Testing, testing, testing for a more secure (internet) world

If there’s one analogy between the Covid-19 crisis and cyber security, it is the lack of testing in many places across the globe. In both cases to truly know how safe and secure we are, testing needs to be stepped up considerably. As this is a blog about cyber security let’s put our focus there.

Over the past days and weeks more and more organisations have switched to digital products and services to sustain working from home, to keep productivity up and to be connected. Our dependency on the internet has become even larger, with perhaps one large difference: more people are actively aware of their dependency and not as something they see as normal without thinking about it. Let’s not forget that by far most people have slipped into the digital age, without comprehending the implications. Let alone how it works. With this newly found realisation, this is the time to act where cyber security improvements are concerned. First let me give a few examples of how we slipped into the digital age.

How we moved to the internet
Over the past years we all have started to use products and services we do not truly understand nor do we have an overview of the implications coming with the use of these products. This goes for apps that transgress every basic rule of privacy without any hindrance, but also for government organisations using cloud services in the U.S.. We use Google, Facebook, Whatsapp, etc. multiple times daily without being aware that we are the product, “the user”, of these companies. Energy companies connecting a nuclear reactor to the internet as running maintenance from the home if necessary is so easy. Or, a machine in a factory that is directly connected to the manufacturer for maintenance without built in security. And what about all those connecting devices entering our home without basic security installed. Etc., etc., etc. All were decisions with large implications, usually made without security in mind, not offered, not asked for, not (fully) understood. Let’s make it more tangible.

Secure/insecure?
On Wednesday 31 March Boris Johnson, U.K. prime minister, posted a photo online, showing his cabinet’s video conference, giving away a load of data about his workplace, gear and even his unique username to the Zoom application the U.K. cabinet used for the conference. Twitter sort of exploded because of it, and yes, the lack of understanding in the PMs office is extremely disconcerting, but a part of the Twitter explosion focused on the program used. Zoom is an application that is used all over the world for video conferencing, one of many. What was pointed out yesterday, at a time that almost every organisation depends on video conferencing, that Zoom is not as secure as it advertises. Many people pointed out that Zoom blatantly lies about its level of security on offer.

And here is where I am coming to my point that we need to test, test, test. An important question ought to be: Why did some people only bother to test the service now and not last year or the year before? Can you tell me whether any of the other services are better? I can’t.

Responsibility for a secure internet
The world fully depends on ICT products and services, something that today is more clear than ever. It also means that the products and services need to become more secure. 100% Security is something no one can offer. Avoidable mistakes though should no longer be acceptable when a product or service enters the marketplace. Not in a product connecting to the internet, not in software and not in online services and hosting. If the current crisis shows us anything, it is the responsibility the internet market has where the world’s security is concerned.

Making the internet more secure
This can easily be improved if during the production phase testing becomes a prerequisite. For everything already on the market, it is quite clear that the status quo is that a company awaits an alert or a breach before taking action to amend the flaw in its product, if even then. To become more safe there are three ways forward:

1) New products are made by new rules assuring a higher level of quality and security;
2) Testing;
3) Attribution.

White hat testing
I would like to focus on the last two. Mark Goodman proposed in his book ‘Future Crimes’ to create a worldwide pool of white hat hackers who test products and alert a company or a central agency on discovered flaws that are then repaired and updated. One thing is certain, the “bad guys” test products 24/7 in search of flaws and use them for their own nefarious purposes. So why don’t the “good guys” do this in an organised way? Yes, this is a challenge to organise, but the white hat hackers already exist. So why not pool them and make use of their energy? Finding flaws before the bad guys do saves everybody money, time, losses, hurt, bankruptcy, etc. Yes, it is a burden on the manufacturers but then they are the source of the flaws. Not the consumers. In fact not even the “bad guys” are the source, they are just using what is on offer in a bad way.

A related example is the city of The Hague that organises a yearly hack contest on itself. Something more companies and organisations should do.

Consumer organisation testing
A second way of testing is through consumer organisations. Products and services with online components from now on need to be tested on cyber security aspects. Are certain internet standards deployed? Are passwords in place? Are patches guaranteed? Is data protected? Etc., etc. This way pressure is applied to manufacturers and service providers to up their game. This way consumers can compare products. The test of webshop websites in The Netherlands and privacy adherence in an app in Belgium are good examples of this.

