051309 Federal Interest And Social Security Metanomics Transcript
METANOMICS: FEDERAL INTEREST AND SOCIAL SECURITY:
GOVERNMENT TAKES A SERIOUS LOOK AT VIRTUAL WORLDS
MAY 13, 2009
ANNOUNCER: Metanomics is brought to you by Remedy Communications and
Dusan Writer’s Metaverse.
ROBERT BLOOMFIELD: Hi. I’m Robert Bloomfield, professor at Cornell University’s
Johnson Graduate School of Management. Each week I have the honor of hosting a
discussion with the most insightful and the most influential people who are taking Virtual
Worlds seriously. We talk with the developers who are creating these fascinating new
platforms, the executives, entrepreneurs, educators, artists, government officials who are
putting these platforms to use. We talk with the researchers who are watching the whole
process unfold. And we talk with the government officials and policymakers who are taking a
very close look at how what happens in the Virtual World can affect our Real World society.
Now naturally, we hold our discussions about Virtual Worlds in Virtual Worlds. How else
could we find a very real place where a global community can convene, collaborate and
connect with one another? So our discussion is about to start. You can join us in any of our
live Virtual World studio audiences. You can join us live on the web. Welcome, because this
ANNOUNCER: Metanomics is filmed today in front of a live audience at our studios in
ROBERT BLOOMFIELD: Hi, and welcome again to Metanomics. Over a year ago,
Paulette Robinson, of National Defense University, appeared on Metanomics to talk about
her new initiative, the Federal Consortium for Virtual Worlds. She talked about the promise
Virtual Worlds held for federal agencies, but she also emphasized two challenges: the
government’s lack of familiarity with this new technology and the government’s strong and
understandable concern about cyber security. Today we’ll be getting an update from
Paulette on how effectively her consortium has been able to address these challenges, and
we’re also going to hear from Paulette’s colleague at National Defense University,
Rocky Young, an expert in cyber security, who has recently been doing some very
interesting work examining the vulnerabilities of Virtual Worlds.
Thanks to all of you who are attending Metanomics today, including those who are viewing
live on the web. Please do join in with your comments and your questions.
ANNOUNCER: We are pleased to broadcast weekly to our event partners and to welcome
discussion. We use ChatBridge technology to allow viewers to comment during the show.
Metanomics is sponsored by the Johnson Graduate School of Management at Cornell
University and Immersive Workspaces. Welcome. This is Metanomics.
ROBERT BLOOMFIELD: Before we get to our main guests, we’re going to take a few
minutes to pull back our usual focus on Virtual Worlds, to take a broader look at the state of
internet technology and policy. Just about every enterprise and every consumer relies on
the internet these days, but none quite so much as those who are exploring Virtual Worlds.
To us, the internet is an ocean we call home. Well, this season, we’ll be doing a fair bit of
oceanography and [earth?] time forecasting. Today we’re going to start in Washington, D.C.
because there are some major policy storms brewing there. To introduce us to the issues,
I’d like to welcome our new Washington correspondent, Sterling Wright, who will help us put
cyber security in the spotlight. Sterling, welcome to Metanomics.
STERLING WRIGHT: Hello, Robert. Thank you so much for having me.
ROBERT BLOOMFIELD: Yeah, my pleasure. I know you’ve been taking a close look at
S.773, the Cybersecurity Act of 2009, which was introduced on April 1st to the Senate
Committee on Commerce, Science and Transportation, by two moderate Senators,
Democrat John Rockefeller and Republican Olympia Snowe. As I understand it, the bill
draws heavily from a report by the Center for Strategic and International Studies, which
says, and this is a quote from their report from late 2008, “America’s failure to protect
cyberspace is one of the most urgent national security problems facing the new
Administration that will take office in January 2009. It is a battle fought mainly in the
shadows. It is a battle we are losing.” That sounds like pretty dramatic language. Are these
STERLING WRIGHT: Well, your delivery was certainly dramatic, Robert.
ROBERT BLOOMFIELD: I try.
STERLING WRIGHT: Well, let me tell you. In 2007, already the Departments of State,
Commerce, Homeland Security, the Defense Department, NASA and the National Defense
University suffered major intrusions by foreign entities. These were either foreign
intelligence services, militaries or criminal groups. Today the Department of Defense
computers are probed hundreds, if not thousands of times a day. The Department of State
said it has lost terabytes of information. The White House networks have been penetrated.
And intelligence sources claim that U.S. companies have lost billions in intellectual property.
These activities have continued to increase since then, so there’s a great deal of motivation
in Washington for the U.S. to become much more robust in addressing these threats, and,
more importantly or at least as importantly, in raising the public’s awareness of them.
There’s a sense within the broader population, when we think of cyber threats, we tend to
think of identity theft or pedophilia or something like this, but there is an increasing need to
inform the public of the threats from foreign players who many feel are intent on
undermining the U.S. economy and its defenses. So here in Washington, we’ve heard terms
like “a cyber 9/11” or “a cyber tsunami” or “a cyber Katrina” used to describe the potential for
damage. Some are even referring to the threat from cyberspace as the soft underbelly of
ROBERT BLOOMFIELD: Okay. Those sound like pretty serious challenges that no doubt
call for some extraordinary measures. What do you see as some striking provisions in the
STERLING WRIGHT: Well, the bill is very sweeping in its initiatives. It calls for the
establishment of a Cabinet-level Cybersecurity Czar, who would be answerable to the
President. Although we have many of these czars being appointed now for various agencies
so that may not be the most pressing point. But what the bill also seeks to establish is
cybersecurity standards that would be mandated across all applicable government and
private networks. It would also confer new powers on the President and onto the Secretary
ROBERT BLOOMFIELD: What are some of these powers? I understand--shutting down--
the President has some power to shut down internet traffic?
