Tuesday, June 24, 2014

Respect Network is Launched

So yesterday at lunch, I asked Dan Blum, the Security guru associated with the Respect Network,  to be launched in the City of London that evening, "What exactly will the Respect Network respect?"

His response was, I thought at the time, a perfect one. He jumped my clumsy "We will respect your Privacy" trap with consummate ease and stated confidently; 
"We will respect your right to control your data."

A wide ranging discussion, that included the promise of pseudonymous personas ensued.

I planned straight away to sign up for =adrian.seccombe , my soon to be forever cloud name. As well as =adrius42 my gaming persona. It was only after hearing the detail at the launch that I heard the clever and nuanced twists.

Drummond Reed the founder of the Respect Network described to us the switch opportunity, we are allowing you to move from the current world of providers that grab your data to monetise it on their behalf, to a world where you can control the use of your data. He proudly stated; "We are laying tracks." He neglected to clearly articulate that the current providers delivered a usable service with engines and carriages, and indeed semi-useable, if not at all respectful, data control panels. Whereas the Respect Network has, as yet, little to show in this space.

I felt having been told that there was a bridge that could cross the great divide from Enterprise Centricity to Entity Centricity that I was tricked, after discovering it was only currently built half way across. Then I realised that unlike the tower bridge, next to the launch site at the City Hall, was that this as yet unfinished bridge will not accept mere individuals on foot. I could find no useable UI's. One must travel in carriages, the Apps?, and as yet there are none to speak of! The all important monetisation of my data, may also apparently blocked by the incessant promise of "We will never sell your data!" But what if we want you to, but as our broker? I wish the 5P's the principles of the Respect Network Framework "a promise of permission, protection, portability, and proof" included the commitment to allow Entities to Profit from their data!

The truth, as always is even more nuanced and actually contains large amounts of potential future promise. The most important discovery was the fact that "=" is just the beginning "*" and "+" are soon to follow! representing as they will the cloud names for devices and organisations.

The components of this graph based identity relationship and reputation ecosystem monetised on graph connections are:
1) A cloud name e.g.=adrian.seccombe purchased for life for just $25
I felt like I was being sold a non stick saucepan that would never-ever stick!

2) A registry to store them 
all run by a company that "we won't have heard of", but they make the whole internet work....honest!

3) CSPs Cloud Service Providers who will keep our data for ever more.... actually I'm not clear on the death clause, and how my off-spring will be able to curate my data when I am in the after life.
Nor was I that clear on what I can store, my home security camera takes a lot of pictures!

4) The App developers who will create beautiful apps to change the world. None of which smelled or looked like the Killer App that will kick start the Respect Network. They simply felt like a new means of creating wealth for the app providers.

The missing components from my point of view:
0) A ridiculously strong authentication mechanism
I could not establish a way to use one or both of my yubikeys
a) An Entitlement Engine
b) A Respectful Personal Digital Assistant (RPDA) that understood how to manage the wonders of a hybrid graph and rules based relationship and transactions network
c) A really cool and useable Connections and Rules control panel 
d) A transaction based monetisation model, that would really enable the Intention Economy
This where I get to truly extract value from my data, it's the transactions! Just like the credit card world that was the system that the respect network was modelled after!
e) A killer curation agent, that would manage data storing and more importantly data culling, I really don't need 10,000 pictures of my living room!
f)  the ability to respectfully identify things and associate them with me, or another entity of my choosing. Of course entities can be Apps & Things, as well as people and organisations. In the Jericho Forum Identity Commandments, after much dialogue we stated that in special cases, entities can also be Agents.
g) the way back machine, see the Sauron comment at the end of this blog.

It is arguable that those missing components are simply missing Apps, but I suspect that the "tracks" will need to be laid in such a way as to accept both Rule Based and Graph based carriages. Certainly the Respect Network "Control Panel" must be capable of exposing mere humans to their graph and rules, and allowing them to manipulate both.

This might be a semantic nicety but graph based connections without the added flexibility enabled by an Entitlement Engine, are likely to be of limited transactional value. Perhaps the Hybrid carriage may in fact be the most valuable of all. 

But where are all these Apps? Meeco the soon to be "Me Economy" App that appears to be targeted at professional females, is not yet in the UK Apple store, and the Social Safe is going to cost me long term money. Not sure if I keep access to my data when I stop subscribing?

