Dan Geer on Web Intelligence and Cyber Security

Posted: 23rd May 2014

Editor’s Note

The following interview is with Dan Geer and is from our Web Intelligence Perspectives Series. Dan is currently the chief information security officer for In-Q-Tel.

What is it about Web intelligence that is such an important opportunity to you?

This is a space where all the curves are non-linear. If I add one datum to a body of data about Topic X, does that body of data track the linear sum of each datum? No, it’s bigger than that.

Metcalfe’s Law says the number of potential two-way connections scales the network’s value. Reed’s Law says it’s the number of potential multi-way connections. Metcalfe is N^2; Reed is 2^N. I rely on that non-linearity both for my own productivity and for my own self-protection. The former in that hypothesis generation and testing alike are stunningly faster when data fusion is possible (without tedious negotiation for every datum), the latter in that the more I know about what data fusion makes possible, the better informed I am as to the level of non-participation I have to personally adopt to keep myself non-targetable.

What drives interest in Web intelligence in your community? What hole in your world does it fill?

Open source intelligence (OSINT) is cheaper to acquire. The use of OSINT never risks exposing methods that mayn’t be exposed. The very openness of OSINT lets you in on what others are seeing, too, thus making measurement of action and reaction easy enough that you can calibrate expectations about such matters even before the reaction is itself visible. It is a game theorist’s nirvana.

What does a critical insight from Web intelligence look like?

The HTTP archive, to pick an example, is bursting with insights based on the plainest, simplest, most mundane measurements. For example, the average Web page today makes out-references to 16 different domains as well as making 17 JavaScript requests per page, and the JavaScript byte count is five times the HTML byte count. A lot of that JavaScript is about analytics, which is to say surveillance of the user “experience.”

(And we’re not even talking about getting your visitors to unknowingly mine Bitcoin for you by adding JavaScript to your website that does exactly that.)

This tells me the degree to which the client has become the server’s server and how easy it is to get a target, any target, to accept remote procedure calls and how little giftwrap you need to obscure what you are really doing.

To continue that example, suppose your Web page contains an auto-refresh, even a one-pixel auto-refresh. Any end-user who leaves your page up will thereby give you geolocated tracking as they move from network to network, all the while refreshing your page. If the surfeit of IP addresses available under IPv6 leads to effectively permanent (i.e. non-DHCP-assigned) addresses, then the tracking only gets better. And it’s the end user who is both capitalizing the surveillance and providing the compute cycles and the network fabric that makes it possible.

The commercial world is catching up to the military world in traffic analytic capability, but it has not grasped that fact as yet. It will.

What’s your vision of how Web intelligence could be used?

As Jonathan Zittrain (Harvard Law) would suggest, as soon as health monitors (like exercise wristbands) become commonplace, you will be able to tell if a riot is about to break out by simply noting a conglomeration of physically adjacent spikes in blood pressure. Put differently, this is why self-surveillance and (to use Shoshana Zuboff’s term) “anticipatory conformity” is not going to be a choice but rather a duty unless you choose to live in a 19th century (or earlier) style and, even then, when one-inch block letters can be read from orbit, you’ll be seen just not heard.

The public health mindset, which I know well as that is, in fact, my background, says one case is not worth noting unless it is Patient Zero for an outbreak of something communicable. The public health mindset talks about changing behavior by changing reinforcers and punishers.

(Think how much of the anti-tobacco agitation would be condemned if it were equally vigorous but applied to obesity, inter-racial marriage, or body art.)

With fully electronic health records, which is to say not one health record but a cloud of health records, a combination with Web tracking will yield public health insights. The question is what then?

Will Web intelligence become a standard piece of tradecraft in your community? Will it “go viral”?

If, and only if, it is completely and totally automated. Otherwise, the data volume contributed by an Internet of Things will DoS any and all analytic processes that have a human-scale limitation built in. It is not a question of if but when kill decisions will be made robotically. The only built-in delay to any of this is the sunrise interval required to get a handle on normal so that anomalies can be identified and thus brought forward — brought forward with all their preponderance of false positives to be sure, but that’s where the automation kicks in.

(Viz. the handling of false positives and the meta-analytic combination of all sensors all the time.)

Vernor Vinge, author of the landmark science fiction True Names, said, “When I began writing, it seemed very easy to come up with ideas that took decades to percolate into the cultural consciousness; now the lead time seems more like eighteen months.” Put differently, it is irrelevant how Web intelligence is used by those who are today practicing tradecraft but, rather, the question is what communities will Web intelligence make possible by its very existence and is that where the path to the singularity passes?

Dan Geer

Dan Geer is a risk-management pioneer who’s often described as “the dean of the security deep-thinkers’ set.” Dan is currently the chief information security officer for In-Q-Tel, a venture capital firm based in Arlington, Virginia.