Russia between economic crisis and geostrategic projections

Giancarlo Elia Valori

As Lev Tolstoj maintained, “There is nothing stronger than those two: patience and time”. These are two of the most characteristic traits of the soul and psychology of the Russian people. On the other hand, if you follow Sun Tzu’s strategic guidelines, whoever has time also masters space.

Getting accustomed to suffering and sacrifice has always been typical of the Russian people who, as Vladimir Putin said by quoting Gogol, “have the sharp word which comes from the bottom of the heart.”

Today this is perhaps the most rational way of analyzing the state of the Russian economy and its new geopolitics, which started with the Russian armed forces’ engagement in Syria in favor of Bashar el Assad and against the very complex system of local and international jihad.

The slow but relentless increase in oil prices, organized by the oil and gas futures market during the current different, albeit parallel, crises in Iran and Saudi Arabia, is already an important sign of renaissance for the Russian Federation’s economy.

Furthermore, after the recent Doha summit of April 16, all oil market analysts predict that the oil barrel prices will increase rapidly throughout the second half of 2016 while investors, however, still cautiously maintain short term positions.

This is the result of a mix of factors such as the slow, but stable, global economic recovery and the planned decrease of oil extraction as a result of the decisions recently taken in Doha.

Certainly the Doha Summit failed because of the tension between Iran and Saudi Arabia, but all the latest OPEC projections point to a gradual increase in oil prices per barrel, although there are no explicit messages to that effect by the Vienna cartel.

Hence Russia’s accounts are stable and are bound to improve, despite the severity of its recent economic crisis.

Since the beginning of 2016, inflation has been falling as a result of lower consumption.

In March 2016, however, the Russian prices increased by 7.3% as against the previous year, after an 8.1% rise in February. Anyway the Russian consumer prices are below market forecasts, which pointed to 7.5%.

Moreover the current rate of Russian inflation is the lowest of the last two years.

Thus inflation has absorbed the ruble devaluation, by also allowing further monetary easing margins.

Nevertheless the decrease of disposable income was over 5% in 2015, with rapidly falling wages and an obvious massive impoverishment.

However, the share of the Russian population living below the poverty line is already limited compared to the data of previous years.

Russian poverty grew from 3.1 million needy people to 19.2 in 2015, the highest rate ever since 2006, and is now partially on the wane.

Again last year wages and salaries fell by 2.6% on average, while the Russian Stock Exchange index (MICEX) grew by 7.9% according to the 2015 data.

Nevertheless all Western analysts maintain that the worst is over for the Russian economy.

All Russian macroeconomic data and statistics point to a significant growth of exports throughout the second half of 2016, while the strategic link between the growth of the Iranian economy, after the JCPOA signature, and the increase in Russian oil and non-oil exports, makes us think that Russia used its military forces in Syria well, also at domestic geoeconomic level.

In all likelihood, the rational solution taken by the Russian government was the increase in oil and gas taxes decided in 2014.

This 15% increase in the oil and gas taxes made it possible to reduce the tax burden on other Russian productive sectors, more oriented to the internal market and, in the future, to exports.

Another Russian rational decision was to make the ruble fluctuate, so as to save on currency reserves and better absorb the downward shock of oil prices.

Hence more rubles for oil and gas units exported, with a longer duration of the reserve fund.

All while the public deficit, already low by current Western standards, can be easily covered by the issue of government debt securities for the domestic capital market.

Basically the Russian economic crisis, which had been planned to “file Russian strategic nails” is now over and the Russians’ infinite patience mentioned by Tolstoj will do the rest.

After the sanctions imposed on the Russian Federation in 2014 and the drop in oil prices, which have delayed recovery, also the World Bank has predicted a slow improvement of Russia’s economy. Hence, a timid growth which, according to US analysts, will be based particularly on the fiscal and monetary policies of President Putin’s elite.

Moreover, despite persisting sanctions, the Russian Federation is using the weak ruble to expand non-oil exports, which are already rising especially after the agreements between Russia and China and between Russia and the Eurasian Customs Union.

However, which is the link between the Russian economic adjustment underway and its current and future geopolitics?

Perhaps the key factor lies in the creation of a new political and military entity, namely the Russian National Guard, recently established by President Putin.

In principle, it is the merger of various pre-existing armed structures and units.

