The Countermeasure is security commentary and news focused on the enterprise, hand-delivered to your inbox every Saturday morning.
…Keep Your Hacker Enemies Closer
In This Issue:
- Companies are hiring their own critics and hackers
- China goes ‘all in’ on AI
- RSA is coming
Companies Are Hiring Their Own Critics and Hackers
For many people, the most recent Facebook news is a bit odd: Facebook hires up three of its biggest privacy critics. Why would Facebook, considered by many to be actively hostile toward the very concept of privacy, hire three of its most vocal critics? There are several reasons, not the least of which is that Germany has suddenly decided to get rather serious about privacy; and where Germany leads, the EU follows.
From a business standpoint, this move makes sense on two different levels. A standard tactic in any form of warfare is that if you can’t defeat your enemies, co-opt them. Facebook has sacks of cash. Most people, when presented with adequately large sacks of cash, can be bought.
Of course, not everyone can be bought, which leads to the second reason that Facebook's move makes perfect sense: if the regulatory winds on privacy truly are changing, Facebook needs to develop some privacy bona fides ASAP. The alternative is likely to be no more Facebook.
Facebook will not be the only one doing this. Both governments and tech titans rushed to snap up the world's top hackers in the 1990s, with everyday enterprises joining in during the 2000s. This is despite the fact that those same hackers were in many cases responsible for attacking the very organizations that hired them.
Privacy law is hideously complex, and it's likely to get much more so throughout the 2020s. There’s a demand for people whose skills and passion lie in navigating the byzantine privacy laws of the world, advocating for change, and who have spent their careers building the network of contacts necessary to realize that change.
As the regulatory situation around privacy looks set to remain uncertain for the foreseeable future, multinational organizations should be actively recruiting privacy experts. Competition will only become fiercer with time. The goal of these experts should be – at least in part – to help organizations prioritize their infosec efforts. Legal experts can help organizations adapt to the rules that exist today, but privacy experts can help organizations prepare for the regulations likely to be coming down the pipe, and often have an in-depth enough technical understanding to work directly with infosec teams to construct viable technological solutions.
China Goes ‘All In’ on AI
China doesn’t intend to be the manufacturing hub of the planet forever. For one thing, China got where it is because the cost of labor was so low in China. As China's middle class explodes, labor in China is no longer as cheap as it used to be.
China's leaders, despite popular depictions elsewhere in the world, also have little interest in keeping their population impoverished. They’re dedicated to improving the quality of life in their country, for the majority of citizens, at least. This is important. The key to increasing quality of life is education, and China is all in on public education.
An educated and increasingly affluent populace is driving a change in China's economy away from manufacturing, resource extraction, and resource refinement. China is becoming a services-based economy, just like Western nations, but its leaders aren’t content for China to simply be one among many.
"Understanding China's AI Strategy" provides a good look at China's plans for global economic dominance. China's leaders believe artificial intelligence (AI) will drive the next industrial revolution, and China intends to be the dominant player of this century, much as the U.S. was in the last.
With a population larger than North America and Europe combined, China certainly has the raw number of brains available and is likely to succeed in its ambitions. As China's influence over the AI market grows, it will increasingly be setting the international tone on everything from business models to the morality and ethics of many of the most popular AI products available.
Economic dominance enables significant cultural influence, and periods of transition between dominant cultures are historically rife with all forms of conflict, from the military to the legally banal. As we have seen with Huawei, Western nations aren’t above turning corporations or their products into political footballs, and because AI products are all functionally black boxes, there aren't a lot of workarounds if they happen to do something that some government doesn't like.
Information security and compliance are closely intertwined. As the stakes in the cultural and economic clash between the U.S. and China become higher, it will become ever more important to be vigilant about what data is stored where, and which products – especially which AI products – have access to what data.
If you haven't started adding data sovereignty, geolocation, and application access controls into your infosec practices, now is the time to start. Getting all the way there will take years, but this thing between the U.S. and China is going to last decades. Nobody wants to be the sacrificial lamb excoriated on the altar of public outrage to satisfy some political point in the conflict between two technological, economic, and business superpowers.
RSA Is Coming
2019's RSA conference is taking place in San Francisco's Moscone convention center from Monday, March 4 until Friday, March 8. This year's theme is Better, and we'll leave the jokes about that to the readers.
RSA is arguably the conference for the information security industry, and over the next three weeks, expect to be flooded with articles, blogs, and infosec announcements of every kind. RSA Security's "The dark side of customer data" survey is expected to be a source of much discussion and has already produced some fascinating insights, such as "Consumers Care About Security – Sometimes". For those attending, Bruce Schneier is presenting at RSA, and these sessions are likely to be standing-room-only events.
If you aren't attending RSA, at least schedule in some time to peruse the many and varied announcements coming out of vendors and security experts over the next month. Once the sessions are available online, filter through them to see which ones are relevant to your organization and/or career, and watch them. Regardless of whether or not you attend, follow the #RSAC and #RSA2019 hashtags on social media, if for no other reason than to find new infosec people to follow and learn from.
Tweets of the Week
Never forget that the Internet remembers everything, forever. This thread is an excellent reminder of that.
"UPDATE: The company (my attacker specifically) has now emailed myself and @Me9187, with the stance that we 'hacked' them and 'threatened' them." – Dylan (@degenerateDaE)
Podcast of the Week
Jack Rhysider from the “Darknet Diaries” podcast joins Graham Cluley to chat about his interview with the elusive Hacker Giraffe
Smashing Security #114: Darknet Diaries, death, and beauty apps
Tool of the Week