A misplaced bit in the cyber world caused me to miss this morning's Cyber Shockwave war game put on by the Bipartisan Policy Council, but plenty of Twitterers kept me updated. (Search for #cybershockwave for some of the insights.) The scenario involved, firstly, the hack of a mobile phone platform. Within 45 minutes, the entire Internet was down. And then the real fun began: an attack on the power grid. CNN is broadcasting the event this weekend; they're already running ominous-sounding promos for it.
Which brings me to Jamie Gorelick: among the participants, she came closest to addressing the concept of cyber hygiene, a weird-sounding and increasingly controversial topic. To put it simply: no one has any. Consumers approach cyberspace as an all-you-can-eat buffet, with very little appreciation whatsoever for the constraints the system imposes upon the commons. We download all the applications we can buy, from secure platforms (like iPhone's app store) or from the web; we don't update our anti-virus software (but we expect government to perform when, because of our failure to take care of our interactions with cyberspace, malware infects a website that we visit).
We confuse cyber hygiene with our basic need for privacy; we want control of our data (because it is a simulacrum of our personal selves) but we eagerly give it away through Twitter, Facebook and Google. Sometimes, lines are crossed, and the public protests; Facebook or Google adjusts its software and somehow, even though we've increased our control of the information belonging to us by one micron, we feel safer. Political consultants eagerly use data-mining software to determine our sexual orientation, race, voting ideology; they know whether we have gun licenses, what magazines we buy, where we've traveled. At the same time, we eagerly accept credit cards with easily steal-able RFID chips and carry around cellphones that can be hacked into by amateurs. The most common password is still "password."
Industry is complicit; the marketplace demands speed and convenience, not warnings and roadblocks. And government doesn't have the legal means or practical political force to persuade industry to spend the money on backend information security architecture that would temporarily reduce productivity but would, in the end, increase security.
In Singapore, grade school children compete to become Cyber Ambassadors, complete with a certificate signed by the Prime Minister. The ambassadors are selected because they're unusually effective in helping their mates interact more safely with the Internet.
Emphasizing that positive peer influence can be a powerful mechanism to promote good cyber wellness practices, at the launch of the Cyber Wellness Student Ambassador Programme, SPS Masagos explained that the new initiative equips students with knowledge and skills on using online tools safely and provides an extended platform to complement existing cyber wellness education efforts. Students who want to play an active role in promoting cyber wellness among their peers can now become Cyber Wellness Student Ambassadors. The Cyber Wellness Student Ambassador Programme is launched today to promote safe and responsible use of Information-Communication Technologies (ICT) among students through peer education.
I find this a bit Orwellian, and no doubt that any government-imposed or sponsored scheme of this sort will be used to censor political speech. But the idea that consumers, too, have a responsibility when it comes to cyberspace is one that might gain support, albeit in a uniquely American way. The Department of Homeland Security is trying; Secretary Janet Napolitano gave a speech about it.
App developers could establish a consortium that would review all apps for malware and give the clean ones a seal of approval; the marketplace might reward consumers, somehow, for having their anti-virus software up to date. (Dare I say: would Internet providers reduce the bills of consumers who buy and update anti-virus software? Does this violate net neutrality?)
Major companies might subject themselves to cyber "stress tests" administered by DHS. When major companies become the victim of cyber attacks because of their negligence, they should be exposed. Right now, the government protects these companies.
At some point, the president -- or a president -- is going to tell the American people that the National Security Agency is going to have to perform deep packet inspections of the dotcom domain. And that it will have to retain data for a period of time, and it may well be personal data, and, unfortunately, that's the only way that the dotcom domain, given the way it is built, can really be protected against low-probability, high-impact events. This is an exceedingly difficult conversation to have with politicians now, much less with Americans. But it starts with an acknowledgement that cyberspace has become something worth protecting; there is positive value in taking the extra time necessary to brush your teeth, in a cyber sort of way.