What were you trying to prove when you turned a bunch of computer experts
loose to find out as much as they possibly could find out about you?
Manager of Information Security, Frank Russell Company.
Bailey has worked as an information technology professional in the healthcare,
banking, and financial services industries for the last 27 years. In response
to growing security concerns posed by emerging technologies, he founded in
1995 'the Agora,' a regional association of information systems security
professionals. He served as an Advisory Panelist to the United States Security
Policy Board on private sector perspectives concerning critical infrastructure
As a security professional, it's become clearer and clearer to me . . . that
there are growing problems out there on the internet with use of different
technologies. One of my largest challenges as a professional is educating
people about what these issues are all about. I felt the only way that I could
educate people about the issue of privacy where I had the freedom to do it was
to exercise my choice to disclose my privacy . . . so people could see how easily it was compromised, how easily my life was
invaded by this technology and by the investigators. . . .
What sort of stuff did they find out about you?
It was a remarkable cache of information. Real quickly, the most damaging
document was a certified copy of my birth certificate. This is a legal
document that can be used for the purposes of identifying myself. A complete
color copy of my college transcripts with the embossed seal from the
university. From online, they got out a complete listing of online court
documents that are related to me, everything from my dissolution of marriage
documents to a failed business . That information was out there. They got
maps of how to get to my house . . . and the names of all my different
neighbors, possible properties I've owned . . . a whole laundry list of
personal information. . . .
We take for granted that all this information is out there about everybody.
But what we don't understand is that, basically, it's accessible by anybody.
For the most part, that's true. I think the average citizen would be amazed at
the thin veneer of control that really exists for their privacy. There are
assumptions everybody makes every day about what's available and what's not
available about them and how much control they have over that. . . .
Is there any easy way working within the technology of protecting
Yes, there are there are ways that you can construct technology configurations
that harbor personal data that allow for the protection of that data, or at
least create a situation where the privacy is reasonably protected. That
can be achieved. The problem with that is . . . that what has to be done
represents complexities in accessing the data, it means delays, restrictions
or more money associated with the access and control of that data. . . .
People do not like waiting in line.
For instance, I remember, in banking, the startling revelation that I received
from the company newsletter . . . There was an interesting announcement from
the marketing department. They had done surveys and research, and had
determined that the teller window now had only really an eight-second time
frame to operate in before the customer felt uncomfortable with the
institution. In other words, if I wanted to cash a check and if I handed the
check to the teller to ask for the check to be cashed . . . there's really a
narrow range of time before people begin to feel encroached on. We want our
identity and our transactions to go through quickly and swiftly . . .
So where will the protection of privacy come from, if it's not going to come
from a general grassroots consensus?
There's an interesting process taking place in the health care industry and in
the financial services industry. Both are large industries that respectively
harbor sensitive data about all of us in one regard or another. They have now
been given the responsibility to comply with very strong security and privacy
regulations that have been passed down. In health care, it's been through HIPAA, the Health Insurance
Portability and Accountability Act of 1996, and in financial industry, it's the
Gramm-Leach-Bliley Act. [This legislation provides] very strong
requirements that help support protection of the way those industries handle
the data. . . . How those industries respond and how well those regulations
work . . . will be a good indictor for a lot of us, about how well legislation
works, how well enforced regulations work, as opposed to busines's best
practices [and] codes of conduct that they come up with on their own. It will
also show us what people could do through their own efforts as individuals
interacting with their service providers. . . .
But what would a secure system really look like?
For an individual at their desktop, or for a corporation? If I were at home,
for instance, and I wanted to have internet access, there would be some
essential tools that I would have that aren't sold with the computer that you
buy. First thing I'd do is evaluate carefully whether I wanted broadband with
connections like the cable modem or a DSL connection. Those are fine
services, but they come with some additional configuration challenges that
maybe the average person wouldn't be aware of. If they're not properly
configured, those are the kinds of connections to the internet which I refer to
often as the "dirty" public wire. Those connections need to have something
that stands in the way as a gatekeeper between you and that public
environment. So I would buy a personal firewall of some sort that would
provide me a couple of services. One, it would let me see clearly who was
knocking at my door through that connection. That's another thing that the
public surprisingly is not aware of. The internet isn't something you plug
into and feed data into and accept from people who have directed it to you. It
is a random connection that gets lots of random interaction. A firewall can
clearly show you where those random hits against your particular address are
coming from, what they are.
I would also be careful to manage my desktop and the data on my system to limit
the kind of data I would have in my system. I'd also be careful in my habits
on the internet. I'd be careful where I'd go. I'd be more responsible and
understand that environment better than just ad hoc travelling around on that
Can you describe a scenario where you could have a major catastrophe in
terms of information leakage?
That's a question that's often been asked. The President's Commission on
Critical Infrastructure did a lot of research into that. There have already
been some very intriguing incidents. For instance, the theft of large listings
of credit card numbers are much more provocative to me than how the average
public may view it. A lot of people I've talked to are comforted by the fact
that their financial liability is limited to maybe $50 with the credit card
company that they're associated with. I'm not worried about my credit card
being used to financially harm [me]. Well, I'm worried about that, but what
concerns me most about the theft of my credit card is the fact that that's a
piece of identification that can be used to leverage an identity theft. And
I'm worried about scenarios where whole groupings of people are victimized by
identity thefts. . . .
. . . This technology cannot be secured, and that's fact. I would debate that
with any vendor, with any inventor of internet technologies, with any business
that is deployed . . . . I would debate that with anybody. I believe it
cannot be secured. It can only be risk-managed. All the technology that
underlies this whole internet web phenomena is technology that was meant for
communication. It was not meant to conduct business. It is open technology.
Everything that you have to do to secure it is . . . afterthought stuff. And
because it is afterthought stuff, because it is not part of the infrastructure
itself, it creates a slew of problems and costs. The fundamental problem is
that vendors and people are involved in the myth of how good it is, and they
don't want to diminish that story by recognizing the fact that it may not be as
cost-effective or as sensible a use as they would like to think it is. People
are having a hard time giving up what they believe this is, what the internet
is going to be, what this technology can provide. . . .
So what should it be doing--what are the limits? . . .
Well, I don't know if you have to limit it. You just have to understand how
you are going to use it, and use it wisely. I have been in many conversations
with bright people who are trying to market worthwhile products, and I
challenge them often when they say that this technology is going to save you
money. . . . I always interrupt them at that point and tell them that that is
not necessarily true. As a matter of fact, my contention is, that by electing
to deploy business technologies on the web and on the internet, you have
chosen probably the single-most expensive environment to deploy services onto.
Because if you properly deploy them, to protect privacy, to protect the
environment that is created there, to protect the people who visit that service
or that business, you have to spend a lot more money than businesses are
And would that make it slow and cumbersome and safe?
Well, the impression could be that it would be slow and a little bit more
cumbersome . . . .
Would it be safe?
It would be safer. . . .
Okay, let's assume that people are not willingly going to go more
expensive or less convenient and are, therefore, going to be left with more
unsafe. What can you do to protect them in spite of themselves?
Education is a big thing. I think, ultimately . . . more and more users will
want to start to protect themselves. There will be tool sets developed that
can be deployed to the desktops, a digital toolbox that they can use to support
their business transactions. They will assume the responsibility and force who
they are working with to accept those tool sets. Richer encryption, better
authentication, certain means of creating a non-refutable transactions . . .
the consumer . . . will force those things eventually, I think. . . .
We are getting away from the rather abstract level. You have become part of
this group called the "Agora." You didn't do that because you need another
place to socialize. You did that because you see a specific problem.
It's a whole bunch of you guys who have the common concerns, a common set of
talents. What is that all about?
. . . About six years ago, I came to the startling conclusion that, as a
security professional, I was not going to be successful in my job if I
continued down the path that I was going down. I was coming into work 8 to 5
or whatever timeframes I had to come in to get my job done. I wrote the
policies that I had to write and I enforced the activities associated with
security policies that I had to enforce. And if I implemented all the best
risk management practices, only focusing on my business responsibilities and
with blinders on, I was ignoring most of my problems, a good portion of my
problems. And I realized if I ignored it and did not seek out a broad range of
other expertise and more information about how to do my job, I knew I was going
to fail. And I did not want to fail. . . .
Managing risk is a challenge; coming up with the best solution at the most
economical price is a challenge. It is presumptuous to think that I am the
only one that knows how to do that or that I can find that answer just in a
conference or in a book. . . . I needed the best information . . . and who
better to ask about ideas how to contain . . . information, but people of my
same job in competing organizations? What are they doing? When I got
permission to ask them and talk to them, it became clear that they were glad we
were talking to one another, because they needed as many creative ideas as I
needed. And I found that I have changed the course of policy based on what
others are doing, because it fit better than what I thought I needed to do for
the company. That information sharing, as simple as it sounds, is pretty
Why is it so dramatic?
Let's say . . . we are rolling a particular application out on the web. . . . For me to call up a competing counterpart in a competing organization and
say, "Gosh, what would you do if you were rolling this kind of application
out? What would you do to protect that application?" By me disclosing that to
an employee of a competitor, in theory I have given up trade secrets or company
information, proprietor information. Through the Agora, you can do that, and
not have that information be misused, or come back to haunt the organizations
that are disclosing it. And that is one of the ways it is a powerful
The average person does not quite understand why it is necessary? Why aren't
a whole bunch of you working on the same kinds of problems in isolation from
each other? Why isn't that good enough?
It was the only way I could see at the time, and today as a matter of fact,
that I could bring together all the resources I needed to adequately protect
the networks I was charged to protect. It's that simple. There was no single
other source I could go to. There was no other authority. There were no other
textbooks, guides, or experts that I could go to, other than the collective of
experts that were out there. That is why I had to go to them.
Traditionally, we would expect the Federal Trade Commission or the
Department of Justice or Department of Commerce to do that.
So why not now?
There are a lot of good reasons why corporations are hesitant to bring those
in. For instance, corporations understand their business and their
technologies far better than most of those regulatory agencies. I am not
saying they don't have their own professionals and their own environments, and
they manage some of their own technology deployments. But in the corporate
world, those deployments, their technology tool sets, their engines that drive
their revenue streams are critical. At one of the companies I was working
before, the value of those systems running 24 hours a day, 7 days a week, was
close to a quarter of a million dollars an hour, 24 hours a day, 7 days a week.
Encroaching on the functionality of the systems, bringing those systems down
or stopping them from working, means a lot of money. If I wanted to protect
those systems, and if I wanted to work with law enforcement to keep those
systems up in the event of problem issues or criminal activities, the
likelihood of law enforcement . . . coming in or government public sector
people coming in and trampling on the systems is quite high. . . .
I no longer can do my job without having a strong relationship with my
understanding of my business partners networks. I cannot live in a
fortress-like world any more. I have to be very well informed. I am a part of
something much larger, and that requires broader associations, more
responsibilities and different skill sets in what we traditionally had to do.
. . .
How serious is the threat to the economy, to the individual, that drives you
in this direction, that is, making new partnerships. . . How big a problem is
Sizing the threat is tough. There is a whole spectrum of different threats.
The possibility of abuse of people's privacy is a large threat. The threat of
internal abuse by employees on systems incidentally, just by mistake because
the systems are poorly configured, continues to rise. The possibility of data
being inappropriately shipped somewhere or downloaded somewhere or disclosed
goes up daily--that threat is rising as an incidental. On deliberate
attempts, I believe that the threat of people taking action against
organizations in a technological manner is increasing every day. It is all
second-guessing. There is no real intelligence or strong data to support it.
But instinctively, it is easy for me to foresee the technology threat, the
threat of abuse of technology against a company or person becoming greater and
greater every day.
And where do you see that threat originating?
. . . I do know that there are programs out there that can be downloaded and
used. You are probably familiar with them in talking with the hacker
community. There are scripts and there are programs that can be executed
almost inadvertently, or with very little effort, that can cause some harm. .
What about corporate hackers? It's not just people with green hair, right?
There are big companies who are hacking into our private lives. What do we
make of that?
I believe that the privacy abuses that are taking place on the internet are
real. I believe there's some legitimate personalization activities, where
companies try to accommodate their customers or individuals that seek their
services. They try to make that electronic touchpoint more worthwhile and more
valuable for them. And that piece of it is legitimate. I do not like and I
resent abuse of people's sharing of information and privacy on the web.
The placement of "cookies" or the requesting of information when you log onto
the site. Forms that are filled out and then that information is rolled up
into databases, or tracking your activities on their web sites to create a
profile of what your interests might be, then using those conjectures and that
real data and wrapping it within a profile and selling it that information. We
know those things take place. I resent those kinds of things. I find that
unacceptable. It's not necessary. . . .
How extensively is this new technology, this phenomenon, changing the way
companies do business and relate to each other?
It's dramatic. One of the reasons that I need all the expertise from all my
colleagues is that I can't do it alone. The next step in that picture is that
I can't operate my risk management without understanding what I'm connected to.
I can't have a fortress mentality. The fact is that we're all networks
together, which means that new and different relationships are starting to be
born into the business world.
In HIPAA, for instance, there are regulations now that that suggest that we
certify who we do business with, to ensure that they have the same standards of
treatment of data that you would expect them to have. And how that translates
in the future is that we're going to probably see contractual requirements as
well as auditing requirements-- invasive audit requirements, or an exchange
of audits--to prove that certain standards have been applied with the people
that you're doing business with.
And that's a different relationship than businesses have had in the past. It's
going to be a growing piece of doing business, and it's going to change how we
interact with one another in the business world. . . .
What will this new corporate world look like? How do differently will
companies relate to each other in this new world?
In our current world--and this is my own speculation--we all now have our own
business liability insurance. Corporations have their own business liability
insurance. We understand our own risks and we're accountable to those. .I can
see in the future where corporations are going to have to have shared risks
positions. They're going to have to forge their strategic plans in certain
areas, especially in the area of technology and data management, in a more
open, blended fashion. And that is a different model than what we have now.
That creates different possibilities for business culture to evolve. It's an
interesting road to start walking down.
No corporation is an island?
Exactly. And it's going to be an interesting story to watch as companies move
through those challenges.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation