James Beeson, chief information security officer and IT risk leader at GE Capital Americas, recalled a recent conference at which Bush-era security czar John Ashcroft was speaking. It was in the wake of April’s Boston Marathon bombings that killed three and wounded more than 260 others. Ashcroft said that from the intelligence gathered from myriad data sources at the scene, authorities determined that had a text message been sent to Massachusetts Institute of Technology security guard Sean Collier 20 seconds earlier, it might have prevented him from being gunned down by Tamerlan Tsarnaev, one of the presumed bombers who was eventually killed in a shootout with police.
Intelligence-driven security “is what we need to think about as information security professionals,” Beeson said at a panel discussion on Big Data and security at the SC Congress security conference in Toronto on Tuesday.
Computer Dealer News editor Paolo del Nibletto ran down recent developments on the analytics front that point to improved business processes: Wal-Mart’s hiring of 200 data scientists to find patterns to accelerate sales; Chinese PC manufacturer Lenovo building four factories in the U.S. because analytics showed it could save money and be faster to market; cornfield sensors that relay soil data to farmers; a project to ease parking congestion in Paris.
But the discussion turned quickly to the downside of ubiquitous data collection and its privacy implications: the fact that there is no public space in the city of London where you are not captured on closed circuit television; the U.S. National Security Administration’s monitoring of phone records and e-mail snooping.
“It’s an unfortunate reality that people are just waking up to,” said panelist David Lewis, director of ISC2, a security certification administration organization. And while he joked that the NSA surveillance program is “the best backup system ever,” he lashed out at pervasive surveillance, and those who argue that if you have nothing to hide, it shouldn’t bother you.
“I’m not buying into that,” Lewis said.
Beeson pulled out the quote from Scott McNealy, then-CEO of Sun Microsystems at a Microsoft event in the early 2000s: “There is no privacy. Get over it.” The amount of personal information that is private is shrinking rapidly, he said.
“The issue is our laws … (are) way behind the capabilities of the technology,” Beeson said.
Meanwhile, the vast amounts of data collected by corporations are inherently insecure. It’s a risk-reward relationship: can the company afford the cost, including fines, of data leakage, or can it afford the cost of ameliorating the insecurities? Beeson finds the perfect analogy in The Club, the car anti-theft device that immobilizes the steering wheel to discourage theft. “If they really want to steal James Beeson’s car, do you think that club is going to stop them?” he asked. It won’t, of course. It just makes the car less vulnerable. “I want them to move on to your car.”
While one audience member suggested companies should be transparent about the data they collect from customers, Lewis argued that there is too much monetary value in the data for corporations that collect it to do that.
“There isn’t really any impetus for them to be transparent,” Lewis said.
And while we may fret over the erosion of our privacy, Beeson said, the upcoming generation of digital natives has grown up in a different privacy environment, and isn’t nearly as concerned.
“Their sense of privacy is way different from ours,” Beeson said.