Attribution of breaches
When hacks or other digital breaches occur, one way forward is to collectively learn from the cause(s). E.g. by making it known the breach was caused by a lack of security in product X or service Y. This puts pressure on manufacturers who currently produce sub-optimal or even less safe products. No product wants to be associated with negative news, so most likely all will progress because of it.

A milder form is to mention the cause without the name but including explicit mention of costs and losses, in combination with suggested questions consumers can ask to their vendors or demands they can make for a more secure product. This creates awareness at the customer side and puts pressure on the manufacturer.

Is this bad for innovation? All other products in the world show that rules or regulations do not stop progress. So why would the internet be different?

Security investments come with costs
More than ever before the world has become dependent on the internet. It is time that the internet business takes the responsibility for this dependency. This comes at a cost. Yes, there is another side to this debate. It has to become normal to pay for internet security. It is only fair money is made on the investment industry has to make to provide cyber security.

Conclusion: start testing!
Just like at this point in time in the Covid-19 crisis a lot of people are not aware whether they have attracted the disease and are cured because they have not been tested, many internet services and products can get on the market, even with false claims, without testing. It is time for change. Societies have to start testing.

In a recent report published on the website of the Internet Governance Forum I have identified 25 pressure points in society that can aid in making the internet more secure. If you are interested to learn more you can download it here:

https://www.intgovforum.org/multilingual/index.php?q=filedepot_download/9615/2023

Posted in Cyber awareness, Cyber crime, Cyber security, Internet standards; | Tagged , , , , | Leave a comment

Why are internet security standards badly deployed and what to do about it?

In 2019 under the aegis of the Internet Governance Forum a pilot project was conducted into the causes of and solutions for the, in general, slow deployment of internet security standards. Standards that on mass deployment make the internet and all its users safer, indiscriminately, immediately.

The report
Recently the report ‘Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment’, was published on the IGF website. Information was gathered by means of an international survey, breakout sessions at the IGF, dozens of interviews with stakeholders and desk research. It focused on two questions: 1) What are the reasons for slow deployment? and; 2) What are solutions to speed up deployment? This showed that underneath all other provided reasons lies a collective action problem. To break out of this state of inertia 6 recommendations, 25 identified pressure points in society and 7 action plans are presented. Including identified stakeholders who have to be(come) involved to have a chance at success in speeding up deployment.

Six standards
The project took six standards as examples to start the discussion, three internet standards by the official definition, DNSSEC, RPKI and bcp38 and three not: OWASP top 10, ISO 27001 and the Safe Software Alliance principles. For ease of writing and reading all are called internet standards within this context.

Causes
Many participants agreed on the main cause for the slow uptake: the lack of a business case. If there is no demand, in general there’s no offer. Research showed that there are underlying causes. The report shows that there is a lack of pressure on decision makers; from the sides that matter. As far it was able to ascertain and no one pointing to another conclusion, there is no(t enough) pressure from laws/regulation, media or consumer organisations. As one of the interviewees stated: “No one cares if you deploy and no one cares if you don’t”.

To add, the overwhelming majority of consumers is not willing to pay for security measures, while/because of not understanding the implications of insecurity. The entrepreneurs willing to deploy face a negative business case or operate in a niche market.

Another important conclusion is that it is not (just) technical proficient employees deciding on deployment of the standards. Yet, outreach from the technical community is often aimed at these people. Unfortunately not reaching the level of success needed to make the internet safer, as they do not decide on deployment. This calls for different aims and for a change of narrative. It is the owners, board members, financial officers who need convincing. That may take pressure from other stakeholders to achieve change.

Governments have not taken internet standards into law (ISO 27001 is a voluntary exception), as is the preferred situation of nearly all we’ve spoken to. At the same time most of the efforts of governments (agencies) but also e.g. banks concerning cyber security are aimed at the only stakeholder with limited power where deployment of standards is concerned: the consumer or “user” as the internet industry prefers to call its customers. In other words, there are no carrots and no sticks of any kind, making it far worse than having no business case.

