Metanomics: Federal Interest in Virtual Worlds and Cybersecurity


Published on

Federal agencies are increasingly looking to virtual world technologies as both an opportunity and a potential threat. In this of an episode of Metanomics, Drs. Paulette Robinson and Robert Young, leading figures in the adoption of the metaverse at all levels of government, discuss how government is using virtual world technologies, and examine issues around security.

Metanomics is a weekly broadcast examining the serious uses of virtual worlds. Join us at

Published in: Technology, Business
  • Be the first to comment

Metanomics: Federal Interest in Virtual Worlds and Cybersecurity

  1. 1. METANOMICS: FEDERAL INTEREST AND SOCIAL SECURITY: GOVERNMENT TAKES A SERIOUS LOOK AT VIRTUAL WORLDS MAY 13, 2009 ANNOUNCER: Metanomics is brought to you by Remedy Communications and Dusan Writer’s Metaverse. ROBERT BLOOMFIELD: Hi. I’m Robert Bloomfield, professor at Cornell University’s Johnson Graduate School of Management. Each week I have the honor of hosting a discussion with the most insightful and the most influential people who are taking Virtual Worlds seriously. We talk with the developers who are creating these fascinating new platforms, the executives, entrepreneurs, educators, artists, government officials who are putting these platforms to use. We talk with the researchers who are watching the whole process unfold. And we talk with the government officials and policymakers who are taking a very close look on how what happens in the Virtual World can affect our Real World society. Now naturally, we hold our discussions about Virtual Worlds in Virtual Worlds. How else could we find a very real place where a global community can convene, collaborate and connect with one another? So our discussion is about to start. You can join us in any of our live Virtual World studio audiences. You can join us live on the web. Welcome, because this is Metanomics. ANNOUNCER: Metanomics is filmed today in front of a live audience at our studios in Second Life. ROBERT BLOOMFIELD: Hi, and welcome again to Metanomics. Over a year ago, Paulette Robinson, of National Defense University, appeared on Metanomics to talk about her new initiative, the Federal Consortium for Virtual Worlds. She talked about the promise Virtual Worlds held for federal agencies, but she also emphasized two challenges: the government’s lack of familiarity with this new technology and the government’s strong and understandable concern about cyber security. Today we’ll be getting an update from Paulette on how effectively her consortium has been able to address these challenges, and we’re also going to hear from Paulette’s colleague at National Defense University, Rocky Young, an expert in cyber security, who has recently been doing some very interesting work examining the vulnerabilities of Virtual Worlds. Thanks to all of you who are attending Metanomics today, including those who are viewing live on the web. Please do join in with your comments and your questions. ANNOUNCER: We are pleased to broadcast weekly to our event partners and to welcome discussion. We use ChatBridge technology to allow viewers to comment during the show. Metanomics is sponsored by the Johnson Graduate School of Management at Cornell University and Immersive Workspaces. Welcome. This is Metanomics. ROBERT BLOOMFIELD: Before we get to our main guests, we’re going to take a few minutes to pull back our usual focus on Virtual Worlds, to take a broader look at the state of internet technology and policy. Just about every enterprise and every consumer relies on the internet these days, but none quite so much as those who are exploring Virtual Worlds. To us, the internet is an ocean we call home. Well, this season, we’ll be doing a fair bit of oceanography and [earth?] time forecasting. Today we’re going to start in Washington, D.C. because there are
  2. 2. some major policy storms brewing there. To introduce us to the issues, I’d like to welcome our new Washington correspondent, Sterling Wright, who will help us put cyber security in the spotlight. Sterling, welcome to Metanomics. STERLING WRIGHT: Hello, Robert. Thank you so much for having me. ROBERT BLOOMFIELD: Yeah, my pleasure. I know you’ve been taking a close look at S.773, the Cybersecurity Act of 2009, which was introduced on April 1st to the Senate Committee on Commerce, Science and Transportation, by two moderate Senators, Democrat John Rockefeller and Republican Olympia Snowe. As I understand it, the bill draws heavily from a report by the Center for Strategic and International Studies, which says, and this is a quote from their report from late 2008, “American’s failure to protect cyberspace is one of the most urgent national security problems facing the new Administration that will take office in January 2009. It is a battle fought mainly in the shadows. It is a battle we are losing.” That sounds like pretty dramatic language. Are these histrionics justified? STERLING WRIGHT: Well, your delivery was certainly dramatic, Robert. ROBERT BLOOMFIELD: I try. STERLING WRIGHT: Well, let me tell you. In 2007, already the Departments of State, Commerce, Homeland Security, the Defense Department, NASA and the National Defense University suffered major intrusions by foreign entities. These were either foreign intelligence services, militaries or criminal groups. Today the Department of Defense computers are probed hundreds, if not thousands of times a day. The Department of State said it has lost terabytes of information. The White House networks have been penetrated. And intelligence sources claim that U.S. companies have lost billions in intellectual property. These activities have continued to increase since then, so there’s a great deal of motivation in Washington for the U.S. to become much more robust in addressing these threats, and, more importantly or at least as importantly, in raising the public’s awareness of them. There’s a sense within the broader population, when we think of cyber threats, we tend to think of identity theft or pedophilia or something like this, but there is an increasing need to inform the public of the threats from foreign players who many feel are intent on undermining the U.S. economy and its defenses. So here in Washington, we’ve heard terms like “a cyber 9/11” or “a cyber tsunami” or “a cyber Katrina” used to describe the potential for damage. Some are even referring to the threat from cyberspace as the soft underbelly of national security. ROBERT BLOOMFIELD: Okay. Those sounds like pretty serious challenges that no doubt call for some extraordinary measures. What do you see as some striking provisions in the bill? STERLING WRIGHT: Well, the bill is very sweeping in its initiatives. It calls for the establishment of a Cabinet-level Cybersecurity Czar, who would be answerable to the President. Although we have many of these czars being appointed now for various agencies so that may not be the most pressing point. But what the bill also seeks to establish is cybersecurity standards that would be mandated across all applicable government and private networks. It would also confer new powers on the President and onto the Secretary of Commerce. ROBERT BLOOMFIELD: What are some of these powers? I understand--shutting down--the President has some power to shut down internet traffic?
  3. 3. STERLING WRIGHT: Here’s the problem: Some of the language in the bill is extremely broad and open-ended, and this is causing a lot of concern among civil and digital rights groups. The Electronic Frontier Foundation, for example, and the Center for Democracy in Technology have both raised issues with some of the provisions. You’re right, the Act calls for the President to be given the power to shut down internet traffic in emergencies or to disconnect any infrastructure systems or networks on the grounds of national security. And the activists are concerned that the Act does not define these so-called emergencies. Therefore, it is left solely up to the President to decide what merits pulling the plug. I don’t see as much of a problem with this. It is more analogous, in my mind, to the President grounding all aircraft on 9/11, and I’m not sure that one could have defined the emergency of 9/11 ahead of time, but this is, nevertheless, a concern for some. I think more than the powers conferred upon the President, what seems to be disturbing people is that the Secretary of Commerce would be given access to all, quote, “relevant data concerning our critical networks,” and this is the operable point, without, and I quote again, “without regard to any provision of law, regulation, rule or policy restricting such access.” So the privacy advocates fear that this would allow the Commerce Secretary unrestricted access to our private data. Others have even raised the specter of unrelated illegal activity being inadvertently uncovered, and these fear that such evidence could be used against a defendant, for example, thereby undermining his or her Constitutional protection against unwarranted searches. ROBERT BLOOMFIELD: Well, you mentioned a term in there “critical infrastructure system or network.” How is that defined? STERLING WRIGHT: Typically, one would consider critical infrastructure as utilities, transportation, public health, financial services, food distribution, this sort of thing. And I think that, if language were inserted into the bill that simply or explicitly defined what constitutes a critical infrastructure system, I think some of the opponents could be assuaged. However, there are some who are arguing that the internet, as a whole, constitutes our critical communication infrastructure, and these voices would like to see limits defined in the Act, to assure that there are no loopholes left open which would allow the government to reach into our private communications. ROBERT BLOOMFIELD: And there are concerns about some user authentication proposals as well? STERLING WRIGHT: Yeah, there is a section that is proposing that user authentication be studied, but at this point the bill only states that, within a year after its enactment, the President or his or her designee, assuming his if this Act goes into effect shortly, that the President shall review and report to Congress on the feasibility of an identity management and an authentication program. Naturally, with the appropriate civil liberties and privacy protections in place. And activists are concerned about this because although it is intended to apply only to critical infrastructure, civil liberties groups fear that this will open the door to anonymity on the internet as a whole being completely abolished and thereby threatening not only privacy but also free speech. ROBERT BLOOMFIELD: Parts of this really have a feel to me, as an accountant, of the Sarbanes-Oxley Bill because this bill seems to be taking a lot of the power that is traditionally held by private firms and placing it in government hands. So as I understand it, the government would be overseeing private networks and mandating that government, not industry, sets standards, attests to them and so on and so the comparison to Sarbanes-Oxley. That was written in response to high-profile frauds like Enron and WorldCom. And one of the most controversial parts was Section 404, which dealt with internal controls. These have traditionally been viewed as a private matter for firms that [AUDIO GLITCH] protecting themselves from employee misbehavior, but 404
  4. 4. basically said you’re not doing a good enough job, and it imposed a lot of high-cost requirements, saying, basically, government was going to set the standards for internal control and require auditors to attest to that. Would you make the same argument here that private firms have every incentive to protect their security, and we should just leave the matter in their hands? STERLING WRIGHT: Well, let me clarify. The Act, as it’s currently written, would mandate that, again, that the security standards are set for critical infrastructure. This would also include software, and the government would be able to enforce those standards on all developers and distributors and vendors. It would also legislate the sharing of security information between the government and private entity. So I can understand that there would be some concern over this from the private sector. Opponents argue that this could stifle innovation, that if standardization of security were mandated across the board that the systems would become less secure because only one protocol would have to be breached by potential attackers. But the fundamental issue at stake, I think, is that, among security and intelligence experts in Washington, there is certainly the perception that the threat posed by cyber subversion is a strategic issue that is on par with the proliferation of weapons of mass destruction and global jihad. And it was these models of deterrence that were drawn upon in the CSIS study, in order to craft recommendations for how the government should approach cybersecurity. Certainly, the report’s authors--again, the report, not the bill--feel that it is the government which needs to be responsible for overseeing this space, and they do not feel that voluntary actions, which are most likely what is preferred by private industry, would go far enough. They also argued that the reliance on market forces to date have fallen short, and, as a result, the U.S. has been left vulnerable. So it’s possible that the open-ended broad, sweeping language of this bill may simply serve to incentivize the private industry to move more decisively on this front. There is certainly a concern against prescriptive mandates that would inflate costs and stifle innovation or encroach on civil liberties. ROBERT BLOOMFIELD: Okay. Well, I think we’re going to have to leave it there as a cliffhanger, as we wonder what’s going to happen with this bill as it moves through, how private industry is going to respond, especially the big corporate powers, not just tech, but the industries. I’m sure the electric utility industry, for example, is going to have a lot to say on this since they’re certainly going to be viewed as critical infrastructure. And I’m glad to know that you’re going to be coming back to talk more about policy issues as the season goes on. So thanks a lot, Sterling Wright, for talking with us about the Cybersecurity Bill. STERLING WRIGHT: Delighted to be here, Robert. Thank you so much. ROBERT BLOOMFIELD: Okay. I guess Sterling will be back next week when we discuss some more policy issues. Next week we’re going to have a legal expert on Virtual Worlds as our main guest, James Gatto, of the Pillsbury law firm, a colleague of Ben Duranske for those of you who know him. He’s been on Metanomics a number of times, so I’m looking forward to that. Our main guests today are Paulette Robinson and Robert Rocky Young. Paulette is assistant dean for teaching at the Information Resources Management College of National Defense University. But, for our purposes, her most salient credential is that she has organized the Federal Consortium for Virtual Worlds which supports federal government employees and contractors that are interested in exploring the use of Virtual Worlds in government. Robert Rocky Young is director of the National Defense University Information Assurance Lab and teaches Information Assurance at the IRM College. So, Paulette, Rocky, both of you, welcome to Metanomics. ROBERT YOUNG: Oh, great. Thanks for having me. I apologize if my avatar’s been down. I’m at a conference, and I lost my WiFi.
