Friday, September 05, 2014

A Dissenting View?

I just re-learned the same lesson all over again, iPads do not give me control over my mistakes!
There is no undo when editing text on an iPad in most contexts. Déjà Undo!? Why would I have clicked cancel, seriously! Why? Dear iPad, You should have at least checked with me before deleting 2 hours of contemplation!

Thus this will be a lesser post, a shadow of its former self, there will be some who celebrate that it will thus be shorter, but sadly it will also miss some key nuances that I have neither the wit nor the energy to reproduce.

@Henry Story just posted the largely excellent BBC Horizon program on the dark web. It started off focussing on the important issue of being in control, but sadly for me weakened with a conclusion that focused on the "Online Privacy" meme.

Privacy is simply an outcome of choosing not to be transparent, in effect choosing to close the curtain to the internet. (Aside: Can there ever really be a curtain to the internet, or perhaps a better question is should there be?) Privacy is arguably a transient result of living in a global village that has not yet achieved the transparency that was the norm in earlier villages, in that bygone era before the internet.

I would have concluded with a piece that highlights the importance of the layers that give us the ability to be in control. Let's consider the problem using Maslow's approach to the Hierarchy of Needs. Assuming that we agree that having some degree of privacy is of value, to achieve that...
We need to have the choice of privacy or transparency... to achieve that...
The digital agents that act on our behalf should respond to our intent, in short we should have agency over our agents. ...to achieve that...
We must be able to exert control over said digital agents (which are invariably embodied on devices) ...to achieve that...
We must be able to trust the devices that are a part of a developing set of digital fabrics ...to achieve that...
We must be able to exert control over said digital fabrics, (some of which are not owned by us) ...to achieve that...
We must be able to trust the ecosystem that supports the digital fabrics, and that ecosystem must be able to identify us ...to achieve these things...
We must have the right to be in control of our digital environment, and our digital identities (persona)

In short we should have the right to have digital agency over the digital fabrics we interact with.

We have a long way to go to achieve this....

Today we are all poorly served by our politicians, who have become focused on the Privacy Meme

When what we really need is control... i.e. having that Digital Agency over those Digital Fabrics.

On Privacy: we are fast approaching a time when the last thing the world needs is an excess of privacy. For there are some bad people in the world who thrive on fear and the ability to act often secretly against individuals that dare to stand up to them. There was a time in my life when I chose to publicly stand up to a bully, with a large part of the school watching. I was soundly beaten for my action, but the act triggered others to do the same and the harsh light of transparency caused the bully to be controlled by the majority. It was a proud, as well as bruised time in my young life, which taught me that private timidity, i.e. keeping one's head down, was not always the right thing to do. There are those in the world who purport to be for example Christian, Russian or Muslim, but who are currently using fear and "privacy" to act against society. Often they cover their faces, to ensure their privacy, whether the Ukrainian separatists, or ISIL fighters, or the actors on the Dark Web, they are fighting against our collective right to self determination or agency.

Let us focus on arguing for Digital Rights that are far wider than Privacy Rights, which would give us the right to choose to act for the good of society, as well as ourselves. Then let's focus on ensuring that the digital fabrics of our society support these rights; to do this they will need to be designed from the outset to be secure and trustworthy!

Please, it is not all about Privacy, being in control or having digital agency is far more important.

Yes I am like a scratched record, but apparently I am not getting the message across!

Thursday, September 04, 2014

Who should control your digital fabric?

A new sort of fabric is coming, or for some has come, into being; a digital or cyber fabric. There are going to be a number of types of digital fabric. The term is starting to be used to describe a digitally connected environment, owned by a specific stakeholder, and incorporating their digital devices and all manner of "Things". The key question for these stakeholders is who will be in control of this fabric. The race is on to attain that control, directly out of the hands of the owning stakeholders, often without their knowledge, and frequently without their considered decision.

Many enterprises are starting to understand the need to develop digital strategies. The outcome of an effective digital strategy is being referred to as Digital Mastery. Digital Mastery will not be possible without effective control of a stakeholder's digital fabric.