Collective Action Problem
All this results in a collective action problem, where there is no demand and no incentive to change behaviour and deploy the internet standards. Usually it is the government that society looks towards for solutions. In many sectors this is completely normal and accepted behaviour. Health, (air)traffic , agriculture, etc., etc.. A question in need of an answer is, what makes the internet so different, it justifies the absence of governments, while the market cannot solve the enormous security challenges facing it? Perhaps it becomes necessary to look at the problem as a (digital) health issue. What perspectives does that provide to act upon?

This report does not answer these questions. It searched for potential solutions and pressure points in society that can contribute to break up the collective action problem. A few examples are presented below.

Recommendations
The six recommendations are an accumulation of advice provided. Although there is a near consensus among participants that action is needed, there is no consensus on the precise way forward. The first five were tested in the breakout sessions (number 6 came out of the sessions) at the IGF and are seen as sensible.

1. ‘Create a business case for the deployment of internet standards’.
2. ‘To deploy internet standards successfully they need to be incorporated by reference into law or legally binding regulations, including a designated regulator.’
3. ‘To deploy internet standards successfully requires building security by design / default into products and services’.
4. ‘All stakeholders should collaborate on coherent strategies for multilingual awareness raising on internet standards and their effect on internet security’.
5. ‘Internet standards and architecture must become part of education curricula.’
6. ‘Standardisation processes are advised to include a consultation phase with government and industry policy makers, and civil society experts.’

The paradox this report bares, is that a large proportion of the participants see legislation as the only option to force industry into deploying, yet no one wants it. As legislation is seen as the least desirable option this comes with a moral obligation to step up on all others. No legislation can and may not equal non-deployment. Hence the pressure on those having to deploy needs to be created elsewhere. The report mentions 25 options, from parliamentarians addressing the issue to industry, to consumer organisations testing ICT services and products, from regulation to media publications.

Pressure points in society
Where deployment of standards is concerned a government can take on a few roles. Standards could be demanded by them through procurement. Standards could be demanded on the basis of duties to care. A question in need of an answer is what regulators can achieve on the basis of current laws, whether telecommunication, privacy, consumer, etc.. When all else fails the government is the legislator but even then cooperation is of utmost importance.

Mistrust of governments is one of the reasons mentioned why the technical community remains more or less aloof from other stakeholders that could play a role in making deployment happen. It is of the greatest importance that these others understand what internet standards are, why they exist, how they are made and what the importance of deployment is for a more secure internet. To ensure that future measures are the right ones, interaction is key. Hence the reason this report invites IETF en ISOC to participate actively in the next phase and assist in the creation of a change of narrative and the direction of outreach, to prevent legislation where possible. Their role lies in leading the other stakeholders forward and to make plausible deniability of not having heard of internet standards in need of deployment impossible. At the highest levels of industry and society at that. Why? The decision to deploy seldom is a technical decision but a financial one, an investment (without return). This calls for a different approach and narrative.

All this translates into seven actions that you can find in the report. To massively deploy internet standards is and will be a herculean task involving many stakeholders with different and most likely competing interests. Deep down however all stakeholders around the globe have the same interest: not to be hacked, not to have compromised or lost data, not to lose money, etc.. This is a starting point. And, when all is said and done, all will have to pay for security. That goes without saying.

Conclusion: a no-brainer
Ideally this report is not the end but a beginning. To start work on deployment by enacting the recommendations and gather the stakeholders in the action groups. The IGF is a neutral platform where all involved are equal. The first and most difficult steps can be conducted here before the results are taken outside of the IGF to be implemented. All with one aim: to make deployment of security raising standards a no-brainer for all involved.

You can find my report on the IGF website:
https://www.intgovforum.org/multilingual/content/implementing-internet-standards-and-protocols-for-a-safer-internet

Posted in Cyber security, Internet governance, Internet standards; | Tagged , , , , , , , , , | Leave a comment

Internet consolidation at EuroDIG 2019: Questions in need of an answer

On behalf of SIDN I was the focal point and moderator of the workshop on internet consolidation at EuroDIG in The Hague, June 2019. The following is the official report of the workshop I wrote and published on the EuroDIG wikipage. It is followed by the questions that remained open and identified potential next steps forward.

