Lessons on digital security and privacy from SXSW
Amid the national debate over encryption and the battle between the FBI and Apple, cybersecurity and digital privacy were hot topics for the tens of thousands of digerati who flocked to Austin for the 2016 South by Southwest Interactive festival.
AUSTIN — When President Obama took the stage on the opening day of the South By Southwest Interactive festival, he sought to sell the throngs of entrepreneurs and coders on public service.
But the most-requested audience question for the commander-in-chief at this massive festival for creative types was about something else entirely: The debate over encryption and the balance between national security and consumers’ privacy.
Security and privacy are increasingly prominent topics for the tens of thousands of digerati who flock each March to Austin, and this year, Passcode was at the center of those discussions. In one official panel, Passcode explored ways forward on the encryption debate – an especially timely talk since the terror attack in San Bernardino, Calif., pitted many in the tech industry against US law enforcement and intelligence officials.
In another session, we gathered key stakeholders to debate ways to make sure that privacy is preserved in the burgeoning Internet of Things.
And on the trade show floor, Passcode and its partners hosted trainings and talks to help thousands of people – one on one – learn how to improve their Internet habits and browse the Web safely.
Over the course of the SXSW Interactive festival, we brought together security researchers, tech executives, digital rights advocates, government officials, former White House staff, and many of the other sharpest minds in the security and privacy space to discuss some most pressing issues for consumers and businesses when it comes to navigating the Digital Age.
Here’s some of what we learned:
Cryptowars 2.0: Strong stances, emotional arguments
Our session “Cryptowars 2.0: Silicon Valley v. Washington” featured prominent figures in the encryption debate now and back in the 1990s. Matt Blaze, the famed University of Pennsylvania cryptography expert who found a serious vulnerabilities in the Clipper Chip the National Security Agency wanted telecoms to use in the 1990s because it contained a government backdoor, appeared on our panel. So did Stewart Baker, former general counsel for the National Security Agency, and Amit Yoran, president of the networking security giant RSA.
Things got heated.
In fact, Mr. Baker, former general counsel for the NSA, dismissed arguments by many in the security and tech community in favor of “crypto everywhere” as nonsense. “Encryption is the most oversold security solution,” he said. “It’s designed by people who measure themselves against the NSA rather than hackers in Eastern Europe.”
While Baker worries that ubiquitous encryption will increasingly block the government from pursuing child pornographers and terrorists, Mr. Blaze worries that efforts to weaken systems will give criminals an advantage. “Let me be the first to admit that we don’t know how to build secure, robust systems. It’s a fundamental problem of computing,” said Blaze.
And any effort to deliberately weaken those systems would “cause more crimes,” he said. In fact, Blaze says he’s “baffled” that the FBI considers the state of cybersecurity so good that it “wants tech companies to design flaws in encryption.”
It’s not as simple as privacy v. security
Many experts and journalists have framed the current Apple v. FBI showdown over the tech giant’s refusal to help the government unlock the San Bernardino shooter’s iPhone in terms of a broader, societal struggle over balancing privacy and security.
But Blaze says that’s too simplistic of an approach. It inherently assumes that encryption is so good – and widespread – that users can achieve absolute digital privacy. “We are nowhere near ready to have a policy debate that is that simple,” he said.
Even with the spread of encryption and other technology designed to defend against malicious attacks, Blaze says, “we are in what can only be described charitably as a cybersecurity crisis…. There may be a privacy v. security question that we can debate when my field is wildly successful.”
Other countries want data, too
It’s not just the US that is having this debate over the tradeoffs that come with the spread of encrypted consumer devices. It’s also happening in Britain, France, Russia, and China. “Silicon Valley is completely misreading the world stage,” said Baker, suggesting that foreign governments aren’t going to allow the tech company to sell devices that are impenetrable to its police and law enforcement. “Privacy is a new form of Silicon Valley imperialism.”
But building strong privacy protections into its products is about building trust for American products in other markets, said Amit Yoran of RSA, especially in light of the Snowden disclosures. “I think it is a very dangerous move against US economic interests across the board.”
Since Apple is resisting the government’s request in the iPhone case, Baker said he’d like to know whether or not Apple is also resisting Chinese requests for help accessing data on its devices “Apple is sure not telling us what they do for China,” he said. “I think we are all entitled to know.”
In fact, he said, “China is their biggest market and they’ve acted like it.” And if Apple refuses to comply with the US government’s request, it should be forced to disclose what kind of access it has provided to other countries, he says.
The national security question
Mr. Yoran dismissed the FBI’s claim that there’s a serious “going dark” problem, because we are living in a Digital Age in which so many cameras, connected devices, and sensors are tracking and recording our Web activity and physical movements. “We have not gone dark – we live in the great surveillance society,” he said. “Do we want to further weaken our systems by going that last extra bit? No. Weakening our systems is not a healthy balance.”
