Chapter 6
Four Trends Driving Cyber Breaches and Increasing Corporate Risk
Technological, Cultural, Economic, and Geopolitical Shifts

A ship is safe in harbor, but that's not what ships are for.

William G. T. Shedd

At a crowded restaurant in New York City a number of years ago, the maître d', a cultured, older man with silver hair and an air of confidence, recognized the couple, warmly acknowledged them, and heartily shook their hands as he walked them to a reserved table in a quiet corner of a busy room. He stayed for a few moments, telling them it was wonderful to see them again, and asked what they would like to drink. Before leaving the table, he again said how good it was to see them, and shook hands once more. After dinner the couple was preparing to leave. The restaurant by this time was quiet, the evening nearly over. As they pushed back from the table, the maître d' came and stood before them. With a broad smile and a sparkle in his eye, he said, “Perhaps you would like to have your watch back. It is a very fine piece.” The diner looked at his wrist. There was no watch strapped to it, and a look of amusement crossed his face. “I had no idea,” he said. “How?” Grinning, the maître d' said, “Don't feel badly. Nobody ever notices.” Then, as if he were reflecting on another place and time, his smile faded, and he said soberly, “I wasn't always a waiter.”

In that same way, mobile devices disappear. As noted previously, mobile devices are, well, mobile, and they're more apt to be lost or stolen.

Technology Trend

Let's begin with the technology trend. Apple cofounder Steve Jobs once said at the unveiling of a new product, “An iPod, a phone, an Internet mobile communicator…these are not three separate devices! And we are calling it iPhone! Today Apple is going to reinvent the phone. And here it is.” Technology is hot—but especially mobile technology. It is the future. The list of vendors offering devices and platforms and operating systems and applications is astounding. Mobile phones, smartphones, have been great contributors to redefining to a significant extent how work gets done and where work is done. The word has a nice ring, if you'll forgive the pun. Mention the word “mobile” to most people and it inspires a lot of notions. It means not being tied to an office or a desk. It means freedom, not from work but from the structure of work, perhaps. Mobility brings options and flexibility. It inspires lots of visions: keeping in touch while on vacation, making sure the house alarm is set, checking on the kids after school, conducting bank transactions.

Look at where investments in technology are focused and the answer is in social media and mobile technology. In large part, social media is being driven by mobile technology. There is the desire and demand to be virtual, to be mobile, flexible, fluid, responsive, connected continuously.

“Mobile devices have grown in acceptance by both private and corporate communities,” says Danny Miller, system chief information security officer for the Texas A&M University System. “They occupy much of our time and minds. The wave of new smartphones, tablets, and e-book devices are creating an environment ripe for cross-platform malware to take root in our personal business operations such as online banking and at work with easy access to corporate asset information.

“The growing strength of malware will expose new sources of revenue to online criminals. These devices are running almost all of the same social and Web-based content that desktop devices have used for years. These newer, sleeker systems will only add to the onslaught of new vulnerabilities to these recently ported platforms. There will be crimeware threats for practically every mobile device or tablet OS platform and ported application.”1

Mobility delivers a certain extension of freedom. More information is accessible across more platforms and from more locations than at any time in history. A number of researchers are forecasting significant growth over the next decade in mobile devices around the world. While forecasting out to 2025 is tricky, there are projections that 50 billion devices will be in the market by then. That's a huge number, but not irrational, and for this reason: When executives have been polled on the subject of how many mobile devices they carry, the average number is three or four—business laptop, business smartphone, business tablet, and personal cell or smartphone.

Looking at the developing markets around the globe, banks may be expected to provide mobile devices to populations who currently do not have a banking relationship, substantially increasing the number of customers and the number of mobile devices. Armed with a mobile device and electronic currency, banks will likely increase market breadth and depth. This initiative will drive mobile device growth.

In 2013 the United Nations reported that of the world's 7 billion inhabitants, 6 billion had a cell phone. However, only 4.5 billion had access to toilets or latrines. Mobile phone growth in Africa is linked to education. In fact, the majority of citizens in the country of Nigeria are linked to the mobile communications network. It is an essential part of the mission to provide education throughout the country. According to the United Nations, “Initiatives promoting mobile learning have already been spearheaded across a wide range of countries—including Mozambique, Pakistan, South Africa, Niger, Kenya, and Mongolia—where policies have already provided access to distance education in far-flung communities and improved literacy among girls and women.”2

The UN research indicates that about “three out of four people have a mobile phone in Kenya and while only a third of Kenyans have access to the Internet, 99 per cent of this comes from mobile phones.” Mobile technology has the ability to favorably impact developing nations in many ways, from improving education and health care, to helping to eradicate disease through awareness, to enhancing farming and agriculture. There's no doubt that mobile technology will benefit these efforts. Mobile technology is believed to be a powerful antipoverty tool. But it isn't that simple.