STERLING WRIGHT: Here’s the problem: Some of the language in the bill is extremely
broad and open-ended, and this is causing a lot of concern among civil and digital rights
groups. The Electronic Frontier Foundation, for example, and the Center for Democracy and
Technology have both raised issues with some of the provisions. You’re right, the Act calls
for the President to be given the power to shut down internet traffic in emergencies or to
disconnect any infrastructure systems or networks on the grounds of national security. And
the activists are concerned that the Act does not define these so-called emergencies.
Therefore, it is left solely up to the President to decide what merits pulling the plug. I don’t
see as much of a problem with this. It is more analogous, in my mind, to the President
grounding all aircraft on 9/11, and I’m not sure that one could have defined the emergency
of 9/11 ahead of time, but this is, nevertheless, a concern for some.
I think more than the powers conferred upon the President, what seems to be disturbing
people is that the Secretary of Commerce would be given access to all, quote, “relevant
data concerning our critical networks,” and this is the operable point, without, and I quote
again, “without regard to any provision of law, regulation, rule or policy restricting such
access.” So the privacy advocates fear that this would allow the Commerce Secretary
unrestricted access to our private data. Others have even raised the specter of unrelated
illegal activity being inadvertently uncovered, and they fear that such evidence could be
used against a defendant, for example, thereby undermining his or her Constitutional
protection against unwarranted searches.
ROBERT BLOOMFIELD: Well, you mentioned a term in there “critical infrastructure system
or network.” How is that defined?
STERLING WRIGHT: Typically, one would consider critical infrastructure as utilities,
transportation, public health, financial services, food distribution, this sort of thing. And I
think that, if language were inserted into the bill that simply or explicitly defined what
constitutes a critical infrastructure system, I think some of the opponents could be
assuaged. However, there are some who are arguing that the internet, as a whole,
constitutes our critical communication infrastructure, and these voices would like to see
limits defined in the Act, to assure that there are no loopholes left open which would allow
the government to reach into our private communications.
ROBERT BLOOMFIELD: And there are concerns about some user authentication
proposals as well?
STERLING WRIGHT: Yeah, there is a section that is proposing that user authentication be
studied, but at this point the bill only states that, within a year after its enactment, the
President or his or her designee, assuming his if this Act goes into effect shortly, that the
President shall review and report to Congress on the feasibility of an identity management
and an authentication program. Naturally, with the appropriate civil liberties and privacy
protections in place. And activists are concerned about this because although it is intended
to apply only to critical infrastructure, civil liberties groups fear that this will open the door to
anonymity on the internet as a whole being completely abolished and thereby threatening
not only privacy but also free speech.
ROBERT BLOOMFIELD: Parts of this really have a feel to me, as an accountant, of the
Sarbanes-Oxley Bill because this bill seems to be taking a lot of the power that is
traditionally held by private firms and placing it in government hands. So as I understand it,
the government would be overseeing private networks and mandating that government, not
industry, sets standards, attests to them and so on and so the comparison to
Sarbanes-Oxley. That was written in response to high-profile frauds like Enron and
WorldCom. And one of the most controversial parts was Section 404, which dealt with
internal controls. These have traditionally been viewed as a private matter for firms that
[AUDIO GLITCH] protecting themselves from employee misbehavior, but 404 basically said
you’re not doing a good enough job, and it imposed a lot of high-cost requirements, saying,
basically, government was going to set the standards for internal control and require
auditors to attest to that. Would you make the same argument here that private firms have
every incentive to protect their security, and we should just leave the matter in their hands?
STERLING WRIGHT: Well, let me clarify. The Act, as it’s currently written, would mandate
that, again, that the security standards are set for critical infrastructure. This would also
include software, and the government would be able to enforce those standards on all
developers and distributors and vendors. It would also legislate the sharing of security
information between the government and private entity. So I can understand that there
would be some concern over this from the private sector. Opponents argue that this could
stifle innovation, that if standardization of security were mandated across the board that the
systems would become less secure because only one protocol would have to be breached
by potential attackers.
But the fundamental issue at stake, I think, is that, among security and intelligence experts
in Washington, there is certainly the perception that the threat posed by cyber subversion is
a strategic issue that is on par with the proliferation of weapons of mass destruction and
global jihad. And it was these models of deterrence that were drawn upon in the CSIS study,
in order to craft recommendations for how the government should approach cybersecurity.
Certainly, the report’s authors--again, the report, not the bill--feel that it is the government
which needs to be responsible for overseeing this space, and they do not feel that voluntary
actions, which are most likely what is preferred by private industry, would go far enough.
They also argued that the reliance on market forces to date has fallen short, and, as a
result, the U.S. has been left vulnerable. So it’s possible that the open-ended broad,
sweeping language of this bill may simply serve to incentivize the private industry to move
more decisively on this front. There is certainly a concern against prescriptive mandates that
would inflate costs and stifle innovation or encroach on civil liberties.
ROBERT BLOOMFIELD: Okay. Well, I think we’re going to have to leave it there as a
cliffhanger, as we wonder what’s going to happen with this bill as it moves through, how
private industry is going to respond, especially the big corporate powers, not just tech, but
the industries. I’m sure the electric utility industry, for example, is going to have a lot to say
on this since they’re certainly going to be viewed as critical infrastructure. And I’m glad to
know that you’re going to be coming back to talk more about policy issues as the season
goes on. So thanks a lot, Sterling Wright, for talking with us about the Cybersecurity Bill.
STERLING WRIGHT: Delighted to be here, Robert. Thank you so much.
ROBERT BLOOMFIELD: Okay. I guess Sterling will be back next week when we discuss
some more policy issues. Next week we’re going to have a legal expert on Virtual Worlds as
our main guest, James Gatto, of the Pillsbury law firm, a colleague of Ben Duranske for
those of you who know him. He’s been on Metanomics a number of times, so I’m looking
forward to that.
Our main guests today are Paulette Robinson and Robert Rocky Young. Paulette is
assistant dean for teaching at the Information Resources Management College of National
Defense University. But, for our purposes, her most salient credential is that she has
organized the Federal Consortium for Virtual Worlds which supports federal government
employees and contractors that are interested in exploring the use of Virtual Worlds in
government. Robert Rocky Young is director of the National Defense University Information
Assurance Lab and teaches Information Assurance at the IRM College. So, Paulette,
Rocky, both of you, welcome to Metanomics.