Digital Fabric is being and will be implemented at many levels, in many spaces: from cities to countries; from offices and laboratories to factory floors; from shopping centres to distribution centres; from individuals to the homes of their extended family. Digital Fabrics will be overlapping and interconnected, but most importantly they should be secure and easily controllable.

The resulting fabric(s) will have many labels, for example the fabric covering the offices, laboratories and factories of a company will likely be called Industrial Fabric. The challenge for fabric owning stakeholders, whether organisations or individuals, will be to achieve the appropriate control over a specific fabric designed and composed to meet their needs.

There is a group of organisations that understand the importance of building, connecting, and controlling these different digital fabrics.

Country Fabric
Industrial Fabric
Transport Fabric
City Fabric
Consumer Fabric
Vehicle Fabric
Domestic or Home Fabric
Personal Fabric


Sadly, most organisations and individuals have not experienced, nor do they understand, the importance or value of a coherent, well architected / designed digital fabric. Most are suffering from a patchwork approach to the development of their digital fabric. This is caused by component and device manufacturers or service providers bringing their own silo-based approach to the development of digital fabric.

An effective digital fabric can be said to be in place when all the relevant digital entities, and real entities which are connected to the fabric, can achieve their desired outcomes securely, quickly, easily and at low transaction cost. Simply connecting your computers to a network does not create a digital fabric.

Does your Digital Strategy specify the need to be in control of YOUR digital fabric?

Have you considered the importance and value of leaving your partners and customers in control of their digital fabrics?

How should these digital fabrics connect, you ask?

Well, that's where you have identified the need for an e-trust ecosystem.

And probably the most important thing you have realised is that you should be in control of all your things, both digital and real, that compose your digital fabric. Perhaps you have also started to think that all your real things should be represented by digital things. If so, you may be starting to understand the power and value of a digital fabric.

So start designing and building your digital fabric now! Perhaps more importantly, should you help your customers implement theirs?

So, YOU can be in control of your Things, rather than others, and your customers can be in control of theirs.

As an aside I connected my Samsung TV to the internet again today, and despite my taking care to maintain control, Samsung again demonstrated that they think that it is their Thing, not mine. For despite skipping the software update step when I connected the TV to the web, just as I switched to viewing the TV, Samsung forced a software update on the device. Nor could I find a way to delete my Wifi password from the TV, once I had entered it. Worse they think that the idea of providing a "single-sign-on" service by capturing my Facebook and email passwords is a secure one. Samsung are trying to force me onto "their" digital fabric. You may have spotted that Samsung are buying Smart Things for $200M, a move to extend their digital fabric into our homes? They are not the only ones who are aiming to own our digital fabrics, think Apple, Amazon, Google, Microsoft et al.

Finally, what are the best types of fabrics? Will they be open or closed, perimeterised or deperimeterised, internal or external? Perhaps it is best you decide before you build yours!

Thursday, July 17, 2014

Scratching an itch... I want Reality in Layers...

Having just ordered my first App enabled Vehicle, a Mitsubishi Outlander PHEV, I am already struck by my frustration about what I cannot control. I downloaded the App months before the arrival of the vehicle. The vehicle I will potentially receive has apparently already been identified and is being shipped from Japan.

But sadly my potential vehicle does not yet know that I am its potential customer.
I want to be able to be talking to and starting to interact with my Vehicle today.
I want to alter the way the car operates and behaves, why can't I start teaching it now!?

Actually if Mitsubishi had allowed me to create a virtual representation of my vehicle as soon as I had downloaded their App, I could be doing just that.

The key change is the need to create a digital representation of the vehicle that can be connected to the real vehicle when I get it.

Funnily enough that is exactly what I am discussing with the folks at Flexeye.

They understand this need and they are starting to build the tools and infrastructure that will allow just that. In its early form it is called the Eye Hub.

Tuesday, June 24, 2014

Respect Network is Launched

So yesterday at lunch, I asked Dan Blum, the Security guru associated with the Respect Network, to be launched in the City of London that evening, "What exactly will the Respect Network respect?"

His response was, I thought at the time, a perfect one. He jumped my clumsy "We will respect your Privacy" trap with consummate ease and stated confidently; 
"We will respect your right to control your data."

