Last week, I wrote in SearchCIO’s Searchlight news column about Apple’s opposition to a federal court order directing the company to give the FBI the tools to get into the iPhone used by Syed Rizwan Farook, one of the suspects in the San Bernardino, Calif., massacre in December.
A reader commented on the IT Knowledge Exchange blog that instead of forcing Apple to circumvent its smartphone encryption controls, the government should create its own lock-picking software.
The FBI wants to get at the information stored in the phone (texts, photos, maps) to see whether Farook or his wife, Tashfeen Malik, had connections to terrorist groups. Both were killed by police after the shooting deaths of 14 people at the county health department where Farook worked. Does it need Apple’s help, or can it use its own resources to unlock the device?
Layers of security
First, here’s the issue. The upgrades to Apple’s iOS operating system on the iPhone 5C, the model of the phone Farook used, encrypt all data on the phone, so even Apple can’t get to it — that is, without creating a special tool.
The FBI doesn’t have the password that is locking the phone, and investigators can’t just go guessing, because of a feature Farook could have enabled that would destroy all stored data once someone enters an incorrect password 10 times. Is it switched on? The FBI doesn’t know that, either.
Still, it might be possible for the FBI to access at least some of the data, said Khalid Kark, who works on Deloitte’s CIO research team.
“There’s a fairly good chance that if you put in the 10 passwords the data is going to be wiped,” he said. “But even if the data is wiped, there are actual physical-hardware ways to still capture the data or remnants of the data and piece it together.”
Tough going for the government
But accessing the data hidden behind an unknown password and Apple’s smartphone encryption would be a painstaking process, Kark said, and even “sophisticated hacking” by the government may not capture 100% of the information in the phone.
The FBI missed an opportunity to get a backup of the data. The Justice Department said the password was reset by the San Bernardino County health department, which owned the phone. Had it not been reset, the information could have been backed up to Apple’s cloud. Apple said the government had the phone when the password was reset.
Avivah Litan, an analyst at market research outfit Gartner who specializes in cybersecurity, wasn’t optimistic about whether the feds could gain access to information on the phone.
“Only if they got the password from someone,” she said. That, though, is possible — if the FBI can find the right people. “Maybe they left behind friends that have their password. People tend to reuse passwords, so maybe they could.”
The federal court compelling Apple to help the FBI bypass encryption controls in the iPhone used by one of the suspects in the San Bernardino, Calif., massacre is leaning on a 227-year-old law called the All Writs Act. Part of the Judiciary Act of 1789, the statute authorizes the government to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”
In 2016 English, that means it lets the government issue any order it needs to make somebody do something, as long as it is for a legal reason. Jonathan Mayer, of The Center for Internet and Society at Stanford University, called the law a “Swiss Army knife for the courts” that has been used in a wide range of scenarios, including challenging criminal convictions and establishing real estate.
While the law is broad, it’s not all-powerful. In fact, the ruling that orders Apple to work with the FBI on the phone states that if the tech company finds compliance “unreasonably burdensome,” it can appeal. The company has until Feb. 26 to do so.
No law to turn to
Johna Till Johnson, president and founder of Nemertes Research, said the legal ground under the FBI’s feet is shaky.
“That’s exactly why Tim Cook made it public,” she said, referring to the Apple chief executive’s public letter to customers about the “dangerous precedent” complying with the court order would set.
Right now, Johnson said, “there is no law that says you need to re-engineer every mobile device to disable encryption.”
The Communications Assistance for Law Enforcement Act of 1994 requires telecoms to let the government around encryption controls in their networks, but it doesn’t cover mobile devices. Congress has been reluctant to pass legislation requiring tech companies to build “backdoors,” or shortcuts around encryption, into their products. In Johnson’s view, that could be on purpose.
“If they did that, they’d kill the mobile phone industry,” she said. Foreign cell phone equipment suppliers like Alcatel-Lucent, already spooked by the revelations of global surveillance programs by former government contractor Edward Snowden, would want nothing to do with us.
“Everybody would stand up and say, ‘No way, José. The U.S. can do without mobile phones. We’re done,’” Johnson said.
