Category Archives: Society

The state should not dictate cybersecurity policies to businesses

I read the Handelsblatt this morning and its headlines were all about IT security and what an immense threat such attacks represent for both corporations and government agencies. While I agree with the diagnosis of the situation (IT security is indeed critical), the response from the German government seems to me completely absurd.

Thomas de Maizière (CDU, Christian Democrat), the German Minister of the Interior, declared that Germany should take a leadership role in Europe in fighting cybercrime and develop a comprehensive regulatory framework. An “IT security law” would make it compulsory for businesses to update and maintain their security infrastructure.

One should, however, clearly differentiate whether the state wants to protect itself or German businesses. The former is a legitimate and perfectly acceptable mission; the latter can only lead to an increase in bureaucratic burden and costs, and will most certainly not bring the expected benefits.

Thomas de Maizière announced an investment plan of €300 million in the cybersecurity infrastructure of the German intelligence service (Bundesnachrichtendienst, BND). This measure seems to make sense for three reasons. First, more and more people have access to the Internet, which increases the pool of potential attackers, professional or not. Second, the increased sophistication of attacks makes it urgent to ensure that the intelligence agency is well protected. Finally, it is no secret that state agencies from various countries stand behind large-scale attacks in order to gain access to technology or information.

The German government, however, also wants to help protect businesses through a law creating mandatory guidelines aimed at improving the information security, and hence the competitiveness, of German companies.

I believe that this approach is completely ill-suited and will fail. Why? Because it is a company’s duty to protect its confidential information, and there are probably as many ways to protect information as there are companies. One of the IT departments of a very large French bank provides a key component of the bank’s security infrastructure. As one would expect from a financial services institution, they tend to be quite conservative and do not apply the latest updates to their systems. They simply favor stability over new features.

A couple of months ago, Heartbleed, a security bug in the OpenSSL cryptographic library, was disclosed. This flaw allowed an attacker to decipher messages that were presumed safe and hence gain access to confidential information. The Heartbleed bug only applied to OpenSSL versions 1.0.1 and above. The bank, however, ran an earlier version of OpenSSL that was still supported, which meant that it was safe from this attack. With such an IT security law, the government would have had the authority to force a German bank in a similar situation to use pre-defined software versions. What would have happened if the state, for one reason or another, had forced the bank to apply non-security-related updates to software that did not need them? It could lead to a situation where the bank is forced to update its software against its will and its interest, for a more than dubious advantage.
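As an added illustration of the versioning point above (this is example code, not part of the original post): a small checker that parses OpenSSL version strings, including the letter suffixes OpenSSL used at the time, and reports whether a reported version falls inside the Heartbleed-affected range as published by the OpenSSL project (1.0.1 through 1.0.1f, fixed in 1.0.1g, plus the 1.0.2-beta1 pre-release). The inventory lines, host names and versions below are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Accepts "1.0.1e", "0.9.8y", "1.0.2-beta1" or a raw `openssl version` line.
# Groups: major, minor, patch, optional letter suffix, optional pre-release tag.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?$")


def parse_openssl_version(s: str) -> Tuple[int, int, int, str, Optional[str]]:
    s = s.strip()
    if s.startswith("OpenSSL "):
        s = s.split()[1]  # take the version token out of `openssl version` output
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {s!r}")
    major, minor, patch, letter, tag = m.groups()
    return int(major), int(minor), int(patch), letter, tag


def is_heartbleed_affected(version: str) -> bool:
    """True if the version is in the range the OpenSSL advisory listed as vulnerable."""
    major, minor, patch, letter, tag = parse_openssl_version(version)
    if (major, minor, patch) == (1, 0, 1):
        # Letter releases sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
        # 1.0.1g carried the fix, so anything up to and including "f" is affected.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return tag == "beta1"  # the fix landed in 1.0.2-beta2
    # 0.9.8 and 1.0.0 never shipped the heartbeat extension; later branches were fixed.
    return False


# Constructed sample inventory: "<host> <version reported by openssl version>".
SAMPLE_INVENTORY = """\
web-01 1.0.1e
web-02 1.0.1g
bank-gw 1.0.0l
lab-03 1.0.2-beta1
legacy 0.9.8y
"""


def affected_hosts(inventory: str) -> List[str]:
    """Return the hosts whose reported OpenSSL version is in the affected range."""
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(maxsplit=1)
        if is_heartbleed_affected(version):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

The bank in the story above, still on a supported 1.0.0 release, is the `bank-gw` case: a supported version is not automatically an affected one, which is exactly what a version-mandating law would have missed.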

Moreover, the law would apply to all companies running an IT infrastructure, and it is almost impossible to create a baseline for companies that differ to such a great extent. Should an electric toothbrush company have the same security policy as Airbus, which builds fighter jets?

Finally, who will enforce the law? Will state agencies have to audit every company in Germany to make sure that security updates are applied? Where will they find the security experts not only for Linux and Windows, but also for antiquated operating systems such as OpenVMS (which runs some of the critical operations of many companies)? You can count the people in Europe who understand this type of vendor-supported software on two hands. Maximum. This law will lead either to a bad compromise, based on the lowest common denominator, that changes nothing, or to a bureaucratic burden for companies that reduces the competitiveness of German companies. Literally the opposite of what the government intended.

So what should the government do? US president Obama, according to the Handelsblatt, declared that “the government cannot do everything, because most of the IT infrastructure lies in the hand of the private sector. But the private sector alone can also not deal with everything, because the government very often has the most current information about threats.” In my opinion, if the government is in possession of this type of information, it should release it to everyone as soon as possible. It is the responsibility of the government to protect itself against attacks; it is also the mark of a good global citizen to alert as many people as possible to a possible security bug. This of course benefits businesses, who can then protect themselves. Openness is the key, and collaboration with IT providers and companies will help the latter become more aware of security threats that might endanger their competitiveness. Whether they do something about it or not is their prerogative and should be implemented according to their priorities.

Not state coercion, but full openness and collaboration between the state, IT providers and businesses will make Germany a leader in cybersecurity.

Linus Torvalds’ 7 leadership lessons

This video of the creator of the Linux kernel is fascinating. I am pretty sure that the world will stumble upon the one shocking phrase that Linus said during this conference at Aalto University, in Finland: “F*** you Nvidia”.

Linus is obviously an opinionated person, and this sentence was tweeted, re-tweeted and shared all around the world. But this misses all the other points Linus made during his presentation; to me, it was an excellent leadership lesson in 7 points:

1) You don’t have to plan something to be successful at it

When Linus started his operating system, he was “looking at a new project to use [his] computer”. Today, according to Google, 900 000 Linux-based Android devices are activated. How much more successful could an “accidental” project be?

However, I think that even though Linus had no exact plan about what his OS would become, several factors helped him along the way. He stated, for instance, that “when [he] started Linux, [he] had been programming half of his life”. He was not a complete beginner. He had time to create and shape something entirely new, as he was a student. Linus mentioned that the “development of Linux was very natural”. I think that this development was natural because the external factors were positive at that time. You don’t have to make big plans for something to be successful, but watch your environment if, even without planning, you want to be successful.

2) Focus on your strength

According to Linus, the strength of open source is that people can do what they are best at. It helped him focus and not have to bother about minor tasks. He put his passion, interest and energy where they were the most effective: the development of an operating system kernel.

3) Trust is limited, put it in people who deserve it

Although people might have thousands of LinkedIn contacts, for instance, they really trust only a handful of them. In Linus’ case, it is between 5 and 15 people, and only 3 to 4 could really take over his job. It is not that many, so they have to be the right ones.

4) You have the right to be opinionated

Linus is honest in his statements, he uses strong language, and if people are offended “it’s their problem”. The story with Nvidia is, again, a blatant example of it. However, if the media only remembers this three-word sentence, it might forget the five-minute explanation that preceded it. Torvalds explained in a lot of detail what went wrong with this company and why he was displeased. His wording might be offensive, but he has very valid reasons to be angry.

Moreover, these opinions are important for a leader. As Linus said, “people take him seriously […] and in an open-source community, other developers need to know how he feels”. He explains very well in this interview how, in the past, not taking a decision early enough led to trouble later. As a leader, you should not be misread, and you should take decisions as early as possible to show where the way is going.

5) Give credit to others

I found it remarkable that Linus gave credit to others. He did so in particular to Dennis Ritchie and Brian Kernighan, two of the inventors of Unix in the 70s, which led the way to Linux in the 90s. Leadership, to me, is about showing the world what you have done, if it makes an impact, but also recognizing when you stand on the shoulders of giants.

6) Work hard and execute

For Linus, “execution is more important than vision”. He believes in hard work and attention to detail, and in Edison’s definition of genius: 90% perspiration, 10% inspiration. This is what made him successful.

I found this sentence of his very inspiring: “If you look at the stars all the time, you’ll stumble upon the pothole in the garden”.

7) Do it with passion

During the last minutes of the conference, Linus said “I believe that having passion, caring about what you do is more important than having this mental vision of a golden future you want to reach”. Leaders should do everything they do with passion. In my opinion, it is a trait of leaders that they really care about the things they are doing, and that passion is a driving force for their efforts.

A little bit of paranoia is always good

I use some Google services (such as Gmail) and I respect Google’s focus on innovation and its contribution to some Free software projects, but I must admit that I try to be as careful as possible when it comes to privacy. For instance, I tend to use OpenStreetMap instead of Google Maps when I look for a simple map. I use Firefox instead of the default web browser on my Android phone, and I never leave the GPS on my Android phone enabled when I am not using it.

However, Google will soon introduce a new privacy policy that worries me. So far, your search history was not combined with other Google products. They could not combine data from your feed reader or Google+ account to target their ads towards what they think you were looking for in their search engine. With the new privacy policy, this separation stops and Google will use all the data it has to match your searches or actions and target its ads even more precisely.

One simple step to avoid that is to follow the Electronic Frontier Foundation’s advice to have Google stop saving your search history. Do it! It takes just a couple of seconds and your privacy will thank you (a bit).

And if you want to go a bit further, the EFF’s 6 privacy tips will also help you keep your data to yourself!

An interesting presentation about today’s economy

In this interesting and easy-to-understand presentation, Professor Arturo Bris from the IMD business school in Lausanne, Switzerland, explains the latest economic developments in the world:
– what is happening in the US from an economic perspective
– the effects of quantitative easing on the economy and on the finance industry
– an analysis of the PIIGS countries (Portugal, Italy, Ireland, Greece, Spain), which face serious difficulties with their sovereign debt.

The key take-aways for me were:
– the debt-to-GDP ratio that is shown in every explanation of the Euro crisis is not an effective indicator of how endangered a country is by its own sovereign debt. It all depends on its capacity to repay its creditors.
– Germany benefits from the sovereign debt crisis of the PIIGS countries, but Angela Merkel must be careful with German public opinion not to give the impression of bailing out the other countries’ mistakes with German taxpayers’ money… a tough task!

One remark: the USA can afford to have a weak dollar to export, since oil, which plays a critical role in the imports of industrialized countries, is paid for in dollars. They don’t suffer the currency effects that affect other countries. This system will be beneficial to them as long as investors trust the value of the dollar. Will that always be the case?

Finally, I have one question: Professor Arturo Bris states that the PIIGS countries, since they are net importers (i.e. they have a negative trade balance), have an interest in a strong euro. But if the main suppliers of Spanish imports are already in the Euro zone, a strong Euro would not make a difference. Would it? And wouldn’t a weak Euro help increase inflation and hence reduce the debt burden that the PIIGS countries have to carry?

Any input appreciated 🙂

Big Brother is watching you

Since the Internet has become a huge communication platform for millions of people, some ill-disposed people have discovered that they can take advantage of it. The motives for such activities are very different: from the hacker who wants to help companies enhance their IT security, to people who download MP3s, from terrorists to people who counterfeit Vuitton bags and sell them on eBay, these people all break laws daily and are seen as a threat.

In order to fight them, some governments try to catch the perpetrators not by investigating only them, but by monitoring the whole Internet traffic on their soil.

Chinese authorities forbid access to some websites made by opponents of the regime or Tibetan activists. You cannot reach them if you are connected through an official Chinese Internet provider (you can check whether your website is available from China). Nonetheless, much nearer to us, in Europe, both the French and German governments, both surprisingly democratic countries, plan to introduce new laws that would considerably reduce the privacy of their citizens.
In Germany, the Minister of the Interior, Wolfgang Schäuble, proposed to install a Trojan horse on every personal computer in Germany, so that the authorities can know exactly what is happening on it and have access to its hard disks.

In France, according to the newspaper “Le Monde”, a draft law has been proposed in which the whole Internet data traffic (i.e. all data: credit card numbers, passwords, contents, logins, etc.) must be saved, either by the Internet providers or by those who offer services on the web. Not only judges and officers of the judiciary police will have the right to check it, but any administration (the RG, the intelligence department of the French police, for instance), and that without any legal control.

Both projects are a real nightmare for anyone who cares about their privacy and liberties. People who think they have nothing to hide are wrong. Because if you give up freedom in the name of fighting crime, you take the risk of giving up many more freedoms for the same reasons.
Postal secrecy is guaranteed in most democratic countries; why would this right not apply to emails?
Democracy and civil rights are not just a matter for some activists in the third world! It is an issue people must fight for daily. Nothing is acquired for good, and we are all concerned by it.
These initiatives remind me of George Orwell’s book “1984”, in which all citizens are under surveillance. As soon as they express any opinion against the regime, they disappear. Of course, this book is primarily a criticism of communism and cannot be transposed directly to our western societies, but it is an interesting introduction to how people can be directed and what they do controlled.

The Internet is known to be one of the greatest factors of economic growth during the last five years. If all data were stored, a lot of citizens would mistrust the actors of the new economy. Moreover, most companies would have to pay a lot of money to expand their storage capacity, and this could reduce their competitiveness.

In the end, this freedom-killing policy will not be a serious obstacle for terrorists who plan an attack. When I see how easy it is to buy a cell phone (my name is officially Jaqes Macy for Vodafone in Germany), I think it is really not a problem to obtain one with forged identity papers. All these measures will not just be ineffective; they will also create mistrust and, in the end, limit the economic growth of the whole country.

Of course, terrorist sites and, in general, illegal content must be forbidden, but this must be done without treating the privacy and the freedoms of Internet users so badly.