  5. 5. ROBERT BLOOMFIELD: Okay. Well, I understand these things happen. And, Paulette, welcome. PAULETTE ROBINSON: Thank you very much. ROBERT BLOOMFIELD: So before we get started, I’m sure both of you want to make some kind of disclaimer that everything you say here is just your own opinion. It doesn’t represent an official position of your college or the federal government. Paulette, you have anything to add to that disclaimer? PAULETTE ROBINSON: No, that’s pretty much right. ROBERT BLOOMFIELD: Okay. Just wanted to make sure we did that. So now let’s start with you. You were on Metanomics way back in January of ’08 so well over a year ago, and NDU was just starting to build a presence in Second Life. The Federal Consortium for Virtual Worlds had held, I believe, only one conference at that point. Can you give us an update on how the Consortium has progressed since then? Growth and so on. PAULETTE ROBINSON: Well, since I was last here, probably, we had a November meeting in 2007, that had about 200 there and about 300 or 400 online. In April of 2008, we had our first big meeting. It was a two-day conference, and we had on the campus almost 400, and we had online over 1,000 in Second Life. So it was interesting to see how many people were there. We had vendors that came in and showed the different parts of what’s happening in Virtual Worlds. We had panels and--was represented, so it was really a very enlightening kind of conference. There were over 1,000 people. We now have over 1,000 people in our database that are not only government but industry and academics because all together is when we’re going to make a difference. We have people from all the 12 Cabinet agencies, so we have a full complement of government represented at different levels in the Consortium so it’s really moved along. [AUDIO GLITCH] projects this year at our conference, we had a government poster session where we had over 30 government projects that were showing what they’re doing in different Virtual Worlds. We streamed out [six?] different Virtual Worlds and had over 1,000 that were attending. We’re still taking the numbers so I can’t give you exactly, online. So we really had an interesting mix of people that joined us on our program. ROBERT BLOOMFIELD: Well, I’ll say I was there. I had a great time. It was incredibly informative. Now last time when you were on the show, there was a question by Malburns Writer, a fairly regular attendee of Metanomics, and, in response to his question, you said the following: “If you talk to high-level administrators, you would think Second Life is a foreign land. I think they’re stunned.” And so now I see you are actually nominated for the 2009 Intergovernmental Solutions Award, and you’re talking about the growth of the Consortium. Is it safe to assume that high-level government administrators are more familiar with Virtual Worlds and are more ready take it seriously? PAULETTE ROBINSON: I think they’re more familiar with them. I know that one of the Senate Subcommittees had met in Virtual Worlds, one of them from Commerce, so there is more of an awareness. How seriously they take them, I think that’s not across the board, but several understand immediately. I think educators, training officers automatically see the power of it. And now that we have a new Administration, I think there’s also a renewed interest of finding ways to collaborate and communicate online. So I think there’s a renewed interest in what Virtual Worlds can do. But there’s still always the problem with security so that has to be fixed before there’s a real interest. Although, at every conference I go to, I ask the audience, “So how many of your children are in Club Penguin or Webkinz?” And about a third raise their hands, so I think some these new
  6. 6. administrators are becoming acquainted with what a Virtual World is through their children or grandchildren. ROBERT BLOOMFIELD: Yeah, I believe that. Now, on security, which you just mentioned, I understand the U.S. Department of Agriculture, of all places, is providing a solution. PAULETTE ROBINSON: Yes, we’re working closely with the USDA and the CIO there to create a trusted-source hosting solution that will be hosted at their data center in Kansas City. We’re using eAuthentication level 2 to ensure identity. So one of the problems is, who is in the space? Are they who they say they are? The second problem is, for all these Virtual Worlds, ports have to be open, and it depends on how many ports so the Enterprise versions of Virtual Worlds--and this is not like Second Life in the public spaces which offer a different kind of security problem. We would then be able to provide secure IP’s that we would ask CIOs to open to very specific IP’s for these Virtual Worlds. That’s still being worked out with those as well as the USDA, but we do have the prototype up. We have a couple of vendors that are integrating eAuthentication for this prototype, to see how it’s going to work. So we have a lot of hope. There’s many federal agencies that were at the conference that are interested in investing in the next stage, to be able to do something that’s multi-agency. Enterprise versions work well behind the firewall within an agency so then you don’t expose yourself to the same issues that have to be solved with interagency dialogue, and that’s what I’m trying to work on. I want multiple agencies being able to talk to each other. ROBERT BLOOMFIELD: You mentioned a couple. You said you’re working with a couple vendors, that’s what ProtoSphere and Forterra? PAULETTE ROBINSON: Yes. ROBERT BLOOMFIELD: ProtonMedia and Forterra. How about Second Life for the trust it’s source-hosting? PAULETTE ROBINSON: Well, Second Life has the unique problem of having ranges of ports that have to be opened. So even though you would take it behind the firewall, unless they get it down to a couple of ports, it would be extremely difficult to secure, or more difficult, and it would be difficult to take CIOs from the governments and convince them to open up ranges of ports. And I don’t blame them. So an Enterprise solution really has to be where they run over port 80 or only a few ports as a solution because of the need to protect the network. ROBERT BLOOMFIELD: Okay. Despite the fact that Second Life is working on their--I guess it’s code-named Nebraska, their behind the firewall solution, it still isn’t going to work for you? PAULETTE ROBINSON: Well, not for a multi-agency. It probably would work well for behind the firewall if it’s just within an agency where they’re not going out and opening up ports. But nowadays, most of the government problems are really multi-agency based, so unless you run like an internal chat tool in 3D or that kind of workspace or training space, it’s not going to solve the problems that we need in terms of a robust environment that has a sense of presence that we can work in across the government. ROBERT BLOOMFIELD: Okay. That was mostly focusing on the [behind?] firewall trusted-source hosting. But there are a lot of federal agencies that are working on what I understand government types call
  7. 7. forward-facing projects, public relations, outreach, and they want anyone to be able to go into the World. I know that there are a lot of these now in Second Life: NOAA, NASA, Air Force, Team Orlando, which I actually had a great talk with at the conference. So how are they dealing with the government security issues, while still using Second Life in what’s largely an unsecured environment? PAULETTE ROBINSON: Well, they have to go either go home and work on them, or their CIO has agreed, or their person that mitigates risk for them has set up an enclave off the network that allows one or two stations to work on Second Life because that’s part of their job. But that’s really rare. Most people that are working in Second Life, from their government desktop, cannot do it from their government desktop. They have to go home, on their home computer, and work on it because they also have to download a client, which, in most federal agencies like any other corporate enterprise, they have a desktop image that is regulated for security and for manageability and integration, so most of them work at home or on their own private computers. ROBERT BLOOMFIELD: Okay. Well, really distinguishes between the day job and the moonlighting there, huh. PAULETTE ROBINSON: Yeah. Probably not moonlighting. They just tele-work or find some other way to do the work. ROBERT BLOOMFIELD: Right. Now, Rocky, I’d like to bring you into the conversation. So thanks so much for joining us. It sounded like you were saying you had a bit of wireless problem. So I don’t know what we’ll be seeing on our screens, but we have you on your Blackberry. Is that right? ROBERT YOUNG: Yes, I’m on my Blackberry. I’m at the National 2009 OpSec Conference down in San Antonio, where we’re actually educating the people on cybersecurity down here. ROBERT BLOOMFIELD: Well, it won’t be the first time we filmed an empty chair on Metanomics. It’s the content that drives everything. Your specialty is security, and I guess first I’m wondering what do you see as being the primary risks of having federal agencies using both the public Worlds and the private Worlds, the trusted-source hosting solutions? What is the exposure that the federal agencies and the people who are doing this have? ROBERT YOUNG: Well, you know that on security, we’re always the “no” men. We’re never the “yes” men. We’re always saying security. But I agree with Paulette that the forward-facing and some of the things that you’re talking about for doing some type of publicity or something like the Air Force trying to bring people in, that’s great. The issue is that people are having to do it day to day. They’re having to use Second Life, in their job, and they’re a federal employee, the recommendation that Paulette had said and what we’ve built at _____ is an enclave. It’s a specialized area that will not bring the problems from Second Life and/or these Virtual Worlds onto our government systems which might be your production government system doing your national war-fighter job or maybe doing IRS tax returns; I’m not sure what your job may be. And Paulette’s agreement with the multi-agency, all of our problems are becoming multi because we’re so interconnected. Our networks have no boundaries anymore. So in order for us to make sure that we don’t have a [problem?] that say DOD brings in, it doesn’t bleed over to your EPA and your FAA and your DOT. Some of the agents are doing exactly what you said. It’s all bound to the software, the compliance and the server, and, as Paulette had said, we have the HBSFO(?) [base?] security system in the Department of Defense. It’s actually locked down for a specific reason, to protect us to the best of its abilities again. And [AUDIO GLITCH] people on these systems doing these things, and the issue is, we have government people now, insiders, that actually are
  8. 8. doing things that they’re not supposed to do. We know appropriate use of the network. We know appropriate function. Our worry is that as they get into Second Life and these other 3D Virtual Worlds, that sometime they forget that they’re at work. They may accept something that they wouldn’t normally do in the other world. But it’s all down to the software and evaluating the code and evaluating what that server-client relationship, what it has allowed in and out. And as Paulette said that the ports, what ports are we opening, and we watch them closely. Can we monitor what’s going on in this Virtual World? And the identity management looks huge for Paulette and for everyone else. Am I talking to who I really think I’m talking to? Do you have a federated ID or some way to say that, yes, you are indeed speaking to Dr. Rocky Young. No one has taken over the avatar. No one is misrepresenting or social engineering you to get information out of you. There’s so many ways to do social networking, and Paulette works through all of those at IRMC. And I just want to be person who says, “I want you all to go into these Virtual Worlds as security professionals, but I want you to understand the risks when you go into them and accept that risk that something could happen.” And, as long as you’re aware and you accept it, then you’re standing there when they reference it so that E-9/11 and these other, you know, the E-Pearl Harbor that may happen. We’re not saying, “Gee whiz! We never thought of this,” or, “Gee whiz! I had no idea this could happen. ROBERT BLOOMFIELD: I was at your talk in Washington, D.C., at Fort McNair, and you said some fairly terrifying things about the use of Twitter and Skype and a lot of other things that are kind of meat and potatoes to a lot of us who spend so