In 1970, the US federal government passed the Fair Credit Reporting Act (FCRA). The act can be seen as an early reaction to an emerging appreciation for the power of mechanized (and then digitized) data collection and analysis. The FCRA represents one of the earliest legal actions taken in the realm of privacy and security. Here's a brief look at the event, and the climate within which it took place.
On the night of April 27th, 2007, a statue was removed from a busy intersection in the middle of the Estonian capital of Tallinn, and relocated to a military cemetery a short distance away. Beneath the statue were the graves of a number of Red Army soldiers who perished in World War II. The incident touched off several days of riots in Tallinn, and sparked what later became known as ‘Cyber War I’.[1] Though for all intents and purposes the relocation of the statue was a classically political move, several factors specific to Estonia and the era made it unique. We’ll first consider the classical elements, then the unique features, and finally interpret the incident in terms of securitization.
On December 23rd, 2015, nearly a quarter-million Ukrainians unexpectedly lost power.[226] In the aftermath of what is thought to be the first widespread attack on power infrastructure, US investigators determined that the same BlackEnergy malware that was involved in the Ukrainian disruption was present in “numerous industrial control systems (ICSs) environments” in the US.[227] It appeared to US cyber officials that the “sophisticated malware campaign” responsible for the software’s presence had been running since 2011.[228] David J. Weinstein, who worked at the US Cyber Command from 2010 to 2013 and was quoted in a recent NY Times article on developments in offensive US cyber activities, likened the 2015 Ukrainian event to crossing the Rubicon.[229, 230] In invoking the solidification of Caesar’s power and accompanying death of the republic, Weinstein manages to at once suggest the seminal nature of an attack on power infrastructure, and the difficulty inherent in identifying any single event as a beginning. The prosecution of a large-scale cyber campaign with potentially lethal capability fatalistically supports the former suggestion.
A few weeks ago I wrote about what appears to be the changing nature of obscurity. Under the now nearly ubiquitous model, actively thwarting data collection is no longer likely to obscure you from surveillance, but rather to highlight you. Extending the concept of the security of the majority to data collection suggests that the majority one wants to join is no longer the mass of the unsurveilled. Ubiquitous collection and the wild-west-like data-use market strongly suggest that we’re well over the hill in terms of big data, and we need to update our doctrine to reflect that reality. I imagine there are many clever ways one might mitigate this issue. I propose weaponizing the means of data production through curation.
We’re experiencing a fundamental shift in the way in which security is achieved. This shift is, I think, best described by examining the differing characterizations of the ‘before’ and ‘after’ states. The before state is one characterized by a general lack of data. Universal data collection was, for a variety of technological and cultural reasons, not being done. An individual enjoyed the benefits of safety in numbers simply by default, without having to take any special action. An entity wishing to obtain more information about that person, perhaps wishing to compile a profile on that individual, would need to specifically target that person for surveillance.