ROBERT YOUNG: Oh, great. Thanks for having me. I apologize if my avatar’s been down.
I’m at a conference, and I lost my WiFi.
ROBERT BLOOMFIELD: Okay. Well, I understand these things happen. And, Paulette,
PAULETTE ROBINSON: Thank you very much.
ROBERT BLOOMFIELD: So before we get started, I’m sure both of you want to make
some kind of disclaimer that everything you say here is just your own opinion. It doesn’t
represent an official position of your college or the federal government. Paulette, you have
anything to add to that disclaimer?
PAULETTE ROBINSON: No, that’s pretty much right.
ROBERT BLOOMFIELD: Okay. Just wanted to make sure we did that. So now let’s start
with you. You were on Metanomics way back in January of ’08 so well over a year ago, and
NDU was just starting to build a presence in Second Life. The Federal Consortium for
Virtual Worlds had held, I believe, only one conference at that point. Can you give us an
update on how the Consortium has progressed since then? Growth and so on.
PAULETTE ROBINSON: Well, since I was last here, probably, we had a November
meeting in 2007, that had about 200 there and about 300 or 400 online. In April of 2008, we
had our first big meeting. It was a two-day conference, and we had on the campus almost
400, and we had online over 1,000 in Second Life. So it was interesting to see how many
people were there. We had vendors that came in and showed the different parts of what’s
happening in Virtual Worlds. We had panels and--was represented, so it was really a very
enlightening kind of conference. There were over 1,000 people. We now have over 1,000
people in our database that are not only government but industry and academics because
all together is when we’re going to make a difference. We have people from all the 12
Cabinet agencies, so we have a full complement of government represented at different
levels in the Consortium so it’s really moved along.
[AUDIO GLITCH] projects this year at our conference, we had a government poster session
where we had over 30 government projects that were showing what they’re doing in
different Virtual Worlds. We streamed out [six?] different Virtual Worlds and had over 1,000
that were attending. We’re still taking the numbers so I can’t give you exactly, online. So we
really had an interesting mix of people that joined us on our program.
ROBERT BLOOMFIELD: Well, I’ll say I was there. I had a great time. It was incredibly
informative. Now last time when you were on the show, there was a question by
Malburns Writer, a fairly regular attendee of Metanomics, and, in response to his question,
you said the following: “If you talk to high-level administrators, you would think Second Life
is a foreign land. I think they’re stunned.” And so now I see you are actually nominated for
the 2009 Intergovernmental Solutions Award, and you’re talking about the growth of the
Consortium. Is it safe to assume that high-level government administrators are more familiar
with Virtual Worlds and are more ready to take it seriously?
PAULETTE ROBINSON: I think they’re more familiar with them. I know that one of the
Senate Subcommittees had met in Virtual Worlds, one of them from Commerce, so there is
more of an awareness. How seriously they take them, I think that’s not across the board, but
several understand immediately. I think educators, training officers automatically see the
power of it. And now that we have a new Administration, I think there’s also a renewed
interest of finding ways to collaborate and communicate online. So I think there’s a renewed
interest in what Virtual Worlds can do. But there’s still always the problem with security so
that has to be fixed before there’s a real interest. Although, at every conference I go to, I ask
the audience, “So how many of your children are in Club Penguin or Webkinz?” And about a
third raise their hands, so I think some of these new administrators are becoming acquainted
with what a Virtual World is through their children or grandchildren.
ROBERT BLOOMFIELD: Yeah, I believe that. Now, on security, which you just mentioned,
I understand the U.S. Department of Agriculture, of all places, is providing a solution.
PAULETTE ROBINSON: Yes, we’re working closely with the USDA and the CIO there to
create a trusted-source hosting solution that will be hosted at their data center in Kansas
City. We’re using eAuthentication level 2 to ensure identity. So one of the problems is, who
is in the space? Are they who they say they are? The second problem is, for all these Virtual
Worlds, ports have to be open, and it depends on how many ports so the Enterprise
versions of Virtual Worlds--and this is not like Second Life in the public spaces which offer a
different kind of security problem. We would then be able to provide secure IPs that we
would ask CIOs to open to very specific IPs for these Virtual Worlds. That’s still being
worked out with those as well as the USDA, but we do have the prototype up. We have a
couple of vendors that are integrating eAuthentication for this prototype, to see how it’s
going to work.
So we have a lot of hope. There’s many federal agencies that were at the conference that
are interested in investing in the next stage, to be able to do something that’s multi-agency.
Enterprise versions work well behind the firewall within an agency so then you don’t expose
yourself to the same issues that have to be solved with interagency dialogue, and that’s
what I’m trying to work on. I want multiple agencies being able to talk to each other.
ROBERT BLOOMFIELD: You mentioned a couple. You said you’re working with a couple
vendors, that’s what ProtoSphere and Forterra?
PAULETTE ROBINSON: Yes.
ROBERT BLOOMFIELD: ProtonMedia and Forterra. How about Second Life for the trust
PAULETTE ROBINSON: Well, Second Life has the unique problem of having ranges of
ports that have to be opened. So even though you would take it behind the firewall, unless
they get it down to a couple of ports, it would be extremely difficult to secure, or more
difficult, and it would be difficult to take CIOs from the governments and convince them to
open up ranges of ports. And I don’t blame them. So an Enterprise solution really has to be
where they run over port 80 or only a few ports as a solution because of the need to protect
ROBERT BLOOMFIELD: Okay. Despite the fact that Second Life is working on their--I
guess it’s code-named Nebraska, their behind the firewall solution, it still isn’t going to work
PAULETTE ROBINSON: Well, not for a multi-agency. It probably would work well for
behind the firewall if it’s just within an agency where they’re not going out and opening up
ports. But nowadays, most of the government problems are really multi-agency based, so
unless you run like an internal chat tool in 3D or that kind of workspace or training space, it’s
not going to solve the problems that we need in terms of a robust environment that has a
sense of presence that we can work in across the government.
