海角大神

Modern field guide to security and privacy

Lessons on digital security and privacy from SXSW

Amid the national debate over encryption and the battle between the FBI and Apple, cybersecurity and digital privacy were hot topics for the tens of thousands of digerati who flocked to Austin for the 2016 South by Southwest Interactive festival.

Ann Hermes/海角大神
Natasha Wiscombe checked her iPhone outside of the JW Marriott hotel that hosted South by Southwest Interactive panels.

When President Obama took the stage on the opening day of the South By Southwest Interactive festival, he sought to sell the throngs of entrepreneurs and coders on public service.

But the most-requested audience question for the commander-in-chief at this massive festival for creative types was about something else entirely: The debate over encryption and the balance between national security and consumers' privacy.

Security and privacy are increasingly prominent topics for the tens of thousands of digerati who flock each March to Austin, and this year, Passcode was at the center of those discussions. In one official panel, Passcode explored ways forward on the encryption debate — an especially timely talk since the terror attack in San Bernardino, Calif., pitted many in the tech industry against US law enforcement and intelligence officials.

In another session, we gathered key stakeholders to debate ways to make sure that privacy is preserved in the burgeoning Internet of Things.

And on the trade show floor, Passcode and its partners hosted trainings and talks to help thousands of people — one on one — learn how to improve their Internet habits and browse the Web safely.

Over the course of the SXSW Interactive festival, we brought together security researchers, tech executives, digital rights advocates, government officials, former White House staff, and many of the other sharpest minds in the security and privacy space to discuss some of the most pressing issues for consumers and businesses when it comes to navigating the Digital Age.

Here's some of what we learned:

Ann Hermes/海角大神
Cryptographer Matt Blaze (r.) spoke at SXSW.

Cryptowars 2.0: Strong stances, emotional arguments

Our session "Cryptowars 2.0: Silicon Valley v. Washington" featured prominent figures in the encryption debate now and back in the 1990s. Matt Blaze, the famed University of Pennsylvania cryptography expert who found serious vulnerabilities in the Clipper Chip the National Security Agency wanted telecoms to use in the 1990s because it contained a government backdoor, appeared on our panel. So did Stewart Baker, former general counsel for the National Security Agency, and Amit Yoran, president of the networking security giant RSA.

Things got heated.

In fact, Mr. Baker, former general counsel for the NSA, dismissed arguments by many in the security and tech community in favor of "crypto everywhere" as nonsense. "Encryption is the most oversold security solution," he said. "It's designed by people who measure themselves against the NSA rather than hackers in Eastern Europe."

While Baker worries that ubiquitous encryption will increasingly block the government from pursuing child pornographers and terrorists, Mr. Blaze worries that efforts to weaken systems will give criminals an advantage. "Let me be the first to admit that we don't know how to build secure, robust systems. It's a fundamental problem of computing," said Blaze.

And any effort to deliberately weaken those systems would "cause more crimes," he said. In fact, Blaze says he's "baffled" that the FBI considers the state of cybersecurity so good that it "wants tech companies to design flaws in encryption."

It's not as simple as privacy v. security

Many experts and journalists have framed the current Apple v. FBI showdown over the tech giant's refusal to help the government unlock the San Bernardino shooter's iPhone in terms of a broader, societal struggle over balancing privacy and security.

But Blaze says that's too simplistic of an approach. It inherently assumes that encryption is so good — and widespread — that users can achieve absolute digital privacy. "We are nowhere near ready to have a policy debate that is that simple," he said.

Even with the spread of encryption and other technology designed to defend against malicious attacks, Blaze says, "we are in what can only be described charitably as a cybersecurity crisis.... There may be a privacy v. security question that we can debate when my field is wildly successful."

Other countries want data, too

It's not just the US that is having this debate over the tradeoffs that come with the spread of encrypted consumer devices. It's also happening in Britain, France, Russia, and China. "Silicon Valley is completely misreading the world stage," said Baker, suggesting that foreign governments aren't going to allow the tech company to sell devices that are impenetrable to its police and law enforcement. "Privacy is a new form of Silicon Valley imperialism."

But building strong privacy protections into its products is about building trust for American products in other markets, said Amit Yoran of RSA, especially in light of the Snowden disclosures. "I think it is a very dangerous move against US economic interests across the board."

Since Apple is resisting the government's request in the iPhone case, Baker said he'd like to know whether or not Apple is also resisting Chinese requests for help accessing data on its devices. "Apple is sure not telling us what they do for China," he said. "I think we are all entitled to know."

In fact, he said, "China is their biggest market and they've acted like it." And if Apple refuses to comply with the US government's request, it should be forced to disclose what kind of access it has provided to other countries, he says.

The national security question

Mr. Yoran dismissed the FBI's claim that there's a serious "going dark" problem, because we are living in a Digital Age in which so many cameras, connected devices, and sensors are tracking and recording our Web activity and physical movements. "We have not gone dark — we live in the great surveillance society," he said. "Do we want to further weaken our systems by going that last extra bit? No. Weakening our systems is not a healthy balance."

