Future Crimes
We the People
It’s not a faith in technology. It’s faith in people.
STEVE JOBS
Contemplating the full scale and scope of malicious activities perpetrated by organized criminals, terrorists, hackers, and rogue governments is enough to make anybody feel dispirited, frightened, and even depressed. But if there is one thing that gives me considerable solace after nearly two decades working in the field of global security, it is this: the good people in this world vastly outnumber the bad. That is a huge advantage but one that we have not yet fully leveraged to our benefit. Crime, Inc. is well versed in crowdsourcing, capable of mobilizing mobs of thousands, as we saw with the massive 2013 ATM cyber attack in which thieves carried out thirty-six thousand in-person transactions in ten hours in twenty-seven countries, pocketing a cool $45 million. Amazing for its speed, prowess, innovation, and impact. But where is the public safety equivalent of such an act? It doesn’t yet exist, and that is something we will have to change in order to bolster our self-defenses and our self-reliance at the dawn of this new digital age.
It has become painfully clear to me that our authorities are losing the technological edge to criminals. Law enforcement, overwhelmed by the workload and undermined by budget cuts, is under assault and struggling mightily to keep up. Moreover, policing is a closed system: it is nation based, while the threat is international. Our current paradigms of security—guns, border guards, and tall fences—are shockingly outdated. They do not keep out bits and bytes that can travel around the world at the speed of light. In order to overcome these obvious gaps in our current public safety institutions, we will need to find new and more radical ways to address the problem, ones that incorporate a more open and participatory form of crime fighting. Where are the neighborhood watch and community policing programs in cyberspace? Rather than having a small elite force of highly trained agents on hand to protect all of us, we are far better off enabling ordinary citizens to combat the problem as a group through crowdsourcing. To beat Crime, Inc. at its game, we must get good to scale, but bigger and better.
The idea of crowdsourcing law enforcement is hardly new. In 1865, when John Wilkes Booth assassinated President Lincoln, he became the first fleeing felon to have his photograph appear on a wanted poster. Today, 150 years after the murder of our nation’s sixteenth president, government’s implementation of crowdsourced law enforcement has changed nary a bit. Cops distribute photographs to local news channels, and broadcasters warn that the wanted party is “armed and dangerous, please contact local law enforcement should you see him.” Really? In 2015, surely we can do better to bolster public engagement besides “if you see something, say something.”
We the people, just like Crime, Inc., can take advantage of the bounty provided by technology to help protect and defend ourselves. Clay Shirky uses the term “cognitive surplus” to describe the “ability of the world’s population to volunteer, contribute, and collaborate on large, even global projects.” It’s high time we the people began using our available cognitive surplus to help protect and defend our own future. Open-source warfare and crowdsourced crime must be met with open-source security and crowdsourced public safety. Fortunately, there are a few bright spots where this new paradigm of public safety is beginning to shine. Organizations such as Crisis Commons and Ushahidi are reinventing disaster relief and saving lives by coordinating citizen response to public emergencies, including during the Haiti earthquake and the terrorist attack at the Westgate Mall in Nairobi. Citizens in Mexico, a country racked by fifty thousand narcotics-related murders from 2006 to 2012, are using tools such as Google Maps to crowdsource reporting on the cartels, their activities, and their whereabouts. In eastern Europe, the Organized Crime and Corruption Reporting Project, comprising journalists and citizens, crowdsources sophisticated multinational investigations to reveal which dictators, crooked officials, terrorists, and organized crime groups are moving and laundering their massive ill-gotten gains around the globe. Speaking of public corruption, in 2009 editors at the Guardian newspaper in Great Britain created software allowing citizens to “crowdvestigate” more than 455,000 pages of data they had obtained in order to identify flagrant expense claim violations by members of the U.K. Parliament. More than twenty-five thousand citizen volunteers joined in the digital investigation, and the results were truly amazing. 