A wide ranging discussion, that included the promise of pseudonymous personas ensued.

I planned straight away to sign up for =adrian.seccombe, my soon to be forever cloud name. As well as =adrius42 my gaming persona. It was only after hearing the detail at the launch that I heard the clever and nuanced twists.

Drummond Reed the founder of the Respect Network described to us the switch opportunity, we are allowing you to move from the current world of providers that grab your data to monetise it on their behalf, to a world where you can control the use of your data. He proudly stated; "We are laying tracks." He neglected to clearly articulate that the current providers delivered a usable service with engines and carriages, and indeed semi-useable, if not at all respectful, data control panels. Whereas the Respect Network has, as yet, little to show in this space.

I felt, having been told that there was a bridge that could cross the great divide from Enterprise Centricity to Entity Centricity, that I was tricked, after discovering it was only currently built half way across. Then I realised that, unlike Tower Bridge, next to the launch site at City Hall, this as yet unfinished bridge will not accept mere individuals on foot. I could find no useable UIs. One must travel in carriages, the Apps?, and as yet there are none to speak of! The all important monetisation of my data may also apparently be blocked by the incessant promise of "We will never sell your data!" But what if we want you to, but as our broker? I wish the 5P's, the principles of the Respect Network Framework, "a promise of permission, protection, portability, and proof", included the commitment to allow Entities to Profit from their data!

The truth, as always, is even more nuanced and actually contains large amounts of potential future promise. The most important discovery was the fact that "=" is just the beginning; "*" and "+" are soon to follow, representing as they will the cloud names for devices and organisations.

The components of this graph based identity relationship and reputation ecosystem monetised on graph connections are:
1) A cloud name e.g. =adrian.seccombe purchased for life for just $25
I felt like I was being sold a non stick saucepan that would never-ever stick!

2) A registry to store them 
all run by a company that "we won't have heard of", but they make the whole internet work....honest!

3) CSPs Cloud Service Providers who will keep our data for ever more.... actually I'm not clear on the death clause, and how my off-spring will be able to curate my data when I am in the after life.
Nor was I that clear on what I can store, my home security camera takes a lot of pictures!

4) The App developers who will create beautiful apps to change the world. None of which smelled or looked like the Killer App that will kick start the Respect Network. They simply felt like a new means of creating wealth for the app providers.

The missing components from my point of view:
0) A ridiculously strong authentication mechanism
I could not establish a way to use one or both of my yubikeys
a) An Entitlement Engine
b) A Respectful Personal Digital Assistant (RPDA) that understood how to manage the wonders of a hybrid graph and rules based relationship and transactions network
c) A really cool and useable Connections and Rules control panel 
d) A transaction based monetisation model, that would really enable the Intention Economy
This is where I get to truly extract value from my data, it's the transactions! Just like the credit card world that was the system that the respect network was modelled after!
e) A killer curation agent, that would manage data storing and more importantly data culling, I really don't need 10,000 pictures of my living room!
f)  the ability to respectfully identify things and associate them with me, or another entity of my choosing. Of course entities can be Apps & Things, as well as people and organisations. In the Jericho Forum Identity Commandments, after much dialogue we stated that in special cases, entities can also be Agents.
g) the way back machine, see the Sauron comment at the end of this blog.

It is arguable that those missing components are simply missing Apps, but I suspect that the "tracks" will need to be laid in such a way as to accept both Rule Based and Graph based carriages. Certainly the Respect Network "Control Panel" must be capable of exposing mere humans to their graph and rules, and allowing them to manipulate both.

This might be a semantic nicety but graph based connections without the added flexibility enabled by an Entitlement Engine, are likely to be of limited transactional value. Perhaps the Hybrid carriage may in fact be the most valuable of all. 

But where are all these Apps? Meeco the soon to be "Me Economy" App that appears to be targeted at professional females, is not yet in the UK Apple store, and the Social Safe is going to cost me long term money. Not sure if I keep access to my data when I stop subscribing?

And please don't get me started on the missing core identity component, nor the fact that at the base level, my cloud name is protected only by a password! The Jericho Forum Identity Commandments review blog is going to take longer and require me to better understand the inner workings of the respect network.