As many as 170,000 soldiers from the troops of the Ministry for Internal Affairs; an unreported amount of staff coming from the Ministry for Emergency Situations; 40,000 operational units of the OMON police forces, specialized in managing and suppressing riots; 5,500 officials of the SOBR rapid-reaction forces, in addition to the Operational Reaction Forces and Aviation of the Ministry for Internal Affairs, selected by its Special Designation Center, including the Zubr, Rys and Iastreb Special Forces units.

In the latter case we speak of at least 800 military men available for the new structure.

Therefore the total number of the National Guard military staff will range between 250,000 and 300,000 units.

The Guard’s tasks and functions will be managing and preventing problems of public order, combating terrorism and taking actions against “extremist” groups, namely the Chechen gangs and the future protesters in the future “orange revolutions” almost certainly planned by the West against Russia.

Then, the Guard will be responsible for homeland defense and security; the protection of State structures and special internal and foreign transport; the protection of the assets and companies of Russian citizens and organizations approved by the Government; the support to border troops, that are traditionally an integral part of the Russian Intelligence Services; the fight against arms trafficking; the command of all National Guard troops and finally the protection of men and means of the Guard itself.

Hence the whole internal security will be entrusted to the National Guard and this will obviously relieve the Russian internal and foreign Intelligence Services of a whole range of traditional and routine tasks.

President Putin wants a more geostrategic intelligence, less overburdened with public order tasks, and this is a lesson we should learn also in Italy and in the West.

Some people think that President Putin wants to create a “personal army”, but the Russian President’s power is such that it is thought that he does not certainly need this new Guard only to strengthen his personal power, which is already pervasive and without any credible internal opposition.

Conversely, in all likelihood, with this new military organization, President Putin wants to avoid the coalescence of two dangers he sees looming over the Russian Federation’s near future.

These dangers are the imported jihad and the sequence of the various orange revolutions which, even combined with Islamist terrorism, could destabilize Russia permanently and make it viable for the financial and strategic interests of the West.

Probably President Putin is convinced that the United States and some US allies may make Russia pay a very high price for its ongoing engagement in Syria and the Middle East, which is the real game changer of contemporary geopolitics.

Not to mention the fact that, by opening its Syrian-Mediterranean front, the Russian Federation knocks out and bypasses the whole military network that NATO and the United States are placing along the Russian Federation’s land borders, from Estonia to Poland and the Czech Republic, up to Romania.

Certainly Putin thinks that this is a challenge which is worth a slow and relentless internal destabilization of the Russian society and politics.

This would also explain the “free hand” given by the Russian leader to the internal Services with the creation of the new Guard.

Hence the Services would now find it much easier to take actions to face external and internal threats to the Russian Federation’s political (and economic) system.

The designated Head of the new National Guard is General Viktor Zolotov, former Head of the President’s Security Service.

A man certainly trusted by Putin and a great intelligence expert.

Zolotov was born in 1964 and is a member of the Russian Security Council, an advisory body to the President, reformed in 1996, which meets at least once a month and coordinates the Russian Federation’s security, in close cooperation with the Services’ leadership.

In the past he was the bodyguard of Anatoly Sobchak, the mayor of St. Petersburg, who protected President Putin’s first steps in the very complex post-Soviet era.

Member of the KGB “active reserve”, as Putin, Zolotov was given up for dead several times but, as often happens in the great Russian intelligence game, he is obviously alive and “operational.”

In the 2000 “siloviki war” (the siloviki are the former KGB members), which was a war between some groups of agents of the old Services and the inner circle of the already powerful Putin, Zolotov stood with the losers, the men of Viktor Cherkesov against the siloviki Nikolai Patrushev and Igor Sechin.

Zolotov was later “forgiven” by Putin, as the General never made public his positions of “liberal siloviki” who supported Dimitri Medvedev as Putin’s successor in 2008.

Later Zolotov took command of the forces of the Ministry for Internal Affairs, now led by General Ragozhin, who has fewer ties with President Putin, while the President of the Judo Federation of St. Petersburg, a longtime friend of President Putin, who is a well-known judoka, has been appointed Head of the Military Police.

Zolotov’s appointment is also an action of President Putin who intends to bring peace to the vast community of the siloviki, a highly fragmented group as early as his return to the Presidency in 2012.

