Biometrics

...now browsing by tag

 
 

Privacy to PreCrime

Thursday, July 9th, 2009

 

When the NSA assumed control of the Cyber Command, it stirred up many privacy concerns. As most know they have been intercepting domestic communications for some time While some people are worried about their phone and email conversations being recorded by the government, the other g-men at Google are doing the exact same thing. Of course deleting your g-mail account only prevents you from accessing the information, deleting your account at the NSA will get you a free vacation to Cuba for waterboarding lessons.

 

Throughout your life, little pieces of information are gathered and accumulated. Your profile is constantly amended as data volunteered by yourself is automatically correlated.  Every time someone forfeits some morsel of information, that data is forever public.  This material goes into a database, the security of which will be compromised at some point. We could blame the corporations when they experience a security breach, but honestly who’s at fault for supplying them with the information to begin with?

 

If we are to address privacy concerns, then it is hypocritical to start the finger pointing with the NSA. Thanks to popular social networking sites,  people are willing to give away the most important details of their lives.  It is this very ignorance of the overall value of information that creates risk on a number of levels. Police officers only require a name and date of birth to positively identify most people. The same details can be used by criminals.  Think about that the next time someone mentions their birthday. If that person has their real name associated with the statement, then all of the facts required to build an extensive profile have been provided.  Such a profile, for example, could be used by a criminal to assume an identity, manipulate a person into revealing more information, or even pose a physical threat.  This same method could be used to launch attacks from within an organization through the user. Imagine a sort of phishing attack that affects the user at home. They enter into correspondence via email with a criminal posing as an old friend.  The employee continues this correspondence at work on the company computer. Since the employee feels safe, they are willing to click links, or even download files.

 

There is a whole industry based on gathering data about consumers, and using their personal details for marketing. The obvious signs of this are places like Amazon that recommend items based on site history.  What does your Amazon account say about you?  I don’t buy into that line about “if you’re not doing anything wrong, you don’t have anything to hide”. Would you invite someone into your house to create a behavioral profile based on your possessions?    Just about everything you do reveals some detail about your life.  For example, when you go to sleep your inactivity is noted. Just by looking at your social network updates anyone can know what your sleeping habits are, and possibly where you sleep.  Everything you do is recorded, cataloged, correlated, psychologically analyzed, and put up for sale. The biggest customer for this information is the Federal Government, and because these databases are private, the Freedom of Information Act does not apply.

 

In the past it was common for people to keep a their private names and public names separate.   In Homer’s Oddesy, Ulysses used a clever name to avoid unwanted attention from the other Cyclopes after blinding Polyphemus.  In Christian mythology, God gives Adam the power to name the animals, and so he had some power over them.  What of the clever goblin Rumpelstiltskin who allowed the millers daughter to renege on a deal by giving her a chance to guess his name?  When I first started in networked computing, one of the first things we learned was to contrive a ‘handle’, a pseudonym under which we would carry out our online activities.  Today, it seems, people view this an act of cowardice, or become suspicious to the motivations behind concealing one’s identity.  It wasn’t a hacker thing, it was standing operational procedure. There is no such thing as anonymous internet usage. The best people can do is become aware of how much privacy that has already been lost, and do what they can to hold on to its shredded remains. It’s not about assuming a new identity, it’s about protecting privacy.  Today people  on-line are trading their identity for an illusion of friendship.

 

With the amount of information already in the databases, it is possible for them to know what we want before we do.  Using predictive modeling, marketing companies can already forecast the likelihood of future purchases. This also
means with government access to these details, they can perform similar analysis. Psychographic profiles reveal your personal interests, activities, and opinions, when combined with demographics and other variables, it is possible to triangulate personality in the same manner as physical location. It is trivial to track the physical direction of an individual, the same is also true about their mental direction.

 

Today we have the increased use of biometric identification. It comes with the promise of security, but can pose a new privacy risk.  Clear, the airport security screening service, may be taking the data trade to a new level. The TSA approved company, which required biometric finger and eye scans, has suddenly shut down.  It is likely their database will be transferred to some other private firm which specializes in collecting biometric data.  Since they are working with Lockheed Martin, I’d suggest the database and technology will resurface as part of the new biometric authorization requirement for access to public and private infrastructure.  Unlike passwords, there is no easy way to reset your fingerprints once the database has been compromised. 


