The bankfication of tech and the role of infosec

With the time for '2018 predictions' nearly over (and the list thankfully short this year) I think it is useful to look at some more in-depth, longer term predictions for the technology sector. Of course I'm especially interested in their implications for security professionals. Among the 'predictions articles' this year this one (Alexis C. Madrigal: 8 Overly Confident, Mostly Pessimistic Predictions About Tech in 2018, The Atlantic, 29 Dec 2017) stood out as my favourite pick: focused not so much on the tech whizz-bang, but more on social changes and impacts that the steady news-feed of January has already put very much in evidence.In this article, I want to focus on the first (and one of the main) trends mentioned by Madrigal: the 'bankification' of big tech. The bankification of Big Tech refers to the situation in which

• Big Tech is very profitable (unreasonably profitable, some would argue)
• Most people use it out of necessity
• No one trusts it

I personally believe that this is one of the major trends for big tech which will really accelerate in 2018. December 2018 will have a very different 'feel' to it than January. For instance, think about the long-term damage that the current bitcoin implosion (less than US$ 9000 as I write this, down from over US $ 20,000) will do to the general public's trust in technology and its worldview of unfettered (government-and-border-less) libertarianism. And that is only one example. Another one is this amazing long-read about the NZ Citizenship (and subsequent 'ghosting' of NZ) by Peter Thiel.As a society we are running in a systemic problem here. The technology sector is responsible for the 'fourth industrial revolution', but has deliberately been created to be as independent as possible from national borders and national jurisdictions. It is built on the optimistic assumption that internet communities operating on a level playing field will be self-correcting and self-policing, and thereby inherently self-cleaning and trustworthy. This is one of the miscalculations enabled by the term 'cyberspace'. It is moreover one that can be immediately disproved empirically by a single dive into sites like 4chan.2018 is the year when the the problem with those assumptions will rise to the fore in the public consciousness. The mechanism for that (I think) will largely be wide dissemination of stories about 'fake news', cryptocurrency scams (accompanied by stories about people who lost their houses and jobs), internet addiction (and more stories about how social media is designed to enable addition through small helpings of dopamine), large data leaks, hopelessly vulnerable ICS systems, big-data enabled national security risks (such as the Strava leak) and a general cascading of risk to the general public enabled by IoT (we haven't really seen a big scandal here, but that will happen some day).All of this will drive concerns about security and privacy into the minds of the public in a way not really seen before, not even during the heights of the Snowden mania. Up to now, as security professionals, we have mainly considered our obligations to our employers - i.e. ensure they maintain a workable security posture vis a vis the threats posed by the bad actors on the internet, ensure they stay on the right side of the law with respect to privacy and obligations to their customers, and deal with incidents professionally as they occur. The assumption has been that fulfilment of our obligations to our employers also entailed fulfilling our obligations as members of the public.With the bankification of big tech, I think it is time that we as security professionals start considering our wider obligations. Without wanting to sound alarmist, there may not really be an alternative: if not us, someone will step in to fill that gap (hint if you don't speak Dutch: you will not like the results. I could only watch this interview in 20 second chunks and literally, physically, had to stop to collect my jaw from the floor and fight waves of nausea).So I'm suggesting that it is high time to reconsider our wider obligations as a profession, and have a wider discussion about the possible forms this could take. Not thinking about it too deeply or for too long, I can see three possible directions, all of which are to a larger or lesser degree in use at the moment.

1. Further professionalisation. We could develop the profession in the direction of the legal profession, where a ground rule is that everyone (no matter how guilty or otherwise bad) is entitled to legal representation. To enable this principles lawyers do a certain amount of 'pro bono' work. In the same way, as security professionals, we could adopt a principle that everyone is entitled to a certain level of 'security' and act accordingly (the problem is of course defining what this basic level is and how to ensure it).
2. A Hippocratic oath. The idea of the Hippocratic oath is that doctors do not knowingly contribute to harm. As a result, doctors do not usually assist in things like torture or the death penalty. Similarly, we could adopt a principle that states that as security professionals, we withhold our services from activities that are contributing to social harms. In practice, the hippocratic norm is somewhat vague and open to interpretation -- what would be a social harm to some is the free expression of enterprise to others (the problem is of course that this depends on one's definition of social harm, and will vary from person to person).
3. Hacker ethic. The hacker ethic approach is the most antagonistic of the three. Hackers stir where it stinks. And then they expose the results. The underlying idea is that public naming and shaming is the best disinfectant. The effects of this approach will only be visible longer-term if they are visible at all -- in the short term, the 'hack 'em and expose 'em' approach will lead to an increase, not a decrease in public mistrust. Another problem with this approach is that it is most closely aligned with the techno-libertarianism that is in important measure the root of the problem.

All of the above is of course an irresponsible short summary of where that direction might lead. And there may be other directions possible that I haven't considered. For each of the possible directions, I can also think of a dozen (or more) pitfalls and problems. But they key point is that for the integrity of our profession, we have to start thinking about it, and come up with some answers.