homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

interview: kirk bailey

photo of kirk bailey

Manager of Information Security, Frank Russell Company. Bailey has worked as an information technology professional in the healthcare, banking, and financial services industries for the last 27 years. In response to growing security concerns posed by emerging technologies, he founded in 1995 'the Agora,' a regional association of information systems security professionals. He served as an Advisory Panelist to the United States Security Policy Board on private sector perspectives concerning critical infrastructure issues.
What were you trying to prove when you turned a bunch of computer experts loose to find out as much as they possibly could find out about you?

As a security professional, it's become clearer and clearer to me . . . that there are growing problems out there on the internet with use of different technologies. One of my largest challenges as a professional is educating people about what these issues are all about. I felt the only way that I could educate people about the issue of privacy where I had the freedom to do it was to exercise my choice to disclose my privacy . . . so people could see how easily it was compromised, how easily my life was invaded by this technology and by the investigators. . . .

What sort of stuff did they find out about you?

It was a remarkable cache of information. Real quickly, the most damaging document was a certified copy of my birth certificate. This is a legal document that can be used for the purposes of identifying myself. A complete color copy of my college transcripts with the embossed seal from the university. From online, they got out a complete listing of online court documents that are related to me, everything from my dissolution of marriage documents to a failed business . That information was out there. They got maps of how to get to my house . . . and the names of all my different neighbors, possible properties I've owned . . . a whole laundry list of personal information. . . .

We take for granted that all this information is out there about everybody. But what we don't understand is that, basically, it's accessible by anybody.

For the most part, that's true. I think the average citizen would be amazed at the thin veneer of control that really exists for their privacy. There are assumptions everybody makes every day about what's available and what's not available about them and how much control they have over that. . . .

Is there any easy way working within the technology of protecting privacy?

Yes, there are there are ways that you can construct technology configurations that harbor personal data that allow for the protection of that data, or at least create a situation where the privacy is reasonably protected. That can be achieved. The problem with that is . . . that what has to be done represents complexities in accessing the data, it means delays, restrictions or more money associated with the access and control of that data. . . . People do not like waiting in line.

I think the average citizen would be amazed at the thin veneer of control that really exists for their privacy.  For instance, I remember, in banking, the startling revelation that I received from the company newsletter . . . There was an interesting announcement from the marketing department. They had done surveys and research, and had determined that the teller window now had only really an eight-second time frame to operate in before the customer felt uncomfortable with the institution. In other words, if I wanted to cash a check and if I handed the check to the teller to ask for the check to be cashed . . . there's really a narrow range of time before people begin to feel encroached on. We want our identity and our transactions to go through quickly and swiftly . . .

So where will the protection of privacy come from, if it's not going to come from a general grassroots consensus?

There's an interesting process taking place in the health care industry and in the financial services industry. Both are large industries that respectively harbor sensitive data about all of us in one regard or another. They have now been given the responsibility to comply with very strong security and privacy regulations that have been passed down. In health care, it's been through HIPAA, the Health Insurance Portability and Accountability Act of 1996, and in financial industry, it's the Gramm-Leach-Bliley Act. [This legislation provides] very strong requirements that help support protection of the way those industries handle the data. . . . How those industries respond and how well those regulations work . . . will be a good indictor for a lot of us, about how well legislation works, how well enforced regulations work, as opposed to busines's best practices [and] codes of conduct that they come up with on their own. It will also show us what people could do through their own efforts as individuals interacting with their service providers. . . .

But what would a secure system really look like?

For an individual at their desktop, or for a corporation? If I were at home, for instance, and I wanted to have internet access, there would be some essential tools that I would have that aren't sold with the computer that you buy. First thing I'd do is evaluate carefully whether I wanted broadband with connections like the cable modem or a DSL connection. Those are fine services, but they come with some additional configuration challenges that maybe the average person wouldn't be aware of. If they're not properly configured, those are the kinds of connections to the internet which I refer to often as the "dirty" public wire. Those connections need to have something that stands in the way as a gatekeeper between you and that public environment. So I would buy a personal firewall of some sort that would provide me a couple of services. One, it would let me see clearly who was knocking at my door through that connection. That's another thing that the public surprisingly is not aware of. The internet isn't something you plug into and feed data into and accept from people who have directed it to you. It is a random connection that gets lots of random interaction. A firewall can clearly show you where those random hits against your particular address are coming from, what they are.

I would also be careful to manage my desktop and the data on my system to limit the kind of data I would have in my system. I'd also be careful in my habits on the internet. I'd be careful where I'd go. I'd be more responsible and understand that environment better than just ad hoc travelling around on that environment.

Can you describe a scenario where you could have a major catastrophe in terms of information leakage?

That's a question that's often been asked. The President's Commission on Critical Infrastructure did a lot of research into that. There have already been some very intriguing incidents. For instance, the theft of large listings of credit card numbers are much more provocative to me than how the average public may view it. A lot of people I've talked to are comforted by the fact that their financial liability is limited to maybe $50 with the credit card company that they're associated with. I'm not worried about my credit card being used to financially harm [me]. Well, I'm worried about that, but what concerns me most about the theft of my credit card is the fact that that's a piece of identification that can be used to leverage an identity theft. And I'm worried about scenarios where whole groupings of people are victimized by identity thefts. . . .

. . . This technology cannot be secured, and that's fact. I would debate that with any vendor, with any inventor of internet technologies, with any business that is deployed . . . . I would debate that with anybody. I believe it cannot be secured. It can only be risk-managed. All the technology that underlies this whole internet web phenomena is technology that was meant for communication. It was not meant to conduct business. It is open technology. Everything that you have to do to secure it is . . . afterthought stuff. And because it is afterthought stuff, because it is not part of the infrastructure itself, it creates a slew of problems and costs. The fundamental problem is that vendors and people are involved in the myth of how good it is, and they don't want to diminish that story by recognizing the fact that it may not be as cost-effective or as sensible a use as they would like to think it is. People are having a hard time giving up what they believe this is, what the internet is going to be, what this technology can provide. . . .

So what should it be doing--what are the limits? . . .

Well, I don't know if you have to limit it. You just have to understand how you are going to use it, and use it wisely. I have been in many conversations with bright people who are trying to market worthwhile products, and I challenge them often when they say that this technology is going to save you money. . . . I always interrupt them at that point and tell them that that is not necessarily true. As a matter of fact, my contention is, that by electing to deploy business technologies on the web and on the internet, you have chosen probably the single-most expensive environment to deploy services onto. Because if you properly deploy them, to protect privacy, to protect the environment that is created there, to protect the people who visit that service or that business, you have to spend a lot more money than businesses are spending now.

And would that make it slow and cumbersome and safe?

Well, the impression could be that it would be slow and a little bit more cumbersome . . . .

Would it be safe?

It would be safer. . . .

Okay, let's assume that people are not willingly going to go more expensive or less convenient and are, therefore, going to be left with more unsafe. What can you do to protect them in spite of themselves?

Education is a big thing. I think, ultimately . . . more and more users will want to start to protect themselves. There will be tool sets developed that can be deployed to the desktops, a digital toolbox that they can use to support their business transactions. They will assume the responsibility and force who they are working with to accept those tool sets. Richer encryption, better authentication, certain means of creating a non-refutable transactions . . . the consumer . . . will force those things eventually, I think. . . .

We are getting away from the rather abstract level. You have become part of this group called the "Agora." You didn't do that because you need another place to socialize. You did that because you see a specific problem.

That's true.

It's a whole bunch of you guys who have the common concerns, a common set of talents. What is that all about?

. . . About six years ago, I came to the startling conclusion that, as a security professional, I was not going to be successful in my job if I continued down the path that I was going down. I was coming into work 8 to 5 or whatever timeframes I had to come in to get my job done. I wrote the policies that I had to write and I enforced the activities associated with security policies that I had to enforce. And if I implemented all the best risk management practices, only focusing on my business responsibilities and with blinders on, I was ignoring most of my problems, a good portion of my problems. And I realized if I ignored it and did not seek out a broad range of other expertise and more information about how to do my job, I knew I was going to fail. And I did not want to fail. . . .

Managing risk is a challenge; coming up with the best solution at the most economical price is a challenge. It is presumptuous to think that I am the only one that knows how to do that or that I can find that answer just in a conference or in a book. . . . I needed the best information . . . and who better to ask about ideas how to contain . . . information, but people of my same job in competing organizations? What are they doing? When I got permission to ask them and talk to them, it became clear that they were glad we were talking to one another, because they needed as many creative ideas as I needed. And I found that I have changed the course of policy based on what others are doing, because it fit better than what I thought I needed to do for the company. That information sharing, as simple as it sounds, is pretty dramatic.

Why is it so dramatic?

Let's say . . . we are rolling a particular application out on the web. . . . For me to call up a competing counterpart in a competing organization and say, "Gosh, what would you do if you were rolling this kind of application out? What would you do to protect that application?" By me disclosing that to an employee of a competitor, in theory I have given up trade secrets or company information, proprietor information. Through the Agora, you can do that, and not have that information be misused, or come back to haunt the organizations that are disclosing it. And that is one of the ways it is a powerful relationship.

The average person does not quite understand why it is necessary? Why aren't a whole bunch of you working on the same kinds of problems in isolation from each other? Why isn't that good enough?