The fight between the former KGB agents regards power, the relationship with the economy and, above all, the struggle for the succession to Vladimir Putin.

And this will be the new scenario for which the National Guard seems to be already prepared, although Vladimir Putin has recently indicated that he is likely to run again in the next presidential election.

Advisory Board Co-chair Honoris Causa Professor Giancarlo Elia Valori is an eminent Italian economist and businessman. He holds prestigious academic distinctions and national orders. Mr. Valori has lectured on international affairs and economics at the world’s leading universities such as Peking University, the Hebrew University of Jerusalem and the Yeshiva University in New York. He currently chairs “International World Group”, he is also the honorary president of Huawei Italy, economic adviser to the Chinese giant HNA Group. In 1992 he was appointed Officier de la Légion d’Honneur de la République Francaise, with this motivation: “A man who can see across borders to understand the world” and in 2002 he received the title “Honorable” of the Académie des Sciences de l’Institut de France.

The global strategy of computer hacking

Giancarlo Elia Valori

Whoever operates on the Web and holds interesting or relevant data will sooner or later be hacked by some individual or organization.

 Usually “economic” hackers take the data of interest from the victim’s network and resell it in the dark web, i.e. the system of websites that cannot be reached by normal search engines.

Currently, however, after the Bayonet operation of July 2017 in which many dark web areas were penetrated, we are witnessing a specialization of the dark web and an evolution of web espionage methods against companies and States.

 These operations which, in the past, were carried out by web amateurs, such as youngsters at home, are currently carried out by structured and connected networks of professional hackers that develop long-term projects and often sell themselves to certain States or, sometimes, to some international crime organizations.

As often happens in these cases, the dark web was born from research in the military field. In fact, in the 1990s, the Department of Defense had developed a covert and encrypted network that could permanently protect the communications of the U.S. espionage “operatives” who worked abroad.

Later the secret network became a non-profit network that could be used for the usual “human rights” and for protecting privacy, the last religion of our decadence.

 That old network of the State Department then intersected with the new TOR Network, which is the acronym of The Onion Router, the IT “onion” covering communication with different and often separable encryption systems.

 TOR lives on the Internet edge and it acts as the basic technology for its dark web.

 Like the “Commendatore” vis-à-vis Don Giovanni in Mozart’s opera.

 TOR, however, is a free browser that can be easily extracted from the Web.

Obviously, the more the anonymity of those who use TOR and go on the dark web is covered by effective encryption systems, the more unintentional signals are left when browsing the dark web.

Moreover, the farther you have to go, the more pebbles you need to go back, as in the Thumbelina fairy tale.

TOR and the Dark Web were born to allow the communications of U.S. secret agents, but were later downgraded to a “free” communication system to defend Web surfers from “authoritarian governments”. Currently the dark web hosts a wide underground market where drugs, stolen identities, child pornography, jihadist terrorism and all forms of illegal business are traded.

Moreover, if these dark web services are paid with uncontrollable cryptocurrencies, it is very difficult to track any kind of dark web operations.

Nowadays, about 65,000 URLs operate in the dark web, which means Internet websites and Universal Resource Locators that operate mainly via TOR.

A recent study of a company dealing with cybersecurity has demonstrated that about 15% of all dark web URLs facilitate peer-to-peer communication between users and websites usually by means of chat rooms or websites collecting images, pictures and photos, which are often steganographic means and transmit hidden and concealed texts, but also for the exchange of real goods via specialized websites for peer-to-peer trading that are also encrypted, as can easily be imagined.

Moreover, a further study conducted by a U.S. communication company specialized in web operations has shown that at least 50% of the dark websites are, in fact, legal.

This means they officially deal with things, people, data and pictures that, apparently, also apply to “regular” websites.

  In other words, the dark websites have been created by means of a regular request to the national reference office of ICANN, which grants the domains and registers the permitted websites, thus communicating them to the Californian cooperative that owns the web “source codes”, although not in a monopolistic way.

Currently all the large web organizations have a dark “Commendatore” in the TOR area, such as Facebook, and the same holds true for almost all major U.S. newspapers, for some European magazines but also for some security agencies such as CIA.

Nevertheless, about 75% of the TOR websites listed by the above stated IT consultancy companies are specialized URLs for trading.

 Many of these websites operate only with Bitcoins or with other types of cryptocurrencies.