ROBERT BLOOMFIELD: Okay. That was mostly focusing on the [behind?] firewall
trusted-source hosting. But there are a lot of federal agencies that are working on what I
understand government types call forward-facing projects, public relations, outreach, and
they want anyone to be able to go into the World. I know that there are a lot of these now in
Second Life: NOAA, NASA, Air Force, Team Orlando, which I actually had a great talk with
at the conference. So how are they dealing with the government security issues, while still
using Second Life in what’s largely an unsecured environment?
PAULETTE ROBINSON: Well, they have to either go home and work on them, or their
CIO has agreed, or their person that mitigates risk for them has set up an enclave off the
network that allows one or two stations to work on Second Life because that’s part of their
job. But that’s really rare. Most people that are working in Second Life, from their
government desktop, cannot do it from their government desktop. They have to go home, on
their home computer, and work on it because they also have to download a client, which, in
most federal agencies like any other corporate enterprise, they have a desktop image that is
regulated for security and for manageability and integration, so most of them work at home
or on their own private computers.
ROBERT BLOOMFIELD: Okay. Well, that really distinguishes between the day job and the
moonlighting there, huh.
PAULETTE ROBINSON: Yeah. Probably not moonlighting. They just tele-work or find some
other way to do the work.
ROBERT BLOOMFIELD: Right. Now, Rocky, I’d like to bring you into the conversation. So
thanks so much for joining us. It sounded like you were saying you had a bit of a wireless
problem. So I don’t know what we’ll be seeing on our screens, but we have you on your
Blackberry. Is that right?
ROBERT YOUNG: Yes, I’m on my Blackberry. I’m at the National 2009 OpSec Conference
down in San Antonio, where we’re actually educating the people on cybersecurity down
ROBERT BLOOMFIELD: Well, it won’t be the first time we filmed an empty chair on
Metanomics. It’s the content that drives everything. Your specialty is security, and I guess
first I’m wondering what do you see as being the primary risks of having federal agencies
using both the public Worlds and the private Worlds, the trusted-source hosting solutions?
What is the exposure that the federal agencies and the people who are doing this have?
ROBERT YOUNG: Well, you know that on security, we’re always the “no” men. We’re
never the “yes” men. We’re always saying security. But I agree with Paulette that the
forward-facing and some of the things that you’re talking about for doing some type of
publicity or something like the Air Force trying to bring people in, that’s great. The issue is
that people are having to do it day to day. They’re having to use Second Life, in their job,
and they’re a federal employee, the recommendation that Paulette had said and what we’ve
built at _____ is an enclave. It’s a specialized area that will not bring the problems from
Second Life and/or these Virtual Worlds onto our government systems which might be your
production government system doing your national war-fighter job or maybe doing IRS tax
returns; I’m not sure what your job may be.
And Paulette’s agreement with the multi-agency, all of our problems are becoming multi
because we’re so interconnected. Our networks have no boundaries anymore. So in order
for us to make sure that we don’t have a [problem?] that say DOD brings in, it doesn’t bleed
over to your EPA and your FAA and your DOT. Some of the agents are doing exactly what
you said. It’s all bound to the software, the compliance and the server, and, as Paulette had
said, we have the HBSFO(?) [base?] security system in the Department of Defense. It’s
actually locked down for a specific reason, to protect us to the best of its abilities again. And
[AUDIO GLITCH] people on these systems doing these things, and the issue is, we have
government people now, insiders, that actually are doing things that they’re not supposed to
do. We know appropriate use of the network. We know appropriate function.
Our worry is that as they get into Second Life and these other 3D Virtual Worlds, that
sometime they forget that they’re at work. They may accept something that they wouldn’t
normally do in the other world. But it’s all down to the software and evaluating the code and
evaluating what that server-client relationship, what it has allowed in and out. And as
Paulette said that the ports, what ports are we opening, and we watch them closely. Can we
monitor what’s going on in this Virtual World? And the identity management looks huge for
Paulette and for everyone else. Am I talking to who I really think I’m talking to? Do you have
a federated ID or some way to say that, yes, you are indeed speaking to Dr. Rocky Young.
No one has taken over the avatar. No one is misrepresenting or social engineering you to
get information out of you.
There’s so many ways to do social networking, and Paulette works through all of those at
IRMC. And I just want to be person who says, “I want you all to go into these Virtual Worlds
as security professionals, but I want you to understand the risks when you go into them and
accept that risk that something could happen.” And, as long as you’re aware and you accept
it, then you’re standing there when they reference it so that E-9/11 and these other, you
know, the E-Pearl Harbor that may happen. We’re not saying, “Gee whiz! We never thought
of this,” or, “Gee whiz! I had no idea this could happen.”
ROBERT BLOOMFIELD: I was at your talk in Washington, D.C., at Fort McNair, and you
said some fairly terrifying things about the use of Twitter and Skype and a lot of other things
that are kind of meat and potatoes to a lot of us who spend so much time collaborating by
distance. Could you clarify for us a little what you see as the risks of those tools? And then
is there something about Virtual Worlds that makes them more of a concern?
ROBERT YOUNG: The big issue with your Skype and your other tools, it’s a voice of our
[PCHK technology?], and we can gather that, unless you’re going to encrypt it. And
normally, for us to pass through the Virtual Worlds, you can’t have as much encryption; it
slows things down. It causes problems. It depends on what you’re doing in the Virtual World.
Say that you’re my adversary, or I wanted to take your job or immerse you, and the biggest
thing is reputation. Your reputation can be destroyed in seconds in any online avenue. The
issue is, if I can gather all the conversations about you and you’re doing something
inappropriate in a Virtual World, you’re a government employee. I know who you are even
though you say you’re someone else. I could actually use that to blackmail you.