The fact that this workshop was able to tie into a previous workshop on internet consolidation at the IGF in Paris, November 2018 provided focus and allowed for considerable steps to be made in The Hague. Here is the report.

The report
At EuroDIG 2019 a workshop was organised around the topic of consolidation on the Internet. It was organised around four angles: technique, competition, society and human rights and; future research. One thing became extremely clear: no one contested that consolidation is taking place nor that this already has and will have an impact on the Internet and consecutively on society. There also was consensus that this topic is not going away, that addressing it is urgent and more study/research and interaction between stakeholders is necessary. If anything, the workshop led to more questions being asked than answers given, which is telling in itself.

What is consolidation?
Consolidation, in this specific context, is the process by which internet activities and businesses get increasingly integrated, both vertically and horizontally or more simply put: where many of the same suddenly becomes fewer of the same. Another term often heard in this context is centralisation. This term is used when users have to go through one central point, e.g. to use a specific service or access a specific database. The two terms are not interchangeable.

A study by the Internet Society (https://www.internetsociety.org/blog/2019/02/is-the-internet-shrinking-the-global-internet-report-consolidation-in-the-internet-economy-explores-this-question/) shows that consolidation takes place at different levels of the internet. Applications, access provision, service infrastructure are mentioned, but beyond that deep dependencies are created e.g. through total service environments.

Potential consequences of consolidation
In the Internet governance sphere the topic of consolidation was raised by the Internet Engineering Task Force (IETF). It flagged the topic as important, something other stakeholders needed to learn more about. Jari Arkko presented on the topic at an IGF workshop in Paris, November 2018 (http://www.intgovforum.org/multilingual/content/igf-2018-ws-40-internet-mega-trends-impact-on-the-internet%E2%80%99s-architecture). The outcome led to a follow up workshop at EuroDIG dedicated fully to the topic.

In short, it was explained, the internet works because all involved, “the many to many”, follow universal, mandatory and voluntary open source rules and procedures, so called internet standards. Now that the many become less and less, it changes the internet and internet governance procedures. When one or a few organisations control large parts of the internet, they also come to control access to the internet, to data, determine success or failure of innovative products, privacy, free speech, etc. This leads to important questions societies need to address. Many of these major questions were asked during the workshop, fundamental questions that in part go right into the sort of society we all want to live in.

Already there are companies at the service level, in online retail, social media, search engines, DNS queries, etc. so big that they hold large percentages of the market and dominate at a regional and even global level. This comes with a large economic power, political influence, the (potential) stifling or co-opting of innovation, etc. Competition rules are looked at to establish fair play and a level playing field, but do they?

Although there was no explicit consensus in the room, looking at the discussion with an helicopter view shows that the process of consolidation leads to feelings of discomfort and unease from all sides. Whether people have a background in business, human rights, access to data and services, etc., they all have questions in need of an answer towards both actions in the present as the outcome in the future. Academia aside, they all look to others, e.g. governments, competition authorities and policymakers for action and to provide answers.

Potential next steps
Competition law
An important remark at the session was the following: We already have competition laws, so why would we need new ones? There was no direct answer to this question, yet is important to follow up on. It was pointed out e.g that there is a need to look at companies and their strategies in different ways. Market power could also be measured in (the availability of) access to data and not just in traditional market shares or by looking differently at overall strategies of companies in the case of mergers or acquisitions. There is a need for a debate whether current, mostly national. competition law is sufficient within a global, internet environment.

Many in the room were alerted to the fact that the Dutch competition authority (ACM) had concluded a study into market power of Apple’s app store and concluded that a formal investigation was called for (https://www.acm.nl/en/publications/acm-launches-investigation-abuse-dominance-apple-its-app-store).

Technical solutions
From the technical community came the question: ”What do you want us to do”? Several possible future technical measures and solutions were suggested. E.g. to create better functioning interfaces that allow access to systems or opening up social media systems. There came no concrete answer from the non-technical community, except the conclusion that consolidation is a non-technical topic. The people responding stated that consolidation is an economic/competition law issue, so regulatory. There seems to remains one obvious role for technicians: flagging and explaining, but let’s not conclude yet whether there is no role, as the technical community sees a potential role for itself. E.g. in assisting smaller companies to collaborate in a better way. The value of these measures have to become clear.