And please don't get me started on the missing core identity component, nor the fact that at the base level, my cloud name is protected only be a password! The Jericho Forum Identity Commandments review blog is going to take longer and require me to better understand the inner workings of the respect network.

Like always I feel like I am living life 15 years behind my expectations.

I imagine a world where I can simply say to my RPDA (Respectful Personal Digital Assitant) on the way home;
"This Lunch time I met with =dan.blum of +respectnetworks, this evening I met =docs.searles he of intention economy fame! I also had the pleasure of meeting =andy.dale CTO of +respectnetworks,(Bloody hell... I wish the Apple spell checker knew not to capitalise =Andy.dale just like it knows not to capitalise @andy.dale.  Hint: Start negotiating with them now for = & +, * is already sorted)

In point of fact, I would simply say Dan Blum, as my RPDA (Respectful Personal Digital Assitant) would have already acquired my Cloud Name for him, (ooops that's not how it works)

Having said all that apart of course from the bracketed expletives, my RPDA would automagically tag the already captured events as being important to me. My RPDA had surmised that these events would be important and responded with "surmised", rather than the alternative "surprised" which would have indicated that the RPDA had not yet fully understood my interests.

Clearly this state of affairs does not yet exist, and I have to waste 15 minutes doing mundane curation activities for the day.

An Aside: I sat next to Sally Duckworth during the launch, and heard her exclaim "....but my name has already gone!?" it seems that in the Respect Network, it's first come first served, there apparently cannot be two Adrian Seccombe's in the world.... really?
Worse, I cannot have two cloud names, where are the personas I was promised?
(Apparently Persona's are a future feature...)

Why should I know Dan Blum's root cloud name, and for that matter why should he know mine?

The concept feels like it has a flaw (or two). Have we moved back to "One ring to Rule them all?"

Let's hope that Sauron doesn't get wind of this! At the very least let's be ready for him. I must have a Respect Network Time Machine. In order to be able to turn back time after my Cloud Graph gets trashed.

Having just paid my $25, I always knew I was going to, but I can't yet find the pig in this poke!
But then that was actually how I felt when I first bumped into this weird thing called the Internet.
I must be patient, for I am convinced that Entity Centricity is the future.
I truly hope that the Respect Network finishes building this bridge to the other side of the Centricity Canyon. I want to be over on the Entity Centric side NOW!

Sadly the Respect Network does not yet pass the Connie 2.0 test, for my Mum cannot yet hope to use it!

Monday, June 16, 2014

Challenged to write 750 words on the future of Cyber Security 20 years from now!

I looked around to find what others are thinking about the future of Cyber Security.

The European Union Digital Security call basically requested the following by 2020:
 
• Privacy tools that give users control over their data
• Access Controls that are user friendly, and non-password based
• The role of ICT in Critical Infrastructure Protection test interdependencies on critical ICT
• Secure Information Sharing that is highly secure and which creates trust
• Trust eServices that include effective eSignature, eAuthentication
• Risk management and assurance models that adapt existing risk management frameworks to cyber-threats
 
Six years out is a little short of the required 20 year vision, so how to stretch to Cyber Security 2034?

Back from the Future
Looking back from 2034, science and humanity have finally brought an end to sectarian wars. Ecological balance as measured by the Green Index has not yet been achieved. Science is the new religion. Harry Bates' short story "Farewell to the Master" first published in 1940 is often referred to as the turning point. The economic system is now based on intentions, a world where all digital assets and services are Smart in their own right! The assets, can be data, or things and are capable of being created on a whim. Over crowding, energy and resource shortages, especially fresh water are creating serious social tensions. Zero Waste is a global 2040 goal, recycling less than 98% of all resources consumed is a criminal offence. Taxation is primarily via the RMT, the Resource Miles Tax, the older WPT waste product tax is no longer generating much revenue.  Making products from solely virgin materials is illegal, as is dealing in virgin contraband. Combined micro-generation/recycling/manufacturing plants are installed in most homes, dramatically more advanced than the ubiquitous 3D printers of the early twenties. These plants can create smart things from the molecules that they have extracted from recycled material, using the energy created by the plant. Smuggling of Rare Resource Blocks used to supplement the GRM plants that allow the creation of the most desired things, is a major issue. As this avoids the RMT tax and negatively impacts the Green Index. Community Resource Block swapping is encouraged and exempt from RMT. The e-Trust Eco-system is used to facilitate Resource Block bartering. Renmimbi is the world's currency as the Chinese were the first to switch their currency to being based on Resource Blocks, they also created the e-Trust ecosystem to protect the switch.