Over 170,000 documents were reviewed in the first eighty hours, and the crowd’s discovery of thousands of flagrant misappropriations of public funds led to the forced resignation of numerous MPs, cabinet ministers, and even the Speaker of the House of Commons, a truly powerful outcome last seen in 1695.
In each of these cases, individuals were able to do more than just report crimes to authorities. They were able to marshal evidence by channeling time and energy to decipher data to produce results faster than any policing or governmental organization could have done alone. Crowdsourcing public safety delivers clear results and must become an integral component of our global security strategy in an exponentially changing world, especially one so short on full-time cyber-security personnel. The Rand Corporation has noted that the nationwide shortage of technical security professionals within the federal government is so critical that it is putting both our national and our homeland security at risk. The finding was echoed by Cisco’s 2014 Annual Security Report, which estimated that there was a talent scarcity of more than a million cyber-security professionals worldwide, expected to grow to two million by 2017. We desperately need more public engagement in protecting our technological future, and even the channels of officialdom have begun to concede the point.
In 2012, the FBI’s top cyber lawyer, Steven Chabinsky, called government efforts in fighting cyber crime “a failed approach,” adding that much stronger efforts would be required by members of the public in combating cyber threats. That work is slowly starting to begin. In one case, a professor at the University of Alabama worked with the students in his criminal justice class to help the FBI crack a $70 million cyber-crime ring run by Crime, Inc. out of Ukraine and Russia. The student-run “crowdvestigation” successfully identified numerous suspects in the United States who had used the Zeus banking Trojan to steal millions—individuals who were all eventually arrested by the FBI as a result of the students’ work. In order to have lasting and meaningful success, however, such crowdsourcing efforts cannot be merely ad hoc but rather have to be formalized systemically in order to scale for growth. In 2011, police in the U.K. took a step in that direction, creating a nationwide cadre of volunteer special constables with relevant skills required to help tackle cyber crime.
Here in the United States and elsewhere in the world, we should build on these successes and take them even further. We already have reserve and auxiliary police officers. In the military, there are part-time reserve army, navy, air force, and marine citizen soldiers. On the civilian side, we have the Peace Corps and AmeriCorps. We need a National Cyber Civil Defense Corps. Such an organization would be reminiscent of other civil defense efforts in our nation’s history dating back to World War I. Experts would be drawn from all corners of society in order to protect our critical information infrastructures from attack and our nation from the mounting technological threats before us. Members would be carefully screened, undergo extensive training and background investigations, and operate under clearly defined operational and legal frameworks. Timing is of the essence to establish and build such a crowdsourced force for good—now before the cyber crisis occurs. There are many private sector professional organizations that could prove immensely helpful in jump-starting such efforts, such as the International Information Systems Security Certification Consortium, or (ISC)2, a nonprofit with over 100,000 certified cybersecurity professionals at the ready, capable of having a positive impact on any such effort should they choose.
Crime, Inc. is out there busily recruiting minions for its efforts. Shouldn’t we be doing the same? People of all stripes and backgrounds can help with these endeavors—young, old, and even some hackers who surely have the skill set to make a difference, should they wish to direct their talents for public benefit. As the Apple co-founder Steve Wozniak reminds us, “Some challenging of the rules is good.” We need to help create opportunities, particularly for young people, to channel their considerable talents and energies for good, lest Crime, Inc. engage them for ill. The exponential nature of technology and the linear response of government mean we will need many more hands on deck to help build a safe and stable society that won’t destroy itself. Our public safety and security are just too important to leave to the professionals. In today’s exponentially advancing world, in the battle between good and evil, victory will belong to whichever group proves itself most capable of mobilizing the larger crowd. It’s time to start gaming this system in our favor to ensure our technological tools inure to the greatest overall benefit of humanity.
Gaming the System
Every game designer should make one explicitly world-changing game. Lawyers do pro bono work, why can’t we?