In fact, he said, the DOJ is making “an emotional plea” when it comes to the San Bernardino iPhone. “There’s no intelligence and national security value to weakening the cryptosystems,” he said. “The bad guys already have access to all the strong crypto they want.”
Tech's role in society
“The job here is not for Apple and all tech companies to create open access for law enforcement” said Yoran. “It’s not Apple’s job to make law enforcement’s job more efficient.”
Yet Baker said that Apple “isn’t being socially responsible” when it comes to encryption. “If Apple is assuming the benefits of the privacy it is selling, how about it takes on some of the costs of crime? How about letting victims of crimes that have not been solved because of encryption sue Apple for damages?”
But Yoran said he can’t believe that the FBI can’t break into the iPhone in the San Bernardino case. “Are we to believe that the FBI & the NSA can’t get access to the iPhone 5c? If that’s the case, I’ve got serious national security concerns.”
What's at stake for business
At a separate Passcode talk during SXSW on the encryption debate, Kevin Bankston, director of New America’s Open Technology Institute, said that US businesses, not the bad guys seeking to use encryption, will be the ones to feel the consequences of a government backdoor. “We could put backdoors into US products and still not prevent bad guys from using encryption,” Mr. Bankston said. “[Encryption is] freely available all over the place. It’s math. Our companies don’t have a monopoly on it.”
Internet of Things: Fraught with privacy and security challenges
Passcode editor Michael Farrell delved into the privacy and security concerns when it comes to the Internet of Things – a popular subject at this year’s SXSW – with Federal Trade Commissioner Julie Brill, Intel’s vice president of law and policy Ruby Zefo, and Cisco’s chief privacy expert Michelle Dennedy.
Ms. Zefo pointed out the challenge for industry is that one person’s privacy nightmare is another person’s convenience. For example, she said, she recently received a notice offering to automatically adjust the temperature in her home based on who was in it – by tracking location services in her family members’ devices. It could also save money by automatically turning off the heat or air conditioning if no one was home. While she personally would never trade that kind of personal data for the convenience factor, she says, “I liked the fact I had a choice.”
“You’ve got to be a wise consumer; you can’t just ignore it all and just throw up your hands,” Zefo says. “If you have zero privacy, you should get over it, because you did it to yourself.”
Still, as Ms. Brill added, “You can’t give consumers choices over each step. I like the analogy of an automobile. We want our automobiles to be safe, but when consumers get into a car to go somewhere, they are given some choices – how fast they’re going to go, what gears to use. Those are the fundamental choices and the rest is built in... We need to build in more privacy and security under the hood.”
When it comes to building in security to IoT devices, it’s a lot start from the beginning – before a product draws a half million users or the company is acquired and is forced to consider the ramifications, Brill said. “To try to retrofit some of the security things is really just so much harder,” she said.
Rising entrepreneurs can avoid having their customers’ data and intellectual property stolen by developing a better security culture, putting it their data in a place where they can remember it, and cutting down on unnecessary digital clutter, said Heather West, a senior policy manager for Mozilla, during a SXSW talk hosted by Passcode. “I think a lot of people say, ‘It’s just in a database somewhere.’ Or, ‘I put it in the cloud,’” Ms. West said. “But you may need to understand better how you’re doing it.”
But as long as entrepreneurs and technologists push the boundaries in the IoT space, there’ll be new vulnerabilities that could expose users to privacy and security risks, said Mike Wyatt, director of Deloitte Advisory’s Cyber Risk Services, during a separate Passcode talk during SXSW. “Cyberhygiene needs to start at design … not after the fact when all the data has been collected.” And, as the burgeoning IoT becomes more common in critical infrastructure — cities, utilities, or transportation –technologists need to “design systems so when they fail, they fail safe.”
Unfortunately, said John Matherly, CEO of Shodan, a engine for Internet-connected devices, “There’s just no security on most devices.” His platform tracks some 600 million devices that connect to the Web – from connected egg cartons to toilets – and catalogs a part of the Internet that most people never see. While security for kitchen gadgets might not seem like a big deal, vulnerabilities in IoT devices that run cities or utilities are certainly concerning.
“You might not care if someone can take down your refrigerator or light bulb,” he said during a Passcode talk. But if hackers can do that, he said, “they might be able to take down everyone else’s light bulb as well.”
While the cybersecurity space is rife with doom and gloom scenarios of hackers causing widespread power outages, Cris Thomas, aka Space Rogue, a strategist at the cybersecurity firm Tenable Network Security, offered a cautionary note when it comes to blaming physical attacks on digital incursions. (See his full talk at the Passcode booth here.)