Mainly illegal pharmaceuticals or drugs, items and even weapons are sold in the dark web. Said weapons are often advanced and not available in the visible and overt networks.

 Some URLs also sell counterfeit documents and access keys for credit cards, or even bank credentials, which are real but for subjects other than those for whom they were issued.

In 2018 Bitcoin operations were carried out in the dark web to the tune of over 872 million US dollars. This amount will certainly exceed one billion US dollars in late 2019.

It should be recalled that the total amount of money “laundered” in the world accounts for almost 5% of the world GDP, equal to 4 trillion US dollars approximately.

Who invented the Bitcoin?

 In 2011, the cryptocurrency was used for the first time as a term of trade only for drug traffickers operating in the dark web, mainly through a website called Silk Road.

The alias used for those exchanges was Satoshi Nakamoto, who was also filmed and interviewed, but was obviously someone else.

We should also recall web frauds or blackmails: for example, InFraud, a U.S. organization specialized in the collection, distribution and sale of stolen credit cards and other personal data.

Before being discovered, InFraud had illegally made a net gain of 530 million US dollars.

 Another group of illegal operators, Fin7, also known as Carbanak, again based in the United States, has collected over a billion US dollars on the web and has put in crisis, by blackmailing them, some commercial organizations such as Saks Fifth Avenue and Chipotle, a widespread chain of burritos and other typical dishes of Mexican cuisine.

 Obviously the introduction of new control and data processing technologies, ranging from 5G to biometric sensors, or of personal monitoring technologies, increases the criminal potential of the dark web.

Hence the dark web criminals will have an even larger mass of data from which to derive what they need.

The methods used will be the usual ones, such as phishing, i.e. the fraudulent attempt to obtain or to deceive people into sharing sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication possibly with a fake website, or the so-called “social engineering”, which is an online scam in which a third party pretends to be a company or an important individual in order to obtain the sensitive data and personal details of the potential victim, in an apparently legal way, or blackmail by e-mail and finally the manipulation of credentials.

With a mass of additional data on their “customers”, the web criminals will be able to perfect their operations, thus making them quicker and more effective. Or the new web technologies will be able to accelerate the time needed for blackmail or compromise, thus allowing a greater number of frauds for more victims.

 Biometrics certainly expands the time for the use of data in the hands of cybercriminals. Facial detection or genetic and health data are stable, not to mention the poor security of data held by hospitals. Or we have to do with the widespread dissemination of genetic research, which will provide even more sensitive data to web swindlers.

 According to some recent analyses carried out by the specialized laboratories for the Web, 56% of the data most used by web criminals comes from the victims’ personal data, while 44% of the data used by swindlers comes from financial news.

 Moreover, specific types of credit cards, sold by geographical area, commercial type and issuing bank, can be bought in the dark web.

85% of them are credit cards accredited for a bank ceiling, while 15% of “customers” ask for debit cards.

The web scammers, however, always prefer e-mail addresses even to passwords.

Furthermore, less than 25% of the 40,000 dark web files have a single title.

  In the “dark” web there are over 44,000 manuals for e-frauds, available for sale and often sold at very low prices.

Large and sometimes famous companies are the ones mainly affected. In 2018 the following companies were the target of cyberattacks in the United States: Dixus, a mobile phone company from which 10 million files were stolen; the Cathay Pacific airline, with 9.4 million files removed, but also the Marriott’s hotel chain (500 million data/files removed) and finally Quora, a website of scientific documents and generic data. Over 45 million files were removed from Quora.

How can we know whether we are the target of an attack from the Dark Web? There is certainly the presence of ransomware, such as the recent Phobos, which uses the Remote Desktop Protocols (RDP) that allow computers to be controlled remotely.

 Then there is the Distributed Denial of Service (DDoS), which is a temporary block of the Web, apparently accidental, and finally there is the traditional malware, the “malicious” software that is used to disrupt the victims’ computer operations and collects the data present on their computers.

 However, the Dark Web ambiguity between common crime and the defence of “human rights” and safe communications in “authoritarian regimes” always remains.

The United States, Iran, China and other countries have already created a “fourth army”, composed only of hackers, that operates with cyberattacks against the enemies’ defence and civilian networks.

 The US Cyber Command, for example, is estimated to be composed of as many as 100,000 men and women, who operate 24 hours a day to hit enemy servers (and also allies’ ones, when they contain useful information).