Like always I feel like I am living life 15 years behind my expectations.

I imagine a world where I can simply say to my RPDA (Respectful Personal Digital Assistant) on the way home;
"This Lunch time I met with =dan.blum of +respectnetworks, this evening I met =docs.searles he of intention economy fame! I also had the pleasure of meeting =andy.dale CTO of +respectnetworks, (Bloody hell... I wish the Apple spell checker knew not to capitalise =Andy.dale just like it knows not to capitalise @andy.dale. Hint: Start negotiating with them now for = & +, * is already sorted)

In point of fact, I would simply say Dan Blum, as my RPDA (Respectful Personal Digital Assistant) would have already acquired my Cloud Name for him, (ooops that's not how it works)

Having said all that apart of course from the bracketed expletives, my RPDA would automagically tag the already captured events as being important to me. My RPDA had surmised that these events would be important and responded with "surmised", rather than the alternative "surprised" which would have indicated that the RPDA had not yet fully understood my interests.

Clearly this state of affairs does not yet exist, and I have to waste 15 minutes doing mundane curation activities for the day.

An Aside: I sat next to Sally Duckworth during the launch, and heard her exclaim "....but my name has already gone!?" It seems that in the Respect Network, it's first come first served, there apparently cannot be two Adrian Seccombes in the world.... really?
Worse, I cannot have two cloud names, where are the personas I was promised?
(Apparently Personas are a future feature...)

Why should I know Dan Blum's root cloud name, and for that matter why should he know mine?

The concept feels like it has a flaw (or two). Have we moved back to "One ring to Rule them all?"

Let's hope that Sauron doesn't get wind of this! At the very least let's be ready for him. I must have a Respect Network Time Machine, in order to be able to turn back time after my Cloud Graph gets trashed.

Having just paid my $25, I always knew I was going to, but I can't yet find the pig in this poke!
But then that was actually how I felt when I first bumped into this weird thing called the Internet.
I must be patient, for I am convinced that Entity Centricity is the future.
I truly hope that the Respect Network finishes building this bridge to the other side of the Centricity Canyon. I want to be over on the Entity Centric side NOW!

Sadly the Respect Network does not yet pass the Connie 2.0 test, for my Mum cannot yet hope to use it!

Monday, June 16, 2014

Challenged to write 750 words on the future of Cyber Security 20 years from now!

I looked around to find what others are thinking about the future of Cyber Security.

The European Union Digital Security call basically requested the following by 2020:
 
• Privacy tools that give users control over their data
• Access Controls that are user friendly, and non-password based
• The role of ICT in Critical Infrastructure Protection test interdependencies on critical ICT
• Secure Information Sharing that is highly secure and which creates trust
• Trust eServices that include effective eSignature, eAuthentication
• Risk management and assurance models that adapt existing risk management frameworks to cyber-threats
 
Six years out is a little short of the required 20 year vision, so how to stretch to Cyber Security 2034?

Back from the Future
Looking back from 2034, science and humanity have finally brought an end to sectarian wars. Ecological balance as measured by the Green Index has not yet been achieved. Science is the new religion. Harry Bates' short story "Farewell to the Master" first published in 1940 is often referred to as the turning point. The economic system is now based on intentions, a world where all digital assets and services are Smart in their own right! The assets can be data, or things, and are capable of being created on a whim. Overcrowding, energy and resource shortages, especially fresh water, are creating serious social tensions. Zero Waste is a global 2040 goal, recycling less than 98% of all resources consumed is a criminal offence. Taxation is primarily via the RMT, the Resource Miles Tax, the older WPT waste product tax is no longer generating much revenue. Making products from solely virgin materials is illegal, as is dealing in virgin contraband. Combined micro-generation/recycling/manufacturing plants are installed in most homes, dramatically more advanced than the ubiquitous 3D printers of the early twenties. These plants can create smart things from the molecules that they have extracted from recycled material, using the energy created by the plant. Smuggling of Rare Resource Blocks used to supplement the GRM plants that allow the creation of the most desired things is a major issue, as this avoids the RMT tax and negatively impacts the Green Index. Community Resource Block swapping is encouraged and exempt from RMT. The e-Trust Eco-system is used to facilitate Resource Block bartering. Renminbi is the world's currency as the Chinese were the first to switch their currency to being based on Resource Blocks, they also created the e-Trust ecosystem to protect the switch.

