At last week’s Cyber Security Summit at Stanford, President Obama sought to reset his administration’s relationship with a tech community alienated by an endless stream of disclosures of the government’s penetration of technology companies to achieve its surveillance goals. He appealed for both sides to unite to build an “Internet Cathedral” that will protect our online society. It’s a nice idea – but who are the priests?
Article by Simon Crosby, Co-founder and CTO at Bromium.
The two sides seem diametrically opposed: The tech sector is annoyed and distrustful, and committed to delivering secure services and products that meet the needs of customers worldwide. The government is necessarily concerned with US-centric notions of security and privacy, and online surveillance is a tool that serves its needs. But if customers suspect that US tech vendors are complicit in US government surveillance, it could hit their bottom lines, which represent a substantial component ( percent) of US GDP. And the government isn’t in the driving seat: our online future is clearly in the hands of the tech giants and consumers, not the government.
How can we resolve this? Apple CEO Tim Cook addressed the meeting before the President, making an impassioned commitment on the part of Apple to developing products that protect individuals and their information – rejecting technology that permits a government or commercial entity (a nice dig at Google) to surreptitiously gather data. Cook was the only major tech CEO to attend – Microsoft, Google and Yahoo execs turned down the invitation due to their continued frustration at naive and poorly thought-through moves by the government. Cook stressed that Apple succeeds because it delivers what consumers want – secure devices and services that don’t expose them to unwanted surveillance. His message was doubly impactful: It had the cred of a tech CEO whose company just delivered the biggest ever quarterly earnings of any US company, and the passion of a courageous gay man firmly committed to individual privacy.
Then there was the President. His address started out in a folksy way, with nice compliments to Stanford and innovation in the Bay Area. Clearly aware of the tension between his administration and the tech community, he set out to build a middle ground. The pillar of his address was the idea that we as a society are collectively building an “Internet Cathedral” that must protect our online society and allow us to build robust online institutions. He highlighted the relative infancy of the web – at a mere 28 years – compared to the centuries-old cathedrals in Europe, and reminded us that the latter were enhanced over many generations. Pointing out that the foundations of today’s Internet Cathedral are vulnerable, he called on the tech community to build more secure infrastructure and on educators to train the next generation to be better builders. Technology innovation will enable us to perfect the Internet Cathedral just as flying buttresses, fan vaulted ceilings, and ornate windows did in years past. It’s a seductive analogy.
Obama’s idea that the government and the tech sectors should unite to develop a stronger Internet Cathedral is a fine one, but it is missing (and Obama omitted) any mention of its priests. He signed an executive order to encourage better sharing of threat information between industry and the government, but its implementation will be fraught with issues of trust. If the government sees the tech sector as architects and builders, but reserves for itself the role of appointing the priests, then it is difficult to see how the two sides can agree. And though his appeal is elegant and non-partisan, it is the architects and builders who will decide how the Internet Cathedral is built. At the end of the day, a secure foundation is precisely that – a secure foundation for all Internet users, and not just the US government.
No government should be foolish enough to believe that requiring backdoors in the technology foundations upon which its society and its economy rely will lead to a more secure future for its people. Governments that subvert the tech used by their citizens, or that fail to fully embrace a secure-first approach to technology, inevitably leave their citizens less secure.