I took a train to Buckhead, in North Atlanta, this week to hear some executives brought in by Bloomberg talk about the future of technology.
They talked about the Internet of Things, what I started calling Always-On technologies in 2003, and the transformation this was creating on devices and in networks. But the view of their audience was negative.
They didn’t trust the technology, because they didn’t trust cybersecurity. With good reason. Because, as I noted here in 2012, the issue is tied closely to that of identity and we haven’t addressed the politics of that yet.
What I wrote in 2012 is even more important for you to hear now. What I wrote was that “The problem of identity is a political problem.” Instead cyber-identity has been discussed only by elites http://www.identityblog.com/, and solutions like RealID have been pushed through the Congress, but these efforts have lacked public support, as evidence by successful efforts in many states to water down the requirements. Without consensus to push an online identity regime through, the problem of cyber-insecurity will only grow.
The Bloomberg panelists made clear that the problems of cybersecurity and secure identity are, in fact, one problem, but that point went over the audience’s head. That is a key point, because the audience consisted of Bloomberg advertisers, who are business leaders throughout the area.
We’ve been locking our companies behind firewalls, the panel noted, but when someone gets in through the front door the whole network becomes open to them. It’s like leaving all the company’s money in a big pile near the building entrance, said one panelist.
What we need is a system that uses identity to control access in a more granular way. No one gets in without proving identity, and that proof defines what doors become open. In a tech company with secrets, even an employee badge won’t get you into every room, and every company is now a tech company with secrets.
What we have in identity is an industry.
What we need is a movement.
Elites for years have ignored or minimized the opposition to identity. It comes from the right, from people like Rand Paul and Ted Cruz who see identity as the “mark of the beast.” It comes from the left, from people like Bernie Sanders and cyber-libertarians who resist giving their “papers” to every cyber-cop they meet. The desire for anonymity is buried deep in the American psyche, and it will take an enormous effort to dislodge it and enable 21st century security dealing with 21st century threats.
The only way forward is to do what the elites have already done, link the problems of cybersecurity and cyber identity together. Explicitly. Publicly. Politically.
The greatest fear Americans have today is not that we’ll be mugged, killed or have our cars stolen, but identity theft. Hacking is now the crime that Americans fear most.
The problem with groups like OpenID isn’t in what they’re doing, but the lack of political impetus behind the effort. When the President announced his cyber security plan in January it was all about policing, about what happens after the crime happens. It wasn’t about crime prevention, because secure identity is at the heart of such prevention, and we haven’t built public support for it.
For Always-On or the Internet of Things to work, we have to know that a command to your thing, or an order coming from a thing, is actually coming from you, not some hacker half a world away. Lightweight identity tokens, along with audit trails covering tests of these tokens, need to be at the heart of the technology. Technologists understand this. Voters don’t.
This means that politically, we need to create analogs between the physical and the virtual world, and gain enough support for those analogues to overwhelm the cranks of either the left or the right. I distinguish here between politics and marketing. Politics shapes attitudes in the public square, they define what we consider acceptable. Marketing shapes attitudes in the private sphere, defining what we choose, as individuals, to consume.
Despite our protests, we have proofs of identity all around us in the physical world. Your car key proves your identity to the car. Your house key proves your identity to your home. Your license proves your identity to the cop. Your heart monitor and your refrigerator also need to prove their identities. If they’re seen as anonymous online, then any hacker can masquerade as them, with just a tiny slice of code. A complete, uniform identity management system will, at minimum, give every hack a hurdle they have to jump over, and provide an audit trail that can help cops trace the crime to its source.
None of this is foolproof. We can’t let the perfect become the enemy of the good when it comes to identity technology. There will be bugs, there will be flaws, and there will be upgrades, as in everything else.
We need to shift the focus of the cyber-crime debate. We need to start talking about prevention, not policing. The way to do that is by talking honestly, and publicly, about identity. Starting with the present political campaign.