JANE MCGONIGAL
According to the American game designer and researcher Jane McGonigal, today there are more than half a billion people worldwide playing computer and video games at least an hour a day, with more than 183 million in the United States alone. That works out to three billion hours a week as a planet playing video games. What if these efforts could be directed for particular public goods? Imagine the enormous power and potential that could be unleashed. Doing so would allow the wisdom of the crowds to be funneled in a way that addresses some of the world’s greatest challenges. To test this theory, DARPA in 2009 created its Network Challenge (also known as the Red Balloon Challenge), hiding ten large red helium balloons outdoors across the United States in cities from Miami to Portland, offering a $40,000 prize to the first team that could find all the balloons. DARPA created its competition to explore the role the Internet and social networking might play in real-time communication and wide-area collaboration in order to solve time-critical problems, such as disaster relief in time of crisis. Remarkably, a team from MIT found all ten balloons hidden in the farthest reaches of our country in a mere nine hours, by crowdsourcing the task over social media to forty-four hundred volunteers.
As it turns out, playing games needn’t be a waste of time and can actually be a highly productive activity. Gamification is a new field of study that allows the use of game thinking and mechanics in non-gaming contexts to motivate and engage players in solving actual real-world problems. One such example has been in public health via the diagnosis and treatment of malaria. Worldwide, there are more than 600,000 malaria cases per day, with one child dying every minute. The disease is spread by mosquito bites that transfer parasites into the human body, infecting our red blood cells. Diagnosing malaria is time-consuming, taking up to thirty minutes for a specialist to manually look for parasites in blood under a microscope, leaving many undiagnosed to die. MalariaSpot is a game that changes that by taking virtual images of actual patient blood slides and presenting them to players, challenging them to tag as many parasites as they can in just one minute. The results were impressive: in just one month, anonymous players from ninety-five countries played twelve thousand games. After receiving just a few moments of online training explaining what the parasite looked like, MalariaSpot players have correctly identified over 700,000 parasite diagnoses. Because the same image is shown to multiple players, these nonmedical-expert game players have achieved an accuracy rate higher than 99 percent, a “game changer” in the world of malaria treatment and diagnosis. In another case, a game called Foldit allows members of the public with no specialized training in molecular biology to solve puzzles for science by using their 3-D spatial-orientation skills to manipulate and fold protein molecules as a means of studying and treating disease. 
In one remarkable case, Foldit players correctly identified the structure of an enzyme crucial in the reproduction of HIV in just a few days, a discovery that had eluded AIDS researchers around the world who had been actively trying to solve the problem for more than a decade.
Crowdsourced games such as MalariaSpot and Foldit should provide far-reaching inspiration and important take-away lessons we can apply to the conundrum we face with regard to our technological insecurity. What enjoyable puzzles might we create to further engage the public, particularly young people, in using their love of gaming to improve our cyber security? Imagine the possibilities. Rather than showing blood slide images looking for malaria, we could serve up phishing e-mails in real time and ask the crowd to correctly identify malicious spam requests for bank account information—awarding points and prizes to the best players. Gamification of securing software might help technology companies avoid the obvious pitfalls of the “Just ship it” mentality by getting tens of thousands of players around the world to go on “bug hunts” for flaws in their software or hardware products, flaws that would otherwise be exploited by Crime, Inc. hackers to the public’s detriment. Such an idea is already under development by DARPA, as well as by several start-ups, including Topcoder and Bugcrowd. These same techniques could be applied to our nation’s critical infrastructure systems as well. Players could be shown anonymized data in a SimCity-style animated game and let loose to find security vulnerabilities in everything from our virtual electrical grids to our transportation networks. In the end, individual gamers may hold the potential to make significant breakthroughs in cyber security, doing it for no other reason than that they enjoy playing the game. Others will be motivated by their ability to solve real-world problems and helping their fellow man. For those that find neither appealing, there’s always cold hard cash.
Eye on the Prize: Incentive Competitions for Global Security
The day before something becomes a breakthrough, it’s a crazy idea.