There is some activity on the issue. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) are pushing for a bill to bypass encryption on mobile devices. Rep. Michael McCaul (R-Texas) and Sen. Mark Warner (D-Va.) are seeking an approach that balances government access to encrypted data with privacy protection, beginning with a commission to study the privacy and security implications of new technologies.
What might the world look like under a law requiring tech companies to decrypt information? Read the post “Life under a new encryption law.”
The U.S. government is tapping the broad authority of a centuries-old statute, the All Writs Act of 1789, to make Apple build new software that would make it easier to get information locked in the iPhone in the San Bernardino, Calif., murder case. According to Apple chief executive Tim Cook, if the government used the law in such a way, nothing would stop it from peeking into the iPhones of millions of users without their knowledge.
Johna Till Johnson, president and founder of Nemertes Research, suggested the government dug up the legislation because it doesn’t have an encryption law to use in its place: one that would require “backdoors,” or mechanisms that would bypass the encryption on mobile devices that turns private information into gibberish for anyone but authorized users.
Several lawmakers are looking into bills that would require tech companies to decrypt information when the government demands it. The debate will surely rage on Capitol Hill for some time. But what if such a bill passes both houses of Congress and becomes law? What then?
Ultimately, it may prove hard to enforce, at least among telecoms, Johnson said. Other countries would still be able to produce uncrackable devices, so there would be little stopping anyone from going abroad and buying one.
“You’d have to really push,” Johnson said of the government. “You’d basically have to say something like, ‘Verizon, you cannot provide service to XYZ model PDQ phone, because that’s an illegal phone.'”
For CIOs and security teams, though, things probably wouldn’t change too much, she said. Under an encryption law that would circumvent secure communications on mobile devices, CIOs could encrypt their applications instead. For everyone else, especially those without a whole lot of tech smarts, it’s a different story.
“Your average consumer isn’t going to go out and buy application-layer security and layer it on top of his iPhone,” she said. “So it really is mostly an impact on citizens-slash-consumers.”
The 3D printing market may be nascent, but CIOs should start to prepare the enterprise for the emerging technology.
According to Shawn DuBravac, chief economist and director of research at Consumer Technology Association, a standards and trade organization for the consumer electronics industry in the United States, preparation means more than ensuring the infrastructure is up to snuff. He also encourages executives to begin helping employees transition from 2D to 3D thinking.
“This is going to be something that becomes significantly more prevalent in the future,” he said in an interview with SearchCIO.
DuBravac’s concept of 3D thinking differs from what Google search results turn up. Rather than catchy, easy-to-remember consultant shticks, DuBravac is talking about a shift in conversation from what’s technologically possible to what’s technologically meaningful (real use cases, user benefits, etc.).
The conversational pivot reflects a maturing 3D technology, similar to the maturation of wearables. “I don’t think we’re there yet with 3D printing, but we’re getting there,” DuBravac said during a recent presentation he gave at EmTech, an emerging technology conference hosted by the MIT Technology Review.
New generation of 3D thinkers
Part of the enterprise transition into 3D thinking will happen naturally, DuBravac said. Middle and high school students are already being exposed to thinking in three dimensions through gaming. Minecraft, for example, is a popular game where players design habitats in 3D, and virtual reality headsets, such as Oculus Rift, are becoming more commonplace. Plus, it’s not unheard of for schools to invest in 3D printing technology so that students can experiment with it, though the numbers are still small.
“Today, there are about 100,000 schools in the US, K-12. About 1,000 of them — 1% — have a 3D printer,” DuBravac said at EmTech.
But there’s no reason CIOs have to wait five to 10 years before they begin helping the enterprise make the transition from 2D to 3D thinking. One of the ways DuBravac, a trained mathematician and economist, changed his thinking was to pull the trigger and invest in his own 3D printing technology. “At first, I didn’t know what to do with it,” he said. “Over time, and it probably took a year, I started to say to myself, ‘I need this. I can’t find it. I could just 3D print it.'” CIOs can do the same for the enterprise.
