Responding to Cyber Creep

For the past seven hundred years or so, the Tower of London has been secured each night through the Ceremony of the Keys. The Yeoman Warders lock up at 10 p.m. with the monarch’s official keys, in a tradition that is now a tourist attraction rather than a deterrent to thieves. This ritual is of course similar to the more famous Changing of the Guard at Buckingham Palace, where thousands of onlookers often gather to watch and make funny faces at the statuesque footmen.

The pageantry of these displays tells us much about the ages-old concept of how to ensure security: give a show of visible force—and often a clear message of unseen force and potential legal punishment. The Roman emperor’s security detail no doubt functioned much the way that the Yeoman Warders did, albeit with different tools of protection. And their strategies were not too different from the approach behind today’s shopping mall security guards, the U.S. Secret Service, or the “Protected by ADT” signs that mark American yards and windows.

Such strategies, however, may have finally met their match. The Internet and other cybertechnologies are increasingly eroding the formal delineations that underlay traditional conceptions of security: your space vs. my space, your person vs. my person, your country’s laws vs. my country’s laws. Virtual space, after all, is a paradox: unique expressions of it, such as a website, are both nowhere and everywhere at the same time. As we further connect ever larger spheres of our physical lives to virtual space, policing this realm will present serious new technical, legal, economic, political, and moral questions.

Worlds Converge

According to Nielsen//NetRatings, the typical U.S. home Internet user spends roughly 13 hours more per month online currently than they did at the beginning of 2003, and the typical work user spends almost 42.5 hours more per month than they did in January. Every day, there is more to do, see, and learn on the Web than there was before, and the speed with which we access these new virtual places (or old favorites) is growing. Nielsen//NetRatings estimates that broadband access grew by nearly 50 percent between May 2002 and May 2003.

Faster surfing is not just a more pleasant experience; it makes feasible entirely new applications. The Web’s most controversial use to date—music streaming and sharing—is hardly sufferable over a dial-up connection but is a world at your fingertips when accessed over broadband. The same is true for video, voice, and other bandwidth-gorging uses.

The most important consequence of faster Internet access will not be new uses for the personal computer, however; it will be new uses and increased connectivity for new products. This idea of incorporating cybertechnologies into practically everything we own goes by names like “convergence” and “everywhere-connectivity,” and is the next wave of technological innovation.

The Internet and television are slowly merging. Already, four million people in the United States alone have access to video-on-demand. Cellular providers are pushing toward a world where a souped-up personal digital assistant (PDA) will become a central feature of modern life, giving us continuous access to the virtual world and nearly all corners of our physical world. Wi-Fi (wireless) visionaries imagine perpetual interconnectivity between TVs, DVDs, PCs, PDAs, lights, air conditioners, door locks, bank accounts, fantasy football games, digital photo albums, and the local Starbucks.

For instance, the British department store chain Marks & Spencer is investigating the potential of microchips in clothing that would “talk” to the washing machine to ensure that it uses the correct washing cycle. Massachusetts Institute of Technology’s Media Lab is providing the research for such ambitious future gizmos. In addition to networked clothes, the lab’s projects include “memory glasses,” eyeglasses that function as short-term memory assistants, and a “context aware cell phone” that knows when a user is in a restaurant or at the symphony and automatically shuts off his loud Ninth Symphony ringtone.

As we are pushed forward by the next waves of information technology, Dr. Sherry Turkle of MIT explains, “The challenge is to deeply understand the personal effects of the technology in order to make it better serve our human purpose” (Harvard Business Review, September 2003). Erasing the borders between the real and virtual worlds—a process we might call cyber creep—will create our most important cybersecurity dilemmas for a long time to come. The very advantages we derive from cyberspace—greater convenience, greater access, new sources of value—will also become the targets of cybercriminals and terrorists. The new ways we use this connectivity and the new applications we develop to maximize its utility will drive unpredictable sources of value and, thus, targets for cyberattack.

Consider, for example, video gaming.