In fact, he said, the DOJ is making "an emotional plea" when it comes to the San Bernardino iPhone. "There's no intelligence and national security value to weakening the cryptosystems," he said. "The bad guys already have access to all the strong crypto they want."

Tech's role in society

"The job here is not for Apple and all tech companies to create open access for law enforcement," said Yoran. "It's not Apple's job to make law enforcement's job more efficient."

Yet Baker said that Apple "isn't being socially responsible" when it comes to encryption. "If Apple is assuming the benefits of the privacy it is selling, how about it takes on some of the costs of crime? How about letting victims of crimes that have not been solved because of encryption sue Apple for damages?"

But Yoran said he can't believe that the FBI can't break into the iPhone in the San Bernardino case. "Are we to believe that the FBI & the NSA can't get access to the iPhone 5c? If that's the case, I've got serious national security concerns."

What's at stake for business

At a separate Passcode talk during SXSW on the encryption debate, Kevin Bankston, director of New America's Open Technology Institute, said that US businesses, not the bad guys seeking to use encryption, will be the ones to feel the consequences of a government backdoor. "We could put backdoors into US products and still not prevent bad guys from using encryption," Mr. Bankston said. "[Encryption is] freely available all over the place. It's math. Our companies don't have a monopoly on it."

Ann Hermes/海角大神
From left: Passcode editor Mike Farrell, Julie Brill, Ruby Zefo, and Michelle Dennedy.

Internet of Things: Fraught with privacy and security challenges

Passcode editor Michael Farrell delved into the privacy and security concerns when it comes to the Internet of Things — a popular subject at this year's SXSW — with Federal Trade Commissioner Julie Brill, Intel's vice president of law and policy Ruby Zefo, and Cisco's chief privacy expert Michelle Dennedy.

Ms. Zefo pointed out the challenge for industry is that one person's privacy nightmare is another person's convenience. For example, she said, she recently received a notice offering to automatically adjust the temperature in her home based on who was in it — by tracking location services in her family members' devices. It could also save money by automatically turning off the heat or air conditioning if no one was home. While she personally would never trade that kind of personal data for the convenience factor, she says, "I liked the fact I had a choice."

"You've got to be a wise consumer; you can't just ignore it all and just throw up your hands," Zefo says. "If you have zero privacy, you should get over it, because you did it to yourself."

Still, as Ms. Brill added, "You can't give consumers choices over each step. I like the analogy of an automobile. We want our automobiles to be safe, but when consumers get into a car to go somewhere, they are given some choices — how fast they're going to go, what gears to use. Those are the fundamental choices and the rest is built in... We need to build in more privacy and security under the hood."

Privacy profiles could begin to address the issue of how different consumers view their own privacy, said Ms. Dennedy. People could, for instance, choose avatars like in video games to adjust their settings. After all, she says, introducing entertainment to compliance can help consumers understand privacy. When she previously worked at Intel, for instance, the company developed cartoons to explain its privacy policy.

When it comes to building in security to IoT devices, it's a lot easier to start from the beginning — before a product draws a half million users or the company is acquired and is forced to consider the ramifications, Brill said. "To try to retrofit some of the security things is really just so much harder," she said.

Rising entrepreneurs can avoid having their customers' data and intellectual property stolen by developing a better security culture, putting their data in a place where they can remember it, and cutting down on unnecessary digital clutter, said Heather West, a senior policy manager for Mozilla. "I think a lot of people say, 'It's just in a database somewhere.' Or, 'I put it in the cloud,'" Ms. West said. "But you may need to understand better how you're doing it."

But as long as entrepreneurs and technologists push the boundaries in the IoT space, there'll be new vulnerabilities that could expose users to privacy and security risks, said Mike Wyatt, director of Deloitte Advisory's Cyber Risk Services, during a separate Passcode talk during SXSW. "Cyberhygiene needs to start at design — not after the fact when all the data has been collected." And, as the burgeoning IoT becomes more common in critical infrastructure — cities, utilities, or transportation — technologists need to "design systems so when they fail, they fail safe."

Unfortunately, said John Matherly, CEO of Shodan, a search engine for Internet-connected devices, "There's just no security on most devices." His platform tracks some 600 million devices that connect to the Web — from connected egg cartons to toilets — and catalogs a part of the Internet that most people never see. While security for kitchen gadgets might not seem like a big deal, vulnerabilities in IoT devices that run cities or utilities are certainly concerning.

"You might not care if someone can take down your refrigerator or light bulb," but if hackers can do that, he said, "they might be able to take down everyone else's light bulb as well."

While the cybersecurity space is rife with doom and gloom scenarios of hackers causing widespread power outages, Cris Thomas, aka Space Rogue, a strategist at the cybersecurity firm Tenable Network Security, offered a cautionary note when it comes to blaming physical attacks on digital incursions.