Cyberwar saber-rattlers, for instance, have previously pointed to a Brazilian blackout as evidence of hackers building skills to carry out physical attacks. But Mr. Thomas pointed out that officials eventually linked the outages to sooty insulators. And yes, experts have proven that hackers took out power in Ukraine for several hours in December. But squirrels, he says, are a more dangerous threat to the grid.
While there’s a small chance that malicious hackers could pull off a more damaging physical attacks, “let’s not devote 100 percent of our efforts to it,” he said.
And while the Apple v. FBI case was discussed widely at SXSW mostly in term of what president it would set for security and privacy standards in consumer devices such as smartphones, Hilary Cain, director of technology and innovation policy at Toyota, also said the outcome of the legal dispute could have far-reach effects on the IoT space, too.
“I think how this plays out will have ramifications beyond the device industry,” said Ms. Cain in a discussion with Gary Shapiro, CEO of the Consumer Technology Association. “This will have implications for the entire Internet of Things.” (See their entire conversation here.)
Privacy awareness: Consumers are getting savvier
From search engines to social media, consumers should be aware that their Web behavior is being logged and analyzed, and in many cases, passed on to advertisers and others seeking to market to certain kinds of customers. “If the service is free, you’re the product,” said Mike McCamon, president of SpiderOak, during a Passcode session to discuss consumers’ changing attitudes about security and privacy.
“If you’re getting free drinks, be suspicious,” added Emma Llanso of the Center for Democracy and Technology. Users might have a choice about what kinds of data is displayed – but companies don’t always make that clear at the outset, Mr. McCamon says.
He was angry when he discovered his young daughter’s location services on Instagram had enabled by default, revealing the location of her house, school and church to the world. “You can make something free, and we can make those compromises, and I’m cool with that,” Mc. McCamon says. “But don’t lead someone into a dark alley [when it comes to privacy] and not tell them about it.”
However, increasing privacy awareness may not solve the problem. “You would expect when awareness increases, people would do more about their privacy,” says Rafael Laguna, CEO of Open-Xchange, who discussed his firm’s recent Consumer Openness Index with Passcode at SXSW. “But actually, the opposite is true. People feel they are much less capable of controlling their data online.”
Cybersecurity 101: Getting the basics right
Much of our conversations this year at SXSW focused on the basics of cybersecurity and privacy by helping people improve their “cyberhygeine.” For instance: Pick good passwords. Avoid public wi-fi. Upgrade your software. Turn on two-factor authentication.
When it comes down to it, it’s pretty simple stuff, said Nick Percoco, vice president of global services at the cybersecurity firm Rapid7.
“How we define security hygiene is very similar to personal hygiene,” said Mr. Percoco, Vice President of Global Services at Rapid7. “It’s very, very simple things that make a difference.”
And that goes for network security as well as the security in sectors such as the gaming market and even aviation, said security experts. Video games, for instance, are prime targets for criminals seeking compromise vulnerable accounts – and sell those accounts’ virtual goods for real money, says Matthew Cook, the cofounder of Panopticon Labs. If gaming companies don’t build in security measures to combat such fraud, says Matthew Cook, players won’t stick around and criminals will cut into profits. (See Cook’s entire presentation here.)
One gaming publisher lost 40 percent of its revenue because of hackers, he adds. “They are nothing less than a cancer on these games,” he said.
Just as airlines have the National Transportation Safety Board to investigate accidents and incidents, companies and the US government need a board that can dive into issues and mark areas for improvement. “By not sharing this information, we’re making the bad guys more cost effective,” said Trey Ford, a global security strategist. (See his Passcode talk here.)
Cybersecurity has even become a more pressing issue for public relations executives, explained Michelle McKenna from Hill+Knowlton Strategies. If a company wants to avoid damage to its reputation after a breach, it first needs to find out exactly what happened – and get its narrative straight in-house before telling its customers, says Ms. McKenna from Hill+Knowlton Strategies.
Releasing incorrect or too much information at once can panic customers, McKenna says, and for smaller companies, their reputation may be at stake. And the public relations battle doesn’t stop once the breach’s news cycle ends. “Reputation recovery from one of these issues is a long term project,” she says. (See her Passcode talk here.)
A key reason why Washington still doesn’t get basic cybersecurity right, two former US deputy chief technology officers said at a Passcode talk, is because the government hasn’t embrace what is second nature to most tech companies: Deploying a preliminary version of a product, assessing what works and what doesn’t, and adjusting on the fly.
Instead, they say, government officials are striving for an impossible goal: Getting it right in one shot. “Nothing lasts for 25 years in this space, so stop trying to build that thing,” said Nicole Wong. Plus, Andrew McLaughlin advised, don’t delay on innovation. In the government, he says, “ ‘Maybe someday’ never happens.” (See their talk here.)
Michael B. Farrell, Jack Detsch, and Malena Carollo contributed reporting for this piece. All videos by Michael Brennan.