Just think also of the private group Telecomix, which supported the 2011 Arab rebellions and, often, also the subsequent ones.

Also in these months both Telecomix and Anonymous are working to permit the free use of the Syrian computer network.

 There is often an operative interface between these groups and the Intelligence Agencies, which often autonomously acquire data from private networks, which, however, soon become aware of the State operations.

 There is also cyber-rebellion, which tries – often successfully – to strike at the victims’ data stored, by deleting them.

DDoS, the most frequent type of attack, often uses a program called Low Orbit Ion Cannon (LOIC) which allows a large number of connections to be established simultaneously, thus leading to fast saturation of the enemy server.

The attacking computers can be used remotely and some groups of hackers use thousands of computers simultaneously, called “zombie machines”, to hit the database in which they are interested to delete it or to remove its files.

This type of “fourth army” can inflict greater damage on a target country than a conventional armed attack. The faster the attack, the easier it is to identify the origin of the operation.

It is currently estimated that the “zombie” computers in the world are over 250 million – a greater network than any other today present in the military, scientific and financial world.

Hence a very dangerous military threat to critical infrastructure or to the economic resources of any country, no matter how “advanced” it is technologically or in terms of military Defence.

 There have been reports of hackers linked to global drug organizations, especially Mexican cartels, and to jihadist or fundamentalist terrorist groups.

Financial hacking, which often supports all these initiatives, remains fundamental.

 The South Korean intelligence services’ operative Lim was found “suicidal” after having purchased a program from the Milanese Hacking Team.

A necessary tool for these operations is often a briefcase containing circuits which mimic the towers of cellular repeaters and store in the briefcase itself all the data which is transferred via cetel or via the Internet Network.

The Central Bank of Cyprus, the German CDU Party and many LinkedIn accounts – a particularly favourite target of hackers – some NATO websites and, in Italy, some business and financial consultancy companies were attacked in this way.

 It is a completely new war logic, which must be analysed both at technical and operational levels and at theoretical and strategic levels.

The Failures of 737 Max: Political consequences in the making

Sisir Devkota

Last month, as Boeing scaled new contracts for the 737 Max, horrific remains in Bishoftu, from the crashed Ethiopian Airlines Flight 302, witnessed the Dubai Air show in despair; the plane manufacturer had sealed another 70 contracts for the future. Still, the dreaded MCAS software is looking for a resolution at last. Two of the fatal Max 8 crashes have been reportedly caused by sensor failures, attributed to software malfunctions. One hundred and fifty-seven people died inside flight 302, only months after Lion Air 610 crashed into the Java Sea with 180 passengers on board.

Both accidents are predisposed towards the highly sophisticated Maneuvering Characteristics Augmentation System (MCAS), an algorithm that prevents 737 aircraft from steep take-offs; or de-escalates the vehicle at its own will. However, there is more to Boeing accidents than just a coincidental MCAS failure. Largely, it is only a consequence of political and economic interests.

While Boeing’s European competitor, Airbus, relaunched its A320’s in 2010, there were fewer changes in the operating manual. Airbus 320 Neo, as it was re-named, had larger engines on the wings, primarily designed for fuel efficiency. The Neo models claimed a whopping 7% increment in the overall performance; inviting thousands of orders worldwide. Consequently, Boeing’s market share of more than 35% was immediately under threat after Lufthansa introduced it for the first time in 2016. Despite major competition from the A320, the 737’s lack of ground clearance space hindered a major engine configuration. Nevertheless, Boeing responded to the mechanical challenge and introduced the MCAS for flight safety. As bigger engines in the 737 were increasing the take-off weight, the MCAS would automatically re-orient the aeroplane’s steepness to avoid stall. Boeing’s lust to stay afloat in the competitive market, led by a robotic intrusion in flight controls, did not fare too long. Flight investigations claimed that although Lion Air 610 was gaining altitude in normal circumstances, the MCAS read it wrongly; hence, pulling the aircraft lower, beyond the control of physical pilots. It was a design flaw, motivated by the need to overcome dwindling sales profits.

Neither is Airbus enjoying smooth performances over the years; it however has not performed as miserably as the 737. Indigo, a major Indian airline, is the largest importer of A320 Neo; despite new technologies, it has been warned of repeating problems like momentary engine vibration. Months back, an Indigo flight stalled on its way from Kolkata to Pune, before being forced to return to its departure. Unlike the Boeing 737, Airbus malfunctioning does not lead to a major disaster. There is an element of mechanical interference available to pilots flying the European prototypes. Still, it is not everything that separates the two giants.

The Ethiopian disaster brought scrutiny on Boeing’s leadership at home; a congressional hearing concluded that after repeated attempts to warn the airline manufacturer to present information as transparently as possible, deaf ears have persisted. As the statement read, Boeing was hiding significant information away from airline companies and pilots. While it plans to resume sales in 2020, progress has been waning, in terms of improving the knowledge behind operating the 737 Max. The investigative hearing concluded that Boeing was manufacturing flying coffins.

Unsurprisingly, there is little amusement towards the development of airline sales around the world. Visibly, there is a band of companies, preferring the American manufacturer to the other. The politics is simple; it is merely about technological superiority, but more related with subsidies and after sales services. Regardless of whether Boeing will scrap the 737 Max or improve the software configuration, doubts have presided over choosing to fly altogether with choosing to fly a specific model. Air travel could not be safer in 2020. That claim is in serious trouble.

Digital Privacy vs. Cybersecurity: The Confusing Complexity of Information Security in 2020

Dr. Matthew Crosston

There is a small and potentially tumultuous revolution building on the horizon of 2020. Ironically, it’s a revolution very few people on the street are even aware of but literally every single corporation around the globe currently sits in finger-biting, hand-wringing anticipation: is it ready to meet the new challenge of the California Consumer Privacy Act, which comes into full effect on January 1, 2020? Interestingly, the CCPA is really nothing more than California trying to both piggy-back AND surpass the GDPR (General Data Protection Regulation) of the European Union, which was passed all the way back in 2016. In each case, these competing/coincident pieces of regulation aim to do something quite noble at first glance for all consumers: to enhance the privacy rights and data protection of all people from all digital threats, shenanigans, and malfeasance. While the EU legislation first of all focuses on the countries that make up the European Union and the California piece formally claims to be about the protection of California residents alone, the de facto reality is far more reaching. No one, literally no one, thinks these pieces can remain geographically contained or limited. Instead, they will either become governing pieces across a far greater transregional area (the EU case) or will become a driving spur for other states to develop their own set of client privacy regulations (the California case). Despite the fact that most people welcome the idea of formal legal repercussions for corporations that do not adequately protect consumer data/information privacy, there are multiple confusions and complexity hidden within this overly simple statement. As we head into 2020, what should be chief for corporations is not trying to just blindly satisfy both GDPR and CCPA. Rather, it should be about how to remedy these confusions first. However, that elimination is not nearly as easy to achieve as some might think.

First off, a not-so-simple question: what is privacy? It is a bit awe-inspiring to consider that there are many ways to define privacy. When considering GDPR and CCPA, it is essential to have precise and explicit definitions so that corporations can at least have a realistic chance to set goals that are manageable and achievable, let alone provide them with security against reckless litigation. Failure to define privacy explicitly carries radically ambiguous legal consequences in the coming CCPA atmosphere, something all corporations should rightly avoid like the plague. Perhaps worse, no matter how much time you spend defining consumer privacy beforehand, trying to create this improved consumer protection digitally becomes almost hopelessly complicated. The high-technology, instant-communication, constant-access, massively-diversified world we live in today makes some argue that ‘digital privacy’ in any real sense is dead and buried without the possibility for resurrection. If this is true, then how quixotic will it be for corporations to try to meet the regulation demands of legislative projects like GDPR and CCPA if they do not first try to establish both clarity and transparency of terms and goals?

This is not a nihilistic argument just trying to have every corporation around the world throw up its hands in despair and give up on improved consumer privacy and data protection. But note the word ‘improved.’ In order for corporations to realistically provide consumer data protection, the irony of ironies may be that the first successful step will be finally embracing transparency in admitting that ‘perfect digital privacy’ will not and cannot exist. Realistic cyber expectations mean admitting that external threats always have an upper hand over internal defenders. Not because they are more talented or more committed or more diligent. But because what it takes to successfully perpetrate a threat is far simpler, quicker, cheaper, and easier than what is necessary to successfully enact a comprehensive defense program that can answer those threats and remain agile, flexible, and adaptive far into the future.

The broken glass analogy helps illustrate this conundrum. I am in charge of protecting 100 windows from being broken. But I must protect them from 1000 people coming toward me with rocks. Ultimately, it is far easier for the 1000 to individually achieve a single success (breaking a window) than it is for me to achieve success in totality (keeping all 100 windows intact). The resolution, therefore, is transparency: there is greater chance of ‘success’ for the chief actors (namely, me as defender and the client as owner of the windows) if I can be liberated from the impossible futility of ‘perfect protection’ and set a more realistic definition of protection as ‘true success.’ As long as there are recovery/restitution processes in place (replacing/repairing a broken window), then ‘success’ should be legitimately defined as a percentage less than 100. This is the same for corporations dealing with clients/consumers in the new world of 2020 CCPA: if the idea is that these pieces of legislation finally make corporations commit to perfect digital privacy and such perfection is the only definition of success against which they can measure themselves, then 2020 will be nothing but a year of frustration and failure.

The funny thing in all of this is that the EU legislation somewhat admits the above. Consider the seven principles of data protection as laid out by GDPR:

  • Lawfulness, fairness, and transparency.
  • Purpose limitation.
  • Data minimization.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
  • Accountability.

Nothing in these seven principles would bring about the establishment of perfect digital privacy or set the expectation that failures in consumer protection must never occur. But they do hint at a darker secret underlying the European concept of client privacy that sits in contradiction to the very essence of American economics.

When people call CCPA the ‘almost GDPR,’ they are hinting at how the spirits of the two pieces of legislation are somewhat diametrically opposed to one another. The EU crafted GDPR under strong social democratic norms that encompass many of the core member governments. As such, it is most decidedly not legislation engineered to first protect the sacred right to free market business enterprise and a fundamental belief in the market to solve its own problems. Rather, GDPR has within it, implicitly, a questioning skepticism about the core priorities of major corporations and the belief that governance is the only way to make free-market economics work fairly. As such, GDPR is not just about protecting consumer data and information privacy from hackers, outside agents, and foreign actors: it is also about protecting consumers from “untrustworthy corporations” themselves. This is something that should not infuse the CCPA (whether it does or not is yet to be determined and 2020 will therefore prove to be a very interesting judgment year). Because while California is staunchly to the left on the American political spectrum, it still operates as a constituent member of the US, the most fiercely protective country of its capitalist roots and belief in the sanctity of the free-market system. As such, government regulation in the EU that works for consumer privacy protection will not be looking at corporations as a willing or even necessarily helpful partner in a joint initiative. American government regulation should and must. As time progresses, if CCPA proves itself to be too close to GDPR, to European as opposed to American market norms, expect to see other states in the US create competing legislation. And even if those competing pieces aim to create a more ‘American’ conceptualization of consumer digital privacy as opposed to ‘European,’ what it means in real terms for corporations is yet more competing standards to try to synergize and make sense of.
Thus, executive leaders in charge of information security in 2020 are going to need to have critical reasoning and analytical research skills far more than they ever have in the past.

In the end, protecting consumer privacy and providing client data protection is an essential, proper, and critical element for doing business in 2020. Legislation like GDPR and CCPA is meant to help provide an acknowledged framework for all actors to understand the expectations and consequences of the success/failure of that mission. Having such protocols is a good thing. But when protocols do not recognize reality, skip over crucial elements of clarity and transparency, hide some of the futility that likely cannot be overcome, and ignore their own competing contradictions, then those protocols might end up providing more problems than protection. What corporations must do, as they head into 2020, is not blindly follow CCPA. Nor should they facetiously do superficial work to achieve ‘CCPA compliance’ while not really providing ‘privacy.’ What is most crucial is innovative executive thinking, where new analytical minds are brought into positions like CISO (Chief Information Security Officer) that are intellectually innovative, entrepreneurial, adaptive, and agile in how they approach the mission of privacy and security. Traditionally, these positions have often been hired from very rigid and orthodox backgrounds. The enactment of CCPA in 2020 means it might be time to throw that hiring rulebook out. In real terms, the injection of new thinking, new intellectualism, new concept agility, and new practical backgrounds will be crucial for all information security leadership positions. Failure to do so will not just be the death of privacy, but the crippling of corporate success in the client relationship experience.