Cyberwar saber-rattlers, for instance, have previously pointed to a Brazilian blackout as evidence of hackers building skills to carry out physical attacks. But Mr. Thomas pointed out that officials eventually linked the outages to sooty insulators. And yes, experts have proven that hackers took out power in Ukraine for several hours in December. But squirrels, he says, are a more dangerous threat to the grid.

While there's a small chance that malicious hackers could pull off a more damaging physical attack, "let's not devote 100 percent of our efforts to it," he said.

And while the Apple v. FBI case was discussed widely at SXSW mostly in terms of what precedent it would set for security and privacy standards in consumer devices such as smartphones, Hilary Cain, director of technology and innovation policy at Toyota, also said the outcome of the legal dispute could have far-reaching effects on the IoT space, too.

"I think how this plays out will have ramifications beyond the device industry," said Ms. Cain in a discussion with Gary Shapiro, CEO of the Consumer Technology Association. "This will have implications for the entire Internet of Things."

Privacy awareness: Consumers are getting savvier

From search engines to social media, consumers should be aware that their Web behavior is being logged and analyzed, and in many cases, passed on to advertisers and others seeking to market to certain kinds of customers. "If the service is free, you're the product," said Mike McCamon, president of SpiderOak, during a Passcode session to discuss consumers' changing attitudes about security and privacy.

"If you're getting free drinks, be suspicious," added Emma Llanso of the Center for Democracy and Technology. Users might have a choice about what kinds of data is displayed — but companies don't always make that clear at the outset, Mr. McCamon says.

He was angry when he discovered his young daughter's location services on Instagram had been enabled by default, revealing the location of her house, school and church to the world. "You can make something free, and we can make those compromises, and I'm cool with that," Mr. McCamon says. "But don't lead someone into a dark alley [when it comes to privacy] and not tell them about it."

However, increasing privacy awareness may not solve the problem. "You would expect when awareness increases, people would do more about their privacy," says Rafael Laguna, CEO of Open-Xchange, who discussed his firm's recent  with Passcode at SXSW. "But actually, the opposite is true. People feel they are much less capable of controlling their data online."

Ann Hermes/海角大神
Andrew McLaughlin and Nicole Wong both served as deputy chief technology officers in the White House.

Cybersecurity 101: Getting the basics right

Many of our conversations this year at SXSW focused on the basics of cybersecurity and privacy by helping people improve their "cyberhygiene." For instance: Pick good passwords. Avoid public wi-fi. Upgrade your software. Turn on two-factor authentication.

When it comes down to it, it's pretty simple stuff, said Nick Percoco, vice president of global services at the cybersecurity firm Rapid7.

"How we define security hygiene is very similar to personal hygiene," said Mr. Percoco, Vice President of Global Services at Rapid7. "It's very, very simple things that make a difference."

And that goes for network security as well as the security in sectors such as the gaming market and even aviation, said security experts. Video games, for instance, are prime targets for criminals seeking to compromise vulnerable accounts — and sell those accounts' virtual goods for real money, says Matthew Cook, the cofounder of Panopticon Labs. If gaming companies don't build in security measures to combat such fraud, says Matthew Cook, players won't stick around and criminals will cut into profits.

One gaming publisher lost 40 percent of its revenue because of hackers, he adds. "They are nothing less than a cancer on these games," he said.

Just as airlines have the National Transportation Safety Board to investigate accidents and incidents, companies and the US government need a board that can dive into issues and mark areas for improvement. "By not sharing this information, we're making the bad guys more cost effective," said Trey Ford, a global security strategist.

Cybersecurity has even become a more pressing issue for public relations executives, explained Michelle McKenna from Hill+Knowlton Strategies. If a company wants to avoid damage to its reputation after a breach, it first needs to find out exactly what happened — and get its narrative straight in-house before telling its customers, says Ms. McKenna from Hill+Knowlton Strategies.

Releasing incorrect or too much information at once can panic customers, McKenna says, and for smaller companies, their reputation may be at stake. And the public relations battle doesn't stop once the breach's news cycle ends. "Reputation recovery from one of these issues is a long term project," she says.

A key reason why Washington still doesn't get basic cybersecurity right, two former US deputy chief technology officers said at a Passcode talk, is because the government hasn't embraced what is second nature to most tech companies: Deploying a preliminary version of a product, assessing what works and what doesn't, and adjusting on the fly.

Instead, they say, government officials are striving for an impossible goal: Getting it right in one shot. "Nothing lasts for 25 years in this space, so stop trying to build that thing," said Nicole Wong. Plus, Andrew McLaughlin advised, don't delay on innovation. In the government, he says, "'Maybe someday' never happens."

Michael B. Farrell, Jack Detsch, and Malena Carollo contributed reporting for this piece. All videos by Michael Brennan.