The history of computer and communications technology, including mobile technology, succinctly illustrates, for better or worse, the truism that the reach and expansion of technology is most often driven by perceptions and facts about lower costs, increased productivity, the use of technology as a force multiplier, expanded markets, enhanced presence, and so on. When enterprise-wide decisions are made, particularly among companies and in government and other organizations, security is not typically the driving consideration. It isn't security that makes the world go round, it's productivity. That's hard to argue against. On the other hand, without security, the risk of use increases, and the consequences can be significant.

Security has, it seems, always been in the backseat, and that's understandable if the mission is to generate revenue by selling hardware, software, and services. There's no argument in this corner. However, because technology's reach exceeds its grasp, in the form of security, there is the seemingly unstoppable problem of information compromise. The mobility factor doesn't increase security. In fact, the tide of security incidents will rise with the tide of mobile implementations.

The data backup service company Mozy came up with some interesting findings. According to Mozy, 80 percent of professionals work remotely at least some of the time, and more than two-thirds use memory sticks. A quarter of Americans lose their cell phones every year. Of 800,000 mobile devices lost or stolen in 2010, 97 percent were never recovered. The Ponemon Institute reports that 12,000 or so laptops are stolen or lost in airports in the United States every week. Is the number accurate? It doesn't matter. What does matter is that these devices are simply disappearing, whether lost or stolen. A significant number of them were targeted by criminals. And that is the point.

Executives and other employees are too often careless with laptops, especially in airports. Airports are public places, where many people feel unthreatened by criminal activity. There are usually police officers patrolling, and there are lots of people. Airports look and feel reasonably safe and secure.

When people feel reasonably safe and secure, their defense mechanisms slow down. People with laptops at the airport are thinking about things other than laptop theft. They are thinking about the upcoming business meeting at their next destination. Or maybe they're thinking about a promotion, a raise, getting back home to then head out on vacation. Perhaps thoughts of marriage, divorce, sports, kids, and any number of other things are at the forefront of their consciousness. That they are waiting to board the next flight does not seem to stimulate thoughts of security and awareness of surroundings.

Loss of Situational Awareness: Distraction

One security executive who was fortunate enough to be assigned an aisle seat in the first-class cabin was using a BlackBerry while walking toward her seat. With too much to do and not enough time in which to do it, she was utilizing those precious moments to send out updates and respond to e-mail while walking. This has become something of a national techno pastime. Arriving at her seat, with a number of other passengers behind and in front of her and across the aisle, she needed to place her travel bag in the overhead bin above her assigned seat. Needing both hands to execute the maneuver, she innocently set the BlackBerry on the first-class seat. After placing the bag in the overhead bin, she reached down to retrieve her BlackBerry, but it was nowhere to be seen. She looked around quickly, even desperately. Somebody must have seen it. Did it fall off the seat and onto the floor? Could it have fallen into the pouch on the back of the seat in front of her? Querying the nearby passengers and flight attendants was fruitless. No one admitted to having seen anything. Maybe someone saw something, maybe not. The result was the same.

People leave cell phones in taxicabs and other places all over the world, by the many hundreds of thousands, if not millions, every year. Many of these phones are smartphones and contain valuable data, often information regulated by various authorities. And many of these phones and tablets, even laptops and memory devices, are not password-protected. Steal the device and it's easily accessed. This is particularly true of many small and midsize companies, which may not have enforced information security policies, particularly in those companies—including some larger companies—that possess no regulated data or at least believe that they possess none.

It's easy to focus on the positive attributes associated with mobile technology. These devices are easy to carry, easy to conceal, easy to use, relatively inexpensive, increasingly powerful, and multifunctional, even indispensable. An entire generation is using computers that fit into the palm of a hand or, in the case of tablets, a small lightweight bag or sleeve; some of these people have probably seldom worked on a desktop machine.

