's faces in them uploaded a month, so even if you are not in the
habit of uploading pictures of yourself in either dignified or undignified situations, the odds that someone else has done so are large. And re-identification is now a term of art that you might want to scan; there are lots of papers in this space, and it begins to look like de-identification is difficult. You, I'm sure, are well aware that there have been several episodes where, quote, anonymous data, unquote, has been shared with the research public; AOL I think did it first, but there have been a bunch of them, people that have done it, and the idea was we'll provide some anonymous data so that researchers can look at, you know, patterns of, you say,
you know, likes, but not actually identify people. Every one of those, to my knowledge, has come to grief, in that if you are talking about something that not many people are talking about, if you are unique in any way, the odds are it can be found. And so this technologic change, where so much of it is out there that you are unlikely to be able to corral it, is probably the basis for the European desire for a right to be forgotten. At the same time, my view is that it is almost impossible to enforce, amongst other things in a world of replication, where people scrape one website and put it on another; finding all the places to turn it off
is difficult. It has of course, at the corporate level, been some time since it became far cheaper to keep all your data than to do selective deletion; it is far more tractable and it is far cheaper and more cost-effective just to keep all your data, and as we know the amount of data is growing quite quickly. Gartner's estimate is that the world doubling time of data is under 30 months now and declining. If you look at the rate of Moore's law, which seems to be still holding up, that's a doubling every 18 months. What I will point out is that the cost-effectiveness doubling time for storage is under 12, and for bandwidth, at least not necessarily what you can buy
at home, but bandwidth in a laboratory, it's probably under 9. So let me just say, as round numbers, 18, 12 and 9 is 2 orders of magnitude in computing power a decade, but 3 in storage and 4 in bandwidth, which says that in future, data in general will be far more extensive than our computing can keep up with, and at the same time it will be far more mobile than we're used to having it. So those things make an important change in the way we view the world. For those of you who are in the security trade, which I suspect is 99.44% of you, I think we can owe our jobs to
something that I will describe. There was a professor at Harvard named Stephen Jay Gould; you may or may not have ever heard his name. He was a paleobiologist; he had some very interesting shows on National Public Television and he talked a lot about the course of evolution, but early in his career he coined a term which has stuck, and as you well know, if you're an academic and you coin a term that sticks, you are not forgotten; that's how it works. And his term of art was punctuated equilibrium: the idea that evolution as a process is of course undirected, it does not have an animate function per se, and furthermore that it is not a
steady upslope at 8% grade; it is instead long periods of quiet punctuated by rapid change, whether you're talking about the Precambrian explosion of species or what have you, that there are these long periods where nothing happens, followed by short periods in which everything happens. I would suggest that that occurs in security as well, and all of you can in some sense thank Microsoft for your jobs. When they first introduced a TCP/IP stack for free in Windows, I believe Windows 3, what did that do? And the answer is it did something really good, but it had a side effect, and the side effect was it took an operating system that had been
designed for a single owner-operator on at most a private network, and connected it to the universe. The problem of course is, in the universe every sociopath is your next-door neighbor, and this has had its effect. If you looked at the, again, I'm a statistician, I'm a numbers guy, I'm the son of an accountant, I spent my youth checking adding-machine tapes; numbers are sort of what I'm made of. If you looked at the rate at which attacks were reported to the CERT at CMU, they've since stopped doing that, which I'll come back to, but if you looked at the rate, and you looked at, believe it or not, the second derivative, I assume
everybody can speak enough calculus to know what that is; what you saw is a sharp spike four and a half months after the introduction of TCP/IP as a free component of the Windows operating system. Now why is that interesting? And the answer is, it's interesting because it was a sharp spike, never to occur again, in the rate of attacks as reported to the CERT subsequent to the introduction of the TCP/IP stack in Windows. A second-derivative spike is like lighting the solid fuel on a shuttle: nothing happens at first, you say, is that all there is? But there's two things about that: one, you can't turn it back off, and two, pretty soon you realize that that was important, because the
acceleration gets to be, you know, five g's or something, and you are not just lashed to your seat, you can't raise a finger. It's that kind of phenomenon that I believe produced the need for people like us. That's one punctuated equilibrium. The second one was, I believe, about five years ago, and not nearly as sharp, but the punctuation was, we had finally gotten to where we were good enough at what we do that finding vulnerabilities was no longer really a hobby; you had to do it as a job, you couldn't just do it as a hobby, you needed to be paid for it, you needed to have something that bought your time and
allowed you to find vulnerabilities. Under the circumstance of it being a hobby, what do you get? And the answer is bragging rights. How do you get them? And the answer is you announce what you found, and you announce it quickly, lest of course someone else find it too. When you do that, when you announce them, it says that the public is, generally speaking, informed about where the vulnerabilities are at roughly the rate at which they are discovered. In a world in which people are paid to do this, they do not share. The side effect of that is the proportion of all the vulnerabilities that are publicly known begins to fall, and I think the reason that you see so
much now where people are saying, where are all these zero-days coming from? And the answer is that they're not coming as fast perhaps as they once did, but the proportion of them, the fact that they are zero-day, the proportion of them that are known in advance, falls, because the people who are finding them are doing it as a job, not as a hobby, and they don't share. That was the second punctuated equilibrium, and I think it changed the way in which vulnerabilities and attacks based on them have proceeded. I'll come back to that as a policy matter in a second, but I think it changed things; I think it changed things quite substantially,
although again it wasn't quite as sharp. We're in the knee of the curve right now for what I believe is a third one, and that is the rapid worldwide adoption of mobile technologies, and the reason for that and its side effects, like bring-your-own-device to work, for example. The side effects of that are that reachability and the kinds of activities that take place without going through a central anything are growing, and I believe they're going to change things a lot. One aspect of that of course is that the desktop computer as a consumer durable is now beginning to fade. I believe it was September a year ago when, if you look at the
total CPU chip shipments from the fabricators, it no longer was PCs, it was mobile devices, and it's been a little over a year now that the dominant customer target for the chip makers is not the desktop machine; it's not the computer as we ordinarily think of it, it is other things. And I'm sure you know that if you buy a car these days there's bunches of various kinds of CPUs in it, most of which are out of surveillance. Now I say that for a point, and that is that if you are a human being sitting behind the machine, what are human beings good at? And the answer is they're good at noticing patterns. That's what we're
good at; that's, you know, why we are what we are. We can notice patterns, and because we have language we can share them with other people; that is what separates us from, you know, most of the other animal objects. That being said, where does that lead us? And the answer is, if the majority of devices are now beginning to appear in a lot of places where there is no person in some sense watching them, the pattern recognition that we are so good at is no longer a protection, it's an irrelevance. And so one of the questions for you is how close are we to the point where we cannot expect people to be the protectors; we have to expect the
machines to be protectors. And yeah, I guess I'm probably touching on the script of The Matrix here, but the idea that the machines are what protect us, as opposed to ourselves, is I think relevant, and I believe we are in any event on that, particularly as, quote, the Internet of Things, unquote, begins to build. Those bring us a lot of changes, and I believe they are a punctuation point at which the basic dynamic of what's going on now has different drivers; the drivers modify because of this phenomenon that I just spoke of. Now, that's neither good nor bad; I'm not trying to imply that those things are good or bad. What I'm trying
to say is that those kinds of events that change the underlying paradigm of what, for example, does security mean, up to and including what does end-to-end mean, which I spoke of earlier, those are the things which in a sense policy will eventually touch. Now, as I said, no society needs rules against things which are impossible; as we make things that are possible faster, and as we do them in ways where in a sense people are not the surveillance mechanism for them but rather machines are, if at all, that does change how things work; it does change a lot. I do deal with the defense establishment on a fair basis; they have to a degree adopted a viewpoint which
I'm glad they have. I'm by no means the author of it, but one of the various rabble-rousers about this, which is that intrusion prevention is probably a lost cause; intrusion tolerance is probably the better design principle: the idea that you cannot prevent people from getting in, but what you can do, quite possibly, is prevent them from doing anything that derails the fundamental mission of the computer. In general our opponents do the same thing; I'm sure you have seen the, isn't there a botnet that's mining bitcoins right now and using your spare cycles for this purpose? In a sense, what do you care? Now we can debate that if you like, but what do you care? You still have all the
compute power you need, because it's nice about not stealing it when you need it. On the other hand, there's an awful lot of compute power out there that could be harnessed for things of that sort. Do you care? And it's a real question: do you care if machinery that you own is being used for something that you didn't ask it to do? I read something; there's an ongoing discussion on one of the cryptography lists, it's a cryptography list about applied cryptography, and they have been talking over the last few days about whether or not it is at this point possible to say that I want to verify the code I use, and
someone made the very cogent remark that in a single day he now uses more code than he could probably himself review in a lifetime, so his only alternative is to pay people to review it. The problem with that, of course, is the people he's paying to review it could probably get a better price from people that are not your friends. And so where do you want to go with that?

Let me offer a policy kind of question. This is one where I am NOT a lobbyist with a capital L and registration and all that, but a lobbyist in this sense, and that is, I think the US government ought to corner the market in vulnerabilities. As you well know, there's
a vulnerability market out there; there are people who buy them and there are people who sell them. Two brothers from Texas, the Hunt brothers, were able to corner the world silver market; you think the US government doesn't have enough money to corner the world vulnerability market? We just simply announce, sure, as a competing offer, we'll pay you ten X. Now of course there are folks who say, I do not sell to Americans, I only sell to Ukrainians; those folks won't sell. But if you know that there is a market, and if you know that a fair number of the vulnerabilities that are found are found by automation, and if not automation
then in turn someone who has them and says I do not sell to Americans will know that someone else will discover it in due course, and so the shelf life of the thing that they have found is limited and they must find somebody to sell it to. I think we would collapse the market fairly quickly. But I say that on one condition, and I mean this: that if we're going to buy those, we're gonna make them public. I do not want them stored up as a kind of alternative to nuclear weapons in silos; I want them made public. And for what it's worth, General Hayden feels the same way, God be praised, he feels the same way
about that. With that, the idea of classifying vulnerabilities is nonsense, because amongst other things that means everyone else will follow suit, and pretty soon, as you know, nearly every country that's worth talking about has some study group out there trying to find every way it can modify the internet experience, or perhaps derail the internet experience, of potential adversaries that it might find in a shooting war. If we were to make them all public, we empty their warehouse of zero-days at the same time we empty ours. And so the idea that somehow or other we need to buy them all and in turn give them to your favorite covert agency is, I believe, insane, and it is cheap to buy
them all on the scale at which the US federal budget is denominated. We need to do that, and the reason we need to do that is, I think, the response to one, or perhaps two, of those equilibrium punctuations of which I have just spoken. Now that's only one example, but it's the kind of example of where does this lead and what could we do, that I think people such as yourselves, who are in a better position to know what the side effects are, need to be outspoken about. You may or may not recall that there are numbers of policies against modifying other people's computers: the Computer Fraud and Abuse Act, which of course is problematic at many levels, not just
Aaron Swartz but problematic in many levels because amongst other things what is happening amongst laws and regulations we see is we have begun to separate to no longer require actus reus and men's rheya which is to say we have begun to say in the traditional criminal law setting it said that you had to have done something and you had to have done it with intent many of the computer security laws either on the books are being proposed don't ask the question of what was your intent they ask only the question of what did you do which I think feeds Harvey it appears in Harvey silverglade spoke as well it feeds this idea that if you do something it doesn't matter
whether you meant to if it can be interpreted as wrong it's a crime per se that is a problem and one of those in particular is what to do about shooting back there are a lot of people who want to shoot back I'm one of them I admit right off the bat that I want to shoot back and yes it has unknowable collateral damage and I say that not because I like that fact but because it is a fact and if I have to talk about what the trade-offs are I think I'm going to come down on this side of you should be allowed to shoot back Stewart Baker who was the general counsel for the NSA for a while and it's
been it's quite well known and a big name in Washington so forth you can look up his testimony from last September in the Department Homeland Security and which he talked about that his analogy and remember law the practice of law is the search for analogies that's what it is his analogy was the the early West in this country where if for whatever reason there was no law in this territory you could hire Pinkertons to chase down the guys who stole the gold out of your stagecoach the idea that there are private police forces to make up for the absence of public law that is effective is something that he was talking about I strongly recommend
reading his testimony again it was from September Stewart Baker it it though nevertheless raises this question of what should we be doing given that our opponents are now people who are not slouches they are very very good there are on this past Tuesday was there not one of the one of the advisories was if I remember correctly HTTP is where you can send a single packet to an IR server and you can't recover the IO server without rebooting the machine now there's an interesting little tool what would you do with that the answer is well if I was the person who found it I would sell it to anonymous of course strictly speaking I would not but you
get the idea I would sell it to anonymous I don't actually sell anything I'm past the point where I'm a fighter pilot I'm now more like an airshow judge and but nevertheless what would you do with that and I think denial of service particularly denial of service as a purchased good you know you can buy denial of service now relatively cheaply I got an advertisement last night not for denial of service but for Twitter followers if you buy enough of them there are one tenth of a cent apiece you can buy a couple hundred thousand for a couple of dollars now what does that mean and it means that our opponents know what they're doing and part of that
of course is designed characteristics of the Internet the design characteristics of the Internet were for survivability not for policy and I still believe that the end-to-end principle is the most important decision we ever made nevertheless one might say so what does that what would that do for policy what would our friends in Washington want to do with that well I'll tell you what they want to do it is obvious the last ten years and newspaper headlines would tell you and that is they want to deputize all the ISPs and in fact in a country this one where 90 percent of the Internet however you want to describe it I don't mean just ISPs I mean every
internet facing service etc if 90% of it is or 95% of it is owned by the private sector what do you do and the answer is either you nationalize it or you deputize people against their will if I were in charge which I'm not or if I can if I can channel for dr. Seuss if I ran the zoo I think I would say to the ISPs here's your choice either you're a common carrier in which case we give you the liability protection that common carriers get you're not red X is not responsible for transporting a package that is illegal if you're a common carrier you carry all bits equivalently you do not charge differentially if you
want to charge differentially you are welcome to do that but by the way you're responsible for content choose wisely we don't give refunds that's that's what I would say if I ran the suit maybe it's good that I don't run the zoo but nevertheless that's an example where what is going on is the ISPs are being deputized against their will across the board there's an ongoing discussion about whether or not as a back door why would it have a back door and the answer is not in your interest if it has a back door given who owns it now it would be because the back door was required to operate in probably other countries if you are a
multinational you have to abide by the laws of the countries you are in and not everybody is freedom-loving as much as we argue I'll also point out of course that in a free country if something isn't explicitly forbidden you're free to do it in a non free country if something isn't explicitly permitted you're forbidden and we are seeing that a large number of spaces now look across what's an example look at Saudi Arabia's rules about the internet as an example how do you deal with that if you're a large company and the answer is you in fact have multiple versions that are buy by local rules of course locality is another matter geocoding the internet
has its advantages it also has its disadvantages you can figure that out you know where I'm talking about it has its advantages in its disadvantages what is the trade-off there the trade-off depends on where you think the future is if you think the future is one kind of future then the trade-offs of geo-locating the internet are bad if these think of a different kind of future the advantage of the geocoding the internet are good it will happen if you don't say something and it will happen in a way that amongst other things will quite likely play out first in an internet sales tax if indeed the government passes that if it passes an internet sales tax the question is who
gets deputized besides FedEx and the Postal Service and the UPS I'm not sure but it probably means looking for where is the actual source address physically you know is it at my address which is in Rhode Island is it at your address some of you no doubt live in this town where is it and does that matter to you that that is a recorded matter does it matter to you that as I said earlier recording everything is cheaper than recording just some things based on the decision because the the time required to make a decision is very very small a company in Washington run by a meet Oren called net witness what does it do
and the answer is it records all the data coming into a company records everything this has value if you later discover that a problem is because you can work backwards and say where did this first appear how long has this been going on because that that question if you're in the intelligence world how long has this been going on is far more interesting than who is doing this how long has it's been going on because to do any kind of repair you have to know how far has it been these the theft of the avionics and the f-35 Joint Strike Fighter is an example that had to be redesigned how did it how did the
theft happen the answer is counterparties if you look at the Verizon data breach report what does it say it says that 80 percent of all data thefts are discovered not by the victim but by somebody else myself and a colleague in New York who works at a bank that doesn't allow me to say who it is run something called the index of cybersecurity I invite anybody here to be in contact about that because we're always looking for respondents respondents in this case means we ask people their opinion just like if you're familiar with the consumer confidence index that is an opinion based index done by asking people questions on a monthly basis in the case of that one
for it is worth the conference board pays the Nielson organization to make 5,000 random phone calls a month as you might guess I'm not in the business of making 5,000 random phone calls a month instead what this is is a little one-page click button a set of click buttons that thank you the one-page set of click buttons that asks in the last month has for example malware pressure on your environment gotten worse gotten better gotten a lot worse gotten a lot better stayed the same for those of you have done Survey Research that's called a Likert scale it's typical in Survey Research it has one useful feature I'm sure if I ask everybody in this room to
write on a piece of paper what their definition of a vulnerability is we would have more than one answer we'd probably have many answers we'd probably have something like 50% of the countin room answers that is a problem if what you're trying to do is science if you're trying to do science and say I'm looking for the causal sources of effects that I can see having definition problems is an issue if on the other hand you say to people all in the last month has vulnerability pressure gotten better or gotten worse what is important there is I'm picking on somebody I know oh what's got what's important about that is I don't care what his definition is all i
care is that it's self self stable if his definition is out of the blue every month a different one I'm in trouble well that's assume for the moment that it's the same every month and so what I'm asking is the differential speaking as a statistician if whatever you're measuring your measuring device is relatively poor as long as the errors it carries are not themselves pathologic I'll leave that as a sidebar discussion as long as the errors it's caring are not pathologic then the trendline that results from asking better or worse is okay and I can obviate the problem of people's definitions are not all the same so we asked these of a lot of people the people we're looking for by
the way there are people who have operational responsibility for cybersecurity and as such are on the front lines they know what the current situation is I'm not looking for academics I'm not looking for marketing people I'm not looking for CEOs I'm looking for people maybe see so maybe not maybe a letter below C so I'm looking for people who have an opinion and the opinion is based on current operational reality now that opinion is not from their firm it is from the individual I'm I don't care if I have five people from I'm gonna pick something out of blue this is not the case I don't care if I have five people from Morgan Stanley what I care about is
they're all experts because what I'm looking for is expert opinion and what I'm trying to get at is is the cybersecurity situation getting better or getting worse and we asked 24 questions compound those together and we do it just like you would do a financial index in fact the math is exactly the same and the reason for that is so no one can complain that our results are an artifact of our methods we're entirely boring in fact some people say well this is boring why are you doing this the answer is boring is good now in doing this we also every month by the way that friend is inexorably upward there should come as no surprise of upward as since a
risk is rising our index is like golf a higher score is not what you want the its its inexorably rising however on a month-to-month basis which components of the overall risk have risen the most varies all over the map it just simply is all over the map one month its nation state one month it is insider one month it is automated malware you get the idea so the if you do rank statistics or rank order what was the biggest contribution to the overall change in these index of cybersecurity each month what's on top is a total rat's nest if you plot it out as just a total resident which i think is good by the way it says that the
components were asking a high volatility even if the compounding of them does not have high volatility volatility is a variance if you prefer I'm sorry I worked in finance for a long time so volatility is the word that comes to mind the one of the but one other thing we do is every month we ask a separate question and the separate question an extra question is you know a question of the month if you will and that separate question is whatever we want to make it in September we asked have you or your colleagues ever found an ongoing data loss somewhere else 55% yes confirmed 10% yes but unconfirmed that 65% verizon says 80% we
exclude law enforcement from our survey I'd call that corroborated so this issue of you keep everything but some of it doesn't matter to you and so of course you don't pay as much attention to that and furthermore it is impossible to have selected deletion has its effect on the practice that we are in and it has its effect on what would be good policy what would be good policy for this what would you say about this I mean if you're in the consulting trade you know that as you go to other firm to go around various firms one of the things that they you will find every time is they don't strictly speaking know what data they have it's across the
board they strict you know and I'm not making fun of people for that because the volume the volume is overwhelming what do you do about that if you don't know what you have what do you do well there's two alternatives one is you take the effort to get rid of things that you don't need maybe you do in or LS - T or T you and you pipe that through something maybe that's what you do maybe it's not because as you well know an awful lot of data retention is by Fiat not by choice on the other hand maybe what you do is you say I have to protect everything at the highest level because
I don't know where the highest level stuff is and so everything has to be protected at the highest level that's this economic as a rule and so what do you do and the answer is generally speaking you fudge and I'm not making fun of this it's just a fact of life it's just what people say and if you go and give you a report about this if you're a consultant you're going to give you a report about this the first question they will ask me is how are we doing the second question in will ask is how do we compare to our peers because nobody wants to be the out in front because it probably means you're
spending too much money nobody wants to be the last gazelle in the herd because the hyenas know that you're the last gazelle and herd and so this question of how do we compared to others is important this is where information sharing comes in information sharing is an essential aspect to a lot of what we might do and yet at the same time if you're in a world in which anonymization is practically speaking impossible practically speaking impossible what do you do about that do you it is entirely common now for people to turn in data to the federal government saying I see the following and have the data that was acquired by a private firm acting in its
own account given to the government and then classified this I view again as a problem nevertheless if you are a consultant what that second question asked you how do you compare to your peers what is that the answers the customer is using you as an anonymous ation engine that's what they're doing they're using you they're assuming that your trustworthiness is such that you would not share something with them that would violate another customers rules but at the same time you're able to see things that they can't see I would suggest for those of you who are our consultants that in my view at least it is a professional duty to do exactly that and so you now
see a lot of that Landon's reports Symantec's reports everybody has got a report now fair codes reports for example everybody's got a report on this semantics recently had a paper out probably a year ago now Lila bilge and I can't remember the first name of the second author but the last name was doing matrice and what they looked at was the way in which attacks occur and what they look what they were able to say from their data and this is a creative reuse of the data they had was that the average zero-day is in use 300 days prior to discovery 300 days what does that tell you I'm not sure what it told you but I can tell you
what our friends in defense ask they want to know who is behind it and if they can't get that they want to say this attack was that the same people who did this other attack they want to know is that come from the same people if they can't get that they want to know does it come from a kit and can the kit be bought and one of the questions that you might ask is if I can buy a kit is that the latest model of Hyundai or is that last year's model is this year's model being used by people who don't share and they only sell it after they've got a better one or the one that
they got has been used a bit too much and they want a fresher one that won't be recognized these are important questions at the highest level and what do you do about them let me turn to the identities privacy question this is not quite a tall enough building you go to the Hancock Tower look down look at everybody's roof suppose you see a couple what's a nice turn of art in flagrante delicto on a roof and you have no idea who they are the question is do they have privacy if your answer is unobserved the definition of privacy's unobservable 'ti the answer is no because you can take a picture of it from the roof from the
observation deck at the Hancock if on the other hand your definition of privacy is the absence of identifiability then the answer is yes they have privacy you can see it but you know who they are I don't need to tell you that observability is ramping up fast I spoke of that early on about Rio Dental file velvety photographs but observability is ramping up fast if you have bought a new car for example you have in each of the tires something that says whether I'm low on air how does that get to the dashboard since after all the tire is spinning and that's a problem the answer course is a little Bluetooth radio that means and of course
how does it the dashboard say it's your right rear tire and the answer is each of those little Bluetooth radios are unique so if you go to London where they already have the entire infrastructure for cameras at every intersection in every direction what would it cost to add Bluetooth recognition for cars the answer is nothing because they paid for everything already on a radiant radio antenna is cheap so do you care about that it's observability I work in an area where from time to time I see things early I can tell you that facial recognition at 500 meters is entirely possible I can tell you that iris recognition at 50 meters is entirely possible I can tell you that your heart
is a small microwave transmitter that currently can be read at 5 meters out and furthermore just like your fingerprints it's unique I can tell you that you carry in your pocket those of you carry a cell phone probably has it as a smartphone it has an accelerometer the accelerometer will tell me whether it's you or not because every one of us walks in a slightly different fashion gait analysis as it's called is entirely doable with the accelerometer in your pocket in fact the accelerometer in your pocket if you're careful about it you can even tell what someone is typing because when they touch the screen they move it just a little bit these are all
things that are either in lab or in development as we speak what do you want to do about that and the answer is you can't stop the progress I don't see how you can stop the progress because amongst other things technology is in a positive feedback loop and positive feedback loops buying cannot be stopped so let's assume for the moment that observability is rising at a very fast rate that would say then can I do identifiability instead can I fall back from my definition of privacy as the absence of observability to one that is the absence of identifiability and this is where things like a national strategy for trusted identities in cyberspace actually come in that this is
where questions of photovia we identify patient if you don't take photos and you don't have a Facebook account or what-have-you someone probably has I'm standing in front of a camera okay you were all photographed by the person taking a photograph of the meeting early on I doubt any of you care that it's known that you were here but nevertheless there you are observability is getting out of control and will not come back give it up I don't like that but give it up the only way to really not give it up the only way to get it back is to adopt the lifestyle of those who choose such things as Amish or pro to offer someone
of the cloistered communities where of course you don't have privacy but only from your community members so can we do the identifiability that is problem but I would suggest the following what do you have as a definition of security might be this is mine the state of security is the absence of unmitigated or surprise there will always be surprises the question is can you mitigate for them SB 1386 the data briefs law says there will always be loss of credit cards the question is what do you then do and it says you know you buy people a couple years worth of credit watch and you give them new cards and you and if something's been bought
you know if ton of jewelry has been bought in Cairo you give them the money back and so forth that says that surprises will happen but we know how to mitigate them so one might say that under the data breach laws we have a state of security at least by the definition that a state of Security's the absence of unmitigated by contrast what would be safe for privacy and this is where I'm going to be contentious my view privacy at this point as a state of privacy is where you have retained the effective capacity to misrepresent yourself because if you cannot misrepresent yourself you don't have it and I don't like that but again I'm not in the wishful thinking
Department I am in the as best I can reality Department and that is if you cannot misrepresent yourself what have you got and I think that includes what's a good example those of you have a fit I don't know how many of you still do this but there was a time when cypherpunks for example with generally at meetings would swap affinity cards at various at CVS or what-have-you so that you're randomizing the tracking mechanism you might pay if you have a therapist you might pay your therapist in cash under an assumed name if you if the smart grid comes to pass you might put a motor generator between yourself and yet so it doesn't read what you're
the appliances are doing if you if you're really serious you probably retain a inventory of misconfigured web service and you proxy through them this is what I mean by the effective capacity to misrepresent yourself and yes it is absolutely something that can be used for good and something that can be used for bad I am certain at this point that all security technology is dual use no use as a Washington term for it can be used for offense or defense I am certain of this we can argue it another time but I'm certain of it if that's the case then we can't say that this technology cannot be used because it might be used by bad people we are at great risk of
that from our friends in Washington the issue of Bitcoin might be a place to watch this it might be a place to watch what Washington does only this week Treasury said that the bit the people who run the people who run the the hawala the right that they can't that they can't deal with mount mount right I'm sorry sometimes I forget the names of things I'm getting older it's a feature the alternative is worse by the way but watch what happens with Bitcoin is it a currency or is it not is it specie or is it not what is it and I don't actually think that it deserves regulation but it's hard to imagine that
there are people who make their living making regulations who won't find a reason to want to do that George Bush was somewhat famous for saying that what he wanted was an ownership Society some people made fun of that some didn't I'm not here to argue the point but I'll ask you over the next five years what will you own one of my daughter's is a tax attorney who does estate planning it's already in her as a professional in that field it is already within her purview that for example you cannot include your iTunes library in your estate because you can't transfer it it's not you have a license and you not have ownership what about medical
records electronic health records who owns them I was working in the Harvard teaching arena Harvard teaching hospital arena in their 70s I believe it was 1975 but at that point the who owns the medical record changed over from being the patient to being the institution that was to combat insurance fraud but nevertheless that was the situation who owns it you have a license to it in a world in which your medical records are wherever someone quote has a need to know who you own them or do you not or do you merely have a license or for that matter are you the license granting authority for those medical records if I am unconscious I guess I want anybody to
be able to read them if I find me on the street and there's a red card wrapped around a tree I suppose I want them to be able to read my medical records regardless of my level of Commission on the other hand what does the accountability for that loans in is that something where I own it or is it not do you own your face what is the definition of public in public is now quite a bit broader than it once was do you own your face do you own your data if particularly if your data is somewhere else for those of you keep your all your data at home or you know and only do your email there the
text I'm being autobiographic here only do your email and our text and the text system and you and you keep it all on local machines that you backup yourself to hardware that you own that's one thing if no offense to anybody if everything you own is a gmail do you own it try to erase things sometimes try to erase things open up a facebook identity and play around with it for a while then try to make it go away this is very hard Marcus Ranum who some of you may know who's the inventor of the firewall quite a while ago allowed some people he was not in facebook he allowed some people to create a fake Marcus Ranum and
have fun with it and the answer is when they were done with the experiment it was almost impossible to get rid of it because he's well-known not quite a public figure but you're familiar with the idea of a public figure has no right of privacy which I will remind you public figures include everybody who makes laws and so how do you expect them to have in some sense a sympathetic view of what should be rules ed Appel who for 25 years was the FBI's special agent in charge of counter espionage that was at a time when counter espionage meant people leaving the country with a briefcase of course it does not mean that now but us ignore that he said
something important about this he said your choice is not one big brother or not your choice is one big brother or lots of little brothers choose carefully I think his advice which was from 1991 by the way applies now and it applies today America's greatness has been not only the question of if it isn't forbidden you're free to do it it has been if you want to reinvent yourself do it you know go west young man or whatever if you want to reinvest or reinvent yourself you were able to do it that is why we are where we are can you still do that do you want a world in which you can do that
when you change your name what do you want to do do you want to change the name I would suggest if if as I said earlier my definition of privacy is one where you have the ability to misrepresent yourself I would suggest you want not one internet identity but as many as you can handle and you want them to be distinct and you want them to be cultivated or should I say perhaps curated do you want them to be something that is under your control and if not then you have to concern yourself with the fact that the technologic advance changes the equation of possible and impossible in ways that are not readily identifiable but which
have side effects I'll close with something I heard at a lecture at Harvard some years ago at the Kennedy School and I'm sorry I forget the name of the author I wish I had it it is improper to not give people credit but this speaker said the four verities of government are that most important ideas are uninteresting most interesting ideas are unimportant not every problem has a good solution all solutions have side effects and I think that applies to us perhaps more than anywhere else I think cybersecurity is the most challenging intellectual profession on the planet I salute you for being in it but I'm here to deliver the bad news that you are in
it for life thank you
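Editor's added example, not the speaker's code and not the Index of Cyber Security's actual questions or formula: a small Python model of the index mechanism the talk describes, in which Likert answers ("a lot better" through "a lot worse") from operational respondents are averaged per question, each question's component is compounded month over month the way a price index is, the composite is an equal-weighted basket, and each month the components are rank-ordered by their contribution to the composite's change. The Likert-to-number mapping, the 1% step per Likert unit, the base level of 1000, the three component names and the two months of answers are all constructed assumptions for illustration; the talk says the real index uses 24 questions.

```python
"""Toy opinion-based risk index built from Likert-scale survey answers,
compounded like a financial index, with per-component contributions ranked
each month. Added illustration; not the real Index of Cyber Security's code.
Scale mapping, step size, base level and sample answers are assumptions."""
from __future__ import annotations

from statistics import mean

# Likert answers mapped to signed risk movement. "worse" is positive because,
# as the talk puts it, the index is like golf: a higher score is the bad direction.
LIKERT = {"a lot better": -2, "better": -1, "same": 0, "worse": 1, "a lot worse": 2}

STEP = 0.01    # assumed: one Likert unit of mean opinion moves a component 1% per month
BASE = 1000.0  # assumed starting level for every component


class RiskIndex:
    def __init__(self, components: list[str]) -> None:
        self.components = list(components)
        self.levels = {c: BASE for c in self.components}
        self.history: list[dict[str, float]] = [dict(self.levels)]

    @staticmethod
    def component_return(answers: list[str]) -> float:
        """Mean opinion for one question, scaled to a monthly 'return'.
        A respondent's private definition of the risk does not matter as long
        as it is stable month to month: only the direction of change is averaged.
        An answer outside the scale is a data-entry error, so fail loudly."""
        if not answers:
            raise ValueError("no respondents for this component")
        bad = [a for a in answers if a not in LIKERT]
        if bad:
            raise ValueError(f"off-scale answers: {bad}")
        return mean(LIKERT[a] for a in answers) * STEP

    def composite(self) -> float:
        """Equal-weighted composite level, the same arithmetic as a basket index."""
        return mean(self.levels.values())

    def update(self, month: dict[str, list[str]]) -> dict[str, float]:
        """Compound one month of answers into every component and return each
        component's contribution to the change in the composite."""
        missing = set(self.components) - set(month)
        if missing:
            raise ValueError(f"missing answers for {sorted(missing)}")
        weight = 1.0 / len(self.components)
        contributions: dict[str, float] = {}
        for c in self.components:
            old = self.levels[c]
            new = old * (1.0 + self.component_return(month[c]))
            self.levels[c] = new
            contributions[c] = (new - old) * weight  # sums to the composite change
        self.history.append(dict(self.levels))
        return contributions

    @staticmethod
    def rank(contributions: dict[str, float]) -> list[str]:
        """Rank order: which component pushed the composite up the most this month."""
        ranked = sorted(contributions.items(), key=lambda kv: kv[1], reverse=True)
        return [c for c, _ in ranked]


def run_example() -> dict:
    """Two constructed months of answers, four respondents per question."""
    idx = RiskIndex(["malware", "insider", "nation state"])
    month1 = {
        "malware": ["worse", "worse", "same", "a lot worse"],
        "insider": ["same", "same", "better", "same"],
        "nation state": ["a lot worse", "worse", "worse", "worse"],
    }
    month2 = {
        "malware": ["a lot worse"] * 4,
        "insider": ["worse"] * 4,
        "nation state": ["better"] * 4,
    }
    tops, composites, checks = [], [], []
    for m in (month1, month2):
        before = idx.composite()
        contrib = idx.update(m)
        tops.append(idx.rank(contrib)[0])
        composites.append(idx.composite())
        checks.append(abs(sum(contrib.values()) - (idx.composite() - before)))
    return {"top_contributor": tops, "composite": composites,
            "levels": dict(idx.levels), "max_check_error": max(checks)}


if __name__ == "__main__":
    print(run_example())
```

With these constructed answers the composite rises both months while the top contributor flips from "nation state" to "malware", which is the pattern the talk describes: a smooth upward trend in the compounded index with a volatile rank order underneath it.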