And there are tools that we can use in the Virtual Worlds to build some bots to actually
gather all the traffic that’s going on in the room, find all your movements, to record
everything you do, and I would blackmail you with it. Now if you put it on a different
[forums?], that I’m not talking to a government employee, you have to worry about your
family, your daughter. I have a ten-year-old daughter. The big issue is what is she doing in
that Virtual World? Who’s following her? With Twitter, we can tell exactly where you are
because you’re going to tell us in that 140 characters, “I’m here, I’m doing this. I’m here, I’m
doing that.” It links back to your phone. It links through the Virtual Worlds. There are ways
for us to find out exactly where you are. So it’s like we can do E-stalking if we want to. Now
that’s not a big concern for me. I’m a 6’-5” [AUDIO GLITCH]. But for someone, like a
ten-year-old girl, for the E-bullying and things like that, Twitter and some of these other
technologies, they all combine in, and you get so much information about people.
On your cameras, you actually get [AUDIO GLITCH] data on every picture. So say you load
up a picture into Second Life, that you took of yourself. There can actually be GPS
coordinates in that data of that picture that will tell me where you live or where it was taken.
It can actually have information in the picture, and it’s all under Digital Forensics, if your
listeners have an interest. In the information that goes with that camera, that photo, that
picture, I can find out GPS coordinates. I can find out with the WiFi access points where it
was loaded. And, if you’re dumb enough to load in your email address or register it,
sometimes that is in the photograph information. For me, it’s really awareness--
ROBERT BLOOMFIELD: So here we’re not really talking about hacking. We’re not talking
about who’s trying to carve their way into your system, it’s really just people unwittingly
giving away all the information that others might want.
ROBERT YOUNG: All that, yeah, for a social [aspect?], yes. Now, I didn’t even delve into
the hacking. Every time you accept something from someone else in a Virtual World, which
we were just demo-ing Virtual Worlds to a bunch of students before I leave the room. Every
time you accept a piece of code from a [AUDIO GLITCH] accessing whatever they give you,
and you don’t know what that piece will do. It may be making you dance. It may be making
you have butterfly wings, but you don’t know what that tool or that piece of code really does.
Maybe it’s actually installing a rootkit on your system at the same time that it’s making you
dance. Maybe it’s copying every one of your conversations or it’s going in and looking for
your password file on your core drive. There are a lot of things that, when you accept
something in a Virtual World. I tell my daughter when someone says, “Knock, knock,” in
Second Life or when we’re in someplace, you do not say, “Who’s there?” because you are
opening a communication between you and them, and you can accept things from them or
they can push things to you. [AUDIO GLITCH], our avatar into sandboxes, and, in the
sandboxes in Second Life, we watch what they’re doing and what they’re building and what
they’re making, to try to get insight into what they’re doing.
The big danger is the code. That when you’re in this Virtual World, and you accept an MP3
from someone in these Virtual Worlds or in these social working sites, we with
MP3Stego--MP3Stego, it’s _____ triplets out there; go look it up--you can load things in
MP3’s, and the MP3 still plays the music. So why not, if I’m targeting you, offer you a free
MP3 of Beyoncé’s new song? And don’t tell anyone that I gave it to you because it’s
copyrighted music. You’re not going to tell Mom and Dad that you took that MP3 and loaded
it into the system, but that’s actually bringing malware into the system. And, if I can’t get you
electronically, maybe I just hand out free music at the bus stop where I know your kid is, and
that’s how I’ll get into your system.
ROBERT BLOOMFIELD: It looks like Dusan Writer, through our web audience chat has,
you know, he--my advice on all this is to do what I do: Make your life so boring that no one
wants to steal any of your identity or know anything about you. It seems to me that a lot of
what you’re saying--I mean, to some extent, there’s just some common sense here, but
some of it also sounds like basically if you want to have any sort of public profile, you’d be
putting yourself at risk. How do you balance trying to remain secure and protected, while still
having a [AUDIO GLITCH]?
ROBERT YOUNG: You have a bit of a risk [acceptance?]. You have to assess the risk and
accept it. If you’re going to put your face out there, you’re going to put your images out
there, we build a fake email address for every one of our avatars, that only that email
address is used with it. So you kind of build, like you said, that common sense. And you
don’t put personal pictures of yourself out there, of your kids and stuff. The issue is, I still
want you to go into Second Life. I want you to do these things, but I want you to be aware of
the dangers that are out there. Because many times people that jump into computers, like
my mom is 65, she doesn’t understand when someone IM’s her and that they can actually
push code to her and actually take her system out.
And we all have bank accounts, right? We all are using online banking. And there’s a tool
called SSL split that you need to look at about “man in the middle” attacks, with SSL. We
think that we’re secure when we log onto our online banking. Well, go look into that tool, and
you’ll see that we’re not so secure. I want everyone to know that, “Hey, you need to be
aware of yourself.” There needs to be this my own checklist, to make sure that I’m ready to
go into Second Life, what I’m ready to put out there and that risk acceptance because any
time you put yourself out there, there’s going to be some risk, as Paulette will tell you. But it
depends, if someone is in these Virtual Worlds actually portraying themselves as something
they are not, a terrorist or something, trying to find out about Sergeant Snuffy’s deployment
to Afghanistan or Iraq, now we’re talking about Real World operation security, OpSec. So
that’s what I have.
It’s like what are you using it for? What [AUDIO GLITCH] people you are? Are you doing
inappropriate things that could be used maybe to blackmail you? And, really, it’s more like
your digital presence, are you ready to jump headfirst in this pool? Or do you just dip your
toes in, see how it is and not put everything out there? A good example is, my niece had her
prom this weekend, and all of a sudden, on Facebook, all of her pictures are out there. And I
showed her how you can get that [AUDIO GLITCH] those pictures by copying them and
downloading them. So these are the big things. It’s just awareness. I really do want you to
go into Virtual Worlds. I don’t want to be the security guy that stifles everybody and say,
“No, don’t do it. Just go into your house, and sit in a dark closet, and you’ll be safe.”