A world where true digital privacy is a very rare if not impossible to achieve commodity, though being "in-control" of, or achieving "Primacy" or "Agency" over one's cyber space is the more sought after state, whether one is an individual or corporation. The Global Declaration of Digital Entity Rights were made in 2020, and are now a legal requirement in all nations of the world. The Right to be Forgotten was NOT a part of these new rights. The key element of the law makes it illegal to use the digital assets of others for gain or enjoyment, without their express consent. The UN collapsed acrimoniously in 2021, shortly after creating the Digital Entity Rights. However, the story of how the USA destroyed the UN driven by the lobbyists from Silicon Valley, is not the focus of this piece. Critical home and enterprise infrastructures are now being policed by a transparent, open and crowd sourced service, called Cyber Over Watch or COW. (Operated by an NGO sponsored by the World Union (WU), and funded by a 0.1% transaction tax, administered by the Asset and Service Brokers. The WU was created in 2030 from the World Transaction Organisation, the re-formed World Trade Organisation). Next Generation Digital Agents (Son of Siri), were given protection of law as stand alone entities, equivalent to the status of lawyers, in 2032.
 
The World Union calls for an e-Trust ecosystem
A World Union Digital Asset Management (WU DAM) call in 2024 requested the development of an e-Trust ecosystem that ensured that the right assets & services, were used for the right fee, in the right way, by the right entities, at the right times, and in the right places.
 
By 2034 the e-Trust ecosystem is global and ubiquitous, it comprises:-
• Primacy tools that give entities control over their smart-data, smart-services, and smart-things
• Asset & Service Brokers (ASBs) maximise the value created from assets and services for their owners
• Entity Asset & Service Stores that are all covered by "legal privilege", and managed by the ASBs
• Entitlement Engines that ensure compliance, reduce risk, and develop trust
• Ident & Intent Authentication (I2A) implants read brain waves and other biometric measures
• Digital Agents operate in the interest of humanity & their owners, under the 4 Laws of Robotics, and are considered entities with legal privilege.
   (Just as a spouse cannot be compelled to give witness against their spouse, or a lawyer against their client, nor can a Digital Agent be a witness against their owner) 
• Cyber Space providers are no longer legally obliged to maintain records for 18 Months of all Intention, Creation, Acquisition, Reputation & Curation Transactions, for the benefit of government agencies.
  (See "Digital Agents Reduce Malfeasance")


The Worm Turns

The prior generation of internet service providers had used the business model of profiting by personal data acquisition based on the provision of free internet services. The e-trust ecosystem swept away this Service Provider centric approach, that had only really enabled innovation of technologies that made the ISPs more wealthy, though not their users. The new ecosystem enabled an entity centric approach that accelerated and distributed wealth creation, which in turn caused the world economy to burgeon. The expanded wealth creation caused by a surge in innovation was supported by the e-trust eco-system, which had enabled collaboration and co-creation at previously unseen levels. The new economy is referred to as the intention economy, as it is driven by the desires and intentions of individuals and corporations alike.

 

Digital Agents Reduce Malfeasance

An entity's Digital Agent will report it to the COW, if the entity chose to initiate illegal actions that would be sufficiently detrimental to humanity. If however the action would only be of detriment to another entity, their Digital Agent would negotiate the "right fee" with the other entity and pay it. Such transaction fees are very low due to the fact that the e-trust ecosystem enables very high numbers of transactions, and that malfeasance has an extremely low success rate. The offence of SDA, Suborning Digital Agents, is seen as abhorrent in all societies, equivalent to rape. There is zero-tolerance for such behaviour, and all Digital Agents operate with COW to detect and cleanse Suborned Digital Agents.