It's not that desktop machines were secure. It is more that they were not as easily lost or stolen. So maybe they were more secure. People, or users, in the vernacular of the industry, remain the greatest threat to information integrity. A user could do less damage in the desktop era. Yes, information could be copied off of a hard drive. But it was hard to lose a desktop unless a thief broke into the office or home housing the unit and stole it.

Given that users are not well trained in security, and that data resides on increasingly small hardware platforms, the combination of carelessness and diminutive scale is a problem when it comes to protecting data. Just as the user may perceive device size and weight as a distinct operational advantage, especially when considering the power of these devices, a thief will appreciate their compactness and concealability. They are easy to steal in a swift and invisible strike.

Culture

The culture at work and home and everywhere else in between is changing, in large measure because of technology. Mobility has helped define the culture of work and play. A generation ago, most people worked only at the place of work. Now people work everywhere, courtesy of mobile information and the devices that power accessibility. The line between work and home has faded, often to the point of obscurity. Conversely, the home has invaded the office. Workers may be checking e-mail at home at night, while at the office they may be participating in social networks, checking personal e-mail, and monitoring the kids' activities after school. What at one time was a line of distinction between these pursuits is now more of a fog of content. They aren't always clear, these lines of division, but it seems that this has become the accepted path to the future. Social protest has changed. Even in presidential elections, technology has helped define how to manage the process, how to reach voters, how to persuade the masses and influence public policy. Masses of political workers armed with smartphones, tablets, and the Internet are defining the future of political dynamics as they analyze data, interpret political dispositions, and calculate how to best influence outcomes.

Mobility also enables easier sharing of information, and this is a defining cultural issue. There is an expectation of sharing information, an expectation of information access. According to the report from the Office of the National Counterintelligence Executive discussed in Chapter 4, “The cultural shift involves the rise in the U.S. workforce of different expectations regarding work, privacy, and collaboration. Workers will tend to draw few distinctions between their home and work lives, and they will expect free access to any information they want—whether personal or professional—from any location.”

So what are the concerns about wide-scale deployment of mobile devices? The organization Transparency International reports a lot of corruption in many of the nations where mobile device use will grow and where these devices will be distributed increasingly widely. From South Asia throughout most of the African continent, corruption is a major problem for which there does not seem to be a near-term solution. The intersection of corruption, mobile technology, and transnational organized crime represents a major risk, especially when taking into consideration serious security deficiencies and the emergence of unregulated electronic currencies. Laundering money generated through corruption and organized criminal interests is one expected outcome.

Think about it. Billions of people walking around with mobile devices. Laptops. Smartphones. Tablets. Surely this must fire the imagination of those with something to sell, as well as those with larceny on their minds—and revolution.

Picture thousands of people across the world sitting at desktop computers, engaged in social media. Could they participate in a distributed denial-of-service (DDoS) attack? Absolutely. Then consider the mobile variant. Could these same people create flash mobs and social protest on the fly? That's not as easy. But the ability to be mobile does make it possible. Using mobile communications allows for highly fluid and flexible gatherings, from a Benghazi-type terrorist action to a protest over just about anything.

Neither technology alone, nor mobility exclusively, defines the future of work, crime, social protest, terrorist strikes, and personal endeavors. The Office of the National Counterintelligence Executive has identified four trends that are defining the future. One of them is technology. In addition, economic, cultural, and geopolitical trends are contributing to rapid change.

Technology is a Double-Edged Sword

Let's start with the economic trend. The globe has become smaller, flatter, more accessible, as well as highly dependent on multinational trade. Technology drives the economy. The economy has also become infinitely more complex. Technology has become infinitely more complex, too, although it doesn't look that way to the average user. In fact, technology has become incredibly easy to use. That's why it is such a critical driver of the global economy: Everyone knows how to use it. That ease of use is a double-edged sword. Easy to use, easy to abuse. Nevertheless, technology is inseparable from the economic future. Certainly it is hard to imagine an economy without technology. It is becoming difficult to think about an economy that isn't stimulated by mobile devices, from mobile banking to mobile medicine to farming and agriculture. This is a mobile economy and the future may be expected to be even more mobile. Data travels with the workforce and the pleasure seekers of the planet.

Now consider the geopolitical trends. The U.S. government states that “a geopolitical shift will continue the globalization of economic activities and knowledge creation. National boundaries will deter economic espionage less than ever as more business is conducted from wherever workers can access the Internet. The globalization of the supply chain for new—and increasingly interconnected—IT products will offer more opportunities for malicious actors to compromise the integrity and security of these devices.”3 This is certainly the case with respect to mobile devices.

