Metanomics is a weekly Web-based show on the serious uses of virtual worlds. This transcript is from a past show.
For this and other videos, visit us at http://metanomics.net.
METANOMICS: FEDERAL INTEREST AND SOCIAL SECURITY:
GOVERNMENT TAKES A SERIOUS LOOK AT VIRTUAL WORLDS
MAY 13, 2009
ANNOUNCER: Metanomics is brought to you by Remedy Communications and
Dusan Writer's Metaverse.
ROBERT BLOOMFIELD: Hi. I'm Robert Bloomfield, professor at Cornell University's
Johnson Graduate School of Management. Each week I have the honor of hosting a
discussion with the most insightful and the most influential people who are taking Virtual
Worlds seriously. We talk with the developers who are creating these fascinating new
platforms, the executives, entrepreneurs, educators, artists, government officials who are
putting these platforms to use. We talk with the researchers who are watching the whole
process unfold. And we talk with the government officials and policymakers who are taking a
very close look on how what happens in the Virtual World can affect our Real World society.
Now naturally, we hold our discussions about Virtual Worlds in Virtual Worlds. How else
could we find a very real place where a global community can convene, collaborate and
connect with one another? So our discussion is about to start. You can join us in any of our
live Virtual World studio audiences. You can join us live on the web. Welcome, because this
is Metanomics.
ANNOUNCER: Metanomics is filmed today in front of a live audience at our studios in
Second Life.
ROBERT BLOOMFIELD: Hi, and welcome again to Metanomics. Over a year ago,
Paulette Robinson, of National Defense University, appeared on Metanomics to talk about
her new initiative, the Federal Consortium for Virtual Worlds. She talked about the promise
Virtual Worlds held for federal agencies, but she also emphasized two challenges: the
government's lack of familiarity with this new technology and the government's strong and
understandable concern about cyber security. Today we'll be getting an update from
Paulette on how effectively her consortium has been able to address these challenges, and
we're also going to hear from Paulette's colleague at National Defense University,
Rocky Young, an expert in cyber security, who has recently been doing some very
interesting work examining the vulnerabilities of Virtual Worlds.
Thanks to all of you who are attending Metanomics today, including those who are viewing
live on the web. Please do join in with your comments and your questions.
ANNOUNCER: We are pleased to broadcast weekly to our event partners and to welcome
discussion. We use ChatBridge technology to allow viewers to comment during the show.
Metanomics is sponsored by the Johnson Graduate School of Management at Cornell
University and Immersive Workspaces. Welcome. This is Metanomics.
ROBERT BLOOMFIELD: Before we get to our main guests, we're going to take a few
minutes to pull back our usual focus on Virtual Worlds, to take a broader look at the state of
internet technology and policy. Just about every enterprise and every consumer relies on
the internet these days, but none quite so much as those who are exploring Virtual Worlds.
To us, the internet is an ocean we call home. Well, this season, we'll be doing a fair bit of
oceanography and [earth?] time forecasting. Today we're going to start in Washington, D.C.
because there are some major policy storms brewing there. To introduce us to the issues,
I'd like to welcome our new Washington correspondent, Sterling Wright, who will help us put
cyber security in the spotlight. Sterling, welcome to Metanomics.
STERLING WRIGHT: Hello, Robert. Thank you so much for having me.
ROBERT BLOOMFIELD: Yeah, my pleasure. I know you've been taking a close look at
S.773, the Cybersecurity Act of 2009, which was introduced on April 1st to the Senate
Committee on Commerce, Science and Transportation, by two moderate Senators,
Democrat John Rockefeller and Republican Olympia Snowe. As I understand it, the bill
draws heavily from a report by the Center for Strategic and International Studies, which
says, and this is a quote from their report from late 2008, "American's failure to protect
cyberspace is one of the most urgent national security problems facing the new
Administration that will take office in January 2009. It is a battle fought mainly in the
shadows. It is a battle we are losing." That sounds like pretty dramatic language. Are these
histrionics justified?
STERLING WRIGHT: Well, your delivery was certainly dramatic, Robert.
ROBERT BLOOMFIELD: I try.
STERLING WRIGHT: Well, let me tell you. In 2007, already the Departments of State,
Commerce, Homeland Security, the Defense Department, NASA and the National Defense
University suffered major intrusions by foreign entities. These were either foreign
intelligence services, militaries or criminal groups. Today the Department of Defense
computers are probed hundreds, if not thousands of times a day. The Department of State
said it has lost terabytes of information. The White House networks have been penetrated.
And intelligence sources claim that U.S. companies have lost billions in intellectual property.
These activities have continued to increase since then, so there's a great deal of motivation
in Washington for the U.S. to become much more robust in addressing these threats, and,
more importantly or at least as importantly, in raising the publicâs awareness of them.
There's a sense within the broader population, when we think of cyber threats, we tend to
think of identity theft or pedophilia or something like this, but there is an increasing need to
inform the public of the threats from foreign players who many feel are intent on
undermining the U.S. economy and its defenses. So here in Washington, we've heard terms
like "a cyber 9/11" or "a cyber tsunami" or "a cyber Katrina" used to describe the potential for
damage. Some are even referring to the threat from cyberspace as the soft underbelly of
national security.
ROBERT BLOOMFIELD: Okay. Those sound like pretty serious challenges that no doubt
call for some extraordinary measures. What do you see as some striking provisions in the
bill?
STERLING WRIGHT: Well, the bill is very sweeping in its initiatives. It calls for the
establishment of a Cabinet-level Cybersecurity Czar, who would be answerable to the
President. Although we have many of these czars being appointed now for various agencies
so that may not be the most pressing point. But what the bill also seeks to establish is
cybersecurity standards that would be mandated across all applicable government and
private networks. It would also confer new powers on the President and onto the Secretary
of Commerce.
ROBERT BLOOMFIELD: What are some of these powers? I understand--shutting down--
the President has some power to shut down internet traffic?
STERLING WRIGHT: Here's the problem: Some of the language in the bill is extremely
broad and open-ended, and this is causing a lot of concern among civil and digital rights
groups. The Electronic Frontier Foundation, for example, and the Center for Democracy in
Technology have both raised issues with some of the provisions. You're right, the Act calls
for the President to be given the power to shut down internet traffic in emergencies or to
disconnect any infrastructure systems or networks on the grounds of national security. And
the activists are concerned that the Act does not define these so-called emergencies.
Therefore, it is left solely up to the President to decide what merits pulling the plug. I don't
see as much of a problem with this. It is more analogous, in my mind, to the President
grounding all aircraft on 9/11, and I'm not sure that one could have defined the emergency
of 9/11 ahead of time, but this is, nevertheless, a concern for some.
I think more than the powers conferred upon the President, what seems to be disturbing
people is that the Secretary of Commerce would be given access to all, quote, "relevant
data concerning our critical networks," and this is the operable point, without, and I quote
again, "without regard to any provision of law, regulation, rule or policy restricting such
access." So the privacy advocates fear that this would allow the Commerce Secretary
unrestricted access to our private data. Others have even raised the specter of unrelated
illegal activity being inadvertently uncovered, and these fear that such evidence could be
used against a defendant, for example, thereby undermining his or her Constitutional
protection against unwarranted searches.
ROBERT BLOOMFIELD: Well, you mentioned a term in there "critical infrastructure system
or network." How is that defined?
STERLING WRIGHT: Typically, one would consider critical infrastructure as utilities,
transportation, public health, financial services, food distribution, this sort of thing. And I
think that, if language were inserted into the bill that simply or explicitly defined what
constitutes a critical infrastructure system, I think some of the opponents could be
assuaged. However, there are some who are arguing that the internet, as a whole,
constitutes our critical communication infrastructure, and these voices would like to see
limits defined in the Act, to assure that there are no loopholes left open which would allow
the government to reach into our private communications.
ROBERT BLOOMFIELD: And there are concerns about some user authentication
proposals as well?
STERLING WRIGHT: Yeah, there is a section that is proposing that user authentication be
studied, but at this point the bill only states that, within a year after its enactment, the
President or his or her designee, assuming his if this Act goes into effect shortly, that the
President shall review and report to Congress on the feasibility of an identity management
and an authentication program. Naturally, with the appropriate civil liberties and privacy
protections in place. And activists are concerned about this because although it is intended
to apply only to critical infrastructure, civil liberties groups fear that this will open the door to
anonymity on the internet as a whole being completely abolished and thereby threatening
not only privacy but also free speech.
ROBERT BLOOMFIELD: Parts of this really have a feel to me, as an accountant, of the
Sarbanes-Oxley Bill because this bill seems to be taking a lot of the power that is
traditionally held by private firms and placing it in government hands. So as I understand it,
the government would be overseeing private networks and mandating that government, not
industry, sets standards, attests to them and so on and so the comparison to
Sarbanes-Oxley. That was written in response to high-profile frauds like Enron and
WorldCom. And one of the most controversial parts was Section 404, which dealt with
internal controls. These have traditionally been viewed as a private matter for firms that
[AUDIO GLITCH] protecting themselves from employee misbehavior, but 404 basically said
you're not doing a good enough job, and it imposed a lot of high-cost requirements, saying,
basically, government was going to set the standards for internal control and require
auditors to attest to that. Would you make the same argument here that private firms have
every incentive to protect their security, and we should just leave the matter in their hands?
STERLING WRIGHT: Well, let me clarify. The Act, as it's currently written, would mandate
that, again, that the security standards are set for critical infrastructure. This would also
include software, and the government would be able to enforce those standards on all
developers and distributors and vendors. It would also legislate the sharing of security
information between the government and private entity. So I can understand that there
would be some concern over this from the private sector. Opponents argue that this could
stifle innovation, that if standardization of security were mandated across the board that the
systems would become less secure because only one protocol would have to be breached
by potential attackers.
But the fundamental issue at stake, I think, is that, among security and intelligence experts
in Washington, there is certainly the perception that the threat posed by cyber subversion is
a strategic issue that is on par with the proliferation of weapons of mass destruction and
global jihad. And it was these models of deterrence that were drawn upon in the CSIS study,
in order to craft recommendations for how the government should approach cybersecurity.
Certainly, the report's authors--again, the report, not the bill--feel that it is the government
which needs to be responsible for overseeing this space, and they do not feel that voluntary
actions, which are most likely what is preferred by private industry, would go far enough.
They also argued that the reliance on market forces to date have fallen short, and, as a
result, the U.S. has been left vulnerable. So it's possible that the open-ended broad,
sweeping language of this bill may simply serve to incentivize the private industry to move
more decisively on this front. There is certainly a concern against prescriptive mandates that
would inflate costs and stifle innovation or encroach on civil liberties.
ROBERT BLOOMFIELD: Okay. Well, I think we're going to have to leave it there as a
cliffhanger, as we wonder what's going to happen with this bill as it moves through, how
private industry is going to respond, especially the big corporate powers, not just tech, but
the industries. I'm sure the electric utility industry, for example, is going to have a lot to say
on this since they're certainly going to be viewed as critical infrastructure. And I'm glad to
know that you're going to be coming back to talk more about policy issues as the season
goes on. So thanks a lot, Sterling Wright, for talking with us about the Cybersecurity Bill.
STERLING WRIGHT: Delighted to be here, Robert. Thank you so much.
ROBERT BLOOMFIELD: Okay. I guess Sterling will be back next week when we discuss
some more policy issues. Next week we're going to have a legal expert on Virtual Worlds as
our main guest, James Gatto, of the Pillsbury law firm, a colleague of Ben Duranske for
those of you who know him. He's been on Metanomics a number of times, so I'm looking
forward to that.
Our main guests today are Paulette Robinson and Robert Rocky Young. Paulette is
assistant dean for teaching at the Information Resources Management College of National
Defense University. But, for our purposes, her most salient credential is that she has
organized the Federal Consortium for Virtual Worlds which supports federal government
employees and contractors that are interested in exploring the use of Virtual Worlds in
government. Robert Rocky Young is director of the National Defense University Information
Assurance Lab and teaches Information Assurance at the IRM College. So, Paulette,
Rocky, both of you, welcome to Metanomics.
ROBERT YOUNG: Oh, great. Thanks for having me. I apologize if my avatar's been down.
I'm at a conference, and I lost my WiFi.
ROBERT BLOOMFIELD: Okay. Well, I understand these things happen. And, Paulette,
welcome.
PAULETTE ROBINSON: Thank you very much.
ROBERT BLOOMFIELD: So before we get started, I'm sure both of you want to make
some kind of disclaimer that everything you say here is just your own opinion. It doesn't
represent an official position of your college or the federal government. Paulette, you have
anything to add to that disclaimer?
PAULETTE ROBINSON: No, that's pretty much right.
ROBERT BLOOMFIELD: Okay. Just wanted to make sure we did that. So now let's start
with you. You were on Metanomics way back in January of '08 so well over a year ago, and
NDU was just starting to build a presence in Second Life. The Federal Consortium for
Virtual Worlds had held, I believe, only one conference at that point. Can you give us an
update on how the Consortium has progressed since then? Growth and so on.
PAULETTE ROBINSON: Well, since I was last here, probably, we had a November
meeting in 2007, that had about 200 there and about 300 or 400 online. In April of 2008, we
had our first big meeting. It was a two-day conference, and we had on the campus almost
400, and we had online over 1,000 in Second Life. So it was interesting to see how many
people were there. We had vendors that came in and showed the different parts of what's
happening in Virtual Worlds. We had panels and--was represented, so it was really a very
enlightening kind of conference. There were over 1,000 people. We now have over 1,000
people in our database that are not only government but industry and academics because
all together is when we're going to make a difference. We have people from all the 12
Cabinet agencies, so we have a full complement of government represented at different
levels in the Consortium so it's really moved along.