Net neutrality
Another point made in this context was the need for net neutrality as this creates a situation of equal access for all. Another topic for future debate was identified.

Interaction between stakeholders
Overall there was one major development compared to Paris in November 2018. It became clear that there’s a need to get to know each other, as some stakeholders were not familiar with each other, let alone with the work going on within their respective silo’s. If anything, this was the step forward set between the session in Paris and the work leading up to the workshop in The Hague. The sharing of knowledge could lead to new actions within respective silo’s. Whether by taking measures at the technical level, as information that authorities need to build cases on or as suggestions for using current policies or to create new ones. It was suggested to look into these options.

The good, the bad and the absent
Many people raised concerns, yet it proved hard to provide concrete, negative examples coming out of consolidation. “I cannot run my own private mail server anymore”, was the most concrete one. A conclusion that can be drawn is that it seems that at this point in time those actively involved have grave concerns, because market power has come to rest in too few hands. A situation that may come with potential negative effects (soon). Attention was drawn to the fact that not all stakeholders seem aware of the current developments and what they (may come to) mean to their respective positions and interests. On the other hand, ISOC’s study shows the advantages of consolidation in e.g. cloud services and the global reach they provide even the smallest companies, although they come or may come soon with a vendor lock in, as it becomes impossible to switch to another provider (with ease).

So what are next steps? The workshop made clear that doors to other silo’s need to be opened. Knowledge needs to be exchanged and organisations can assist each other in developing answers to questions that are in need of an answer. Coordination between different stakeholders could be set up and there is a strong need to provide convincing examples whether consolidation is a good and/or a bad development. Finally, missing stakeholders need to be actively invited to these meetings.

Conclusion
This workshop contributed in a meaningful way to the debate on consolidation. It provided enlightenment to those involved, despite the fact that many questions remained in place. Fact is, many were raised for the first time with other stakeholders present. Questions that are in need of an answer that will take multiple stakeholders participating in the formulation of those answers. This starts with sharing experience and knowledge among each other. Conditions were created at EuroDIG in The Hague to do so.

Wout de Natris
Workshop focal point consolidation on behalf of SIDN
De Natris Consult

Questions in need of answers
– For now the following questions and action points were identified.
– A need to identify and understand the working of each layer of the internet within this context
– A need to identify and understand the current situation in each layer of the internet
– Establish the link between consolidation and net neutrality
– Does net neutrality also need to take into account free speech and innovation?
– Identify how each stakeholder community can contribute to answering identified questions
– Identify current and potential actions within and among stakeholder communities
– Establish how contributions from other stakeholders can assist (the actions of) others
– Do “classic” competition laws work for the internet or is this a truly new environment?
– “The people” do not seem to worry. Should they? and if so, how do we tell them?
– What can (the strategy behind) mergers and acquisitions tell us about consolidation?
– Is there a need for standardisation in regulatory reporting to truly make comparisons or conclusions at the global level?
– Are security threats limited or rising because of consolidation?
– In what way can enabling smaller players from a technical point of view become an alternative to consolidation?
– How can consolidation be measured and quantified?

A word of gratitude
This workshop was made possible through the support of SIDN but would not have had this impact without the valuable input of Carl Gahnberg, Cristian Hesselman, David Korteweg, Jari Arkko, Marie-Noémie Marquez, Zoey Tung Barthelemy and all who contributed actively in the workshop itself or shared ideas in the preparatory process. The EuroDIG secretariat’s Rainer Rodewald facilitated the whole process in a professional and extremely kind way.

Posted in Internet consolidation;, Internet governance | Tagged , , , | Leave a comment

Chances and opportunities or the U.S., the E.U. and privacy regulation

The European Parliament recently sent a letter to the U.S. government expressing its concerns on the U.S. government’s demands on U.S. companies to deliver (privacy sensitive) data stored in Europe to the U.S. enforcement and security agencies when so requested. U.S. court cases concerning this topic are confusing and contradictory, the stance of the U.S. government as such is not. Neither is the privacy law of the E.U. A clear case of non-compatible laws.