Hollywood action movies are now written, developed, and marketed with a video game version in mind. ESPN uses EA Sports’s College Football 2004 video game to demonstrate college teams’ plays, and NASCAR uses EA Sports’s NASCAR game series to explore the characteristics of individual race tracks. The gravitational pull of the video game on other media is driven both by its current value of billions of dollars and by its potential to reap billions more from online gaming. Microsoft founder Bill Gates did not launch the X-Box, a video game system that allows online competition, just because it was fun. Gaming online with strangers is a phenomenally popular pastime. Nielsen//NetRatings reports that the top ten online gaming sites in August had a combined audience of 16,580,000. Multiply that number by a few dollars per month per person, and it becomes clear that there is big business in these frivolous bytes.

But one does not have to own a software company to make big business out of online play. The January 2003 issue of Wired magazine told the story of Bob Kiblinger, who is a sort of leveraged buyout specialist for online players’ virtual “assets” in the game Ultima. In the game, these assets—houses, barns, shoes, occupations—can take an individual player hundreds of hours to develop or earn. Kiblinger buys, in real money, assets from players and sells them, in real money, to other players who would rather pay for them than spend the time to earn them in the game. Kiblinger’s biggest payoffs, and hence the leveraged buyout function, come from buying a player’s combined assets and stripping them apart to be sold individually—houses from estates, barns from houses, and shoes from closets. This is Kiblinger’s way of making a living. And he is evidently not the only one doing it.

Kiblinger demonstrates the complexity facing us as we consider the future of cyber-security. The gradual development of new mechanisms for connectivity—cyber creep—often introduces new vulnerabilities. The explosion in popularity of instant messaging, for example, has opened up new openings for worms and remote penetration. Imagine, then, that it were possible for a hacker to find a security flaw that allows him or her to manipulate the real value of virtual assets in arenas like gaming.  How do we evaluate the degree of social harm created when theft occurs in a virtual game that just happens to have adherents who take it so seriously that they spontaneously create mechanisms of determining financial value in a nonvirtual space? The danger becomes even more acute if we imagine a future in which virtual assets become important in less playful contexts.

Legal Lagging

The answers to the new questions that cyber creep presents may seem easier to come by than they really are. We have already witnessed, for example, a disconnect between popularly accepted conceptions of the rule of law in the physical world and its attempted extension into the virtual world. Online music swappers clearly consider the anachronistic character of physical music distribution systems a moral justification for sidestepping real-world copyright laws. And there would seem to be some public sympathy for their cause. Who really views children and grandparents sharing MP3 files as the equivalent of copyright pirates? Even the experts are fiercely debating the role and shape of copyright and other legal principles in a digital, virtual world.

According to data from the NPD Group’s NPD Music division, 36 percent of U.S. households with Internet access possess no digital music files on their computers, and another 36 percent possess one hundred or fewer such files. However, 5 percent of online households have more than 1,001 files. These super-swappers provide 56 percent of the total inventory, and they are precisely the people targeted by the Recording Industry Association of America’s now-famous lawsuit.

Unfortunately, such gross violators of copyright law are disturbing the evolution of online music exchange for fair users. The potential of a small number of online criminals to diminish the experience of the much larger online majority is demonstrated by the growing use of digital constraints on CDs, DVDs, and other digital media provided through digital rights management (DRM) technology. DRM provides a cybersecure mechanism for preventing illegal copying and sharing of digital artifacts, but it can also prevent all copying and sharing of digital artifacts without extreme (and illegal) efforts to neutralize the encoding. Robin Gross, an intellectual property attorney with the Electronic Frontier Foundation, argues that “DRM technology may not be capable of distinguishing between legal and illegal uses” of a digital artifact for which fair use is a long-established right of the consumer. For example, rapper Anthony Hamilton’s newest album, released September 23, 2003, totally prevents unauthorized duplication or play on more than one PC.

In virtual space, the distinction between one person’s space and another’s is entirely fluid. The physical action of stealing an entire warehouse supply of CDs deprives their true owner of his property. Taking the same amount of music in the virtual realm, by contrast, does not directly deprive its owner of anything; it only cuts into “potential” sales, if that. Moreover, the actions involved in such thievery are not greatly different from those required in legally copying a single song from a CD one has bought onto one’s computer for transfer to a portable MP3 player. Hence, the old saw about “my rights ending at the tip of your nose” is not very useful in an unbounded world. Nonetheless, it is all we have, and so our efforts at cybersecurity, lacking a better paradigm, often proceed as if it made sense in this new context. The extreme result can be the elimination of the boundaries separating individual rights from group rights and the presumption of innocence from the presumption of guilt—as with DirectTV’s legal suits against all “smart card” purchasers that ask defendants to prove their legitimate reasons for making the purchase—the very boundaries that must be protected if cybersecurity measures are to be viable.