It’s true that not all businesses need to sink resources into 3D thinking right now. (DuBravac’s quick rule of thumb: “If the business is involved in design at all, that’s a business that will be influenced” by the technology.) But it’s also true that 3D printing has never been more accessible or affordable. If CIOs can make even a small investment in the technology (one expert claims they can do so for $10,000), they may be able to set the stage for a shift in the conversation, DuBravac said.
Three-dimensional printers aren’t exactly a new technology. “It’s 30 years old,” said Pete Basiliere, a Gartner analyst who’s covered the 3D printing market for years.
The most widespread and time-tested use of 3D printing technology is by manufacturers and product designers for rapid prototyping. “Any company producing a product that designs something physical will most likely have 3D printers. It cuts down the design cycles significantly,” said Shawn DuBravac, chief economist and director of research at Consumer Technology Association, a standards and trade organization for the consumer electronics industry in the US. The iterative process enables companies to tweak designs quickly — and cheaply, directly benefiting the business. “It lowers not only the cost, but the time involved in designing and bringing products to market,” he said.
But here’s where things get tricky: 3D printing technology has been around for three decades, but it’s also acting like a newborn, according to Basiliere. While rapid prototyping is a familiar and well-established use case for the technology, new 3D printing use cases are beginning to emerge. One that’s receiving its fair share of media attention is customization, which is giving rise to a handful of small, niche players in certain markets.
Hearing aid manufacturers are using the technology to scan a patient’s ear, create a model and then print a hearing aid shell specifically for a patient — in no time. Invisalign, manufactured by Align Technology, applies a similar 3D printing process to non-metallic braces, constructing 150,000 dental aligners a day, according to Basiliere. Or consider Sols, a startup that’s combining mobile technology and 3D printing to produce custom shoe inserts. The Sols tagline? “Three photos, ten minutes, two happy feet.”
Interest is growing in location intelligence, but the technology isn’t a priority for most businesses, according to the third annual Location Intelligence Market Study published last month by Dresner Advisory Services LLC. Location intelligence refers to a business intelligence tool that relates geographic information from a variety of data sources, including GIS and aerial maps, to business data.
Respondents to the survey, which included 403 industry representatives from technology to health care to financial services, ranked location intelligence/analytics 12th out of 25 technologies. Respondents pointed to dashboards, data discovery, data mining and integration with operational processes as bigger priorities than location intelligence; they ranked topics such as in-memory analysis, big data, text analytics and the Internet of Things (IoT) as lesser priorities than location intelligence.
The findings don’t surprise Howard Dresner, founder and chief research officer at Dresner Advisory Services. Interest in location intelligence is dependent on the industry. “If you’re doing things like sales operational planning, you have to use location intelligence to do that. Otherwise, you’re not going to understand how to allocate resources appropriately,” he said.
Indeed, when broken down by industry, the survey reveals that retail has the highest interest in location intelligence with 65% of those representing the industry indicating that location intelligence is either critically important or very important to their company. Only 40% of survey takers from health care and 35% of survey takers from education said the same.
Yet Dresner predicts location intelligence will rise in importance across all industries eventually. One driver is Internet of Things (IoT), he said, pointing to the growing network of Wi-Fi enabled physical objects such as Fitbits and connected vehicles. “IoT is about where stuff is, first and foremost,” he said. As the IoT stack continues to mature and as more businesses build IoT pilots, Dresner believes location intelligence will ratchet up the priority list.
While location intelligence might be “kind of a sleeper” right now, Dresner advised CIOs and senior IT leaders to seize the moment and get in front of the wave of interest. In some cases, businesses will need geocoding skills, converting, say, a street address into spatial data, to attain the level of granularity they’re after — skills that will most likely be housed in a company’s analytics department. In other cases, location intelligence features are baked into the business intelligence software, making it easy for a marketing or sales department to serve themselves.
Regardless, the IT department will have a hand in installing the technology, loading in the data, providing the technology support and training users, Dresner said. “[IT] has a role, unless you buy something that’s a SaaS offering, which makes it more of a managed service,” he said.
How important is it that CIOs report to the CEO? I recently sat in on a CEO-CIO panel discussion that shed light on the benefits and demands that come with this reporting relationship.
The CEO-CIO pairs were presenting at the SIM Boston Technology Leadership Summit. They hail from two very different types of companies. CEO and co-founder Andy Youniss and CIO Jay Leader are from Rocket Software of Waltham, Mass., a 25-year-old global company that builds enterprise software. CEO Martin Borg and James Bowen, CIO/COO, are from Measured Progress Inc., a not-for-profit headquartered in Dover, N.H., that sells K-12 educational assessment products and services to clients nationwide.
As noted in my story this week, “The CEO-CIO business partnership in action,” these CEO-CIO teams — despite their different businesses and business models — share certain attributes, including first and foremost a CEO who sees IT as more than just a cost center, and a CIO who can think strategically about the business. The two CIOs work closely with their CEOs. Both make presentations to their boards of directors. Additionally, both CIOs have gradually taken on a more outward-facing role at their companies; each now is being sent out to meet with customers in order to help their respective companies better understand customer needs.
You might be interested in hearing some of what they said during the panel. Here are a handful of observations made by Youniss, Leader, Borg and Bowen about their CEO-CIO relationships, and what the future holds for CIOs. (Quotes have been edited and condensed.)
Business sees IT in different light
CEO Andy Youniss of Rocket: When we first got a CIO we made a decision that the role would report to me; IT was not ever designed to be a cost center; it was designed to be an organization that would create value within the company. …We are a tech company, and we sell our products to CIOs. A decade ago, or a couple decades ago, when I visited CIOs it was more likely than not that I was walking into an organization that was a cost center, and I remember the conversations we were having: “If only the CEO understood what we’re talking about; if only the CEO understood the value of these investments we’re making, but they’re just asking me to cut costs.” Today, when I talk to a CIO, more often than not they actually have a seat at the table, because technology is driving everything.
A couple of decades ago, the technology we were selling was very much supporting systems of record, more transactional things. Now with all the data that those transactions have created, and the new business users, new business models and new systems of engagement coming online, the CIO is able to bring more business value around mobile apps, around systems of engagement and analytics — so we’ve seen the conversation shift as we have talked to our customers, and this is not locally but happening all over the world.
Seat at the table equals CIO success
CIO Jay Leader of Rocket: Part of the reason it is important to be sitting at the table and hearing the conversation is because the words often come out wrong. Andy has heard me say this to him before. I don’t think my job is to do what Andy tells me; I think my job is to do what Andy wants. And because sometimes the words do come out wrong, I try to listen to the message. …
My job is to try to really understand what we’re trying to accomplish. Andy and I have this conversation where we start at, “We should go do this!” And then we realize that, well, our objective is really this, so let’s go about it another way. Sitting at the table allows you to hear the conversation so that if the words are wrong, you can say, “That’s not what I heard. I heard that the problem is this, and if the problem is this, then doing that is not going to solve it.”
CEO Marty Borg of Measured Progress: It is the CEO’s job, as well as the rest of executive team, to set business direction. I think the CIO’s job is to come in, listen to what that is and then amplify it. By the nature of their position, they are translating business need into possible solutions. And the possible solutions are very deep inside of their discipline. I don’t want to be deciding what kind of array to have in our servers, but I do need to be able to say, “Here’s where we are, here’s where our students are, and here is where our differentiators are.” James is in the room when the direction is set, and that is important, because if you set a direction that is not coordinated with your infrastructure and skill set it is going to be really tough sledding.
CIO of the future
CEO Youniss of Rocket: This is not just because Jay’s sitting next to me, but when we recruited for a CIO we were obviously looking for someone who would be good technically in that role, but mostly we were looking for somebody who would be a good general business person. What I always say to my executive team is “Leave your functional hat at the door when you come in the room”; when you’re around the executive team table, we are all executive peers and I need everybody’s input and opinion coming from your different perspectives.
So I think the CIO of the future is a really good business mind. That is one of the things I wanted to communicate to you, and the other thing is to be a good change agent, good at change management. As you know it is constantly changing and someone has to be advocating for that change and managing it and quite frankly pushing that change and communicating well around it.
