Cybersecurity - NCICU Ethics Bowl
As I mentioned in last week’s post, I attended the final competitions of this year’s NCICU Ethics Bowl on AI and Cybersecurity. It was awesome to see college students tackling complex ethical issues that are only going to get more pronounced as we move through the 2020’s. The sessions tackled how AI would affect art and our humanity as well as the ethical duties of cybersecurity researchers.
I got to address this group at Friday’s dinner to discuss some of the challenges and paths forward. I pulled some of my remarks into two blog posts: the first on Artificial Intelligence and this one addressing some personal experiences with Cybersecurity.
Ethics in Data Access
In 2018, news broke that personal information was scraped from 87 million facebook accounts to build deep personal profiles to model individuals behavior. This data was obtained using 270,000 Facebook users who installed a Facebook quiz app; the other 86 million had never granted access to the app. Facebook’s data interface was exploited to provide broad user access without much auditing or oversight.
The company behind this massive data scraping operation and arguably a data breach was Cambridge Analytica. The intent behind this data gathering was to influence voting decisions across the world. Their success in influencing user behavior is debated, but the ethics of misleading users, violating terms of service and collecting and aggregating this volume of data is pretty clear.
Social Media
In 2013, I joined ArchiveSocial where we focused on helping governments fulfill public records laws. By making compliance easy, we helped empower and protect open dialog through these new communication channels. To accomplish this mission, we used the same programming interfaces (API) to pull content from the social networks as Cambridge Analytica.
What was the difference? We were careful to limit the scope of our data access to the pages that our clients had granted us access to. There were opportunities to explore possible markets by expanding our data scraping. A whole cottage industry of social listening tools exist that aggregate and report on conversations happening across social media. We stayed focused on our core clients and adhered closely to our mission.
The Cambridge Analytica news broke in March 2018. Over the next few months (April 4, April 28, May 1, and July 2), Facebook began locking down data access which had previously been very open. Needless to say, 2018 was a rough but necessary year for developers who were building on top of social media networks. Many applications and businesses shut down operations as a result of more privacy centric data access. Due to our tight focus on archiving only the data being generated by our users, our service remained mostly uninterrupted even though it took some work to adjust to the new access permissions.
In May 2018, Cambridge Analytic filed insolvency proceedings and closed operations. In December 2022 Facebook, “agreed to pay $725 million to resolve a class-action lawsuit accusing the social media giant of allowing third parties, including Cambridge Analytica, to access users' personal information.” They now regularly audit developers who have access to user data to confirm security standards are being met.
Security
Security is an asymmetric problem. As a defender you must be successful every time. An attacker only needs to be successful once. The way to guard against this type of asymmetric risk is a pooled defense. This means everyone defending is made stronger by sharing information and helping each other defend against attackers, just like a school of fish.
Even in a highly competitive environment it makes sense to everyone to work together to defend against the bad actors. In practice this looks like bug bounties and public reporting portals so ethical hackers can highlight vulnerabilities before unethical hackers find them. This means working with organizations to provide patches as soon high severity vulnerabilities are published.
To achieve this, security can be incentivized in a lot of ways. You can punish bad behavior through fines or you can limit data access to organizations that pass audits. Cyber insurance has emerged as a way to pay for a rise in ransomware but insurability and premium price is now being tied to good security practices like two factor authentication.
The majority of Cybersecurity is all of the boring stuff. Mundane security updates, regularly patching systems, rotating keys and having good passwords are the most important things you can do. We’re all in this together so we need to watch each other’s backs, raise concerns as we see them, and educate each other whenever we can.