It was the only way I could see at the time, and today as a matter of fact, that I could bring together all the resources I needed to adequately protect the networks I was charged to protect. It's that simple. There was no single other source I could go to. There was no other authority. There were no other textbooks, guides, or experts that I could go to, other than the collective of experts that were out there. That is why I had to go to them.

Traditionally, we would expect the Federal Trade Commission or the Department of Justice or Department of Commerce to do that.


So why not now?

There are a lot of good reasons why corporations are hesitant to bring those in. For instance, corporations understand their business and their technologies far better than most of those regulatory agencies. I am not saying they don't have their own professionals and their own environments, and they manage some of their own technology deployments. But in the corporate world, those deployments, their technology tool sets, their engines that drive their revenue streams are critical. At one of the companies I was working before, the value of those systems running 24 hours a day, 7 days a week, was close to a quarter of a million dollars an hour, 24 hours a day, 7 days a week. Encroaching on the functionality of the systems, bringing those systems down or stopping them from working, means a lot of money. If I wanted to protect those systems, and if I wanted to work with law enforcement to keep those systems up in the event of problem issues or criminal activities, the likelihood of law enforcement . . . coming in or government public sector people coming in and trampling on the systems is quite high. . . .

I no longer can do my job without having a strong relationship with my understanding of my business partners networks. I cannot live in a fortress-like world any more. I have to be very well informed. I am a part of something much larger, and that requires broader associations, more responsibilities and different skill sets in what we traditionally had to do. . . .

How serious is the threat to the economy, to the individual, that drives you in this direction, that is, making new partnerships. . . How big a problem is out there?

Sizing the threat is tough. There is a whole spectrum of different threats. The possibility of abuse of people's privacy is a large threat. The threat of internal abuse by employees on systems incidentally, just by mistake because the systems are poorly configured, continues to rise. The possibility of data being inappropriately shipped somewhere or downloaded somewhere or disclosed goes up daily--that threat is rising as an incidental. On deliberate attempts, I believe that the threat of people taking action against organizations in a technological manner is increasing every day. It is all second-guessing. There is no real intelligence or strong data to support it. But instinctively, it is easy for me to foresee the technology threat, the threat of abuse of technology against a company or person becoming greater and greater every day.

And where do you see that threat originating?

. . . I do know that there are programs out there that can be downloaded and used. You are probably familiar with them in talking with the hacker community. There are scripts and there are programs that can be executed almost inadvertently, or with very little effort, that can cause some harm. . . .

What about corporate hackers? It's not just people with green hair, right? There are big companies who are hacking into our private lives. What do we make of that?

I believe that the privacy abuses that are taking place on the internet are real. I believe there's some legitimate personalization activities, where companies try to accommodate their customers or individuals that seek their services. They try to make that electronic touchpoint more worthwhile and more valuable for them. And that piece of it is legitimate. I do not like and I resent abuse of people's sharing of information and privacy on the web.

Like what?

The placement of "cookies" or the requesting of information when you log onto the site. Forms that are filled out and then that information is rolled up into databases, or tracking your activities on their web sites to create a profile of what your interests might be, then using those conjectures and that real data and wrapping it within a profile and selling it that information. We know those things take place. I resent those kinds of things. I find that unacceptable. It's not necessary. . . .

How extensively is this new technology, this phenomenon, changing the way companies do business and relate to each other?

It's dramatic. One of the reasons that I need all the expertise from all my colleagues is that I can't do it alone. The next step in that picture is that I can't operate my risk management without understanding what I'm connected to. I can't have a fortress mentality. The fact is that we're all networks together, which means that new and different relationships are starting to be born into the business world.

In HIPAA, for instance, there are regulations now that that suggest that we certify who we do business with, to ensure that they have the same standards of treatment of data that you would expect them to have. And how that translates in the future is that we're going to probably see contractual requirements as well as auditing requirements-- invasive audit requirements, or an exchange of audits--to prove that certain standards have been applied with the people that you're doing business with.

And that's a different relationship than businesses have had in the past. It's going to be a growing piece of doing business, and it's going to change how we interact with one another in the business world. . . .

What will this new corporate world look like? How do differently will companies relate to each other in this new world?

In our current world--and this is my own speculation--we all now have our own business liability insurance. Corporations have their own business liability insurance. We understand our own risks and we're accountable to those. .I can see in the future where corporations are going to have to have shared risks positions. They're going to have to forge their strategic plans in certain areas, especially in the area of technology and data management, in a more open, blended fashion. And that is a different model than what we have now. That creates different possibilities for business culture to evolve. It's an interesting road to start walking down.

No corporation is an island?

Exactly. And it's going to be an interesting story to watch as companies move through those challenges.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation