No need to watch a summer blockbuster for excitement, the realities of cyber crime are enough of a thrill. Marc Goodman outlines in his book “Future Crimes” how technology has shaped criminal operations, how vulnerable we already are, and the potential impact of emerging technologies.
This book is full of illuminating stories about how technology can (and has been) used by criminals. Here are some of my top takeaways from the book:
The systems we live and work in are vulnerable
If there was an intruder in your house right now, you’d probably take immediate action.
However, there’s crime happening all of the time that most of us aren’t aware of or doing anything about.
Cyber crime. Publicized hacks of company databases are not isolated incidents, they are symptoms of systemic problems. As we become more connected and information about us is collected, shared in public, stored in multiple systems, or sold behind the scenes, we are at increasing risk of criminals using it against us.
“Every computer system is hackable.”
– Marc Goodman
One problem is that we’ve grown to trust screens and the results of algorithms, a trust that other people can take advantage of. As we become more disconnected from “reality” through virtual interfaces, black box algorithms, and machines, these tools can be used to enhance our lives but also deceive or hurt us.
Besides the technology and user experience issues, business models that increase our security risks are the new normal. Some companies are choosing business models that generate revenue by selling information about their users to data brokers, who in term sell it to other parties. That information is at risk of being purposefully or accidentally shared with malicious actors, often without our awareness (unless we read the detailed terms of service).
There’s a whole underground economy
Goodman reminds us that criminals have always leveraged technology for their own gains. They are early adopters of any technology that improves the efficiency or reduces risk associated with committing crimes. They’ve also adopted the latest management thinking, behavioral science, infrastructure, and new business models to achieve their goals.
He talks about how they’ve evolved sophisticated criminal enterprises, aka “Crime, Inc.”, with full on functions like CIOs, CFOs, and HR to support their operations. Mexican cartels built their own telecommunications network. Terrorists in Mumbai leveraged standard social media and search engines to manage their 2008 attack. There are e-commerce marketplaces for purchasing products and services related to any type of crime. Criminals build websites, apps, malware, and whole businesses to masquerade as innocent entities.
Technology is changing exponentially and criminals will be there to take advantage of it
This exponential change in technological capabilities will lead to unprecedented benefits for society. At the same time, it opens up more opportunities to cause harm. Security IT, law enforcement, and the legal system are having difficulty keeping up with the crimes committed with the aid of yesterday’s technologies. Much less prepare for future threats, in a world that’s rapidly evolving.
As solutions become more complex, with more lines of code and connected devices, identifying criminal activity, protecting against it, finding the perpetrators, and prosecuting them after the fact becomes increasingly challenging. The technological change is coming, and we have a responsibility to understand what this means from the criminal perspective.
Some of the impacts of exponential technological progress:
- The scale of impact is increasing. It is now easier to steal from or harm millions of people at once.
- The number of connections is increasing. Get access to one area of the system and it’s easier to work your way through the rest.
- Prices are falling rapidly and access is widespread. It doesn’t require a huge bank account to acquire these tools.
- Everything is going online. Items in our home, public spaces, implants, even animals are “online” now.
- More data about us will be captured and revealed. Not just social media profiles and banking info, but also our genome, location, behaviors, and content captured by sensors in our homes and communities.
- The supply chains of crime will also change dramatically and be harder to track. For example, transporting cocaine with drones, printing guns and drugs with a 3D printer, or deploying personalized biological weapons for targeted killings.
- Goodman says that “Law enforcement is a local solution to a global problem.” While doing what they can, law enforcement has limited resources, rules to follow, and the current structure isn’t set up for international digital challenges.
- Our policymaking and legal systems aren’t evolving as rapidly as they need to. Status quo or linear improvements in our social systems have no chance of catching up with exponential technological change.
- Technology literacy is expanding but there are many people who don’t understand what’s going on behind the screens. Algorithms that run operations impacting our daily lives are black boxes to most people. Many technology creators and users don’t understand the full risk and impact of their decisions.
As system participants, we have some responsibilities
Goodman outlines some tips on how individuals can protect themselves and others, which he calls the UPDATE protocol. No system is unhackable but some actions can help you cover the basics, such as:
- Update frequently: Accept computer and phone system updates to patch known vulnerabilities.
- Passwords: They’re not perfect but going beyond the basics with unique and long passwords plus two-factor authentication helps.
- Download: Be careful about what you open and download from the internet, especially the source and the fine print.
- Admin: Don’t use the admin profile on your computer as your primary account. Conduct most of your work with a lower privileged account.
- Turn-off: Disconnect your devices from wifi when you’re not using them.
- Encrypt: Protect your data with encryption, especially in public places.
As system designers, we have some responsibilities
“Done is better than perfect.” Or is it?
According to Goodman, the attitude of “just ship it” combined with increasing complexity has contributed to the staggering amount of faulty code. That code can have security vulnerabilities for months (or longer) before anyone notices the issues, fixes them, and installs the updates.
He advocates for designing in security from the beginning. We could also build better incentive systems for people to report bugs to vendors instead of the black market. Pressure from the public for higher quality code and regulations holding vendors accountable are other angles for addressing the problem.
We could also apply more of our human-centered design talent to security apps. The current designs often confuse people or promote behavior that is unsafe in order for people to get their work done.
“Security software and hardware products today are almost uniformly designed by geeks for geeks.”
– Marc Goodman
The military practices with war games, why not do the same with our systems, products, and businesses? We could create “red teams” that are in charge of taking the criminal perspective. Let them loose to search for vulnerabilities and test out how well your enterprise responds.
Goodman also suggests crowdsourcing the fight against cyber crime by creating something like a “National Cyber Civil Defense Corps.” There’s a lot of talent in universities and the private sector that could be used for surge activities to support law enforcement. Companies, nonprofits, and cybersecurity associations could play a role in supporting this movement.
Some other thoughts about how this impacts portfolio planning
I’m not a cybersecurity expert, but from what Goodman’s said and what I’ve seen in the industry, I think that there are opportunities for us to do more as business, technology, and product leaders.
- Question why we’re collecting information and how we plan to use it. Is it really needed to provide value or are there other options?
- Better incorporate security professionals into our portfolio planning and product design processes, to brainstorm scenarios and mitigate risks earlier in the life cycle.
- Add more resiliency-building projects to our portfolio.
- Do more experimentation and bug catching early on, long before shipping code into production (play “agile war games”).
- Question interfaces and business models when making decisions about which businesses and SasS products to partner with.
- Be conscious of when our product experiments cross the line into human research, without the participant’s knowledge.
- Get more involved in associations and projects to help law enforcement and shape digital policy to address the emerging risks of emerging technologies.
- Challenge ourselves to apply more creative business models beyond the freemium/advertising model. Ones that put our users at less risk.
The possibilities offered by recent technological changes are inspiring. However, I think that many companies focus on the positives of applying these changes, such as future business or experience benefits, and overlook the costs. That creates an important security gap but also opportunities for other ways to do business (legally).
In the future, protecting data will be an increasingly important value proposition. It’s a daunting challenge but an exciting time in history to be able to help shape a safer future.
What do you think? What other insights did you take away from this book?