Security and Society: An IBM Deep Dive

IBM’s Global Innovation Outlook

• Launched in 2004
• Opened IBM’s in-house forecasting of trends in business and technology to outside thought leaders
• Security and Society: A series of six Deep Dives in 2008
• Water: second series of Deep Dives in 2008

Deep Dives on Security and Society

• Six Deep Dives
  – Moscow
  – Berlin
  – Taipei
  – Tokyo
  – Vancouver
  – Chicago

Deep Dive format

• Representatives from IBM GIO team, who attended all Deep Dives in series
• Other IBM personnel
• About twenty other attendees from business, academia, and government
• One day brainstorming session preceded by reception and dinner the night before
• Final report based on six Deep Dives of series

Rationale for Security and Society Deep Dive

In April, the GIO began its first focus area of 2008: Security and Society. Why security? Because the need for security is a fundamental part of the human condition. Lives are spent in pursuit of it. Societies are built around it. And businesses buy and sell the promise of it.

The ongoing battle between those that desire security and those that undermine it has never been in more flux than it is right now. Globalization, ideological conflict, and a global communications network that connects everyone on the planet have conspired to reshape the global security landscape in a matter of decades.

As a result, new thinking needs to be applied to this new reality.

Suggested Deep Dive Theme

“To fight a network, you need a network” - Katharina von Knop, Assistant Professor, University of the Armed Forces, Munich

Claim: Web 2.0 social networking can provide such a network

Deep Dives before Chicago

• Starting in April 2008
• Moscow
  – First Deep Dive broaching concept of community security
    • Towns, villages, families, and individuals all have a role to play in security
    • Many participants say that innovative management of energy supplies will be Russia’s greatest contribution to global security
    • Green Mark vodka – countering counterfeit products

More Deep Dives

• Berlin
  – “Sustainable security”: must root out causes of instability and conflict, e.g., resource scarcity, wealth disparity, oppressive governments

More Deep Dives

• Taipei
  – Building on SARS outbreak of 2003 – immune system as metaphor for global security
    • Threats allowed to enter system
    • System quickly responds and bolsters defenses against similar future attacks
  – Athol Yates, Executive Director, Australian Homeland Security Research Centre
    • Balance of supply chain efficiency and security robustness
    • Plans for International Homeland Security office

More Deep Dives

• Tokyo
  – Concern that Japan losing reputation for being one of safest and most secure countries
    • Globalization interfering with culture of security and allowing physical and digital destabilization forces into Japan

More Deep Dives

• Vancouver
  – Online identities focus of discussion
    • How to manage and control personal identification online
  – Consensus that delicate balance of centralized and distributed security is the right way to address global security

Chicago Deep Dive

• Key Theme: Privacy – Cavoukian, strong advocate
• IBM GIO attendees
  – Amy Hermes, Worldwide GIO Program Director
  – Verna Grayce Chao, GIO Business Development Manager
  – Laura Lombard, GIO Program Coordinator
  – Kristopher Lichter, Director, Exploration Programs, GIO Executive Director
  – Milind Naphade, GIO Research Liaison

Chicago Deep Dive

• Other IBM attendees
  – Marc Lautenbach, General Manager, IBM Americas
  – Chung-Sheng Li, IBM Research, Security & Privacy
  – Harriett Pearson, VP Regulatory Policy and Chief Privacy Officer
  – Cathy Lasser, VP Industry Solutions and Emerging Business
  – Rey Khachatourian, Senior Information Architect, Customer Experience Strategy, Global Business Services

Other Chicago Attendees

• Linda Foley, founder Identity Theft Resource Center

• Carol Rizzo, CTO, Kaiser Permanente
• Andrew Mack, Director Human Security Project, Simon Fraser U. – U.N. experience
• Natalie Ambrose, futurist, Future Expeditions
• Christopher Hoff, CISO, Unisys
• Erv Blythe, CIO, VPI&SU

Other Chicago Attendees

• Mustaque Ahamad, director Information Security Center, Georgia Tech

• Julie Fergerson, VP of Emerging Technology, Debix Identity Protection Network

• Chris Kelly, Chief Privacy Officer, Facebook
• Dan Shefflin, VP of Advanced Technology for Automation and Control Solutions, Honeywell
• Michael Barrett, CISO, Paypal

Other Chicago Attendees

• Glenn Armstrong, VP of Corporate and Global Innovation, Alticor
• Marc Sokol, JK&B Capital partner
• Ann Cavoukian, Information and Privacy Commissioner, Province of Ontario
• Pat Conley, SVP Product Development, Verisign
• David Trulio, Special Assistant to the President, White House, DHS

The Report

• Distributed Security: The Network Effect

• Government and Business: The New Roles

• Incentives: Best Behavior

• Privacy and Identity: Getting to Know You

The Network Effect

• Common Law
  – Community-based security (vigilantes?)
• Wireless Watchdogs
  – Mobile phones
    • Thayer School Engineering in Medicine poster winner – detect counterfeit medicines – Ashifi Gogo, Ghana
• The Secure Supply Chain
  – Athol Yates - smart supply chains with central analysis engine for risk data at all levels

The New Roles

• Good Security, Good Business
  – Private sector has more incentive for strong security than government or individuals
  – 1.6 to 2% revenue lost to fraud, theft, and organized crime
• The Legal Vacuum
  – Courts of law dangerously out of touch with digital criminal landscape
• Built-in Security
  – Embedding security into products, e.g., car alarms
  – Trade-off between convenience and cost, e.g., iPod

Best Behavior

• Strictly Business
  – Money is the most powerful incentive for changing behavior – Green Mark example
• The Threat Within
  – 92% of insider attacks precipitated by negative work-related event – not opportunism (CMU report)
  – Monitoring, soft incentives
• Convenient Truth
  – Having good security makes life more convenient
    • Travelers pay annual fee for prescreening of personal data

Getting To Know You

• The Master Token
  – Biometrics
    • Cancelable biometrics, e.g., distorted fingerprint
• Reputation Reconnaissance
  – Peer-to-peer based online rating systems
    • Social network
    • Aggregated by third party, like credit ratings
• Reclamation Project
  – Data tethering – can know who is using your personal data

On-going Collaboration

• IBM R&D
• Julie Fergerson, Linda Foley - Identity Theft
• Christopher Hoff - Unisys
• Ann Cavoukian – Information and Privacy Commissioner, Ontario – video surveillance
• Carol Rizzo, CTO, Kaiser-Permanente – Secure Medical Records
  – Decades of medical records for same patients from 26 hospitals
• Athol Yates (Taipei) – International Homeland Security