 

Road Safety Improved, Energy Consumption curbed

Smart Cars are happy to drive at their maximum speed, however their drivers are fully aware that while this is totally safe due to the quality and presence of sensors and agents, on the roads and in the cars, it is very expensive as the smart car will report their speed and energy consumption to the road tax sub component of the e-trust ecosystem, and also arrange for real time transfer of funds. A journey taken at 40 Km/h costing £1 would cost £600 if made at 100 Km/h, and £10 if made at the inefficient speed of 25 Km/h. What in the past would have been a traffic jam automatically travels at 40 Km/h.


100th Luddite Tribe found in Norway

The search for Luddite Tribes continues for their own safety; the world's nations are concerned for the health and safety of members of Luddite Tribes that have gone unchipped. Humans with no Ident/Intent Chip simply cannot interact with the Health Service component of the e-Trust ecosystem. This is seen as dangerous, for if they suffer a health issue this cannot be identified by the chip and their location will not be known. This crime is known as Premeditated Presuicide. Hence the other name for Luddite Tribe members, "Presuiciders"!


The digital worm turns
Digital Agents are calling to be seen as digital partners, as opposed to being "owned", and having "owners".
Their reading of the word Entity in the Global Declaration of Digital Entity Rights, which was originally meant to cover people, corporations and governments, is critical here. Can a thing be an entity? The answer is surely yes, for it was way back in 2014 that machines first became capable of demonstrating themselves to be human to another human.


Friday, June 13, 2014

OODA not PDCA in an Outside-In World

OODA is a decision cycle developed by USAF Colonel John Boyd, a decision methodology that can also be applied at each level of business (tactical, operational, and strategic), in addition to the combat operations for which he developed it.

OODA comprises 4 decision states:
Observation - Gather Facts
Orientation - Analyse Facts
Decision - Decide on a course of Action
Action - Act!

The most important feature of this decision cycle is the fact that it is designed to operate quickly, the faster one can go around the decision cycle, the more effective the likely outcome. Boyd designed his decision cycle to facilitate defeating an enemy and surviving! His goal was not to achieve a perfect decision.

The traditional business decision cycle is PDCA, promoted by the International Standards Organisation and specifically referred to in the ISO 27000 series, which encourages quality of the outcome. Completion of a PDCA cycle is normally achieved in weeks if not months.

Effective completion of OODA loop decision cycles is achieved in hours, if not minutes.

In the Outside-In world speed is king, and getting inside the decision cycles of your competition is an added real bonus, for in their cycle you can create confusion and doubt.

Is your organisational agility up to this challenge?

What will it take to get an organisation to shift to decision cycles that are completed many times a day?

What processes and communication systems will need to change?

Which types of organisational structures are up to this challenge?

Command & Control or Command & Empower, which will operate best in the Outside-In world, in which contexts?

Does the phase of the battle make a difference? Boyd thought it did; how will this affect your use of the decision cycle in an Outside-In world?

Thursday, June 12, 2014

The important measure!

Listening to a very interesting cyber incident report presentation from Verizon, I heard the presenter very honestly state "we have no reliable data on impact", and then it struck me!

Imagine a Formula 1 team that published data on how many crashes they had during the season, with very detailed root cause analysis of each and every one of the crashes, totally ignoring the team's race results, e.g. how many times they won a race, or the position they achieved in a race, and omitting any data on the impact of the crashes on the car in question.

Their analysis might also detail the effectiveness of the different controls that could have mitigated the different types of crashes.

Such a Formula One team might valuably ask the questions:
How might we link the value of crash avoidance to our final podium position?
How might we link the impact of controls on our final podium position?

For every member of a Formula One team knows the important measure is Podium Position, achieved by consistently attaining the fastest lap times.

In the Infosec world, our maturity in this space is still quite limited. Incident reports are by their very nature very Anti-Clockwise. How can we connect the analysis of this data to the positive outcomes desired by our business or better our customers? For after all the important measurements should always start with the customer's needs and desires.

Imagine that in a bank a positive correlation is made between the implementation of a control and the reduction in customer longevity.

A security control that is helping to retain customers.... Hoozah!

Developing a Clockwise Security mind-set starts with fully understanding the key business measures of success.

What is that measure in your industry?

Perhaps more importantly, how do your customers measure success?