ROBERT BLOOMFIELD: And, Paulette, in light of all of these issues, how is this coloring
not just what agencies are doing in Virtual Worlds, but how you make the pitch and just sort
of comfort to agencies that are just starting to explore it, that this is a reasonable thing to do
and the risks that it carries are appropriate?
PAULETTE ROBINSON: I think it’s what you want a Virtual World to do for you, so it’s
really deciding what type of outcome you want and how you want to use it and then sitting
down and having a discussion about what the risk is and how to mitigate the risk. So for
most agencies that want to do information delivery to the public and be public facing,
Second Life has become probably the predominant Virtual World that they’re using. So we
have created an IRM college-government center in Second Life, where anyone in the
government can use this center free for meetings and for streaming conferences, that type
of thing. They’re not doing the business of government particularly in there, but they are
meeting more informally across agencies and having conference meetings. Like MuniGov
just had a meeting there. We streamed our entire conference, that type of thing.
So I think there are ways that government’s using it. The Air Force’s pilot--they’ve done
rapid prototyping in there. So if I want to look at something very quickly, as long as it’s not
classified, there’s interesting ways to get public opinion on government buildings, on certain
types of initiatives I think you could get some interesting input. Public diplomacy: The State
Department uses it. William [May?], over at the State Department, is doing interesting
things. NASA’s got some real cool stuff. Eric’s in the back, Eric Hackathorn from NOAA.
He’s done some interesting work for the public, to just use it as an educational mechanism,
so I think that works really well. They don’t do it off of government networks unless special
arrangements have been made with their CIO or they work from home. So they just try to
make it work for them.
ROBERT BLOOMFIELD: I actually see Eric chatting away in the audience. Hi, Eric. A
couple things: First a shout out. I really liked Eric’s--he had a poster at the Consortium
conference at Fort McNair about the “goverati,” like the literati, but the people who know
about government, which I do view as an incredibly helpful resource, because just dealing
with policy and government types for a couple days made me realize I really don’t
understand sort of the intricacies of how things get done within and between agencies. And
then the other thing, I wanted to ask you to respond to something that Eric is saying in chat,
which is, he says, “Rather than getting caught up in the details, it’s really a change in
philosophy and orientation trying to be more open. It’s a cultural shift to openness,” he says,
“that we need to support.” And so one question, Paulette, I have for you is: The Obama
Administration has certainly been vocal about wanting transparency. Do you see that in
action, and do you think it’s going to translate into funding and formal support for these sort
of public Virtual World projects?
PAULETTE ROBINSON: I think, from my observation, this year our conference was
different in that people were ready to invest money in Virtual Worlds and what they could be
used for, for a variety of reasons: education and training, analytical workspaces, a variety of
things. In the past, I think there has been a reluctance to use them simply because there
was a worry about what type of information can be made public and what couldn’t be made
With Obama coming into office and his Administration, because they’ve used social media
and software and communication, they’re encouraging people in the government to find
ways to use it. And one of the things we’re all grappling with is secure ways to use that,
where we protect the citizens’ data, but also get input from the citizens. So what Virtual
Worlds are going to offer for the citizen in transparency, I think, at the first level, we have to
find a way to secure it to do government work.
But the next stages of this is really going to be outward facing Virtual Worlds that are
secure, that we can bring citizens in to do the business of government and also to help
inform the public. So I think it’s going to be a mixture of Wikis and blogs and Virtual Worlds
and ways to communicate with the public. And now that there’s more of a willingness to
entertain this, I’ve seen money starting to be put toward those efforts.
ROBERT BLOOMFIELD: I don’t want to put you too much on the spot, but when you talk
about money, can you give us a sense of what you think the funding might be over the next
year or two? I know you’ve been working a lot with training in and between federal agencies.
Can you give us a sense of how many users you think might get involved in Virtual Worlds
through the government?
PAULETTE ROBINSON: One of the issues is making sure it’s a secure environment,
that we don’t risk--where there isn’t any network risk to the agency and to the data that we
are responsible for. So once this is put in place, I think, for example, there’s interest in
building IT security course for the government. We’re all required in the government to take
a basic IT security on what phishing is and what spam is and what to avoid and what to
work on. And so every agency pretty much is developing their own. And, quite frankly,
they’re pretty boring. They’re just really pretty boring. So one of the possibilities is creating
IT security that’s interesting and interactive in a Virtual World and then making it available to
the entire government so we get economies of scale. So once that happens, you’ll have
thousands of people in these Virtual Worlds. So I think you’re going to start seeing that kind
of process happening.
We have ethics training that all of us are required to take, and that too is pretty boring. So
when that becomes possible in a Virtual World, where it’s interactive and more interesting, I
think you’re going to see everybody want to come onboard. So we’re going to have
economies of scale, in terms of different kinds of use cases. We’re creating a community of
practice for the chief financial officer community in Virtual Worlds so they’ll have a
knowledge base and be able to work together on complex problems. But it’ll be in a secure
ROBERT BLOOMFIELD: If everyone in the government is going to need some sort of
cybersecurity training and they’re finding it more interesting to do this in Virtual Worlds, I
mean you’re probably then talking tens, hundreds of thousands of people coming into Virtual
Worlds to do that.
PAULETTE ROBINSON: That’s correct.
ROBERT BLOOMFIELD: Okay.
ROBERT YOUNG: I would agree with Paulette wholeheartedly because the training right
now is really boring for information security. And, if you could make it interactive, to have
someone walk into an environment and see laptops secure; it’s the other things. And I think
Paulette’s totally correct about using the Virtual Worlds for training. We’re using it for
biological and other explosions, what can happen in this environment, what happens when
you have a nuclear biological incident. And we’re using it for training of soldiers. As they’re
going into these cityscapes, they can actually figure things out, do assessments. So for
training and education, I think it’s wonderful, and it’s a great way to--behind the firewall we
can actually set up an environment that’s secure and use it, and, as Paulette has said, as
we do shares between the agencies and the CIOs, maybe it’s going to be an intranet
between the dot.gov and the dot.mil so we can do it securely and work together. I think
you’ll see a major explosion, like she said, economy of scale. If I can use the ethics training
throughout the entire federal government, then we’d all be able to do the same exact thing.