CIO Leader of Rocket: I think my role has evolved a lot over the last 10 years from being master of craft and expert of silo, to a connector and an influencer. We have unique capability in IT in that we have a reason and a contribution to make in most facets of our business from time to time. There are times when we have to spend time in finance and HR or to support manufacturing or testing services. You have to have some flavor of and familiarity with all facets of the company; similarly we don’t have line authority for anything, so I can’t make anyone do anything at Rocket except the people who are in my vertical organization. So for me to be effective I have to be an influencer, and to be an influencer, I have to understand what is important to you and how can I get you to the place that you want to be — by the way that I want to go there.
I have gone from spending maybe 50% of my time looking at internal operation of IT, to spending about 90% of my time looking at internal and now external operations of Rocket. And that’s because that is really what I am paid to do.
CIO/COO James Bowen of Measured Progress: As far as my journey goes, I spent the first year as chief technology officer sorting out all the technology; my second year as CIO I spent understanding and learning the business and influencing and gaining that trust; and then my third year as COO is about really helping to grow that business.
The autonomous-car guys at Google have got to love the 2015 cult comedy sequel Hot Tub Time Machine 2. Not because they thought it was a good film — I think they’re probably too smart for that — but because in the sequel, the future is a bright one for driverless cars. In director Steve Pink’s 2025 — the year most of the cast from Hot Tub Time Machine get transported to — cars take directions from people and cart them about, expertly ride through highway curves and stop on a dime. (They also try to run down humans who are rude to them, which may scare people who yell at their laptops.)
As for the real 2025, a lot can happen in nine years — and a lot will have to happen before cars can motor their way out of human control, according to MIT’s John Leonard.
The mechanical engineering professor and artificial intelligence researcher told an audience at the recent Brain + Machines symposium at Harvard University that Tesla Motors founder Elon Musk’s declaration of self-driving cars as “a solved problem” was more than a little optimistic.
“Just very respectfully, I disagree,” Leonard said. “And I think that driving exposes fundamental issues in intelligence, fundamental issues in how the brain works. And we might be a very long way away.”
Though he thinks Google Car is “an amazing project that might one day transform mobility,” the technology today is overhyped and misunderstood.
Bumpy road ahead
Leonard studies simultaneous localization and mapping, or SLAM, a technique for building maps that vehicles use to direct themselves. He led the team behind MIT’s autonomous car in the 2007 DARPA Challenge, a competition for driverless cars held at a former Air Force base in California.
A video taken at the event of a collision between cars from MIT and Cornell University illustrates his point. MIT’s car tried to pass Cornell’s and hit it instead. The problem, Leonard said, was one of spatial reasoning. The computers running the cars, aided by algorithms, were missing the “semantic understanding of the world” that people have.
Leonard discussed other unsolved challenges facing autonomous driving. One involves the human interaction that often enables car travel. He showed a video taken by a camera fixed to his car’s dashboard as he drove in his hometown of Newton, Mass., a Boston suburb. At a busy intersection with no traffic light, making a left turn would have been nearly impossible without waving at an oncoming car to signal his intention.
In another video, a police officer is standing in the street waving people through a red light at an intersection.
“So if anyone here is a programmer, how do you write the code that says, ‘Always stop at red lights, unless there’s a man on the side of the road waving at you’?” Leonard said.
Unexpected changes to things like road surfaces can also throw off automated cars. Google cars, for example, use precise maps that tell them where they are at any given point on a journey. But if Mother Nature drops a foot of snow, or if a road gets repaved, a driverless car may easily get confused, Leonard said.
Then there’s what’s called the “handoff problem.” When a car can’t figure out what to do on the road, how does it get a human to suddenly pay attention and take the wheel?
“Humans are actually pretty bad at that,” Leonard said.
Until cars can be 100% autonomous — which Google is pursuing — Leonard advocates what he calls a “guardian angel system.” In it, a human has to pay attention the entire trip; auto-driving kicks in only when he makes a mistake or when an accident looks likely.
Thinking about thinking
Leonard is looking at neuroscience to help solve the problems driverless cars face — specifically at how the brain of a person or an animal gathers information and creates an inner vision, or “representation,” of where it is in physical space. He is experimenting with visualized maps that can help a robot negotiate its way through a room or the MIT campus — without crashing into a chair or colliding with a moving object, like a car.
“My dream is to achieve persistent autonomy of lifelong map learning. Say, a robot car that, as it drove around Boston, it would get better and better,” Leonard said. “It would learn about the world.”
The problem: Petplan Insurance Agency LLC, a 140-employee company founded in 2003, wanted to offer its customers a more personal and more relevant shopping experience. The pet insurance company, which recently ranked #59 on the Forbes list of America’s Most Promising Companies, was looking to integrate online and offline points of contact with customers for marketing campaigns.
“We have this treasure chest of data, we just really need to find the key and open it up,” said Petplan’s chief digital officer Gerry McGoldrick, who was hired in May to lead digital and mobile initiatives. McGoldrick reports to Natasha Ashton, Petplan co-founder and CMO.
The strategy: McGoldrick set his sights on integrating call center data and online data. “The theory is that anyone who calls probably dealt with us through a digital experience at some point,” he said. Before purchasing a policy, Petplan customers may visit the website as many as four times, often seeking a quote for comparative shopping. With each visit, customers leave behind digital breadcrumbs and, in some cases, valuable data such as the breed and age of the dog or cat they’re looking to insure. To connect the online and offline dots, McGoldrick invested in BlueConic, a marketing platform, with the director of IT’s blessing.
The results: The BlueConic platform enables Petplan to take online data and build customer profiles, which are then served up to call center agents who can use them to tailor conversations. “Someone coming in through search will act differently than someone coming in through an email campaign,” McGoldrick said. And the more personal the conversation can be right off the bat, the better. He described the technology investment as “dipping our toe in the water” of personalization and hopes the platform will eventually incorporate data from its internal CRM and CMS for marketing use cases and beyond.
High-profile cyberextortions like the Sony Pictures Entertainment hack in 2014, the one last year on infidelity dating site Ashley Madison and even a lesser-known hack on InvestBank in the United Arab Emirates must have spooked a lot of people.
According to a study released in January by Cloud Security Alliance and security software vendor Skyhigh Networks, 25% of organizations said they’d be willing to pay a ransom to hackers to stop the release of sensitive information, and 14% would pay more than $1 million.
“To me that is disheartening, and it does tell us that both we’re not doing a good enough job in the industry protecting information,” said Jim Reavis, co-founder and CEO of Cloud Security Alliance, “and also that our use of technology is so vast that there are so many threats out there.”
And they keep happening. The Boston Globe reported just this week that the town of Medfield, Mass., paid a ransom after “ransomware” — a virus that locks a computer or device and demands the user pay a cash sum — shut down its computer network for about a week.
I wrote last week about the “culture of security” at Equinix, a Silicon Valley provider of data center space. CIO Brian Lillie described it as a companywide awareness about threats to information security (achieved through relationship building and support from top execs down) combined with an array of technological tools and a CISO to make sure all departments check out.
Now is the time for more companies to take Equinix’s lead. Traditional security practices like doing backups and tools such as intrusion detection software and antimalware are all compulsory to maintaining a strong security posture, but the fact that organizations are willing to give in to hackers’ cash demands — and in practice do — is testament that more is needed.
The human element in information security often gets short shrift. For example, many still believe that training programs don’t work and aren’t worth spending time and money on. But the best security defenses in the world won’t be successful if even one employee doesn’t know a phishing email when he sees one. And today, it’s easy for business departments to order a cloud service or download an app to a corporate smartphone. People who don’t know what’s kosher and what isn’t are practically courting disaster.
Everyone — from chief executives to business departments to the newest of hires — needs to be keenly aware of the threats out there, how to prevent them and how to counter them if they do occur. The more an organization can instill its people with a security mind-set, the more it can bolster its defenses against an increasingly bold and innovative underground.