Cyber Creeps

This quandary likely will be repeated countless times in countless ways over the coming years. Increasing shares of our real lives will be introduced to the virtual world—whether we like it or not—until one will rarely if ever be without the other. Computing power and speed are always increasing, while computing price and size are always decreasing. As a result, technological change is taking place at an astonishing pace. Each new development holds the potential for unpredictable types of abuse, many of which will be difficult to reconcile with our real-world laws and security efforts.

Even in instances where cybercrime would be universally recognized as odious—such as financial theft—the degree of state or corporate power to which we are willing to assent to prevent it may exceed comfortable or appropriate limits. The ease of digital copying and distribution of music files have led the media industry to seek copyright and usage protections for the digital age that are more extensive than their antecedents. It is not difficult to imagine a further technological evolution that changes the game yet again.

There are, however, some certainties about this future. We do know that where some seek and find value, others will create and provide it. A smaller number will attempt to destroy or steal it. Some will attempt to destroy or steal in the virtual world as part of a larger attempt to wreak havoc on the physical world. The members of these last two groups will represent a wide array of different motives and tactics. Perhaps the most challenging factor is that the cybercapabilities we must counter will differ dramatically from one another, ranging from a teenager with a lone PC to nation-states with fleets of supercomputers.

The problems are growing rapidly. This past summer, Carnegie Mellon’s CERT Coordination Center stated that between 1997 and 2002, the number of reported Internet security incidents grew by 3,747 percent, from 2,134 incidents in 1997 to 82,094 incidents last year. We are well on pace to keep up with this explosive trend in 2003. More than 76,000 such incidents were reported in just the first half of the year. There is a danger that, as with music piracy, the worst of these incidents will determine the aggressiveness of the cybersecurity measures we are willing to employ. Microsoft, for instance, recently closed its free, unmoderated chat rooms to all users due to their use by pedophilic sex offenders.

As we now begin to consider the even more serious threats of cyberterrorism and cyberwarfare, the potential for harm would seem to be great enough to justify the most draconian security measures. Of course, the value (including the economic value) that comes from the fluidity and openness of cyberspace could be greatly diminished by severe restrictions or pervasive surveillance. For example, Dartmouth’s Institute for Security Technology Studies demonstrated a clear link between defacements of Israeli websites and instances of physical conflict between the Israelis and Palestinians in 2001. Such digital graffiti is also popular among cyber-malcontents far less dangerous than international terrorists. In the War on Terrorism, we will want to pay more attention to graffiti connected to international terrorism than to a college environmental group digitally translating the spirit of the ’60s. The alternative would be like throwing the baby out with the bathwater, allowing cybercriminals to dictate the evolution of the entire virtual world.

Fortunately, cyberspace itself presents a natural means of monitoring potential cybercrime as well as a mechanism for committing it. However, the availability of more powerful surveillance tools increases the potential for intrusive corporate and governmental actions. This danger will be magnified as the fusion of the real and virtual realms extends to security technologies. For example, the use of biometric authorization procedures for voice, face, or iris signatures is increasing, as are proposals to use similar technologies in public spaces. Whereas a face-recognition camera connected to an employee’s computer might seem a reasonable cybersecurity measure akin to a log-in and password, a face-recognition camera in Times Square would be another matter entirely. As we determine the appropriate dividing lines between public good and privacy, and between preemptive surveillance and unreasonable intrusion, such distinctions will be crucial.

Cyber creep, the gradual collapse of the dividing lines between virtual and real—in the ways we use our technology, the targets and types of crime that develop, and the methods of preventing crime or attack—presents as difficult a problem for the political, legal, economic, and technical dimensions of security as any we have ever faced. As with the business strategies of firms or the education of workers, technology will force continuous adaptation. There will be no cyber Yeoman Warders in this new world, performing their duties with romantic flourish hundreds of years hence.