Stephen Cobb
Ones and Zeroes – A Tale of Two Futures
TEDxSanDiego 2015

I would like to share with you a tale of two very different futures. One of these futures is bright and shiny. The other, the second future, is dismal and disappointing.

I also want to share with you some things I’ve learned recently in school that may help us find our way to the brighter, more appealing future.

This first future is indeed bright. It represents the triumph of technology over adversity. In this bright future, we’ve finally realized the full potential of digital technology, ubiquitous networking, cloud computing, big data, the internet of things.

We harness the huge flows of data from billions of sensors, in our homes, in our cars, streetlights, even our bodies, to make us healthier, safer and more secure, but also more energy efficient.

Fossil fuel consumption is down because we’ve increased the efficiency with which we distribute renewable energy. The smart grid and other innovations allow us to make the best of renewable energy.

Fossil fuel consumption down; pollution down. Global tension down as more countries around the world become energy independent.

In this bright and shiny future, illness and disease are in retreat because of advances in genetic medicine, made possible by affordable super computing. Telemedicine is improving the quality of life in rural communities around the world.

Societies long neglected are thriving thanks to technologies like universal broadband wireless and distance learning.

This bright future is indeed very appealing. Something to work for. First of all, to get there, we’re going to have to get out of the ditch. The second future is not the cyber apocalypse that some people have talked about.

It’s just more of the same. More of what we have today, which are digital products that don’t really deliver, that are unsafe for their intended purpose, that have security holes in them.

This vehicle is in the ditch because it was shipped with a big hole in the security of the onboard computer system. That security hole enabled an attacker, from miles away, to take control of the vehicle, using just a cellphone and a laptop.

Someone made the decision that it was okay to ship this product with this problem, that the risk of this was acceptable.

We talk about it as though it’s a security problem, which it is, but it’s also I think, a safety issue. When we ship products to the public – there are 1.4 million vehicles like this out there – we’re shipping unsafe products.

Unfortunately, there are tens of millions of unsafe products out there at the moment. At home, when we get the internet, a lot of us get it out of a router. The router is what serves up the internet at home, to our laptops, our smartphones, our tablets, our smart TVs, our smart refrigerators, our thermostats, our nanny cams.

Unfortunately, a lot of these routers have holes in them, holes that the bad guys are only too happy to exploit to steal information, to send spam and sell illegal products, or to attack other systems on the internet.

We actually walk around with a bunch of these digital holes, these security vulnerabilities, in our pockets. This tells me that I have email from my bank, but I don’t. It’s email from some guy who wants to steal my money.

It tells me that I have a message from my favorite airline. My frequent flyer miles are about to expire unless I click here. I don’t want to click there because it’s some guy who’s trying to scam me.
What are we going to do about this? How are we going to avoid being stuck in the ditch and stuck in this disappointing future, a future where we don’t know which information we can trust? We don’t know whether or not someone’s going to expose our most personal information. We live in fear of the technology. We don’t trust the technology.

I think one of the things we obviously have to work on is cybercrime and cybercriminals. A few years ago I started to say, “When we catch these guys,” -unfortunately it’s mainly guys- “we need to lock them up for a long time. Lock them up and throw away the key.”

My wife, who has studied network security and many forms of cyber badness for a long time, said, “How do you know harsher sentences will work as a crime deterrent?”

It was a good question because I didn’t have an answer. I didn’t know. I decided to go back to school. I used one of those bright and shiny pieces of technology, distance learning, to enroll in the criminology department at the University of Leicester, which is in England, just down the road from where my mom lives.

I quickly learned in criminology that people have been studying this problem for decades, what works as a deterrent. It turns out that harsher sentences don’t work well as a deterrent. Why is that?
If you look at the research, a lot of criminals just don’t think they’ll get caught. If you’re not going to get caught, the sentence doesn’t really matter. What does work is a greater expectation that you will be caught.

That put in my mind something that we can maybe do. Let’s push for more resources for law enforcement, not only to catch more of these bad guys, but to catch them quicker. That does work as a deterrent, I think.

That’s not the only thing I learned in criminology. I also learned about the connection between the opportunity for crime and crime generation. I learned about something called Routine Activity Theory.
This was developed in the 1970s when there was huge crime wave in this country at a time of relative prosperity. This was confusing.

Some sociologists studied different types of crime relative to changes in routine activity. There were less people at home during the day. There were more valuable consumer products around to be stolen and sold for money by thieves.

Routine Activity Theory came up with this very prescient statement: The opportunity for predatory crime appears to be enmeshed in the opportunity structure for legitimate activities.

When I saw that phrase “opportunity structure for legitimate activities” I thought, “That’s the internet.” It’s full of opportunities for crime because of the security holes in all of these digital products.
What can we do about that? Maybe we should show, as consumers, our preference for more secure products. If you talk to the people who made digital products, a lot of them will say, “Consumers won’t pay for security.”

Maybe if we showed by our buying preferences a preference for secure products that might help. For example, if you’re thinking of getting a new router, go for the one that has the security features up front on the box.

If you’re wondering, “Why don’t they all have security front and center?” there’s another theory that can maybe explain that. That’s the Culture Theory of Risk Perception, again developed in the 70s as a way to understand why it is that different groups of people have different perceptions of the hazard involved in technology.

If you asked people about pollution and climate change, some people see risk, others don’t. Why is that? An anthropologist was able to map this against how we align ourselves culturally. Connection to community, a sense of hierarchy, a sense of individualism, these affect how we see risk.
They came up with something pretty interesting. There’s one group of people who consistently underestimate risk: white males. It’s actually called the White Male Effect.

In study after study, you can see this. The line representing white male perception of risk is lower than that of females; it’s lower than that of non-white males and non-white females.

When I saw that, I thought, “Well, that explains a lot.” Who dominates the tech industry? White males. Then my wife asked me another good question. She said, “What about the people who are working to make technology safer?”

She had a good point, because nine out of ten people involved in cybersecurity today are male and most of us are very white. I had to do a bit more research. I looked into the studies.

Apparently, there’s one group of males who skew the whole picture. About 30% of males, who tend to be affluent, well-educated, aligned with elements of hierarchy and individualism, drastically underestimate the risk in technology.

Let me give you an example. Suppose you run a car company that sells a lot of diesel engine cars. Suppose those diesel engines are subject to tough emissions tests. What are you going to do about that?

You steal a trick from the cybercrime playbook. Cybercriminals, if they want to get their malicious code into your system, they will have that code behave itself. If it’s being tested by a malware researcher or an anti-malware detection program, it will behave itself.

That’s what they did with the emissions control software. When the test is being run, it behaves itself. I’m pretty sure that the people at that car company who decided the risk of that strategy was acceptable were mainly white and mainly male.

That brings me to something that I think we can do something about. Let’s get more women and minorities into technology. There I can offer some hope. Let me tell you about something called Cyber Boot Camp.

This is a fantastic program here in San Diego, an educational program for high school and middle school students. Five days of intensive instruction in cybersecurity. This year, 40% of the students who made it to the class were girls. This is more than ever before.

I want to share a video, just a few seconds of what they had to say. “This year, it’s been almost a 50-50 ratio. It’s like 40-60, girls to boys. They’re back with reinforcements.”

“I do believe girls do bring something unique into the field, because we think differently. Guys have their own way of thinking and then we have our way of thinking, but we understand what cyber is about. I think it’s just going to do good to the cyber world in general, and females will definitely play a huge role in it.”

“I think, probably, in the field, from the speakers I’ve seen, it is a pretty male-dominated field. But I think I’d still try to go in it anyways.”

“I feel it’s cool that if a female goes into this field, it gives her a sort of power. We’re definitely getting more into it and that’s good, because we can do anything that men can do.”

This represents, I think, hope. Hope that we can make it to that bright and shiny future. There’s going to be a lot of work that needs to be done. We’re going to have to work on a lot of things, but there are three things that we can work on now.

We can work to get more resources to law enforcement to catch more cybercriminals more quickly. As consumers, we can use our buying power to choose safer, more secure products. As members of this wonderfully diverse society of ours, we can get more women and minorities involved in decision-making in technology. Thank you.