WikiLeaks Backlash: 'We Are Going to Take You Down'
Hemu Nigam, ex-CSO at MySpace, on Security and Privacy in the Social Media Age
From the exposure of private documents to the public's right to know, the WikiLeaks drama has raised a host of issues about security and privacy in the social media age.
And the three keys to maintaining security and privacy, Nigam says, are technology, training ... and teeth in organizations' policies and regulations.
"When you have something like this happen," Nigam says, referring both to the WikiLeaks exposures and subsequent backlash against organizations deemed "unfriendly" to Assange, "you have to send a very quick, strong message that you care, and that you're willing to take action - law enforcement or filing a lawsuit."
In an interview, Nigam, former CSO at MySpace and News Corp, discusses:
- The WikiLeaks backlash;
- The greatest threats to security and privacy in social media;
- Key tenets of social media policies for organizations.
From 2006 to 2010, Hemu was Chief Security Officer for News Corporation's numerous online properties, responsible for the company's strategy and vision and for protecting the personal information of over 200 million users around the world. He has been credited with making MySpace safe and secure after launching initiatives including Sentinel SAFE, technology to identify and remove criminals. He also introduced strong incident response programs for viruses, worms, and phishing.
Hemu recently worked with Harvard University's Berkman Center for Internet & Society and the State Attorneys General to develop widely-used online safety standards. He currently serves as co-chair of President Obama's Online Safety Technology Working Group and on the board of the National Center for Missing and Exploited Children.
TOM FIELD: To start out, why don't you tell us a little bit about yourself and what's now your former role with News Corp and MySpace, as well as the work that you are doing today in this field.
HEMANSHU NIGAM: Absolutely. I actually started off as a line prosecutor in the Los Angeles County District Attorney's office, where I ended up specializing in child exploitation, rape crimes, child abuse, which led me to the Justice Department as one of their first internet predator prosecutors. I was focused on internet child pornography, internet predators, trafficking women and children from around the world into the United States, and then moved into the computer crime section, where I taught and also handled service attacks, virus attacks. Then I eventually went to the Motion Picture Association to help them build their first-ever worldwide internet enforcement department against movie piracy online. Then from there I went up to Microsoft in Seattle and helped with creating a business strategy around security, around safety, and around child safety issues, which actually is what resulted in my ending up at MySpace as one of the first Chief Security Officers when the issues surrounding safety, security and privacy were brewing. Then eventually I was elevated into News Corp in the same type of position, but handling this for all the digital property that they own.
Information Security Threats
FIELD: Well, a broad question for you, Hemu, which is when you talk about news and media and especially social media, what have you found to be the biggest information security challenges for these organizations in terms of protecting staff as well as clients or customers or members?
NIGAM: I think you are actually going to be surprised by my answer, because I think most of the time when I hear that question asked I often hear people respond with, "It's the technical this or the technical that." I think the greatest challenge facing any company that is trying to protect information is people, and it's people in the sense that they're behaving in a way that puts their company assets at risk or puts their personal assets at risk. And by assets I mean data, whether it's personal information, it's trade secrets, it's copyrighted information. It's the way people behave when they are surfing or they're downloading some new thing that they found, or they are sharing a file. All the different actions they're taking, if they are not conscious of the security risk that they are engaging in, that is probably the biggest danger.
The second biggest danger is the lack of updating. This is the technical side and the IT groups that manage data and protection of data where -- I don't know if you remember the last time you did this, but I can guarantee you've done this before, Tom. You've got something on your computer that says there is a security update please update now or install now, or the next button is remind me later. What do you do? You can say; you can admit it. You hit "remind me later," and that is another way of saying "I know there is a hole in my computer. The hacker obviously knows, otherwise there would be no update needed, and I'm going to leave that hole or door open for that person or group to come in and do whatever they want." That is true in the organization structures, and it is also true in home computers.
WikiLeaks Lessons
FIELD: Hemu, one of the stories that we've been watching this week has been the aftermath of the WikiLeaks disclosures, where the supporters have been coming out and launching attacks against sites such as PayPal, Twitter, MasterCard. As someone who has worked at a prominent social media site, how do you secure such a public site from an external attack such as what we've seen this week?
NIGAM: I've got to tell you, the WikiLeaks thing, what you're seeing is in essence the cyber messiah. I mean that is what Julian Assange has become, and his followers are in essence saying, "You turn your back on our messiah; we're going to take you down." So whether you are Visa or you are some smaller site, it behooves you to engage immediately in what I call "layered security." It is a holistic approach to security, safety and privacy. What that means is start with an assessment. Assess everything that you have. Figure out what is secure or not, and you're going to probably have to bring in an outside party. My company does this, for example. We go into different companies and clients and look at what is already there and what is not there. Once you figure out where the gaps are, start implementing the solutions. That is the first step.
The second is plan for a crisis. It is such a shock to companies when a crisis occurs and they don't know what step one is supposed to be. Do I call legal? Do I call the PR folks? Do I call the IT guy who is in charge at 2 a.m.? Who am I supposed to call? And by the time those decisions are made, the attack continues and, for example on MasterCard, the site goes down. The reality is many of these plans, when you implement them, and having put plans in place, it's surprising to see how much there is a lack of awareness around this.
Then finally, raise the awareness at the executive level as well as the employee level. The more people have a stake in the game and they realize if you don't engage in these things in the way that you are being trained to, it can cause damage to your company, to your assets, and at the end of the day that means to your own paycheck. Then people care.
FIELD: Now one of the issues, the issue at the core of the WikiLeaks, is privacy. There are documents and conversations that people thought were going to be private which have been made public. How does one go about ensuring users' privacy as you've had to do at MySpace and elsewhere?
NIGAM: I think it is an approach that takes many facets, but the first is technology. If you build technological solutions on the back-end that will say, well, let's trigger an alert when some anomalous behavior, for example, happens. That is a great example of where tech engineers and support operations can come in and say something funny is going on in this account, let's take a look, or let's limit access to this particular area because that person shouldn't have access to a. They should only have access to b. Then giving the users themselves tools to use to protect their own privacy. That can be something like controlling what parts of your site you want to keep private. When you think that somebody is engaging in a way that you don't agree with, you have the ability to block them and to report them.
The second facet is education. You can build the greatest solutions like these, but if people are not educated on what to do, how to do it, then they are going to fail in the end. So educating your user base on what it means, how to behave more properly, and when they do it on your site they just become a better internet citizen because they'll do it in other places as well. So that actually helps the entire community.
The third is partnering. You may not be an expert in safety, security or privacy, but there are plenty of experts out there. And whether they are paid consultants like myself, or they are non-profit organizations, or advocacy groups, it's in your own best interest and your users' best interest to start partnering with them. Bring them in and say, can you help me out here and you will be surprised at how many people are willing to help you.
Finally, it's enforcement. When you have something like this happen, you have to send a very quick very strong message that you care and that you're willing to take action. That means action, whether it's referring to law enforcement or filing a lawsuit. Looking at the government right now, the leak that has happened, there is a soldier in a bunker, but there are also thousands and thousands and thousands of documents that are out there, and I would expect if you want to really send a message on not to have this happen in the future, the government should start lining up individuals saying "you're responsible, you are, you are, you are, and we're going to prosecute." Until that day comes, I think people are going to be inclined to feel as though it is okay or they can get away with it because hey, nobody really gets prosecuted.
Social Media Risks
FIELD: So we've seen social media explode over the past few years, and threats to people that participate in social media. From your perspective, what do you see as the greatest threats to privacy and security of individuals and organizations in social media?
NIGAM: I am, and I'm laughing to myself a little, because I actually look at this from the perspective, like we had talked about before, of people. I think the greatest threat is the lack of understanding in human beings who go online, who treat the online world as a different place than the physical world. What I mean by that is this: The social media space has in essence created a mirror image of what exists in your physical world, in a town when it is a smaller site. In a city when it is bigger, a country when it's larger, a whole continent like Facebook, for example, has over 550 million users per month around the world. That has gone large -- it is almost twice the size of the United States at this point. Given that, you have the same types of issues you will have in the physical world in the online space. Until people who are using it online recognize that, they may treat it differently. They may say, "Well, you know what? I can post this photo of me with just this thong or nothing on; who is going to see it?" But if you asked them to take that same photo and stick it on a billboard in Times Square, the reaction would be "Oh my God, why would I do something like that?" And yet, that is what they are doing online. So I think educating individuals to understand that they really are one and the same, that the assessments that you use in the physical world apply just as well in the online world, then they will go much further, and that is how you would have to deal with these threats.
FIELD: Hemu, where do you see the greatest value of social networking sites such as MySpace and others, particularly for corporations?
NIGAM: I think a lot of it -- and this is for corporations as well as just the sites like Facebook and MySpace -- it's the power and ability social media gives you to reach people and connect directly. So if you're a brand, if you're a brand for example like, let's take a sport, Adidas. You are a brand like Adidas, you can connect directly using the power of social media with your consumer, engage in conversation, and get a loyal following that you may not be able to do just by television advertisements. That is one area.
The other is philanthropy. There are so many groups that are non-profits, who now have the ability to reach and raise awareness about their cause around the world, which they didn't have before because they would have to go to door knocking door by door by door. That is another.
The third is the ability to do good. For example, you can set up mechanisms where you're highlighting if there is somebody who say is being suicidal online; you give the user who sees that the ability to report it. On the back end you have the support team who can call the police right away, call the National Suicide Prevention Lifeline right away and get that person taken care of. You can create amber alerts that go from the physical highway sign to the online place where a lot of people may actually have information to provide. So there are lots of abilities to do good in society whether it's philanthropy, helping somebody in a time of crisis, or on the brand side, reaching consumers.
Social Media Policy
FIELD: One of the things that we hear an awful lot about today is the necessity for a social media policy for employees. I'm curious, when you were at MySpace, did you have a social media policy for your staff?
NIGAM: I can't talk as a spokesperson for MySpace, but in general what I can tell you is that companies who are, even if they're not a social media company, if you at all have any inclination of allowing internet access in your company networks, then you need to have a social media policy. I say that, because your users are going to use Facebook or MySpace or Twitter or all sorts of other sites out there in order, during work hours, to post something or comment on somebody's wall, and the question becomes are they allowed to do that? Number one, number two, what can or can they not say when they do speak? Do they have to speak on behalf of the company if it is done during working hours, or can they still do personal business? All sorts of these decisions have to be made. Every company is different. Every company has a different philosophy, which means every social media policy is going to be slightly tweaked one from the next.
FIELD: What would you say are the key tenets that have to be in a social media policy?
NIGAM: I think the most important one is to distinguish between what is allowed as a company. Number one, are you allowed to do it in the first place? Can an individual who's not technically "the authorized spokesperson" of a company go on a social media site and engage in that during working hours? If the answer is yes, we want our employees to feel like they can do things like that and it makes them more productive, then the second question is do they need to act in official capacity or personal capacity, even though it is happening during working hours? The third, I think, is what are the ramifications for violating, because until employees understand what can happen if you violate, not just to the company, but also to the individual employee, then enforcement becomes rather difficult.
FIELD: Final question for you, Hemu. For organizations looking to maximize their social networking opportunities, what advice would you offer to them?
NIGAM: I would say the first thing that you have to do before you even get into a social networking opportunity is focus first on laying a foundation of safety, security, and privacy. Think these issues through. Figure out how you're going to implement the facets of each one, and do all of that before you start getting into social networking or social media engagement.