Within a few years there will be a global DNA database which will be used for a number of purposes. Utilization of the genome is so important that Francis Collins, who was responsible for the Human Genome Project, has been made director of the National Institute of Health.  If you take a look back at that psychographic profile link, you’ll notice the article was in strategy+business, which is published by Booz and Company the global parent of Booz Allen Hamilton. A representative of Booz Allen was the one who brought to my attention the Global DNA database while giving a talk titled  “Hacking the Genome” at a computer security conference.  Booz Allen is interested in developing psychological and genetic databases, they are also one of the main contractors for organizations such as the NSA . This sort of database, combined with genetic screening, could lead to the ability to determine much of the future of an unborn child.  While this has its merits, like any other system it can be abused. If not kept in check, it could lead to the reincarnation of the eugenics movement of the last century which was forced to re-brand after WWII because of it’s popularity within the leadership of the German National Socialist party as part of their platform for world domination

 

Welcome to the Brave New World!

 

Cyberspace Policy Review – 2009 "The cyberSpace Race"

Saturday, June 6th, 2009

Analysis of the Cyberspace Policy Review

Essentially they want a well regulated internet to protect the economy, and defend the nation. This will require international acceptance of standards to protect against state sponsored cyber war. The government is organized to address this problem. They intend to centralize control over cyber security. A new position of Cyber Security Coordinator will be created as a White House level position. This person will work closely with a number of agencies and the Executive Office of the President.

They are comparing the current cyber security situation to the Space Race. With specific mention to the launch of Sputnik, it seems like the U.S. is still pretty bitter about that. The upside to this will be the creation of jobs during the current recession. In order to achieve their goals they intend to further blend the existing government activities with private ones.

According to the document this is a ‘Digital Revolution‘, with their main focus being on the protection of economic and national security. In specific they fear industrial and military espionage, including actions such as the theft of valuable data including corporate and military secrets. There is also the threat to non-cyber infrastructure such as the power grid, where they site SCADA as an example. Last but not least they mention their concerns on privacy. Unfortunately for the people, this concern is monetary, with the focus on the economic damage caused by identity loss and fraud.

Behind this policy review are people referred to as ‘stakeholders’. They seem to be the cyber-sycophants determined on funneling as much funding to their own coffers as possible. Much of this Review parallels the direction of the Cyber Security act. It has been drawn up on much of the same Congressional testimony, and official reports as the Act.

There are some legal issues which will have to be dealt with, some of them possibly Constitutional. To reassure the public they will be kept safe at all costs, the report mentions multiple times the existing Executive Orders which give the Government the power to seize complete control over communications in time of an emergency. At the moment that power would go to the Department of Homeland Security, the concept of an eFEMA is not factually that far off base. In regards to the international impact of such a decision, the Department of State has the authority over foreign communication policy. According to the Review, the Secretary of Homeland Security is responsible for the protection of critical infrastructure, including information networks.

However the Secretary’s power does not cover Federal systems. For this the Comprehensive National Cyber security Initiative was created. The goal of the CNCI is the consolidation of law enforcement, intelligence, counterintelligence, and military capabilities to address the full spectrum of cyber threats. The head of the CNCI stepped down out of concern for the public based on the direction of the current cyber strategies.

To replace him they have created a new White House level position. The Cyber Policy Officer, will report to the National Security Council and the National Economic Council. There also is the established Communications Infrastructure Interagency Policy Committee (ICI-IPC), which is chaired by the NSC and the Homeland Security Council. The ICI-IPC is focused on “achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities”.

Whoever is appointed by the President to the position of policy official, will be supported by Presidential authority, support and resources. They will receive assistance from at least two Senior Directors from the NSC, and one Senior Director and appropriate staff from the NEC. One of their duties will be to consult with the Federal governments Chief Technology Officer, and Chief Information Officer, in addition to the appropriate people within the Office of Management and Budget and The Office of Science and Technology Policy.

The Goal is to create a central position of leadership within the White House, a figurehead who will be responsible for establishing security policy, as well as responding to cyber-emergencies. There are a number of agencies which have already been created such as the National Security and Telecommunications Advisory Committee, the National Infrastructure Advisory Council, the Critical Infrastructure Partnership Advisory Council, and the Information Security and Privacy Advisory Board. These groups will be evaluated by the policy official with the goal of optimization, and elimination of redundancy, which basically amounts to the consolidation of power within the White House.

The stakeholders involved in the Cyberspace Policy Review discussed a variety of options to coordinate and oversee cyber security. The Joint Interagency Cyber Task Force (JIACTF) currently is responsible for this. If you have read the previous articles, you might find it interesting to know that this task force works under the Director of National Intelligence. The former DNI is cited in both the Cyber security Act as well as this Policy Review. He is currently employed as SR. Vice president of one of the largest recipients of government cyber security and intelligence contracts. The Review states explicitly that “unless and until such an office is established, the work of the JIACTF will continue”. The Director of National Intelligence is in charge of all the intelligence agencies, which in turn outsource most of their work to private corporations.