What surprises me is that Europe in general always complains about the dependence on U.S. cyber moguls. If this demand of the U.S. government shows anything, than it is opportunities for E.U. cloud and data companies to step into the void the U.S. companies are about to leave behind.

It is a fair question whether, due to the restricting rules of GDPR, the amount of privacy sensitive data stored today can ever be as big as it presently is. Fact is that the data companies want to store need to be compliant with E.U. privacy laws. Where better to store this data than within Europe with companies that assist their customers to be compliant?

So people let’s stop complaining and expressing concerns and step into the market, head up high and grab the opportunities presented for free by an unbending U.S. government.

The E.P. focused in its letter on the risk of splitting up the Internet because of the U.S.’s actions. The Internet is already splitting as actions of different eastern countries show. It may be time that the E.U. starts to prepare for something that might be inevitable. Even if it is just in case or as a case study. It’s always better to be well prepared. Boosting an industry is one such preparatory step in that direction and economically sound to.

Wout de Natris

Haarlem, 2 February 2018

Posted in Court decision, Privacy | Tagged , , | Leave a comment

How the West was won or protecting data

The Internet world shook once again this week with the revelation of military, strategic information leaked by a sports app. By running around the compound soldiers gave away their position to the app, that dutifully offered this information to the world, transparent as it is. It became worse. Researchers were able to track individual soldiers to their private addresses simply by connecting available data and thus revealing the identity of soldiers working in highly classified circumstances. This is just one aspect of where things seem to go horribly wrong.

It is not surprising to me that apps reveal data of its users. What does come as something of a shock is the fact that even in organisations that snoop on the world with unprecedented capacities the naiveté concerning simple apps is still so high. It is 2018 and still the military and undoubtedly dozens of other organisations around the globe are surprised by a single app that tracks the fitness and running scores of individuals using the app. And I will not even go into privacy implication here.

From this information it becomes clear that still there are no clear rules on the use of apps, social media, fitbits, etc. vis à vis the workplace. This is not just about the military but about each and every individual, next to the millions of people working in high(er) level trust environments. Was this app installed on a work phone or a private phone brought to work? It should not matter in these circumstances. It shouldn’t be on the phone, in these circumstances, at all.

The news so far focused on the fact that an app revealed this data. If we look one level further down into the app, the question is where does the software come from? Who else is able to gather this data -and who knows what else data from the phone or laptop- either through the software used in the app, what is the origin of the chips used to build the app and is the data sold in any form to third parties?

Ever since the journalists Maurits Martijn and Dimitri Tokmetzis showed that by installing one single app (in this example of a large Dutch department store) on a smartphone, dozens of, mostly unknown firms from North America were able to access all information on that phone every few seconds to auction this information off to advertisement companies, I am very weary of apps on my phone. What apps are really for, data gathering, ought to be common knowledge by now. Perhaps not by the general public but certainly by those is positions where the secrecy of certain data is key. Including rules and regulations concerning the use of apps.

Again the news shows that the knowledge and understanding of the Information Society simply does not seem to get between the ears of those responsible. It makes me dread the moment that the West really comes into a conflict with adversaries. I’m afraid that we will find out the hard way that we really haven’t seen anything yet.

Hence the question becomes whether an open Internet for all is something the West must strive for. The balkanisation of the Internet is becoming a fact fast. China, Russia, Iran, North Korea, etc. are all becoming less and less open to the West. We remain open and highly vulnerable to attacks of all sorts of nature. Is it time to contemplate a wall around us as well?

This question is a far jump from the data revealed by a sports app. Yet it is all related. Each individual incident shows the weakness in our defences. It is time to rethink and strengthen ourselves as well, without giving away anything on the inside. Free speech, economic benefits and protection of the core of the Internet are all possible within our system. Who wants to live beyond these rules, suffers the consequences. Most likely economically to.

What the sports app data revealed does show, is the level of openness our western society has reached. There is no going back on that. Perhaps there is a way of protecting it better. It will be drastic though.

