A Postcard From Brazil
Richard Forno, 2002-03-07

An emerging Internet society could hold a few lessons for Americans in dealing with security issues.

Brazil is a technologically progressive nation that has embraced the Internet and its attendant technologies and processes with gusto. Unfortunately, like many countries, Brazil is in a state of information security infancy. While it has jumped wholeheartedly into the global information society, it has not yet developed a framework of laws to deal with the many intricacies of computer crime, or a comprehensive approach to information systems security.

I recently spent a week in major cities across Brazil lecturing on computer crime and Internet security to audiences of lawyers, state magistrates, and senior business and government leaders. In discussion with my audiences, several common sources of concern emerged. The problems are not much different than here in America, or elsewhere. They are, primarily: privacy of electronic communications, secure programming, and secure implementation of technologies.

However, while the problems may be the same, the solutions are not. The Brazilian approach is more rooted in reality than that of the United States. In particular, the Brazilians seemed more skeptical about blindly basing critical systems on untrusted products or ‘bleeding edge’ solutions. Unlike American legislators, they seem hesitant to enact laws that are unbalanced and full of loopholes that favor a single sector of society. I got the sense that, rather than rush into something quickly and risk causing problems down the road, Brazilian government and commercial entities have learned by observing the experiences of others, such as the Americans. And they are not inclined to create the same quagmires that bog down security efforts in other parts of the world.

Privacy

The Brazilians that I spoke to expressed the most concern about the privacy of electronic communications, e-mail, and voting records in electronic elections. Much-ballyhooed American projects like Carnivore and “Echelon” were a recurrent topic of interest. On the domestic front, as elsewhere, the concern of Brazilians was to effectively balance individual privacy rights with the needs of law enforcement. They are concerned about the growth of centralized commercial databases that can track user activities and preferences – issues such as centralized log-in servers, industry-controlled streaming video servers, and centralized, inflexible software licensing schemes.

Interestingly, whereas Americans continue to wrestle with the mixed blessings of privacy-enhancing software, my audiences almost unanimously favored the use of encryption to protect personal and commercial communications. The Brazilians seemed to understand that strong encryption is a fact of life. And despite Stateside concerns about dark forces using encryption for nefarious purposes – and the ensuing push to outlaw the technology – my audiences understood that encryption is here to stay. My guess is that the Brazilians watched the United States Government try unsuccessfully to choke off public access to encryption (for example, the FBI’s prolonged battle against PGP, and the Clipper Chip key-escrow fiasco in the 1990s) and don’t want to endure a similar legal debacle.

Secure Programming

Several audiences – mostly in the commercial sector – expressed significant concern about the security and stability of commercial software and operating systems. They questioned the political will and the ability of software vendors – namely Microsoft – to deliver secure software solutions for the business sector.

Even though Redmond has promoted security as a major priority in recent weeks, several CIO-level officials were quick to point out that Microsoft products are no longer being considered in vital network-centric services like Web servers and “back-office” systems that run databases and central servers at a company. Furthermore, they are highly skeptical of Microsoft’s “software as a service”. The idea of linking all applications, data, and operating systems to centralized servers, a central tenet of the Microsoft .NET business strategy, raised concerns about security, privacy and availability.

Many of the organizations I consulted with were implementing new IT services, not expanding previous ones. They were basing their decisions not on problems they had experienced themselves, but on the many Microsoft-based security incidents seen elsewhere in the world. Unlike American companies and government agencies that are already neck-deep in the Microsoft security morass (victims of numerous viruses, Trojans, and seemingly incessant critical upgrades), Brazilian organizations appear to be resisting the siren song of Redmond’s marketing, and are instead choosing products designed with security, stability, and flexibility in mind. That’s not to say Microsoft products are completely out of the picture. However, they are not always considered the default product of choice for every IT application, which may not necessarily be a bad thing!

The Weakest Security Link

What was refreshing to me was that the Brazilian audiences were quick to recognize that their problem was not one with TECHNOLOGY but with PEOPLE. They were well aware that people are responsible for developing, implementing, and administering technology products and solutions; that people are responsible for securing such technologies; that people are responsible for compromising such technologies; and that people are responsible for crafting the laws, processes, and policies governing such technologies.

The Brazilians know that they are behind the technological curve (as are most other nations). The magistrates and lawyers I spoke with understood their general ignorance of the computer crime environment. They were aware of the unique nature of computer crime investigations and evidentiary procedures. They understood the need for public-private partnerships and bilateral information-sharing regarding Internet security, investigations, and policy development. As a result, there was a well-intentioned desire to learn about these issues so they could be effective in dealing with them in an informed manner at the national level. Their willingness to learn was refreshing, to say the least.

Developing Multilateral Solutions

Several audiences expressed concern about rushing to implement security controls on technology. Many agreed that national policymakers should not make laws based on the input of a single industry group’s recommendations or interests. Rather, they must involve the equal participation of academics, researchers, and other interested parties. Simply put, they seem to recognize that rushing into a regulatory environment that favors select industries or groups, or drafting regulations that conflict with existing laws, is not in the best interest of fostering widespread use of Internet technologies in Brazilian society.

For me, this prudence stood in stark contrast to American legislation such as the controversial Digital Millennium Copyright Act and the currently proposed Security Systems Standards and Certification Act, which would require any device capable of storing electronic content – from hard drives to CD burners, MP3 players, and DVD-RAMs – to have built-in anti-piracy features that prevent any duplication of creative content. Contrary to the holistic Brazilian philosophy, these legislative acts favor regulation and control of technology not for the benefit of society as a whole, but for the profit of a few major players in specific industries.

One must admire the objective wisdom and common sense the Brazilians are demonstrating in this area – something that United States and European lawmakers seem to have routinely ignored in recent years. Even though the United States is the leader among technology societies, it is not above reproach, and would be wise to learn from its neighbors. Sometimes it’s better to learn from others than to blindly rush toward completion, especially when society’s best interests are at stake.

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.