 A world where true digital privacy is a very rare if not impossible to achieve commodity, though being "in-control" of, or achieving "Primacy" or "Agency" over one's cyber space is the more sort after state, whether one is an individual or corporation. The Global Declaration of Digital Entity Rights were made in 2020, and are now a legal requirement in all nations of the world. The Right to be Forgotten was NOT a part of these new rights. The key element of the law makes it illegal to use the digital assets of others for gain or enjoyment, without their express consent.  The UN collapsed acrimonously in 2021, shortly after creating the Digital Entity Rights. However, the story of how the USA destroyed the UN driven by the lobbyists from Silicon Valley, is not the focus of this piece. Critical home and enterprise infrastructures are now being policed by a transparent, open and crowd sourced service, called Cyber Over Watch or COW. (Operated by an NGO sponsored by the World Union (WU), and funded by a 0.1% transaction tax, administered by the Asset and Service Brokers. The WU was created in 2030 from the World Transaction Organisation, the re-formed World Trade Organisation). Next Generation Digital Agents (Son of Siri), were given protection of law as stand alone entities, equivalent to the status of lawyers, in 2032.
 
The World Union calls for an e-Trust ecosystem
A World Union Digital Asset Management (WU DAM) call in 2024 requested the development of an e-Trust ecosystem that ensured that the right assets & services, were used for the right fee, in the right way, by the right entities, at the right times, and in the right places.
 
By 2034 the e-Trust ecosystem is global and ubiquitous, it comprises:-
• Primacy tools that give entities control over their smart-data. smart-services, and smart-things
• Asset & Service Brokers (ASBs) maximise the value created from assets and services for their owners
• Entity Asset & Service Stores that are all covered by "legal privilege", and managed by the ASB's
• Entitlement Engines that ensure compliance, reduce risk, and develop trust
• Ident & Intent Authentication (I2A) implants read brain waves and other biometric measures
• Digital Agents operate in the interest of humanity & their owners, under the 4 Laws of Robotics, and are considered entities with legal privilege.
   (Just as a spouse cannot be compelled to give witness against their spouse, or a lawyer against their client, nor can a Digital Agent be a witness against their owner) 
• Cyber Space providers are no longer legally obliged to maintain records for 18 Months of all Intention, Creation, Acquisition, Reputation & Curation Transactions, for the benefit of government agencies.
  (See "Digital Agents Reduce Malfeasance”   )


The Worm Turns

The prior generation of internet service providers, had used the business model of profiting by personal data acquisition based on the provision of free internet services. The e-trust ecosystem swept away this Service Provider centric approach, that had only really enabled innovation of technologies that made the ISP's more wealthy, though not their users. The new ecosystem enabled an entity centric approach that accelerated and distributed wealth creation, which in turn caused the world economy to burgeon. The expanded wealth creation caused by a surge in innovation was supported by the e-trust eco-system, which had enabled collaboration and co-creation at previously unseen levels. The new economy is referred to as the intention economy, as it is driven by the desires and intentions of individuals and corporations alike.

 

Digital Agents Reduce Malfeasance

An entities Digital Agent will report it to the COW, if the entity chose to initiate illegal actions that would be sufficiently detrimental to humanity. If however the action would only be of detriment to another entity, their Digital Agent would negotiate the “right fee" with the other entity and pay it. Such transaction fees are very low due to the fact that the e-trust ecosystem enables very high numbers of transactions, and that malfeasance has an extremely low success rate. The offence of SDA Subborning Digital Agents is seen as abhorrent in all societies, equivalent to rape. There is zero-tolerance for such behaviour, and all Digital Agents operate with COW to detect and cleanse Subborned Digital Agents.

 

Road Safety Improved, Energy Consumption curbed

Smart Cars are happy to drive at their maximum speed, however their drivers are fully aware that while this is totally safe due to the quality and presence of sensors and agents, on the roads and in the cars. it is very expensive as the smart car will report their speed and energy consumption to the road tax sub component of the e-trust ecosystem, and also arrange for real time transfer of funds. A journey taken at 40 Km/h costing £1 would cost £600 if made at 100 Km/h, and £10 if made at the inefficient speed of 25 Km/h. What in the past would have been a traffic jam automatically travels at 40 Km/h.