much time collaborating by distance. Could you clarify for us a little what you see as the risks of those tools? And then is there something about Virtual Worlds that makes them more of a concern? ROBERT YOUNG: The big issue with your Skype and your other tools, it’s a voice of our [PCHK technology?], and we can gather that, unless you’re going to encrypt it. And normally, for us to pass through the Virtual Worlds, you can’t have as much encryption; it slows things down. It causes problems. It depends on what you’re doing in the Virtual World. Say that you’re my adversary, or I wanted to take your job or immerse you, and the biggest thing is reputation. Your reputation can be destroyed in seconds in any online avenue. The issue is, if I can gather all the conversations about you and you’re doing something inappropriate in a Virtual World, you’re a government employee. I know who you are even though you say you’re someone else. I could actually use that to blackmail you. And there are tools that we can use in the Virtual Worlds to build some bots to actually gather all the traffic that’s going on in the room, find all your movements, to record everything you do, and I would blackmail you with it. Now if you put it on a different [forums?], that I’m not talking to a government employee, you have to worry about you family, your daughter. I have a ten-year-old daughter. The big issue is what is she doing in that Virtual World? Who’s following her? With Twitter, we can tell exactly where you are because you’re going to tell us in that 140 characters, “I’m here, I’m doing this. I’m here, I’m doing that.” It links back to your phone. It links through the Virtual Worlds. There are ways for us to find out exactly where you are. So it’s like we can do E-stalking if we want to. Now that’s not a big concern for me. I’m a 6’-5” [AUDIO GLITCH]. But for someone, like a ten-year-old girl, for the E-bowling and things like that, Twitter and some of these other technologies, they all combine in, and you get so much information about people. On your cameras, you actually get [AUDIO GLITCH] data on every picture. So say you load up a picture into Second Life, that you took of yourself. There can actually be GPS coordinates in that data of that picture that will
  9. 9. tell me where you live or where it was taken. It can actually have information in the picture, and it’s all under Digital Forensics, if your listeners have an interest. In the information that goes with that camera, that photo, that picture, I can find out GPS coordinates. I can find out with the WiFi access points where it was loaded. And, if you’re dumb enough to load in your email address or register it, sometimes that is in the photograph information. For me, it’s really awareness-- ROBERT BLOOMFIELD: So here we’re not really talking about hacking. We’re not talking about who’s trying to carve their way into your system, it’s really just people unwittingly giving away all the information that others might want. ROBERT YOUNG: All that, yeah, for a social [aspect?], yes. Now, I didn’t even delve into the hacking. Every time you accept something from someone else in a Virtual World, which we were just demo-ing Virtual Worlds to a bunch of students before I leave the room. Every time you accept a piece of code from a [AUDIO GLITCH] accessing whatever they give you, and you don’t know what that piece will do. It may be making you dance. It may be making you have butterfly wings, but you don’t know what that tool or that piece of code really does. Maybe it’s actually installing a route kit on your system at the same time that it’s making you dance. Maybe it’s copying every one of your conversations or it’s going in and looking for your password file on your core drive. There are a lot of things that, when you accept something in a Virtual World. I tell my daughter when someone says, “Knock, knock,” in Second Life or when we’re in someplace, you do not say, “Who’s there?” because you are opening a communication between you and them, and you can accept things from them or they can push things to you. [AUDIO GLITCH], our avatar into sandboxes, and, in the sandboxes in Second Life, we watch what they’re doing and what they’re building and what they’re making, to try to get insight into what they’re doing. The big danger is the code. That when you’re in this Virtual World, and you accept an MP3 from someone in these Virtual Worlds or in these social working sites, we with MP3Stego--MP3Stego, it’s _____ triplets out there; go look it up--you can load things in MP3’s, and the MP3 still plays the music. So why not, if I’m targeting you, offer you a free MP3 of Biance’s new song? And don’t tell anyone that I gave it to you because it’s copyrighted music. You’re not going to tell Mom and Dad that you took that MP3 and loaded it into the system, but that’s actually bringing malware into the system. And, if I can’t get you electronically, maybe I just hand out free music at the bus stop where I know your kid is, and that’s how I’ll get into your system. ROBERT BLOOMFIELD: It looks like Dusan Writer, through our web audience chat has, you know, he--my advice on all this is to do what I do: Make your life so boring that no one wants to steal any of your identity or know anything about you. It seems to me that a lot of what you’re saying--I mean, to some extent, there’s just some common sense here, but some of it also sounds like basically if you want to have any sort of public profile, you’d be putting yourself at risk. How do you balance trying to remain secure and protected, while still having a [AUDIO GLITCH]? ROBERT YOUNG: You have a bit of a risk [acceptance?]. You have to assess the risk and accept it. If you’re going to put your face out there, you’re going to put your images out there, we build a fake email address for every one of our avatars, that only that email address is used with it. So you kind of build, like you said, that common sense. And you don’t put personal pictures of yourself out there, of your kids and stuff. The issue is, I still want you to go into Second Life. I want you to do these things, but I want you to be aware of the dangers that are out there. Because many times people that jump into computers, like my mom is 65, she doesn’t understand when someone IM’s her and that they can actually push code to her and actually take her system out.
  10. 10. And we all have bank accounts, right? We all are using online banking. And there’s a tool called SSL split that you need to look at about “man in the middle” attacks, with SSL. We think that we’re secure when we log onto our online banking. Well, go look into that tool, and you’ll see that we’re not so secure. I want everyone to know that, “Hey, you need to be aware of yourself.” There needs to be this my own checklist, to make sure that I’m ready to go into Second Life, what I’m ready to put out there and that risk acceptance because any time you put yourself out there, there’s going to be some risk, as Paulette will tell you. But it depends, if someone is in these Virtual Worlds actually portraying themselves as something they are not, a terrorist or something, trying to find out about Sergeant Snuffy’s deployment to Afghanistan or Iraq, now we’re talking about Real World operation security, OpSec. So that’s that I have. It’s like what are you using it for? What [AUDIO GLITCH] people you are? Are you doing inappropriate things that could be used maybe to blackmail you? And, really, it’s more like your digital presence, are you ready to jump headfirst in this pool? Or do you just dip your toes in, see how it is and not put everything out there? A good example is, my niece had her prom this weekend, and all of a sudden, on Facebook, all of her pictures are out there. And I showed her how you can get that [AUDIO GLITCH] those pictures by copying them and downloading them. So these are the big things. It’s just awareness. I really do want you to go into Virtual Worlds. I don’t want to be the security guy that stifles everybody and say, “No, don’t do it. Just go into your house, and sit in a dark closet, and you’ll be safe.” ROBERT BLOOMFIELD: And, Paulette, in light of all of these issues, how is this coloring not just what agencies are doing in Virtual Worlds, but how you make the pitch and just sort of comfort to agencies that are just starting to explore it, that this is a reasonable thing to do and the risks that it carries are appropriate? PAULETTE ROBINSON: I think it’s what you want a Virtual World to do for you, so it’s really deciding what type of outcome you want and how you want to use it and then sitting down and having a discussion about what the risk is and how to mitigate the risk. So for most agencies that want to do information delivery to the public and be public facing, Second Life has become probably the predominant Virtual World that they’re using. So we have created an IRM college-government center in Second Life, where anyone in the government can use this center free for meetings and for streaming conferences, that type of thing. They’re not doing the business of government particularly in there, but they are meeting more informally across agencies and having conference meetings. Like MuniGov just had a meeting there. We streamed our entire conference, that type of thing. So I think there are ways that government’s using it. The Air Force’s pilot--they’ve done rapid prototyping in there. So if I want to look at something very quickly, as long as it’s not classified, there’s interesting ways to get public opinion on government buildings, on certain types of initiatives I think you could get some interesting input. Public diplomacy: The State Department uses it. William [May?], over at the State Department, is doing interesting things. NASA’s got some real cool stuff. Eric’s in the back, Eric Hackathorn from NOAA. He’s done some interesting work for the public, to just use it as an educational mechanism, so I think that works really well. They don’t do it off of government networks unless special arrangements have been made with their CIO or they work from home. So they just try to make it work for them. ROBERT BLOOMFIELD: I actually see Eric chatting away in the audience. Hi, Eric. A couple things: First a shout out. I really liked Eric’s--he had a poster at the Consortium conference at Fort McNair about the “goverati,” like the literati, but the people who know about government, which I do view as an incredibly helpful resource, because just dealing with policy and government types for a couple days made me realize I really don’t
  11. 11. understand sort of the intricacies of how things get done within and between agencies. And then the other thing, I wanted to ask you to respond to something that Eric is saying in chat, which is, he says, “Rather than getting caught up in the details, it’s really a change in philosophy and orientation trying to be more open. It’s a cultural shift to openness,” he says, “that we need to support.” And so one question, Paulette, I have for you is: The Obama Administration has certainly been vocal about wanting transparency. Do you see that in action, and do you think it’s going to translate into funding and formal support for these sort of public Virtual World projects? PAULETTE ROBINSON: I think, from my observation, this year our conference was different in that people were ready to invest money in Virtual Worlds and what they could be used for, for a variety of reasons: education and training, analytical workspaces, a variety of things. In the past, I think there has been a reluctance to use them simply because there was a worry about what type of information can be made public and what couldn’t be made public. With Obama coming into office and his Administration, because they’ve used social media and software and communication, they’re encouraging people in the government to find ways to use it. And one of the things we’re all grappling with is secure ways to use that, where we protect the citizens’ data, but also get input from the citizens. So what Virtual Worlds are going to offer for the citizen in transparency, I think, at the first level, we have to find a way to secure it to do government work. But the next stages of this is really going to be outward facing Virtual Worlds that are secure, that we can bring citizens in to do the business of government and also to help inform the public. So I think it’s going to be a mixture of Wikis and blogs and Virtual Worlds and ways to communicate with the public. And now that there’s more of a willingness to entertain this, I’ve seen money starting to be put toward those efforts. ROBERT BLOOMFIELD: I don’t want to put you too much on the spot, but when you talk about money, can you give us a sense of what you think the funding might be over the next year or two? I know you’ve been working a lot with training in and between federal agencies. Can you give us a sense of how many users you think might get involved in Virtual Worlds through the government? PAULETTE ROBINSON: One of the issues are is making sure it’s a secure environment, that we don’t risk-- where there isn’t any network risk to the agency and to the data that we are responsible for. So once this is put in place, I think, for example, there’s interest in building IT security course for the government. We’re all required in the government to take a basic IT security on what phishing is and what spam is and what to avoid and what to work on. And so every agency pretty much is developing their own. And, quite frankly, they’re pretty boring. They’re just really pretty boring. So one of the possibilities is creating IT security that’s interesting and interactive in a Virtual World and then making it available to the entire government so we get economies of scale. So once that happens, you’ll have thousands of people in these Virtual Worlds. So I think you’re going to start seeing that kind of process happening. We have ethics training that all of us are required to take, and that too is pretty boring. So when that becomes possible in a Virtual World, where it’s interactive and more interesting, I think you’re going to see everybody want to come onboard. So we’re going to have economies of scale, in terms of different kinds of use cases. We’re creating a community of practice for the chief financial officer community in Virtual Worlds so they’ll have a knowledge base and be able to work together on complex problems. But it’ll be in a secure place. ROBERT BLOOMFIELD: If everyone in the government is going to need some sort of cybersecurity training
