Wednesday, October 26, 2016

It's past time for governments to mandate security levels for all internet-connected devices

On the tail of the 2016 Census's troubles with four relatively small distributed denial of service (DDoS) attacks, the US East Coast was hit on 21 October by a massive DDoS attack that left major sites unreachable, or at least badly slowed, for hours - from Amazon, Twitter and Spotify to PayPal and Netflix.

This major attack, involving a very large number of hijacked devices, had global impacts - including on the websites of a range of Australian companies: retailers, banks, media services, insurance companies and hotels.

This type of attack isn't new - for years organisations have had to harden their computers and networks to fend off DDoS and more focused hacking attempts.

In fact a DDoS attack is often considered one of the least sophisticated approaches - simply flooding a target with an unmanageable volume of requests from hundreds, thousands or millions of hijacked devices until its network links, routers or servers can no longer cope.

However this latest attack differed in several respects from what organisations have typically planned for.

Firstly, it was on a scale that few had imagined. The company targeted, Dyn, provides managed DNS for many major sites: when Dyn's name servers cannot answer, users can no longer find those sites even though the sites themselves were never touched. Dyn was well prepared for large DDoS attacks, yet this one arrived in waves at a volume it could not absorb without hours of significant disruption.

Secondly, the attack didn't rely on the usual pool of compromised, poorly patched computers. Normally attackers conscript or buy access to 'botnets' made up of hundreds or thousands of poorly maintained PCs on insecure networks, and use malware on those PCs to launch and sustain the attack.

In this case, however, those responsible used the Mirai botnet code, whose source had been released publicly only weeks earlier, to take over a network of internet-connected appliances: security cameras, digital video recorders and web cameras, among other types.

Most of these devices were older models, and many were traced to one Chinese manufacturer that makes white-label products for others to brand and sell. Most relevant, they had little if any security in place to prevent hijacking: typically a remote management service reachable from the internet and protected by nothing more than a well-known default password. Many are also effectively unpatchable - there is no supported way to update their firmware, so they can never be made hard, let alone impossible, for an attacker to take over.

In other words, these insecure appliances are a permanent threat to the internet. They can easily be used in malicious or military cyberattacks by anyone with the inclination to do so.

While the manufacturer has issued a recall for these permanently insecure devices (though it's unknown how many will be returned as part of this process), the growth of the 'internet of things', where DVRs, smart fridges, air conditioners, cars and all kinds of household and work appliances are linked to the internet for monitoring and management purposes, poses a growing threat to the ongoing viability of the internet.

With billions of devices progressively being connected to the internet, there's little in the way of mandated or legislated requirements for devices to be secure to a given standard at a point in time, or have their software regularly upgraded to ensure that known security risks are patched.

While most countries specifically regulate and test products designed for health use, power use and radio spectrum to verify they won't cause harm, few nations have similar requirements for security.

Largely this remains covered only by the general 'fit for purpose' terms of trade practices legislation, which is effectively useless when a device such as a baby monitor or smart fridge can remain fit for its purpose and be used in an economically or politically motivated cyberattack at the same time.

This isn't a future issue. I can name six types of non-computing devices in my home which are, right now, internet capable - DVRs, TVs, web cameras, security cameras, air conditioners and light globes.

Households across Australia, and the world, are rapidly adopting or upgrading to these devices for convenience and improved management purposes - but security requirements are lagging badly.

This is an area where it's not sufficient for governments to trust that manufacturers and retailers will 'do the right thing' on an ongoing basis.

Some manufacturers and suppliers might cut corners in their software, or not appreciate how their devices could be remotely accessed and used maliciously. Others may discontinue products or go bankrupt, leaving devices unsupported.

The end result is not necessarily a risk to the consumer who bought the product, but rather a broader risk to society that these devices are used in an attack that damages companies or governments.

There's also a risk that companies or unscrupulous governments may use these 'smart' connected devices themselves to spy on citizens. Indeed this may already be happening.


Now some governments, such as the Australian Government, have begun offering advice to citizens on how to secure their home networks. A properly configured home firewall will, for now, keep many potentially insecure devices out of reach of scans from the internet.

However this is merely a stopgap. Firewalls have flaws and can be bypassed: a port forwarded to a camera for remote viewing, whether set up by hand or opened automatically through UPnP, exposes that camera regardless, and a firewall does nothing to stop the outbound flood traffic from a device that was compromised some other way. Nor are firewalls consistently installed or maintained by households.
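To make that stopgap concrete, here is what a "good home firewall" for this problem actually looks like. This is an added example written for this page, not configuration from the original post or from any router vendor: an nftables ruleset for a Linux-based home router that puts the appliances on their own network segment, refuses everything inbound from the internet, lets the appliances reach only the handful of services they need, and throttles any appliance that suddenly starts opening connections at flood rates. The interface names wan0, lan0 and iot0 are assumptions; substitute your router's own.

```nft
# Home router ruleset (added example; adjust interface names to your hardware).
# Assumed interfaces: wan0 = internet uplink, lan0 = trusted PCs and phones,
# iot0 = cameras, DVRs, TVs and other appliances on their own segment.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The trusted LAN may administer the router.
        iifname "lan0" accept
        # Appliances may use the router only as DNS and DHCP server.
        iifname "iot0" udp dport { 53, 67 } accept
        # Nothing from the internet reaches the router itself
        # (no telnet, SSH or web admin exposed on the uplink).
        iifname "wan0" drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Trusted LAN may reach the internet and the appliances (e.g. to view a camera).
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept
        # An appliance opening new outbound connections faster than 20/second is
        # behaving like a bot, not a fridge: drop the excess before the accepts below.
        iifname "iot0" oifname "wan0" ct state new limit rate over 20/second drop
        # Appliances may talk outbound only to web services and NTP. Telnet (TCP 23
        # and 2323), which the Mirai bots used to scan for new victims, is never allowed.
        iifname "iot0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "iot0" oifname "wan0" udp dport { 123, 443 } accept
        # Appliances never initiate connections into the trusted LAN.
        iifname "iot0" oifname "lan0" drop
        # Nothing inbound from the internet is forwarded to either segment.
        # There are deliberately no port forwards here; disable any UPnP daemon
        # on the router, since it would insert its own forwarding rules.
        iifname "wan0" drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The point of the separate iot0 segment is that a camera with a default password is then unreachable from the internet and unable to pivot into the laptops and phones on lan0; the rate limit does not prevent a device being hijacked, but it caps how much of your uplink a hijacked device can contribute to someone else's attack.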

With internet-connected devices already proliferating, many already in households and businesses may be impossible to secure, as were many of those used in the attack on Dyn.

For governments to protect societies against cyberintrusions (economic loss, political damage and inconvenience), there needs to be far more consideration of the risks around internet-connected devices - and fast.

Extra: I've just read a post that sums up this issue very eloquently, so have embedded it below...

Monday, October 24, 2016

For how long should we judge people by a few intemperate comments?

Over the last few weeks we've seen several prime examples of individuals being judged and convicted by comments they made at some point in the past.

Most would now be aware of the leaked tape of Donald Trump and Billy Bush, whose 'locker room talk' recorded in 2005 has led to an exodus of support and new sexual harassment claims against the US presidential candidate, and to Bush's exit as an NBC News anchor. Trump has said that 'no-one respects women more than him' and apologised for his words, stating they were merely words and that he'd never act in such a way (prompting a number of women to come forward with examples of a pattern of behaviour).

Some may also be aware that last week Twitter fired Greg Gopman after a month in the job, when TechCrunch republished one of Gopman's Facebook comments from 2013 in which he called homeless people 'trash'. After making the comment, and before the Twitter firing, Gopman had quickly apologised and taken a number of actions to help the homeless community in his city.

Without commenting on the merits of either sequence of events, I believe that society, and organisations, need to seriously consider how to manage intemperate comments by individuals and their ongoing impact on lives.

We now live in a world where almost any comment may be recorded and kept indefinitely - and can resurface at any time.

These comments may be said in the heat of the moment and later repented, or may form part of a long-term pattern of behaviour that defines an individual's approach and thinking.

However in the hothouse of modern media, context is quickly lost. The distinction between a pattern of abuse or bad character and an occasional momentary weakness or bad behaviour rarely survives a media and social media scrum.

Even positive or neutral comments, or a moment-in-time video, recording or photo, when used out of context, can have a devastating impact on an individual's future prospects, their ability to contribute to society, as well as on their family, friends and employer.

With teenagers experimenting with social norms in public social channels, and fast-shifting social norms catching older people out for unwise comments made decades ago, few of us can truly say that none of our past comments could ever be used against us.

Moving forward do we want to be a society where we drag everyone down to the worst versions of ourselves - where we glory in ripping and tearing others apart for momentary lapses of judgement, fast regretted?

Or do we wish to be a society that glories in redemption, that allows people to make mistakes, correct them and move forward and upwards to their best selves - provided they actually do?

Organisations need to decide when they will stand behind individuals who make a few mistakes and correct themselves, even in the face of a media storm. They need to decide where to draw the line between intemperate mistakes and intolerable character flaws and patterns.

Otherwise we're heading toward a society where there are no second chances, no room to grow and improve on one's 17-year-old self. A society where those of truly bad character conceal themselves and thrive (even into high office) by claiming that everyone who has ever made a mistake is just as bad as them.

The first step required is to have that conversation - in the media and in organisations. We should not 'walk past' a discussion and simply seek to control information in the hope of protecting otherwise good people from the mistakes of their past.

The standard you walk past is the standard you accept.

Wednesday, October 19, 2016

Support my ePetition for a better Australian ePetition site

Openness in government is supported by low barriers to engagement between citizens, agencies and politicians.

For example, making the House of Representatives' Register of Members' Interests available publicly is great - but not THAT great if it is only available for viewing in hardcopy in one location in Canberra between 9am and 5pm (which used to be the case).

Recently the Australian Government launched its ePetitions site, designed to make it easier for citizens to petition government on specific issues or goals.

You probably didn't see any media headlines about it, or even government announcements - nor is the site easy to find via search or within the Parliament House's website.

If you do find it - the approach is uninspired and basic. I reviewed it compared to three other ePetitions sites internationally, and it just didn't stack up on usability, accessibility, attractiveness or tone. Read my comparison here.

There's ePetition platforms available that are far more developed and inviting, and there's lessons from international ePetition sites that clearly weren't learnt.

The cost to us, to Australia, is that people won't engage with Parliament and the Government in the ways they could, reducing the openness and effectiveness of the process.

So... I created an ePetition to Parliament. It asks them to require the Department to work with the broader community to implement a true Web 2.0 ePetitions platform.

This platform should be equivalent to the best of breed internationally and embed best practice design principles (such as from the Digital Transformation Office).

Slightly to my surprise, they've published my ePetition, though without actually telling me - another issue with the Aussie process.

Therefore I'd appreciate if you could sign my ePetition at: http://www.aph.gov.au/Parliamentary_Business/Petitions/House_of_Representatives_Petitions/Petitions_General/Petitions_List?id=EN0028

And then please share this ePetition with your networks.

Thursday, October 13, 2016

Disruption is often simply a failure to prepare and evolve

Digital disruption is one of the buzz terms of the last few years, underscoring the increasingly rapid changes in society, industries and governments as new ideas and techniques enabled by digital technologies take hold.

Photo by Tsahi Levent-Levi
While some embrace this disruption (generally those doing the disrupting), for many it remains an unsettling or even negative concept.

Disruption implies a disturbance or breakdown in the existing order, a situation where the status quo is overturned in an unpleasant way. To disrupt a process is seen as interfering with the ordinary course of events, and 'disruptors' of events or organisations are rarely looked on in a positive light.

While many disruptions are predictable, they are often not avoidable - such as the impacts of a natural disaster or the consequences of a terminal illness.

Equally, disruptions in business and governance, through new technologies, ideas and approaches, can often appear to come rapidly out of 'left field', even when they could have been expected for a long time.

However in many of these cases, disruption has a much greater impact on societies and organisations than it needs to, not because it was unexpected or undiscussed, but because leaders refused to see the writing on the wall and begin a process of communication, adaptation and evolution soon enough.

A classic example is Eastman Kodak - the inventor of the digital camera, whose business was destroyed by the product it originally designed and marketed.

Kodak did not go bankrupt because no-one within or outside the company could see the impact of digital cameras, or their widespread adoption into mobile phones, laptops, tablets, drones and more. The company failed because the company's leaders chose to believe that their business could not be disrupted, that their name, reputation and products would allow them to survive no matter where the market went.

As a result they adapted too little and too late to the 'digipocalypse', where film cameras rapidly disappeared and even the digital camera market fell as people started using other devices as their primary photographic tool.

When I hear business and government leaders speak of disruption, of new industries replacing old or new thinking flushing out the old, I often wonder how much is just talk and how much actual action is taking place in their organisations to adapt to new realities.

Few disruptions are truly unpredicted, although their course may be unpredictable, with some technologies being rapidly adopted and others festering amongst early adopters for decades.

Organisations that are truly committed to survival and growth don't talk about the 'disruption' due to digital, but of the opportunity to re-imagine their business models and redesign their operations, preparing for and adopting innovations and new ideas in an evolutionary manner.

By preparing early and evolving continuously these organisations rarely face actual disruption, because they are almost always in the right place at the right time, with the talent, tools and techniques at hand to move with the market rather than trying vainly to keep up.

When these organisations are tripped up by market or social change, it's due to velocity, not disruption, and they remain well-equipped in talent and tools to pivot their operations to minimise any disruption.

If your organisation is facing digital disruption, consider why that might be the case.

Was the disruption truly unpredictable? Or did your management fail to watch the market closely, or ignore advice on the basis of their belief that the status quo was unshakeable?

Is the disruption due to a lack of preparation in the face of a clear and present danger? Or due to an unwillingness to change, even at the point of extinction?

While change is a constant feature of business and social environments, disruption is simply what happens to organisations that fail or fear to face change: those that do not design structures, generate strategies, or train and recruit staff who can lead and support the internal transition in a prepared and evolutionary way.

Therefore any organisation that has been disrupted should first look inwards, not outwards, for the cause, and take appropriate steps to ensure that, if it survives, it never makes the same mistake again - to inadequately prepare itself for environmental and market change.

And any organisation that foresees disruption ahead should be preparing now, in order to turn a potentially disruptive event into a much less impactful, evolutionary step that causes far less disruption or damage and buoys the organisation to greater future success.

Thursday, October 06, 2016

Free range 'strike teams' of specialists are a long overdue innovation for Australia's public service

I'm very pleased to see that the Australian Public Service Commission is finally considering the introduction of 'free range' teams of public servants, unattached to specific agencies, who can provide specialist skills as and where needed.

I proposed this type of team while I was working within government almost ten years ago now, as I could see that there were a range of skills that agencies did not require continuously, but were needed across the public service all the time.

This included experienced community engagement professionals, a range of digital talents as well as design and implementation specialists.

Until now the hierarchies of the public sector have been designed against such free-roaming talent, able to converge as 'strike teams' to assist agencies when they need it, and move on to other assignments when the need wanes.

There are still strong (almost feudal) hierarchies in place, but it seems that the innovation agenda, combined with diminishing resources and an increasing need for specialists, is helping to wear away resistance to the recognition that it's all one federal public service.

I always found it peculiar that senior public servants were adamant that they served the government of the day, yet chose to do so by building rigid organisations that made it harder for skills to move around, to be 'lent' or 'shared', and instead hoarded people as jealously as they hoarded data.

This always seemed a sub-optimal strategy for government, but one with very deep roots.

There are still a number of challenges ahead for the APSC in realising this idea. It still has to navigate the hierarchies of power: some agencies might wish to hold onto talent for too long, with brush fires between agencies that need similar resources at similar times. There are also likely to be all kinds of power struggles between agency-'owned' resources and the floating specialists, who may be seen as fly-by-nights, dropping in to offer their wisdom, then leaving the mess behind for agency staff to clean up.

The APSC must find public servants with the right psychology and mindset to move around, without having a 'fixed abode' or a hierarchy to protect their position and career progression.

Many people who work in this way already are contractors or consultants and may see little benefit in giving up salary for supposed job security, while new entrants from the private sector, who might be more used to mobility, may not find public service cultures or approaches congenial to their working styles.

However I'm glad the APSC is making the attempt, and hope it will be widely supported, particularly by smaller agencies with less capacity to hire or contract the specialist skills they need.