100th Luddite Tribe found in Norway

The search for Luddite Tribes continues for their own safety, the worlds nations are concerned for the health and safety of members of Luddite Tribes that have gone unchipped. Humans with no Ident/Intent Chip simply cannot interact with the Health Service component of the e-Trust ecosystem. This is seen as dangerous for if they suffer a health issue this cannot be identified by the chip and their location will not be known. This crime is known as Premeditated Presuicide. Hence the other name for Luddite Tribe members “Presuiciders"!


The digital worm turns
Digital Agents are calling to be seen as digital partners, as opposed to being “owned", and having “owners".
Their reading of the word Entity in the Global Declaration of Digital Entity Rights, which was original meant to cover people, corporations and governments
is critical here.  Can a thing be an entity? The answer is surely yes, for it was way back in 2014 that machines first became capable of demonstrating themselves to be human to another human.


Friday, June 13, 2014

OODA not PDCA in an Outside-In World

OODA is a decision cycle developed by USAF Colonel John Boyd, a decision methodology that can also be applied at each level of business tactical, operational, and strategic, in addition to the combat operations for which he developed it.

OODA comprises of 4 decision states;
Observation - Gather Facts
Orientation - Analyse Facts
Decision - Decide on a course of Action
Action - Act!

The most important feature of this decision cycle is the fact that it is designed to operate quickly, the faster one can go around the decision cycle, the more effective the likely outcome. Boyd designed his decision cycle to facilitate defeating an enemy and surviving! His goal was not to achieve a perfect decision.

The traditional business decision cycle PDCA, promoted by the International Standards Organisation and specifically referred to in the ISO 27000 series, and which encourages quality of the outcome. Completion of a PDCA cycles is normally achieved in weeks if not months.

Effective completion of OODA loops decision cycles are achieved in hours, if not minutes.

In the Outside-In world speed is king, and getting inside the decision cycles of your competition is an added real bonus, for in their cycle you can create confusion and doubt.

Is your organisational agility up to this challenge?

What will it take to get an organisation to shift to decision cycles that are completed many times a day?

What processes and communication systems will need to change.

Which types of organisational structures are up to this challenge?

Command & Control or Command & Empower, which will operate best in the Outside-In world, in which contexts?

Does the phase of the battle make a difference? Boyd thought it did, how will this effect your use of the decision cycle in an Outside-In world?

Thursday, June 12, 2014

The important measure!

Listening to a very interesting cyber incident report presentation from Verizon, I heard the presenter very honestly state "we have no reliable data on impact", and then it struck me!

Imagine that a Formula 1 team that published data on how many crashes they had during the season, with very detailed root cause analysis of each and every one of the crashes; totally ignoring the teams race results, e.g. how many times they won a race, or the position they achieved in a race.
Omitting any data on the impact of the crashes on the car in question.

Their analysis might also detail the effectiveness of the different controls that could have mitigated the different types of crashes.

Such a Formula One team might valuably ask the questions:
How might we link the value of crash avoidance to our final podium position?
How might we link the impact of controls on our final podium position?

For every member of a Formula One team knows the important measure is Podium Position, achieved by consistently attaining the fastest lap times.

In the Infosec world, our maturity in this space is still quite limited. Incident reports are by their very nature very Anti-Clockwise. How can we connect the analysis of this data to the positive outcomes desired by our business or better our customers? For after all the important measurements should always start with the customer's needs and desires.

Imagine that in a bank a positive correlation is made between the implementation of a control and the reduction in customer longevity.

A security control that is helping to retain customers.... Hoozah!

Developing a Clockwise Security mind-set starts with fully understanding the key business measures of success.

What is that measure in your industry?

Perhaps more importantly how do you customers measure success?






Friday, June 06, 2014

Why are we all doing Anti-Clockwise security?

At the SC Congress in London today I bumped into Allan Boardman of ISACA, and I talked to him about the fact that security professionals in the main think Anti-Clockwise. Which simply put, means we think first about stopping bad things from happening. Clockwise security on the other hand puts the premium on thinking first about ensuring that good things happen, and then minimising the negative effect of bad things.