  12. 12. and they’re finding it more interesting to do this in Virtual Worlds, I mean you’re probably then talking tens, hundreds of thousands of people coming into Virtual Worlds to do that. PAULETTE ROBINSON: That’s correct. ROBERT BLOOMFIELD: Okay. ROBERT YOUNG: I would agree with Paulette wholeheartedly because the training right now is really boring for information security. And, if you could make it interactive, to have someone walk into an environment and see laptops secure; it’s the other things. And I think Paulette’s totally correct about using the Virtual Worlds for training. We’re using it for biological and other explosions, what can happen in this environment, what happens when you have a nuclear biological incident. And we’re using it for training of soldiers. As they’re going into these cityscapes, they can actually figure things out, do assessments. So for training and education, I think it’s wonderful, and it’s a great way to--behind the firewall we can actually set up an environment that’s secure and use it, and, as Paulette has said, as we do shares between the agencies and the CIOs, maybe it’s going to be an intranet between the and the so we can do it securely and work together. I think you’ll see a major explosion, like she said, economy of scale. If I can use the ethics training throughout the entire federal government, then we’d all be able to do the same exact thing. But it’s going to be that question of getting it somewhere where it’s secure, where I can’t hack into it in the middle of your ethics training, something unethical occurs because I made it happen. ROBERT BLOOMFIELD: Paulette, we have a question from Fleep Tuque, Chris Collins, from the state of Ohio, “For academic institutions who want to collaborate with government on Virtual Worlds research, what office is the best place to contact and look for more information?” PAULETTE ROBINSON: At the moment, my group’s become sort of the hub for federal government and doing work in Virtual Worlds. One of the reasons we have academics in the Federal Consortium is because we believe that they provide an interesting venue for research and helping us reflect on what’s best practices. There are a variety of agencies doing work with universities. Our particular--our instance in Second Life was created by a university, and we’ve gotten a couple of papers. I’m co-editing a special issue of the Journal for Virtual Worlds Research, where we’re going to be accepting some research papers, but also some project type of papers. If somebody’s interested, they can contact me. Some of the federal government projects are looking for research partners as well, so they can join the Consortium in our Wiki and asks those kinds of questions in the Wiki. ROBERT BLOOMFIELD: Okay. Great. We’re coming toward the end of our hour. Rocky, I don’t know how much you can talk about this, but I’d love to hear a little bit more about your lab at the college and how you’re using it to learn more about the security of Virtual Worlds. Can you give us a sense of what goes on in that lab? ROBERT YOUNG: Sure. Actually, we’re looking into many of the Virtual Worlds, including Second Life,, some of the other PlayStation Virtual Worlds. And what we do is, we go in with our avatar, Betwinda, and we actually go in and try to get people to hack us, and we try to capture what happens, look at the code, evaluate it. And just ten [minutes?] ago, we released students here. We actually reviewed the dangers of Virtual Worlds, what’s out there, so they’re aware of the Virtual World, and, like you said, we actually told them what a Virtual World was. They didn’t know. So we brought them into the lab, but we do not feel safe enough to let students venture into Second Life alone because I cannot control the content. We went into a couple places. We did go to IRMC, which is a protected island. We have our own island that Paulette manages and runs and took
  13. 13. them there to show them what was going on. But then we took them out in the wild and showed that, within like three to five seconds, people were actually already offering up tools. And I said, “Now we could look at this and see what’s actually in this code and try to figure out what it is. But when you accept something, hopefully, you’ll see a message that you accept it.” That’s what we’re trying to show them. Was it a route kit that was passed to you? Was it just a piece of digital clothing? Or was it just a sound or an action? And that’s a big thing is, don’t be hyper-paranoid, but also be aware that, when you accept something, it’s no different than expecting something that someone’s baked for you. If you don’t know who it is, you’re not going to accept something that you don’t know what it is and eat it. So we just tell [AUDIO GLITCH] take a bit of a chance. But we are using Second Life and a bunch of the other Virtual Worlds. Forterra is going to give us one World that we can actually put behind the firewall and bring students in securely. We also have a World of Warcraft, like a Virtual World, that we’re bringing students in to show them a little more fun. Because we don’t want security to not be fun. We really enjoy it. So we bring them into World of Warcraft and show them, like on eBay how you can buy gold levels and how you can buy different levels and how there is an entire market out there of cyber crime going on in some of these Virtual Worlds. So it’s kind of an awareness thing for them and also to know, if their kids are out there, you need to keep an eye on what they’re doing in Virtual Worlds, and if they’re using the same systems that you’re using for banking and for your tax returns and for all your private pictures, you may be actually loading route kits and other things, unknowingly, to them, of course, but unknowingly be loading malware or a home system that you use for everyday use. In the laboratory, all of our systems are scrubbed. We use virtual machines. We bring up a virtual machine. We launch into the Virtual World, and then we have a bit of protection between us and the actual clients of a relationship. ROBERT BLOOMFIELD: We have a member of the audience, Al Supercharge, who feels quite confident that the Second Life viewer cannot install a route kit. Do you want to respond to that? ROBERT YOUNG: Sure. I would need to know who he was before I starting telling him exactly how we know what it can do, and then we could exchange credentials, and then I would tell him how it did it. Because that’s the big thing is, when your adversary’s using new tools against you, you don’t run out and say, “Hey, we found this neat thing. We know it,” because we want to do the same exact thing to them. We want to watch what they’re doing, to see how they’re using the tool against us. You don’t put all your cards on the table. When someone’s using a tool against you, you watch what the tool’s doing. That’s the same thing we do. We get it into a network. We load what we need. We put a back door, and we observe and find out what we’re going to do. My thing is now the kids are being hacked, actually the young children, because their Social Security numbers are still clean and so are their bank accounts because they haven’t had them yet. So now you need to look at your kids are being the targets, not you. Your Social Number’s already out there. A bot collected it years ago. And your credit card numbers are already out there. But your kids are new clean accounts that are being collected and kept. ROBERT BLOOMFIELD: Interesting. So time for one more question for each of you, and I don’t know, Rocky, if you can answer this, but you used the words, “if you’re doing it to us, we want to try it on you.” Sonja Strom has a question, “Does the U.S. government use Virtual Worlds to gather information about people? And what’s going on in other countries?” And I guess I’m wondering more generally: Is your role looking at cybersecurity at all more offensive than simply defensive? ROBERT YOUNG: I can’t really answer that question because, remember, I teach at the National Defense