But it’s going to be that question of getting it somewhere where it’s secure, where I can’t
hack into it in the middle of your ethics training, something unethical occurs because I made
ROBERT BLOOMFIELD: Paulette, we have a question from Fleep Tuque, Chris Collins,
from the state of Ohio, “For academic institutions who want to collaborate with government
on Virtual Worlds research, what office is the best place to contact and look for more
PAULETTE ROBINSON: At the moment, my group’s become sort of the hub for federal
government and doing work in Virtual Worlds. One of the reasons we have academics in the
Federal Consortium is because we believe that they provide an interesting venue for
research and helping us reflect on what’s best practices. There are a variety of agencies
doing work with universities. Our particular--our instance in Second Life was created by a
university, and we’ve gotten a couple of papers. I’m co-editing a special issue of the Journal
for Virtual Worlds Research, where we’re going to be accepting some research papers, but
also some project type of papers. If somebody’s interested, they can contact me. Some of
the federal government projects are looking for research partners as well, so they can join
the Consortium in our Wiki and ask those kinds of questions in the Wiki.
ROBERT BLOOMFIELD: Okay. Great. We’re coming toward the end of our hour. Rocky, I
don’t know how much you can talk about this, but I’d love to hear a little bit more about your
lab at the college and how you’re using it to learn more about the security of Virtual Worlds.
Can you give us a sense of what goes on in that lab?
ROBERT YOUNG: Sure. Actually, we’re looking into many of the Virtual Worlds, including
Second Life, There.com, some of the other PlayStation Virtual Worlds. And what we do is,
we go in with our avatar, Betwinda, and we actually go in and try to get people to hack us,
and we try to capture what happens, look at the code, evaluate it. And just ten [minutes?]
ago, we released students here. We actually reviewed the dangers of Virtual Worlds, what’s
out there, so they’re aware of the Virtual World, and, like you said, we actually told them
what a Virtual World was. They didn’t know. So we brought them into the lab, but we do not
feel safe enough to let students venture into Second Life alone because I cannot control the
content. We went into a couple places. We did go to IRMC, which is a protected island. We
have our own island that Paulette manages and runs and took them there to show them
what was going on.
But then we took them out in the wild and showed that, within like three to five seconds,
people were actually already offering up tools. And I said, “Now we could look at this and
see what’s actually in this code and try to figure out what it is. But when you accept
something, hopefully, you’ll see a message that you accept it.” That’s what we’re trying to
show them. Was it a rootkit that was passed to you? Was it just a piece of digital clothing?
Or was it just a sound or an action? And that’s a big thing is, don’t be hyper-paranoid, but
also be aware that, when you accept something, it’s no different than expecting something
that someone’s baked for you. If you don’t know who it is, you’re not going to accept
something that you don’t know what it is and eat it. So we just tell [AUDIO GLITCH] take a
bit of a chance. But we are using Second Life and a bunch of the other Virtual Worlds.
Forterra is going to give us one World that we can actually put behind the firewall and bring
students in securely. We also have a World of Warcraft, like a Virtual World, that we’re
bringing students in to show them a little more fun. Because we don’t want security to not be
fun. We really enjoy it. So we bring them into World of Warcraft and show them, like on
eBay how you can buy gold levels and how you can buy different levels and how there is an
entire market out there of cyber crime going on in some of these Virtual Worlds. So it’s kind
of an awareness thing for them and also to know, if their kids are out there, you need to
keep an eye on what they’re doing in Virtual Worlds, and if they’re using the same systems
that you’re using for banking and for your tax returns and for all your private pictures, you
may be actually loading rootkits and other things, unknowingly, to them, of course, but
unknowingly be loading malware on a home system that you use for everyday use. In the
laboratory, all of our systems are scrubbed. We use virtual machines. We bring up a virtual
machine. We launch into the Virtual World, and then we have a bit of protection between us
and the actual clients of a relationship.
ROBERT BLOOMFIELD: We have a member of the audience, Al Supercharge, who feels
quite confident that the Second Life viewer cannot install a rootkit. Do you want to respond
ROBERT YOUNG: Sure. I would need to know who he was before I start telling him
exactly how we know what it can do, and then we could exchange credentials, and then I
would tell him how it did it. Because that’s the big thing is, when your adversary’s using new
tools against you, you don’t run out and say, “Hey, we found this neat thing. We know it,”
because we want to do the same exact thing to them. We want to watch what they’re doing,
to see how they’re using the tool against us. You don’t put all your cards on the table. When
someone’s using a tool against you, you watch what the tool’s doing. That’s the same thing
we do. We get it into a network. We load what we need. We put a back door, and we
observe and find out what we’re going to do.
My thing is now the kids are being hacked, actually the young children, because their Social
Security numbers are still clean and so are their bank accounts because they haven’t had
them yet. So now you need to look at your kids as being the targets, not you. Your Social
Security number’s already out there. A bot collected it years ago. And your credit card numbers are
already out there. But your kids are new clean accounts that are being collected and kept.
ROBERT BLOOMFIELD: Interesting. So time for one more question for each of you, and I
don’t know, Rocky, if you can answer this, but you used the words, “if you’re doing it to us,
we want to try it on you.” Sonja Strom has a question, “Does the U.S. government use
Virtual Worlds to gather information about people? And what’s going on in other countries?”
And I guess I’m wondering more generally: Is your role looking at cybersecurity at all more
offensive than simply defensive?
ROBERT YOUNG: I can’t really answer that question because, remember, I teach at the
National Defense University. I’m in Information Assurance. I’m a professional. I have
credentials and all that. I would never do anything illegal in the Virtual Worlds. What we do
is watch, but the question that you asked is perfect. Wouldn’t you do that exactly if on your
adversary, if you were a government and you knew things were being done to you? Would
you not do the same thing and watch on the other side? If you don’t know your enemy and
you don’t know how to defend against the attacks that are happening to your network, how
could you ever possibly defend? If you don’t know what the heck they’re doing, how could
you defend? That’s like trying to screw a light bulb in. If you’ve never seen a light bulb, how
can you possibly know how to screw it in?