It is no wonder the Review explains that goals consistent with U.S. Constitutional Principles may make certain activities conducted by the Federal government more difficult. Keeping their best interests at heart, they feel the need to partner with Congress. The goal of this partnership is to benefit from Congressional knowledge and experience, in order to properly please the industrial lobbyists represented there.

At the state level, representatives from the National Governors Association, feel that cyber security is the weakest link in the protection of their states. While they already receive funding from Homeland Security which can go to cyber security, historically the grant funds have not been prioritized for that purpose.

The digital revolution includes the Smart Grid program as well as the Next Generation Air Traffic System, which receive funding from the new bailout bill. To sustain this revolution they wish to educate the public beginning in the first year of school. A cyber security education program would teach digital safety, ethics, and security, with the hopes of creating a technologically advanced workforce. The review even goes so far as to recommend a public safety campaign similar to the Smokey Bear fire safety campaign. Likely with accompanying catchy public service announcements stating that ‘only you can prevent malicious worm propagation’ (don’t copy that floppy anyone?). Along this same thread it is suggested that Celebrities, the computer generation, and new media should be used to deliver this message of cyber security awareness.

The reason for this education campaign is an underlying fear that the United States will fall behind other nations in the cyberSpace Race. Why else would they have brought up the whole Sputnik thing? They state that talented IT employees are in high demand, but the number of people receiving related education has been in sharp decline for several years. Thankfully the National Science Foundation, and the DHS offer grants and scholarships, with 80% of those who receive them getting government jobs. The National Centers of Academic Excellence in Information Assurance Education and Research, which was founded by the National Security Agency, and lately co-sponsored by the DHS, works to promote education in information assurance in 38 states and DC. The Defense Department also sponsors the Information Assurance Scholarship Program in the same institutions.

Now that you’ve bit the hook, and they’ve reeled you in, they want to keep you fresh. The Review mentions a plan for “shared training across agencies and into the private sector”. Blending the oft mentioned public-private partnership, they would like to have public-private employees as well. In reality this is not likely much different then the current situation. I could imagine a scenario where they would begin to trade top talent like the professional sports leagues. This could lead to some interesting results with IT ‘stars’ demanding higher pay because of their ‘skills’.

Another reason for the necessity for a tight public-private partnership is that the private sector “designs, builds, owns, and operates most of the network infrastructures”. Aside from a hostile take over, the best option is partnership. Likewise the corporations involved depend on the government’s protection from various threats, so it is a mutual arrangement. I mentioned in a previous article how they are attempting to create a monopoly. The Review actually cites the Sherman Antitrust Act in reference to private sector concerns about “certain federal laws” that might impede their partnership. Thanks to the Trade Secrets act and the Critical Infrastructure Information Act, the parties involved will not need to be concerned with the Freedom of Information Act.

We can be sure there will be no conflict of interest specifically concerning the multinational owners of major private government consulting operations. The Review suggests tailored solutions to handle such situations. One of them is to adopt a system similar to that which is used in Britain. Called the consultancy model, vetted private information security providers are used as a nexus to combine data.

Taking it to the next level, the Review suggests the government consider focusing on “game-changing” areas things such as behavioral and incentive based solutions. Something similar to the vouchers I have mentioned previously, tax breaks could be offered to those who choose to become early adopters of the new system.

Since the Internet is a global system, it is important to partner with the international community. Once the government comes up with their domestic plan, they hope to spread it around the world with love like they have done with democracy, bringing like minded nations together to discuss acceptable norms, implementation of standards, and “use of force”. “New agreements between governments and industry may need to be documented to enable international information sharing, as well as strategic and operational collaboration”. The U.S. will help other countries build legal frameworks, and work with allies to ensure the stability and global interoperability of the Internet.

When the Taliban unleashes their cyber army, the government wants to be prepared. The Review states the need for a coordinated joint response from the government, the private sector, and its allies. As a defensive measure is suggested that some sort of system be put into place before an attack happens, a sort of early warning system and cyber defensive grid. Only the White House has the authority to react to such an event. The policy official would be responsible in this situation, which underlines the necessity for centralization of National cyber emergency management.

The Cyber security act mentioned the National Institute of Standards and Technology ignoring classifications of national security on systems. Similarly the Review mentions the problems that arise from the “existing legal, but artificial, distinctions between national security and other federal networks”. With regards to the Review it pertains to the dispersion of federal cyber incident response across many federal departments. It is mentioned that legislation might be required to consolidate this response, to harmonize or enhance as necessary the different departments.