  14. 14. University. I’m in Information Assurance. I’m a professional. I have credentials and all that. I would never do anything illegal in the Virtual Worlds. What we do is watch, but the question that you asked is perfect. Wouldn’t you do that exactly if on your adversary, if you were a government and you knew things were being done to you? Would you not do the same thing and watch on the other side? If you don’t know your enemy and you don’t know how to defend against the attacks that are happening to your network, how could you ever possibly defend? If you don’t know what the heck they’re doing, how could you defend? That’s like trying to screw a light bulb in. If you’ve never see a light bulb, how can you possibly know how to screw it in? ROBERT BLOOMFIELD: Okay. Thank you. And, Paulette, my last question for you, and we talked about this a little in the pre-interview, is, I’ve been dealing with Virtual Worlds, it started out as a small part, just sort of a sideline of the research and teaching that I was doing and over the last couple years has grown like kudzu or bamboo, and it really establishes a foothold. I’m wondering, for you personally as an assistant dean at NDU, and NDU more generally as an organization that is doing inter-agency training, how do you see Virtual Worlds taking hold? Again, in your personal life and in the college as a whole. PAULETTE ROBINSON: Well, in my personal life, I find Virtual Worlds one of the most exciting places. I am also sitting for teaching, learning and technology so I’m responsible for appropriately integrating technology into our courses in ways that help to facilitate students learning. I think Virtual Worlds are incredibly interesting, in terms of from an instructional design point of view and engaging students. I think it’s incredibly interesting, in terms of using technology for analytical workspaces and doing our work in the future. So I find myself more and more involved in Virtual Worlds. I personally believe that Virtual Worlds will be the interface for the web, and it’s not going to be that far down the road. And I think it’s a responsibility for me and others and the government, as well anyplace else, particularly the government, to not let this happen to us, that we really can interact with the citizens in ways where we can meet them, where they gather information. It’s taken over--I like the kudzu metaphor--it’s really taken over a life of its own in my life because I value and am committed to it. And so I am like a cheerleader. I’ve been cheering away, and the band’s been following along. ROBERT BLOOMFIELD: Well, go, team, go! And we’re glad to have you. The only thing is, that makes it sounds like you’re on the sidelines when actually I think you’ve taken the ball and started running with it. PAULETTE ROBINSON: That’s pretty much what I’ve done. ROBERT BLOOMFIELD: Thanks so much to both of you for coming on, and I look forward to having you come on again in another year and tell us where you are then. PAULETTE ROBINSON: It’s been a pleasure. ROBERT YOUNG: Thanks so much. ROBERT BLOOMFIELD: Thank you. Okay, now it’s time for my regular closing comment, Connecting The Dots. And today the dots I want to connect are the ones that define the outer boundaries of Metanomics. Our challenge is to define those boundaries broadly enough that we can remain an influential voice for our community, people who are taking Virtual Worlds seriously, as that community grows, as the technology grows and as it, like kudzu, starts taking over more and more aspects of not just technology, but of our work and social lives. On the other hand, we still need to be narrow enough that we’re not attempting to be all things to all people
  15. 15. or, even worse, trying to become experts in everything. There are countless podcasts and webcasts about the internet as a whole, but I’m proud to say there’s still only one Metanomics, and we want to keep that position as a leading voice in this growing industry. The heart of Metanomics remains, I think, as I defined it back in September of 2007: business and policy in the so-called Metaverse of Virtual Worlds. What is a Virtual World? Every conference I have attended and Paulette, as well, includes a heated debated on the definition of a Virtual World. Does it need three dimensions? Does it need avatars? Does it have to have commerce? Are games Virtual Worlds, or are they something different? These debates are more of a blessing than a curse for Metanomics, and I take, personally, a very broad perspective on this. As long as someone has a reasonable justification for calling a platform a Virtual World, Metanomics is going to be there to take a good look at it, try to understand who’s taking it seriously and what they are getting out of it. But it’s more than just defining Virtual Worlds. We also need to decide when we should be spending time on the business and policy of the internet as a whole, as we did earlier today with the Cybersecurity Act, and, more generally, looking broadly at social movements that might be affected by technology. As I mentioned at the top of the hour, just about every enterprise and consumer relies on the internet, but none quite so much as those of us who are exploring Virtual Worlds. To us, and especially to people who have immersed themselves in Worlds like Second life, the internet is an ocean we call home. So we won’t be covering just any internet technology. We’re going to continue to view this ocean through the lens of our particular school of fish. So for example, for many users of Virtual Worlds, social networking sites, like Twitter, Plurk and Facebook, are really just an integral component of their businesses and their personal lives. And we can’t understand how these people are taking Virtual Worlds seriously, without understanding how they’re using these new technologies. From today’s conversation with Paulette and Rocky, you can see that there are a variety of cybersecurity issues that are of particular interest to Virtual World users, and we’re going to continue taking a close look at the practices and policies that can protect us from tropical storms and determined sharks. And, finally, we’ll be casting our policy net more broadly than that. We can’t understand the business case for Virtual Worlds, without understanding, for example, the recent energy bill, which may make carbon emissions far more costly than they are now. Whether that’s a boon for Virtual Worlds is, I think, a more open question than many Virtual World users seem to think. Sure, traveling is expensive, but Virtual Worlds have their own carbon footprint, and I don’t think we yet have a good handle on just how big those feet are. So this is going to be an exciting season for Metanomics as we grow into the new resources Remedy Communications is bringing to bear. So I invite you all to come on in. The water’s fine. That’s all we have for this week. Join us next week when we take a look at some legal issues, with James Gatto, of Pillsbury law firm. We’re going to look at topics, including current patent battles. Some of you may know of the, a battle going with NC Soft. We’re going to talk about terms of service, intellectual property rights, protections for children. And relevant to what we’ve discussed today, the legal liability that Virtual World developers, as well as users, might face due to breaches of security and other failures. Thanks to all of our staff members and volunteers who help us pull this off every week. This is Robert Bloomfield signing off. Take care. And, we’ll see you all next Wednesday.