Our current issues with cybercrime have multiple roots and solving the big picture problem will take more than making stabs at one or another issue. Think of it as solving a Rubik’s Cube. You have to solve all sides of the cube simultaneously if you expect success. Arranging all the red or blue squares for example on one side, will still leave you with 5 sides looking like a dog’s breakfast. Many of the challenges facing humanity right now are of the Rubik’s Cube variety yet we persist at attacking them like different versions of Whack-a-Mole. I should write a separate piece about that!
The latest in-coming at the Facebook bunker comes from friendly fire. Co-founder, and luckiest Harvard roommate ever, Chris Hughes, last week called for Facebook’s breakup in the New York Times. And as welcome as this call to action might be, it’s not the first and, like others, it might be wide of the mark, not because Facebook doesn’t need fracturing but because a breakup done poorly or without sufficient consideration might do no good or even produce more harm.
We’re going through some growing pains with the whole cyber world and taking stabs at one or another solution can cause great harm not least due to the inadequacy of taking a silver bullet approach. You know, if we could only do this one thing everything else would be fine. This approach barely works in medicine and has no hope of success even in something as mundane as dieting. We need a comprehensive cyber-solution and this article envisions what one might look like.
A comprehensive solution to cyber growing pains would include,
1. A light touch self-regulatory regime to enable regulation at the point of use.
2. A means of eliminating improper use by corporations.
3. A way of curtailing mis-use by nation states.
In the process, business models like Facebook’s would change enabling the company to continue making money and support users who now depend on it. Let’s start at the beginning.
Logic out the window
You more or less know you are being lied to when advocating change if you’re met with variations of, “We can’t do that because it would be too expensive,” or “It would never work,” or “It could cripple the whole industry,” or, even better, “We’d like to but it’s just impractical.” Nothing could be further from truth telling. What’s really being said at those times is, “We’re making money hand over fist and we like the system as it is. Those things you call bugs are really features. Now go away.”
The cigarette industry was famous for such strategies though they aren’t alone. Part of the strategy includes hiding any relevant information to prevent the public from doing its own analysis. Oil companies give us, “We’re not sure if we’re causing all that pollution,” while advertising in the opposite direction, until quite recently. A New York Times story’s opening says more than I can,
“Exxon Mobil, under fire over its past efforts to undercut climate science, is accusing the Rockefeller family of masterminding a conspiracy against it. Yes, that Rockefeller family.
The company, which has been accused of scheming to pay surrogates to deny the threat of climate change, is trying to turn the tables by calling its opponents the real conspirators.”
If we had time and space, we could go off on quite a tangent here but let’s just abbreviate what could be said next with, “No collusion,” or “Investigate the investigators” or “(Somehow) it’s Hillary’s or Obama’s fault.”
Simple point #1, The light touch
American democracy’s approach to regulation has historically been using self-regulation as a first line of defense and it’s worked for over a century. By enacting laws and standards, very often professional associations take on the work of regulating their members leaving government to deal with higher level issues. For instance, the IRS has more than 80,000 employees making an average of a bit over $72,000 each. They ride herd on more than 140 million tax returns. A nice ratio.
Tax law has spawned an industry of accountants and tax preparation professionals to help individuals and corporations stay in compliance with the law. In 2016 the US Bureau of Labor Statistics estimated there were 1,397,700 accountants and auditors plying their trade in the US enforcing tax laws at the tax payer’s expense. Well done!
We can go on. Every profession has some form of state or federal certification and enforcement arm. Plumbers, electricians, beauticians and almost any professional services specialist you can think of has a certifying agency ensuring members toe the line. Doctors? Sure. Each state has a board of registration in medicine but private associations regulate much of medical practice. For instance, specialists all have additional certifications from professional organizations. That’s why the words “board certified” are so important.
Check out the American Board of Medical Specialties (ABMS), the American Board of Physician Specialties (ABPS), or the American Osteopathic Association (AOA). These organizations take over where state boards stop.
Solution to simple point #1
Social media doesn’t have anything like the ABMS, ABPS or even a state licensing program that plumbers, hair stylists and others have. Maybe social media users should have certification.
Just as you can cut your own hair or install a new kitchen sink in your own home, personal use of social media should remain as is. As long as people are trading pictures of food and puppies or catching up on what just happened on some reality show, fine. Let it be.
But anyone wanting to address thousands or millions of people on the Internet with some great idea or bargain should meet some standards such as identifying themselves accurately and agreeing in writing not to harm the system (part of certification). You can install your own kitchen sink, but you can’t dig up the street and mess with the water main. See the difference? But right now, social media users are free to crank up a back-hoe and begin digging. Why is that?
Simple point #2, Eliminating improper use
Facebook was caught giving access to consumer recordson multiple occasions, promised not to do it again in a famous consent decree, and proceeded to ignore the decree. Some amount of law might be needed to keep data safe and prevent its distribution to people who would use it in conflict with Facebook’s commitments to its users. Obviously this goes for all businesses that hold consumer data.
Solution to simple point #2
This shouldn’t be hard. The European Union has been coming after Facebook and others with fines and regulations like the GDPR. The social network is teed up to pay a $3 billion to $5 billion fine in the US for its bad behavior but critics view this as a slap on the wrist. This is why some are calling for Facebook’s breakup, but there is a more targeted approach.
The company founded on an application has morphed into a platform provider with applications. A platform operates at a level of abstraction above the apps and supports them. Facebook apps include Instagram, What’sApp, Oculus VR, FriendFeed, LiveRail.
In other competitive markets a company that is a platform doesn’t typically own apps, that’s generally space for competition. The platform company is in a different line of business by that point. For example, McDonalds began as a chain of burger joints but as it grew the core corporation became a distributor of raw materials like frozen burger patties, the enforcer of standards and the primary advertiser. It also became a real estate company that owned stores that franchises lease.
Making that transition is tricky but in Facebook’s case the time has come. Facebook should be in the platform business providing platform services like security of the core database. Other software companies such as Salesforce sell their original apps but they also sell access to their development platform. Partners use the platform to develop apps that interface with and overlap Salesforce but the two don’t directly compete. Over time it’s likely that Salesforce will be primarily a platform provider except for the original customer relationship management apps. Facebook is at this juncture too.
As it takes on the platform provider mantle Facebook’s business model would need to change and that’s the point. Facebook can’t be in the business of recruiting new individual users as well as safeguarding the data and its brand. Divesting the apps on a country-wide basis would offer opportunity for more variation and diversity and fuel more growth. It would also get Facebook out of the dangerous position of turning a blind eye to improper data use. How to do this? See point #1. With self-regulation a new business would open up in which specialist vendors resell Facebook services with their own value add. The partners would assume some, but not all, of the responsibility for self-regulation.
This is an analogous situation to what happened when AT&T was broken up by a consent decree in 1982. The breakup enabled a massive wave of innovation over pent up demand and directly resulted in voice mail systems and mobile telephone use. Today AT&T is a dominant player in mobile phone service and still manages to make money.
Simple point #3, Curtailing mis-use by nation states
Admittedly, this point doesn’t have a lot to do with social media or Facebook but it is part of a comprehensive solution.
Currently there is a silent and multi-sided cyber war going on. It’s a Hobbesian battle of all against all with specialization by bad actors. The irony here is worth comment: bad actors are specializing but in the US we don’t specialize in the way that the above discussion would support. China is mostly about industrial espionage, stealing industrial secrets including software and product specifications and more. Russia and several Eastern European actors are into sabotage of western democracies including interfering in elections, leveraging social media to stir up resentments and divide opponents.
We’re well aware of how this works but keep in mind the US is not the only victim and that it has been an aggressor too. Brexit and elections in France and elsewhere have been hacked by Russian operatives.
The old Russian playbook
Russia has, for decades, sought ways to destabilize the west and it struck pay dirt with social media. All this is happening with a backdrop of a declining living standard and longevity in the former USSR whose tactics against the west haven’t changed in at least 50 years.
In the late 1950’s Premier Nikita Khrushchev launched a strategy of “wars of national liberation” against the west. The USSR would partially fund, encourage and foment destabilizing actions against newly liberated and democratizing former colonies. The US partly took the bait spending much time and treasure playing whack-a-mole against those efforts. Vladimir Putin seems set on reviving Khrushchev’s strategies but he should really think hard about it.
In 1961 John Kennedy addressed a joint session of Congress to request more money to address the Soviet challenges. He asked for additional funding for new Polaris submarines that carried nuclear missiles, a reorganization of the Army and Marines, and more funding for the US Information Agency’s broadcasts to the third world. Kennedy also asked for money for what would be called the Space Race.
Russia is a very good STEM (science, technology, engineering, and math) power but it has historically been hobbled by backward political theory. In the end the Soviet Union couldn’t compete with America’s more liberal approach to government, economics, and business and it never got a Cosmonaut near the moon. Ronald Reagan reprised the idea of battling the Evil Empire with engineering competition with the Strategic Defense Initiative (SDI) a battle that bankrupted the Soviets and broke up the country.
Why is this important?
You’d think that the Russians would learn from their history but that’s not the case. Their use of Internet and social technology to destabilize the world and make it more to their liking is short sighted and can potentially disrupt them again just as SDI did 40 years ago and the Space Race before that.
Solution to simple point #3
It’s not hard to trace malicious actions by a hostile nation on the Internet and currently there are no consequences for bad actions but there could be, and it wouldn’t be hard to implement.
The World Trade Agreement which brought into existence the WTO (World Trade Organization) contains a great deal of language about how nation states interact through trade. Members of the treaty organization, which is virtually every nation on the planet, can and often do bring disputes to the WTO for litigation and resolution per the terms of the agreement. If a nation dumps steel for instance, i.e. selling it below cost and that dumping damages the target nation’s indigenous steel industry, the targeted nation can get redress from the WTO. All this happens in a civilized way and no shots get fired. That’s real progress compared to 100 years ago.
But the WTA was written and implemented when computers were dumb but useful tools for record keeping. The agreement never envisioned the world we have with artificial intelligence and machine learning. So, it’s time for a refresh.
It would be relatively simple to add language to the WTA to sanction and even suspend or expel members that violate a cyber war prevention provision to the agreement. Some might argue that this is impractical and that in Russia’s case there already are crushing sanctions in place. But sanctions are not much better than medieval siege warfare. They take a long time to have an effect and they are easy to disrupt through cheating.
Others might disagree on the ability to get the world’s nations to all agree on such a treaty amendment but then again that’s what some people said about the original WTA but here it is. In practice, if a few nations led by the US and NATO countries decided an amendment was needed and they set a deadline for compliance by threatening tariffs on those who refused to go along, the trading system wouldn’t break. Rather, the nations of the world would ratify the change and we’d finally have a mechanism for policing and enforcement of civilized cyber behavior.
If you doubt that, consider The United Nations Convention on the Law of the Sea which established a comprehensive regime of law and order in the world’s oceans and seas establishing rules governing all uses of the oceans and their resources. We even have The Geneva Conventions that protect people who are not or are no longer taking part in hostilities. This can include POWs, wounded, etc.
Here’s a 555 page publication from the US State Department listing all of the treaties that the US is party to and that were in force as of January 2018. Don’t say this can’t be done.
First thanks for reading. This was a lot. The takeaways are simple:
1. We have the wherewithal to contain cyber misbehavior in its various forms but it’s not as simple as finding one quick fix. Several fixes are needed but they’re straightforward.
2. Regulation is always behind innovation for the simple reason that until innovations stabilize there’s nothing to regulate. In the interlude between stabilization and regulation there is often a (hopefully) brief period of wild west activity that drives most of us crazy. This is that.
3. It’s not okay to ignore the problem because it could get worse. But it’s also not okay to throw any old solution at the problem because a bad solution could also make things worse. What’s required is thoughtful analysis and implementation of “just right” management to borrow a phrase from Goldilocks.
This article tries to point out some of the ideas that ought to be considered for a cybercrime-free future. What are your ideas?