Saturday 2 November 2019

Cyber Dissonance: The Struggle for Access, Privacy & Control in our Networked World

Back in the day when I was doing IT full time (pre-2004), we were doing a lot of local area networking builds for big companies.  There was web access, but never for enterprise software.  All that mission-critical data was locked down tight locally on servers in a back room.  When I returned from Japan in 2000, one of my jobs as IT Coordinator at a small company was to do full tape backups off our server at the end of each day and drop off the tapes in our offsite data storage centre.  Network technology has leapt ahead in the fifteen years since, and as bandwidth has improved the idea of locally stored data and our responsibility for it has become antiquated.

We were beginning to run into security headaches from networked threats in the early zeroes when our sales force would come in off the road to the main office and plug their laptops into the network.  That's how we got Code Redded, and Fissered, and it helped me convince our manager to install a wireless network with different permissions so ethernet plugged laptops wouldn't cronk our otherwise pristine and secure network where all our locally stored, critical business data lived.  We had internet access on our desktops, but with everyone sipping through the same straw, it was easy to manage and moderate that data flow.  Three years later I was helping the library at my first teaching job install the first wireless router in Peel Board so students could BYOD - that was in 2005.

Back around Y2K,  IT hygiene and maintenance were becoming more important as data started to get very slippery and ubiquitous.  In a networked world you're taking real risks by not keeping up with software updates. This is still an issue in 2019, at least in education.  We're currently running into all sorts of headaches at school because our Windows 7 image is no longer covered by Microsoft.  Last year one of our math teachers got infected by a virus sent from a parent that would be unable to survive in a modern operating system, but thanks to old software still infesting the internet, even old trojans get a second and third chance.  Our networked world demands a degree of keep-up if everyone is going to share the same online data - you can't be ten paces behind and expect to survive in an online environment like that, you're begging to be attacked.
The hard sell on cybersecurity perils only lasted a minute.
The possibility of nuanced control of users was much of
the rest of the presentation. When you work through an
IaaS lense, you're not on the public internet any more.

Last summer I took Cisco's Cyber Operations Instructor's Program, which was a crash course in just how fluidly connected the modern world is, and how dangerous that can be.  After logging live data on networks and seeing just how much traffic is happening out there from such a wide range of old and new technology, it's a wonder that it works as well as it does.  Many cybersecurity professionals feel the same way, our networks aren't nearly as always on as you think.

This past week I attended Cisco's Connect event which once again underlined how much IT has changed since I was building LANs in the 90s and early 00s.  The drive to cloud computing where we save everything into data centres connected to the internet comes from a desire for convenience, dependability and the huge leap in bandwidth on our networks - and you ain't seen nothing yet.  There was a time when you had to go out and buy some floppy disks and then organize and store them yourself when you wanted to save data.  Now that Google and the rest are doing it for you, you can find your stuff and it's always there because you've handed off that local responsibility to professionally managed multi-nationals who have made a lot of money from the process, but there is no doubt it's faster and more efficient than what we did before with our 'sneaker-nets'.


You probably spend most of your day with
a browser open.  Ever bothered to understand
how they work?  Google's Chrome Intro Comic
is a great place to start.
If you ever look behind the curtain, you'll be staggered by how many processes and how much memory web based applications like Google Chrome use.  Modern browsers are essentially another operating system working on top of your local operating system, but that repetition will soon fade as local operating systems atrophy and evolve into the cloud.  Those local operating systems allowed us a great deal of individual control over our computing, but we give that away when we hand off management of our data to someone else in the cloud.

At Cisco Connect there was a lot of talk around how to secure a mission critical, cloud based business network full of proprietary IP when the network isn't physically local, has no real border and really only exists virtually.

Cisco Umbrella and other full service cloud computing security suites do this by logging you into their always on, cloud based network through specific software.  Your entire internet experience happens through the lens of their software management portal.  When you lookup a website, you're directed to an Umbrella DNS server that checks to make sure you're not up to no good and doing what you're supposed to be doing.  Systems like this are called IaaS - infrastructure as a service, and they not only provide secure software, but also integrate with physical networking hardware so that the IaaS provider can control everything from what you see to how the hardware delivers it.


In 2019 the expectation is for your business data to be available everywhere all the time.  It's this push towards access and connectedness, built on the back of our much faster network, that has prompted the explosion of cloud based IT infrastructure.  In such an environment, you don't need big, clunky, physically local  computer operating systems like Windows and OSx.  Since everything happens inside one of the browser OSes, like Chrome, all you need is a thin client with fast network access.


The irony in Chromebooked classrooms is that the fast network and software designed to work on it aren't necessarily there, especially for heavy duty software like Office or Autocad, so education systems have migrated to thin clients and found that they can't do what they need them to do.  If you've ever spent too much time each day waiting for something to load in your classroom, you know what I'm talking about.  A cloud based, networked environment isn't necessarily cheaper because you should be building network bandwidth and redundancy out of the savings from moving to thin clients.  What happened in education was a cash grab moving to thin clients without the subsequent network and software upgrades.  This lack of understanding or foresight has produced a lot of dead ended classrooms where choked networks mean slow, minimalist digital skills development.  Ask any business department how useful it is teaching students spreadsheets on Google Sheets when every business expectation starts with macros in Excel.