Wout de Natris

Haarlem, 31-01-2018

Posted in Cyber awareness, Cyber education, Cyber espionage, Cyber security, Cyber warfare, Privacy | Tagged , , , | Leave a comment

Options for the Digital Transition

Over the past years I’ve written repeatedly about the digital transition. In 2015 I organised and moderated a workshop on behalf of the Dutch national Internet Governance Forum, NLIGF, on this topic at the IGF in João Pessoa in Brazil. This workshop looked at the digital transition from a few angles: education, permissionless innovation, privacy and politics. The results were somewhat disconcerting as a room filled with (inter)national experts concluded that education was running far behind developments. No one present was able to point to the new kind of jobs that a transition usually brings. Privacy was under severe pressure, e.g. from algorithms that were seen as black boxes and politicians were near ignorant of these developments. All saw the thriving permissionless innovation, with participating (Internet) engineers who could not wait to see where the world is moving towards. The report NLIGF published can be found here: http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals under workshop 48, ‘Internet of Things. Ethics for the Digital Age’.

This topic a such is far from new. With every mechanical innovation a loss of jobs came; that were replaced by other, often jobs that required an higher education. Probably since the invention of the wheel. Looking with an optimistic view it isn’t hard to conclude that the same will happen here, although it does take education and I’ll return to that below. Perhaps these jobs lie just around the corner and we cannot see them yet.

It is a rather acute topic though. Some people have declared that Donald Trump was elected president by people who have lost their jobs to machines, with little chance of regaining a new job (that is meaningful to them). If true, the people who lost out to globalisation and further industrialisation made the rather small difference between win or lose. These people felt unheard and made their choice. It is the former part of this sentence that is important. It looks like a lot more people may get to this state and will want to be heard. Why?

The news

The reason I am writing right now is because of a few disconnected pieces of news that alerted me over the past days. “Software is able to decide on traffic management during traffic jams”. The software opens or closes an extra lane by studying camera footage. “First tests with driverless trains to start”. “70 km stretch of roads opened to automated car tests”. “Robots performing surgery”. All these tests are aimed at one thing: replacing workers for artificial intelligence: traffic management personnel, train drivers, lorry drives, taxi drivers and surgeons. What will these people do after they have been let off?

Mind, all the above our autonomous cases, not connected to each other. One company, a ministry, a university hospital, testing new software. All in their own cocoon. There’s one major communality. As soon as the software does what it is supposed to do at a satisfactory level it brings one thing: massive lay-offs, of people who will probably not find another meaningful job. My guess is this will probably happen around the same time. So massive lay-offs of people, mostly with a lower education, who now have meaningful, satisfying jobs.

This is where leadership comes in. As long as decisionmakers at the political level have not developed an awareness around the digital transition, as their own colleagues and other experts stated in João Pessoa they have not, let alone developed a vision of how to confront this transition, they will be surprised and overwhelmed of what these changes are going to bring to society.

In The Netherlands there is a strong call, a lobby to set up a digital team of policy leaders within the government. Yes, it is important to create favourable circumstances for businesses to develop further, yes, there are major opportunities for start ups and incumbent companies alike, yes cyber security is a major issue and yes, it is extremely important to educate our youth (and do not forget to re-educate those people losing jobs). It is even more important to develop a view on what sort of a society we all want to live in.  If we do not get this right, I am afraid that discontent is going to rage high in the coming decade. People are losing jobs and want to be heard and their numbers may grow exponentially when the software is able to fully take over. There is a little window of opportunity still open to take this question full on. In ten, perhaps even only five, years it will be too late. So what is it going to be? It’s time to add this last line to that manifesto.

Wout de Natris, Haarlem 31-03-2017

Posted in Cyber awareness, Cyber education, Digital transition, Internet governance | Tagged | Leave a comment

Luddites of the 21st century unite, revisited

Some years ago I wrote a post on the fact that I saw the world automate fast and did not see a lot of people worrying about the consequences for their lives. Nobody was smashing automated production lines. Smashing smart phones and laptops. In fact, embrace of new technology by the masses probably never in history went this fast. Several and very different causes, among which globalisation, have led to a level of wealth that made these expensive tools and toys within reach of a vast number of people.

Now early on in 2017 it seems that discontent is all around. The hatred for institutions, experts, politicians, immigrants, the views of “others”, etc., is raging through societies leading to decisions and outcome of elections that, taken at face value, are not what rationality would dictate or even expect. It is time for change. In the following I will try to provide a way forward from the defaitistic future many see in front of us. First a sort of inventory.