China and Russia remain the most crucial threats. The growing interrelationships between companies in the United States and China illustrate this very well. China's economic reach is massive, and it has what many developed and developing nations need: money. Although there are indicators of financial stress in China, it remains a formidable player and will continue as such. Its financial strength ensures continued alignment with Iran, Pakistan, and others. It also means that as the cyber dimension evolves in the coming decades in emerging nations, such as those on the African continent, China will surely benefit, as it has with its cyber attack relationship with North Korea, which allows it plausible deniability.

Geopolitically, Russia also remains a threat. Of course, organized crime has been a continuing issue associated with Russia and much of Eastern Europe. But organized crime isn't the only problem. Many Russians with technical skills and experience live and work in the United States, and the Russian intelligence services are not beyond pressuring them to steal secrets as part of the country's economic espionage pursuits, a fact referenced by the Office of the National Counterintelligence Executive. More and more Russian companies are doing business in the United States. The employees of some of these firms are former Russian intelligence operatives.

Geopolitics also encompasses the subject of terrorism and cyber terrorism. While it may be politically disadvantageous for China or Russia to engage in a direct cyber offensive against the United States, that doesn't mean that neither country would benefit from such attacks. These attacks show where the United States' critical infrastructure is weak or strong, and what would have a major impact and what would have less of an impact. An attack of this kind would have the ability to disrupt critical supply chains and the distribution of power, among others.

Most of all, perhaps, it would announce to the world that the United States, or any other country targeted in an attack, has a soft underbelly. The massive credit card breaches of late 2013 and early 2014 are clear messages that this information is accessible, because it is vulnerable. Understanding vulnerability is essential. Taking advantage of it can be dangerous. But suppose that, say, North Korea or Iran, launching a cyber offensive against the West, is successful in leveraging identified vulnerabilities. That has value to China, and it has value to Russia. And although there are links between the nations, plausible deniability again surfaces. China or Russia could even look cooperative diplomatically by appearing to pressure the offending nation.

Maintaining a powerful cyber offensive capability is an element of geopolitical superiority and command. Subsidiary national relationships are necessary, and the cyber dimensions of such relationships are increasingly important.

“Cyber operations are very attractive to foreign intelligence organizations, non-state actors, criminals, and terrorists because they can be conducted relatively cheaply and easily and offer high returns with a low degree of risk,” according to the Office of the National Counterintelligence Executive. “The risk of exposure is low because cyber operations can be carried out remotely and with a high degree of anonymity. In addition, cyber operations are comparatively inexpensive, and can be conducted rapidly. For all of these reasons, state and non-state actors are increasingly turning to the cyber domain to augment and bolster their respective intelligence activities against the United States in an effort to gain advantage.”

Technology is shaping the development of all of these trends, and especially mobile technology, and it changes rapidly. Rapid change in technology is often referred to as Moore's law, and it is applicable here. Gordon E. Moore, a pioneer of Silicon Valley and a cofounder of semiconductor manufacturer Intel Corporation, predicted in 1965 that “the number of transistors incorporated in a chip will approximately double every 24 months.” Says Intel Corporation, “Continuing Moore's Law means the rate of progress in the semiconductor industry will far surpass that of nearly all other industries. The future of Moore's Law could deliver a magnitude of exponential capability increases, driving a fundamental shift in computing, networking, storage, and communication devices to handle the ever-growing digital content and Intel's vision of 15 billion intelligent, connected devices.”4 Although this exponential growth is expected to decline somewhat, to a doubling of growth every three years instead of two, that is still tremendous growth. But it seems the figure of 15 billion “intelligent, connected devices” may be a low estimate.

The growth of mobile technology and social media, as well as their impact on culture, economics, and geopolitics, is nothing short of remarkable. It enables productivity and commerce; that is undeniable. But it also enables potentially debilitating offensive attacks, widespread fraud, and politically expedient disinformation.

Technology will continue to advance. Culture will continue to evolve according to adoption trends in technology. Economics will continue to drive how technology is used and how culture adapts to change. Geopolitical influences will continue to divide nations as technology brings disparate societies together or tears them apart. That's the thing about technology: It is consistently neither friend nor foe, or both. It is a tool of attack and defense. But the problem is that most users see their mobile devices and social networks as more friend than foe. That's why they share personal information so indiscriminately. And that's also why so many whose personal information is compromised are so surprised.

Notes