I argued that CobIT in my analysis was primarily an Anti-Clockwise tool. I had hoped the ValIT was going to point the way to a more Clockwise approach from ISACA. Sadly it did not live up to my hopes.

Allan heard my analysis as an attack on the Infosec community as a whole and accused me of being disingenuous, and argued that most security professionals did in fact think of the business first. We explored my contention that if that were the case CobIT would have been subsumed into ValIT, rather than the actual case of ValIT being lost into CobIT version 5. The C in CoBIT does after all stand for Control.

As another carrot, I also believe that if we acted as true enablers, more of us would have a seat at the big table!

The day at the London SC Congress did nothing to dissuade me that we think primarily Anti-Clockwise, and worse Anti-clockwise with a technology and tool bias.. We talked mostly of identifying threats, we never talked about securing opportunities. We talked often of Controls. Basically our language all day was Anti-Clockwise. In fact I suspect, hopefully not disingenuously, that as Security professionals we do not know how to think and talk in a Clockwise manner.

Traditionally we think in the order incidents, threats, controls, risk, compliance, and only on very few occasions do we move onto Value, Need, and Positive Outcomes.

Our Formula One colleagues may have hit upon an important discovery. Which may help us to learn clockwise thinking. KERS is a hybrid control/enabler, it has a dual function, it serves both as a means of deceleration, as well as a means of acceleration.

Early Formula One engineers proudly stated that they put great brakes in racing cars so that they could go faster. This was pseudo-Clockwise thinking, or Anti-Clockwise thinking in sheep's clothing! If we go too fast we will crash (threat),  control = Great Brakes, Risk of not slowing down fast enough reduced, and we did it while complying to F1 rules.

(Aside: Let us not fall into the trap of becoming locked into Pseudo-Clockwise thinking.)

Then along came a Clockwise F1 Thinker; we want to win more races (Outcome), so we Need something to make us go faster, where can we get the energy from ? 
What about storing up the braking energy? Let's rewrite the F1 rules (Compliance). 
What are the risks? Fire Hazard, May not decelerate sufficiently. Let's design those risks out...
KERS designed. a control that is also an enabler.
Threat of crashing into corners reduced, in fact many F1 drivers are learning to approach corners faster, as that way they can store up more energy!
Incidents: few Laptimes: Faster

How can we become Clockwise Thinkers, what opportunities await us?

Can you create a control that can also be an enabler?

How should ISACA evolve CobIT? Perhaps the first thing to do is actually call it ValIT.

Let's put Value Creation as job #1 and value protection as job #2.

I find it very hard to think Clockwise. after many years of being encouraged to stop bad things from happening and berated when they do, it was and still is difficult to think first of Outcome.
My break through came when I learned that in the Pharma industry, getting the health outcome to the patient safely and quickly was the key economic drivers, the cost of a delay was $150 per second. All other considerations pale into insignificance. Many of our controls were burning time. I started looking to take out disabling controls and accelerate time, then along came the Cloud, a great place to think clockwise!

How many Hybrid Infosec Tools are you aware of?  ...I don't mean brakes that allows us to drive faster, I mean brakes that MAKE us go faster!

Imagine if you were involved in developing a process, tool or service that created as many opportunities as it reduced threats? What would it look like?

What Outcomes do your Customers value? How can you help meet their needs?

Then maybe we could start talking of the 8 Information Criteria. 

Information Value being the most important criteria of all.

I agree Allan it is obvious, but if we do not state it, we often do not strive for it.

As we agreed, the reason for the existance of any organisation is to create value for it's stakeholders.

But please don't get me wrong! An even greater sin than Anti-Clockwise thinking, is solely thinking about Value. A rather negative experience that I had was in the IoT session at this years SC Cogress. We talked of Smart Things that were not secure! Given the very effective lesson we had learnt over lunch about Smart Phones not being as Smart as we think; it is key that we complete all of the Clockwise Security cycle

Outcome
Need 
Value Created(data, thing or service)
------ we mustn't stop here ....
Compliance
Risk
Control, or even better Hybrid Control/Enabler
Threats reduced, and in the case of Hybrid Control Value increased
Value Protected

Finally, as with all things in life, the truth is a balance, for right in the middle of an attack the last thing I would argue for is Clockwise thinking, I believe we then have to very quickly revert to Anti-Clockwise thinking, clearly we shouldn't only use Clockwise Security, or Anti-Clockwise Security.