Seeing how business is doing things before diving back into my classroom is never wasted time.  The stable, redundant wireless networks in any modern office put our bandwidth and connectivity at school to shame.  In those high speed networks employees can expect flawless connectivity and collaboration regardless of location with high gain software, even doing complex, media heavy tasks like 3d modelling and video editing in the cloud - something that is simply impossible from the data that drips into too many classrooms onto emaciated thin clients.  Data starvation for the less fortunate is the new normal - as William Gibson said, the future is already here, it's just not evenly distributed.

Seeing the state of the art in AI driven cybersecurity systems is staggering when returning to static, easily compromised education networks still struggling to get by with out of date software and philosophies.  The heaps of students on VPNs bypassing locks and the teachers swimming through malware emails will tell you the truth of this.  The technicians in education IT departments are more than capable of running with current business practices, but administration in educational IT has neither the budget nor the vision to make it happen.  I have nothing but sympathy for IT professionals working in education.  Business admin makes the argument that poor IT infrastructure hurts their bottom line, but relevant, quality digital learning for our students doesn't carry the same weight for educational IT budgets.

In addition to the state of the ICT art display put on at Cisco's conference, I'm also thinking about the University of Waterloo's Cybersecurity & Privacy Conference from last month.  The academic research in that conference talked at length about our expectations of privacy in 2019.  Even a nuanced understanding of privacy would probably find some discomfort with the IaaS systems that cloud computing is making commonplace.  The business perspective was very clear: you're here to work for us and should be doing that 24/7 now that we've got you hooked up to a data drip (smartphone) in your pocket.  Now that we can quantify every moment of your day, you're expected to be producing. All. The. Time.  I imagine education technology will be quick to pick up on this trend in the next few years.  Most current IaaS systems, increasingly built on machine learning in order to manage big data that no person could grasp, offer increasingly detailed analysis (and control) of all user interaction.  Expect future report cards to show detailed time wasted by your child data on report cards, especially if it can reduce the number of humans on the payroll.

These blanket IaaS systems are a handy way of managing the chaos that is an edgeless network, and from an IT Technician and Cybersec Operator point of view I totally get the value of them, but if the system gives you that much control over your users, what happens when it is put in the hands of someone that doesn't have their best interests at heart?


WIRED had an article on how technology is both enabling and disabling Hong Kong protestors in the latest edition.  While protestors are using networked technology to organize themselves, an authoritarian government is able to co-opt the network and use it against its own citizens.  I wonder if they're using business IaaS software that they purchased.  I wonder if many of the monitoring systems my students and I are becoming familiar with in our cybersecurity research is being purchased by people trying to hurt other people.


As usual, after an interesting week of exploring digital technology I'm split on where things are going.  We've seen enough nonsense in cybersecurity by criminals and government supported bad actors on the international stage that there is real concern around whether the internet can survive as an open information sharing medium.  Between that and business pushing for greater data access on increasingly AI controlled internets of their own that could (and probably are) used by authoritarian governments to subjugate people, I'm left wondering how much longer it'll be before we're all online through the lens of big brother.  If you're thinking this sounds a bit panicky, listen to the guy who invented the world wide web.

The internet might feel like the wild west, but I'd rather that than blanket, authoritarian control.  Inevitably, the moneyed interests that maintain that control will carve up the internet, reserving clean, usable data for those that they think deserve it and withholding it, or leaving polluted information from everyone else.  I get frustrated at the cybercriminals and state run bad actors that poison the internet, but I get even more frustrated at the apathy of the billions who use it every day.  If we were all more engaged internet citizens, the bad actors would be diminished and we wouldn't keep looking for easy answers from self-serving multinationals looking to cash in on our laziness.  I've said it before and I'll say it again, if I could help make a SkyNet that would protect the highest ideals of the internet as its only function, I'd press START immediately.

The internet could be one of the most powerful tools we've ever invented for resolving historical equity issues and allowing us to thrive as a species, but between criminality, user apathy and a relentless focus on cloud computing and the control creep it demands, we're in real danger of turning this invention for collaboration and equity into a weapon for short term gain and authoritarian rule.



“It’s astonishing to think the internet is already half a century old. But its birthday is not altogether a happy one. The internet — and the World Wide Web it enabled — have changed our lives for the better and have the power to transform millions more in the future. But increasingly we’re seeing that power for good being subverted, whether by scammers, people spreading hatred or vested interests threatening democracy."
- Tim Berners Lee

"The internet could be our greatest collaborative tool for overcoming historical inequity and building a fair future, or it could be the most despotic tool for tyranny in human history.  What we do now will decide which way this sword will fall.  Freely available information for all will maximize our population's potential and lead to a brighter future.  The internet should always be in service of that, and we should all be fighting for that outcome in order to fill in the digital divide and give everyone access to accurate information.  Fecundity for everyone should be an embedded function of the internet - not voracious capitalism for short term gain, not cyber criminality and not nation state weaponization.  Only an engaged internet citizenship will make that happen."
- my comment upon signing a contract for the web.