The defensive strategy will begin with the development of “a set of threat scenarios and metrics” that can be used for “risk management decisions, recovery planning, and prioritizing of R&D”. The ICI-IPC would be in charge of making enforceable rules for incident reporting, while the CNCI would continue to improve “federal network defenses”. In addition there is a plan called the Trusted Internet Connection program, whose goal is to reduce the number of government network connections.

For the moment “the Defense Department is responsible for aggregating information on network health and status, attempted intrusions, and cyber attacks for its networks, the Intelligence Community for its networks, and US-CERT for civilian federal agencies and to some extent the private sector”. The Review suggests the government should assist in preventing, detecting, and responding to cyber incidents by leveraging existing resources such as the Multi-State Information Sharing and Analysis Center, and the 58 existing State and local Fusion Centers.

According to the Review, “security classification and clearance requirements” inhibit information sharing. Policies governing the “collection, use, retention, and dissemination of information” need to be audited as they “present significant barriers”. The “Federal government should help the research community gain access with appropriate controls, to cyber security-related event data that could be useful to develop tools.”

Once they figure out the domestic file sharing, they plan to expand it internationally, sharing data with allies, and seeking “bilateral or multilateral” agreements. This international collaboration might upset some of their domestic partners. However since they depend on the government for “the common defense of privately-owned critical infrastructures”, most of the stakeholders have “indicated a willingness to work toward a framework under which the government would pursue malicious actors and assess with information and technical support to enable private-sector operators to defend their own networks”. Private sector operators “such as the World Bank and the International Monetary Fund” are specifically mentioned as institutions that should be defended.

As medical records are digitized, the Smart Grid technology is implemented, along with the Next-Generation Air Traffic Control system; there will be an increasing need for information security. One way to achieve this is to develop a “next-generation of secure computers and networking for national security applications”. The goal is to “harness the full benefits of innovation to address cyber security concerns”.

Cloud Computing, “introduces new policy challenges for the private sector and governments around the globe”, it “presents challenges for law enforcement, the protection of privacy, and civil liberties”. This could prove to be difficult for the government if a terrorist’s data was in the cloud in a country that did not conform to the international standards. On the other hand, as a side note, if your data exists in a cloud in a foreign country then your rights to that data might only be covered by their law.

DARPA, the guys that brought us the Internet, see the “defense of current Internet Protocol-based networks as a losing proposition”. They suggest “an independent examination of alternate architectures”. As of March 2009 they have begun analysis of alternatives. In the mean time it is suggested the government focus on research and development into “game-changing technologies”, which build on “existing Networking and Information Technology Research and Development strategies”.

One of these game-changers might be the development of “an opt-in array of interoperable identity management systems”. It is being developed based on the findings of The National Science and Technology Council’s subcommittee on Biometrics and Identity Management. The goal is to create a national standard of biometric identification at the federal level. This technology would become available for private operators, and emergency services. Part of securing the Nations cyberspace, the Smart Grid and the new air traffic control system, will involve the adoption of  technology to verify the identity of whoever is using the services.

This doesn’t do any good if the hardware or software is compromised during manufacture. Because much of the hardware is constructed overseas, there are “concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations”. Examples of these are the counterfeit products that have turned up in various places. Called “supply chain attacks”, this manipulation can be “virtually impossible to discover”. To protect against this, the Review suggests the U.S. should “define procurement strategies”. Such strategies would be based on work by the National Security Agency and the Defense Department, “to create market incentives for security to be part of hardware and software product designs”.

National security and emergency preparedness are two of the main concerns of the government. When there is some event of national emergency, federal and local agencies depend on the national communications infrastructure. Many of the services such as the Emergency Operations Centers are beginning to use new technologies. Enhanced 9-11 call centers are using Voice Over Internet Protocol in some cases. So these facilities also now require direct cyber defense. Homeland Security is “working toward the goal of providing national security and emergency users with access to the converged information services of next-generation networks”. This includes the authorization of the President “to use, control, or close communications services, systems, and networks”. A public-private National Coordinating Center exists to “assist in the initiation, coordination, restoration, and reconstruction of communications services or facilities”.

Cyber security is the two faces of a single coin. One side is the Federal government, its agencies, departments, and alphabet soup. The flip side is private business and corporations. The two sides depend on one another for survival, and therefore are very willing to share the middle ground. If one was to remove the emblems from the obverse and reverse of the coin, you would be left with a homogenous metallic slug. At the core of the national cyber defense strategy is the alloy consisting of the public-partnership. To maintain the value of this partnership, it is very important for it to become the international standard. Steps will be taken to prevent the production of counterfeits, but eventually the plan is to replace it with something modern and more secure.

Twitter links powered by Tweet This v1.8, a WordPress plugin for Twitter.

Get Adobe Flash player