PETER DIAMANDIS
Prizes have a way of focusing the mind. Just ask the throngs who show up for a chance at the Mega Millions lottery jackpot. But prizes can also be the spark that produces a revolutionary solution to an intractable problem. Such was the case when the British Parliament established the Longitude Prize in 1714 in an effort to help with maritime navigation in order to ensure the “safety and quickness of voyages, the preservation of ships, and the lives of men.” Though latitude (north-south positioning) was easy to measure using the position of the sun, until the early eighteenth century there was no way for sailors to calculate their position longitudinally from east to west. By an act of Parliament, the British government offered £20,000 (more than £1 million today) for a solution that could find longitude to within half a degree. The incentive prize inspired John Harrison, a self-educated working-class clock maker, to invent the marine chronometer, a clocklike device that solved the problem. Two hundred years later, another incentive prize was launched, this time to stimulate advances in the nascent field of aviation.
Charles Lindbergh became the first man to fly across the Atlantic, not just because of his sense of adventure, but because a seldom-recalled hotel magnate named Raymond Orteig offered $25,000 of his own money in 1919 as a prize to “the first aviator of any Allied Country crossing the Atlantic in one flight, from Paris to New York or New York to Paris.” Orteig offered the purse to drive forward an exciting new technology of his day: the flying machine. The effort was funded by no government and there was no immediate profit to be made, but that didn’t stop nine separate teams from spending around $400,000 in pursuit of the $25,000 prize. The prize was the fundamental kindling, the thing that sparked the innovation that solved the problem and helped create today’s aviation industry. In 1996, the physician, space enthusiast, and serial entrepreneur Peter Diamandis took up the Orteig mantle and created the XPRIZE Foundation, a nonprofit organization that designs and manages public competitions intended to encourage technological development for the betterment of mankind. Perhaps it is time for such a competition in cyber security.
According to Diamandis, “An XPRIZE is a highly leveraged, incentivized prize competition that pushes the limits of what’s possible to change the world for the better. It captures the world’s imagination and inspires others to reach for similar goals, spurring innovation and accelerating the rate of positive change.” The first competition Diamandis ever announced was the $10 million Ansari XPRIZE, which challenged teams to launch a manned spaceship past the Karman Line (100 km altitude) before safely returning to Earth. As if that wasn’t enough, the rules also stated that the spaceship must be able to accommodate the weight of two additional adults and undertake a second launch within the span of two weeks. Without any government funding, twenty-six teams spent upward of $100 million trying to reach this lofty goal, and in the fall of 2004, the Mojave Aerospace Ventures team succeeded, potentially paving the way for space tourism and other commercial spaceflights. Incentive prizes are bold and audacious and capture the world’s attention—exactly the type of thinking we need to make a significant leap forward in protecting ourselves from the profound technological risks we face today.
An XPRIZE for cyber security could serve as an engine of innovation, an outstanding impetus to drive exponential change for good and address the world’s technological insecurity to the overall benefit of humanity. In clearly defining the cyber-security problems we face, the XPRIZE could incentivize teams around the world to find the most effective solutions in a way that may well avert crises, empower people, generate new technologies, and even create new industries. An XPRIZE for cyber security could help us overcome perhaps one of the greatest challenges we face with regard to the risks from exponential technologies—the belief that these problems are intractable and unsolvable and that there is no clear path forward toward a solution. Bull. We’ve faced tough times before and as a species have repeatedly achieved things that just a day before seemed like crazy ideas. Incentive prizes inspire hope through vision of a better future, and those who win them are proof that some of our seemingly impossible problems can and will be solved. One individual or a small team can surely make a difference as Lindbergh, Harrison, and countless others have demonstrated. Importantly, an XPRIZE for cyber security could just be the beginning in making significant advances in global security. Other emerging threats such as bioterrorism, artificial intelligence run amok, autonomous weapons systems, and nanotechnology are all also ripe for incentive prizes, particularly given the potentially existential risk they might pose to the world.