ROBERT BLOOMFIELD: Okay. Thank you. And, Paulette, my last question for you, and we
talked about this a little in the pre-interview, is, I’ve been dealing with Virtual Worlds, it
started out as a small part, just sort of a sideline of the research and teaching that I was
doing and over the last couple years has grown like kudzu or bamboo, and it really
establishes a foothold. I’m wondering, for you personally as an assistant dean at NDU, and
NDU more generally as an organization that is doing inter-agency training, how do you see
Virtual Worlds taking hold? Again, in your personal life and in the college as a whole.
PAULETTE ROBINSON: Well, in my personal life, I find Virtual Worlds one of the most
exciting places. I am also sitting for teaching, learning and technology so I’m responsible for
appropriately integrating technology into our courses in ways that help to facilitate students
learning. I think Virtual Worlds are incredibly interesting, in terms of from an instructional
design point of view and engaging students. I think it’s incredibly interesting, in terms of
using technology for analytical workspaces and doing our work in the future. So I find myself
more and more involved in Virtual Worlds. I personally believe that Virtual Worlds will be the
interface for the web, and it’s not going to be that far down the road.
And I think it’s a responsibility for me and others and the government, as well anyplace else,
particularly the government, to not let this happen to us, that we really can interact with the
citizens in ways where we can meet them, where they gather information. It’s taken over--I
like the kudzu metaphor--it’s really taken over a life of its own in my life because I value and
am committed to it. And so I am like a cheerleader. I’ve been cheering away, and the band’s
been following along.
ROBERT BLOOMFIELD: Well, go, team, go! And we’re glad to have you. The only thing is,
that makes it sound like you’re on the sidelines when actually I think you’ve taken the ball
and started running with it.
PAULETTE ROBINSON: That’s pretty much what I’ve done.
ROBERT BLOOMFIELD: Thanks so much to both of you for coming on, and I look forward
to having you come on again in another year and tell us where you are then.
PAULETTE ROBINSON: It’s been a pleasure.
ROBERT YOUNG: Thanks so much.
ROBERT BLOOMFIELD: Thank you. Okay, now it’s time for my regular closing comment,
Connecting The Dots. And today the dots I want to connect are the ones that define the
outer boundaries of Metanomics. Our challenge is to define those boundaries broadly
enough that we can remain an influential voice for our community, people who are taking
Virtual Worlds seriously, as that community grows, as the technology grows and as it, like
kudzu, starts taking over more and more aspects of not just technology, but of our work and
social lives. On the other hand, we still need to be narrow enough that we’re not attempting
to be all things to all people or, even worse, trying to become experts in everything. There
are countless podcasts and webcasts about the internet as a whole, but I’m proud to say
there’s still only one Metanomics, and we want to keep that position as a leading voice in
this growing industry.
The heart of Metanomics remains, I think, as I defined it back in September of 2007:
business and policy in the so-called Metaverse of Virtual Worlds. What is a Virtual World?
Every conference I have attended, and Paulette as well, includes a heated debate on the
definition of a Virtual World. Does it need three dimensions? Does it need avatars? Does it
have to have commerce? Are games Virtual Worlds, or are they something different? These
debates are more of a blessing than a curse for Metanomics, and I take, personally, a very
broad perspective on this. As long as someone has a reasonable justification for calling a
platform a Virtual World, Metanomics is going to be there to take a good look at it, try to
understand who’s taking it seriously and what they are getting out of it.
But it’s more than just defining Virtual Worlds. We also need to decide when we should be
spending time on the business and policy of the internet as a whole, as we did earlier today
with the Cybersecurity Act, and, more generally, looking broadly at social movements that
might be affected by technology. As I mentioned at the top of the hour, just about every
enterprise and consumer relies on the internet, but none quite so much as those of us who
are exploring Virtual Worlds. To us, and especially to people who have immersed
themselves in Worlds like Second Life, the internet is an ocean we call home. So we won’t
be covering just any internet technology. We’re going to continue to view this ocean through
the lens of our particular school of fish.
So for example, for many users of Virtual Worlds, social networking sites, like Twitter, Plurk
and Facebook, are really just an integral component of their businesses and their personal
lives. And we can’t understand how these people are taking Virtual Worlds seriously, without
understanding how they’re using these new technologies. From today’s conversation with
Paulette and Rocky, you can see that there are a variety of cybersecurity issues that are of
particular interest to Virtual World users, and we’re going to continue taking a close look at
the practices and policies that can protect us from tropical storms and determined sharks.
And, finally, we’ll be casting our policy net more broadly than that. We can’t understand the
business case for Virtual Worlds, without understanding, for example, the recent energy bill,
which may make carbon emissions far more costly than they are now. Whether that’s a
boon for Virtual Worlds is, I think, a more open question than many Virtual World users
seem to think. Sure, traveling is expensive, but Virtual Worlds have their own carbon
footprint, and I don’t think we yet have a good handle on just how big those feet are. So this
is going to be an exciting season for Metanomics as we grow into the new resources
Remedy Communications is bringing to bear. So I invite you all to come on in. The water’s
That’s all we have for this week.
Join us next week when we take a look at some legal issues, with James Gatto, of Pillsbury
law firm. We’re going to look at topics, including current patent battles. Some of you may
know of the Worlds.com, a battle going with NC Soft. We’re going to talk about terms of
service, intellectual property rights, protections for children. And relevant to what we’ve
discussed today, the legal liability that Virtual World developers, as well as users, might face
due to breaches of security and other failures.
Thanks to all of our staff members and volunteers who help us pull this off every week. This
is Robert Bloomfield signing off. Take care. And, we’ll see you all next Wednesday.
Transcribed by: http://www.hiredhand.com
Second Life Avatar: Transcriptionist Writer