In 1949, the great John von Neumann lectured on the “Theory and Organization of Complicated Automata,” which included a discussion of “self-reproducing automata”—what would later be dubbed “computer viruses.” Ever since then, activities and enterprises dedicated to digital security have focused primarily on malware. As late as 2010, national security maven Richard A. Clarke made malware and physical threats to the Internet backbone the centerpieces of his Cyber War: The Next Threat to National Security and What to Do about It (Harper-Collins). In February 2013, however, Mandiant’s publication of APT1: Exposing One of China’s Cyber Espionage Units suddenly brought general public awareness of the security threat posed by the penetration of privacy as opposed to security.
The Mandiant report showed that, for at least six years, elements of the People’s Liberation Army (PLA) had been preying upon the intellectual property of some 150 businesses and organizations in the US and other Western nations. Up to this point, officials and experts (such as Clarke) focused on educating the public about online threats to the operability of individual computers, entire networks, and even the Internet itself. Determined hackers, they warned, could ravage significant pieces of the Internet, committing the equivalent of cyber homicide. The APT1 revelations dramatically revealed that the far more insidious and profitable cyberattacks were not security exploits but privacy exploits—not cyber homicide but something akin to cyber kidnapping. The idea was not to victimize a government agency or a corporation by killing its networks, but to keep the victims alive and producing intellectual property that could be siphoned off and consumed for years to come.
The value of personal data has an increasingly frequent topic of discussion lately. The announcement, on July 28, of the merger of advertising giants Omnicom and Publicis made headlines largely because, between them, the two companies enjoyed 2012 revenues of $22.7 billion. It was Big Money that came from Big Data. Everything we browse to, look at, click on, and buy, every online form we fill out, every social media post we make, every Facebook like we register, every ping our smartphones fling into the ether is harvested by companies like Omnicom and Publicis. If we don’t like it, we can try to minimize our digital footprint or we can just learn to live with it. Or we can ask the question an AdAge Digital headline asked in 2011: “Here’s My Personal Data, Marketers. What Do I Get For It?”
To the degree that data becomes currency and privacy thereby becomes fungible, protecting one’s personal hoard of Big Data will be a very basic security issue, like locking down a bank vault. Even without a direct cash value, however, privacy is already valuable. It translates into personal and corporate reputation, into personal and corporate brand identity, and into personal security. Whoever invades the privacy of an individual or a company may be enabled to commit fraud, theft, extortion, or even such physical crimes as home invasion and abduction. Businesses that fail to safeguard customer and client privacy not only risk damage to their reputation and brand, but may incur ruinous civil and even criminal liability.
Little wonder that privacy is overtaking the likes of virus and malware protection as the new and sexy “security” frontier. The smart digital security providers are those who are scrambling to add creative privacy products to their existing portfolios of traditional security offerings. And the scrambling should be all the more urgent amid the unending drip-drip-drip of the ongoing Snowden leaks about NSA and other government incursions into digital privacy.
On the whole, the emphasis on privacy as the new security is a good thing, both for the online security industry and for consumers. Let us not, however, lose sight of the fundamentals of digital security, which do include those 1949-vintage threats. Thanks to the proliferation of mobile platforms, especially those with Android operating systems, malware infection is a bigger menace than ever—and yet one that many users blithely ignore. In July, the Department of Homeland Security and the FBI jointly issued a “Roll Call Release” to alert first responders in the law enforcement, fire, EMS, and security communities to the need for updating the operating systems on their Android devices. The document noted that 79% of mobile malware threats in 2012 attacked Android devices, yet fully 44% of Android users were still using the Gingerbread OS, released in 2011 and riddled with security holes plugged in more recent versions. Even among those of us who do regularly update and patch our systems, there is overconfidence in the efficacy of signature-based antimalware software and a concomitant complacency about the threat posed by more sophisticated “metamorphic” malware, which can encrypt or modify itself to disguise its signature and thus evade antivirus programs.
Privacy the new security? Perhaps. Security, as we know it today relates predominantly to viruses and malware. However, this applies only to the security of the computer and the digital items it stores. Privacy relates to the security of the individual, that is significantly amplified in our connected world, filled with mobile devices. But it is far more productive to think of security as one continuous spectrum on which both 2013 privacy and 1949 security demand the same equally urgent priority.