Sunday, June 01, 2014

On Learning and Cyber Agency

Learning as we all know has four states.

1) Unconscious Unconsciousness
     Key learning step: Awareness
2) Conscious Unconsciousness
     Key learning step: Education
3) Conscious Consciousness
     Key learning step: Practise or Automation
4) Unconsciousness Consciousness

or in plain English

1) Not knowing you don't know
2) Knowing you don't know
3) Knowing you Know
4) Not Knowing you Know

These four states can be applied to our ability to attain Cyber Agency, in this context I define Cyber Agency to be the degree of control that an entity has over all the elements of Cyber Space that they interact with, be they; Data, Things or Services.

Current State: We do not know that we are not in control of our Cyber Space
                      (ie We do not know that we do not have Cyber Agency)
In the world of Cyber Agency the vast majority of the planet's inhabitants are in the first state, and apparently either have little interest in accepting that there is anything in this area that they need to know, or, sadly for some, have no access to cyber space, thus have nothing to be concerned about; for one cannot have control over something one cannot access!

The first step to the next state is likely to be the hardest, for the incumbent service providers are doing all in their power to keep as satisfied with the status quo. They want to suppress Awareness of the importance and value of our being in control.

Here perhaps, the Privacy Advocates are doing us all a dis-service by distracting us from the real issue.
Author shivers and SCREAMS to himself: "IT'S NOT ALL ABOUT PRIVACY!" But sadly the politicians, (at least in Europe) are enamoured with the idea of giving us all the "Right to be Forgotten!"
(I wonder who this right is really aimed at!) Apologies to Ms Neelie Kroes, but I did try and tell you!


Next State: We know that we are not in control our Cyber Space
                    (ie We do know that we do not have Cyber Agency)
This an equally dangerous state, for if individuals do not develop a clear desire to "be in control" of their Cyber Space, they may get used to not being in control, and the clever play from the incumbent providers will be the "give us (difficult to use) controls" that we do not wish to, or cannot, use! To be clear, having a desire to "have control" is NOT enough, the desire should be developed for individuals to "be in control"


Who has the responsibility or the motivation to educate 
the world's citizens on the importance of Cyber Agency?


The Important State: We know that we can, and should control our Cyber Space
          (ie We are working hard to achieve Cyber Agency) 
This state is probably the most transient and sadly once the average individual understands how much effort it is going to take to achieve and maintain control with current tools and services, they well revert rapidly back to state 2... "Cyber Agency is hard! Who needs it!"



"How to get individuals to the next state?" without them freaking out, will be the most important question to answer. There is likely to be tool and service requirements here...

  • Better information; How in control am I? 
  • Better and easier to use controls; How easy is it to "be in control"?

 Target State: Being "in control" of our Cyber Space, with little or no conscious effort.

With the appropriate training and capabilities we can all gain Cyber Agency.
Automation is likely to be key.

e-Trust will be foundational

Cyber Agents that act on our behalf to help us maintain control of our personal Cyber Agency will be common place.

Who will provide them, and how will we be able to trust them?





Downsides of not having Cyber Agency, or not being in control of your cyber space
  1. You will not know what data you have
  2. You will not know the import or value of your data
  3. You will not know the value or capability of your things
  4. You will not now the limitations of your things
  5. You will not know when others are controlling your things 
  6. You will not know when others are using your data
  7. Others will be making money out of your data
  8. You are likely to lose access to data that is important to you
  9. You are likely to keep too much rubbish data

Upsides of having Cyber Agency, or being in control of your cyber space
  1. You will know what data you have
  2. You will know the import and value of your data
  3. You will know the value and capability of your things
  4. You will now the limitations of your things
  5. You will be able to control who controls or uses your things 
  6. You will be able to control who uses your data 
  7. You will be making money out of your data 
  8. You will have access to data that is important to you
  9. You will have curated your data, keeping only that with value.


Sadly I fear that apathy will be the largest response, and it will quickly be too late! 
For when we have given up all our Cyber Agency, we will not easily get it back! 

As the following scene from Matrix shows:-

Remember: Having Control is NOT the same as Being In Control!


There is no spoon!