The times they are a-changin’
Jobs are disappearing and not just by moving them to cheap labour countries, no, the cheapest form of labour is a machine doing the work of humans. A company like Philips has already moved production back from China to The Netherlands for a fully automated plant. So the work is back, but not the labour. I always wonder who is going to buy that product when everyone is out of work because of work replacement? Owners and shareholders do not benefit from no or little sales.

Isolation and nationalism lead to “me first” in everything. So in the end also to an Internet with high tariffs, little and expensive access, the end of net neutrality: in other words the much feared fragmentation of the Internet, “Balkanisation”, is around the corner more than ever. Now it may be true as a Dutch economy columnist wrote this week that it may offer all sorts of opportunities for EU companies, that are now without chance against major U.S. multinationals. It was not his favourite outcome, but at best second best.

Is this the way then that the Internet and its related products are smashed by 21st century Luddites? Through a movement of democratically elected parties and individuals who, taken from their thoughts and actions, are not so democratically inclined. An analogy with the early 1930s is necessary to make. It was the complacency of German politicians and industrialists that gave Hitler and his NSDAP the option to rule and then let him abolish democratic institutions to install a dictatorship within weeks after being given power. That complacency is all around again. Ideology has withered, capitalism in his loosest form is harmful to most people, religion has withered. Many people don’t belong to anything anymore, except perhaps as supporters of a team, where they see bored millionaires run after a ball here today, gone tomorrow for greener, pardon me, financially more attractive pastures. For many this situation hurts them in ways that are hard to explain, but there seems an urge to belong with many. Nationalistic organisations can be seen as a substitute.

A change in the workplace
We live in a world that is in transition. And that is scary. No one knows where we are going to wind up. In the past years I’ve been able to organise workshops around the theme of changing societies. No matter what experts were involved, no one saw answers, no one saw new jobs around the corner. The new jobs that have always come with transition. Yet they are announcing themselves undoubtedly. To find answers we have to listen better to industries that are in the middle of the transition. If anyone knows what these new jobs are, then it must be here.

For years I am hearing the Dutch technical community saying we have a total mismatch between demand and supply where students are involved. I heard it first in 2012 or 13 and now in 2017 things seem to have changed little. So what are the demands that change, the transitions taking place in our society and industry, asks for of our educational system? What curricula are in demand? And how do we make our children, our workforce of the future understand that it is important to take the courses and classes that will lead to jobs, instead of being educated for jobs that soon do not exist anymore? I know parents who seriously fear whether their children will ever hold a meaningful job.

Politics
In those same workshops elected members of parliaments stated that they do not see a vision on that future being discussed in their respective parliaments, that their colleagues do not grasp the transition we are all in. If this is the case, who is to lead before it is too late?

These are giant questions that need to be answered. The current discontent comes from uncertainty, the loss of jobs with no, meaningful, alternative in sight. Add to that the, stirred up, fear caused by the mass influx of refugees and the acts of terrorism. The result is a dangerous brew that drives people towards populist politicians profiting from and heightening that discontent, while feeding that fear without offering any actionable solution to any of the underlying problems.

Leadership comes in twos
It is all nice and fine to be negative about all this, but that does not make sense. So what are the alternatives? Politicians, assisted by their underlying force of policymakers, are chosen by the people to lead. It is time they do so, but not without the urge and assistance of those in the know. With the right information it is possible to change for the better.

Together tracks can be selected that assist people to new jobs that are in line with the demand. With the right information societies must be able to create curricula, courses and classes that match current demand. And when we are at it. Together we must be able to define policies on what is acceptable online and what not. Together we can make a serious start on how to make the Internet a safer place for all. Together we can ….. (fill in your favourite here).

It’s time to start thinking outside of the box, outside of that safe silo, even a little will make a difference. All developers around the Internet are doing that constantly, disrupting existing structures by the day. So all involved can learn here. If relevant parties do not step forward and start cooperating, the democratic world may step into that state of complacency soon and the result may be something I simply do not want to be involved in. So let’s get to work for the better.

Wout de Natris

Haarlem, 25 January 2017

Posted in Cyber education, Cyber ethics | Tagged , , , | Leave a comment