[AUDIO GLITCH] projects this year at our conference, we had a government poster session
where we had over 30 government projects that were showing what they're doing in
different Virtual Worlds. We streamed out [six?] different Virtual Worlds and had over 1,000
that were attending. We're still taking the numbers so I can't give you exactly, online. So we
really had an interesting mix of people that joined us on our program.
ROBERT BLOOMFIELD: Well, I'll say I was there. I had a great time. It was incredibly
informative. Now last time when you were on the show, there was a question by
Malburns Writer, a fairly regular attendee of Metanomics, and, in response to his question,
you said the following: "If you talk to high-level administrators, you would think Second Life
is a foreign land. I think they're stunned." And so now I see you are actually nominated for
the 2009 Intergovernmental Solutions Award, and you're talking about the growth of the
Consortium. Is it safe to assume that high-level government administrators are more familiar
with Virtual Worlds and are more ready to take it seriously?
PAULETTE ROBINSON: I think they're more familiar with them. I know that one of the
Senate Subcommittees had met in Virtual Worlds, one of them from Commerce, so there is
more of an awareness. How seriously they take them, I think that's not across the board, but
several understand immediately. I think educators, training officers automatically see the
power of it. And now that we have a new Administration, I think there's also a renewed
interest of finding ways to collaborate and communicate online. So I think there's a renewed
interest in what Virtual Worlds can do. But there's still always the problem with security so
that has to be fixed before there's a real interest. Although, at every conference I go to, I ask
the audience, "So how many of your children are in Club Penguin or Webkinz?" And about a
third raise their hands, so I think some of these new administrators are becoming acquainted
with what a Virtual World is through their children or grandchildren.
ROBERT BLOOMFIELD: Yeah, I believe that. Now, on security, which you just mentioned,
I understand the U.S. Department of Agriculture, of all places, is providing a solution.
PAULETTE ROBINSON: Yes, we're working closely with the USDA and the CIO there to
create a trusted-source hosting solution that will be hosted at their data center in Kansas
City. We're using eAuthentication level 2 to ensure identity. So one of the problems is, who
is in the space? Are they who they say they are? The second problem is, for all these Virtual
Worlds, ports have to be open, and it depends on how many ports so the Enterprise
versions of Virtual Worlds--and this is not like Second Life in the public spaces which offer a
different kind of security problem. We would then be able to provide secure IP's that we
would ask CIOs to open to very specific IP's for these Virtual Worlds. That's still being
worked out with those as well as the USDA, but we do have the prototype up. We have a
couple of vendors that are integrating eAuthentication for this prototype, to see how it's
going to work.
So we have a lot of hope. There's many federal agencies that were at the conference that
are interested in investing in the next stage, to be able to do something that's multi-agency.
Enterprise versions work well behind the firewall within an agency so then you don't expose
yourself to the same issues that have to be solved with interagency dialogue, and that's
what I'm trying to work on. I want multiple agencies being able to talk to each other.
ROBERT BLOOMFIELD: You mentioned a couple. You said you're working with a couple
vendors, that's what ProtoSphere and Forterra?
PAULETTE ROBINSON: Yes.
ROBERT BLOOMFIELD: ProtonMedia and Forterra. How about Second Life for the trust
it's source-hosting?
PAULETTE ROBINSON: Well, Second Life has the unique problem of having ranges of
ports that have to be opened. So even though you would take it behind the firewall, unless
they get it down to a couple of ports, it would be extremely difficult to secure, or more
difficult, and it would be difficult to take CIOs from the governments and convince them to
open up ranges of ports. And I don't blame them. So an Enterprise solution really has to be
where they run over port 80 or only a few ports as a solution because of the need to protect
the network.
ROBERT BLOOMFIELD: Okay. Despite the fact that Second Life is working on their--I
guess it's code-named Nebraska, their behind the firewall solution, it still isn't going to work
for you?
PAULETTE ROBINSON: Well, not for a multi-agency. It probably would work well for
behind the firewall if it's just within an agency where they're not going out and opening up
ports. But nowadays, most of the government problems are really multi-agency based, so
unless you run like an internal chat tool in 3D or that kind of workspace or training space, it's
not going to solve the problems that we need in terms of a robust environment that has a
sense of presence that we can work in across the government.
ROBERT BLOOMFIELD: Okay. That was mostly focusing on the [behind?] firewall
trusted-source hosting. But there are a lot of federal agencies that are working on what I
understand government types call forward-facing projects, public relations, outreach, and
they want anyone to be able to go into the World. I know that there are a lot of these now in
Second Life: NOAA, NASA, Air Force, Team Orlando, which I actually had a great talk with
at the conference. So how are they dealing with the government security issues, while still
using Second Life in what's largely an unsecured environment?
PAULETTE ROBINSON: Well, they have to go either go home and work on them, or their
CIO has agreed, or their person that mitigates risk for them has set up an enclave off the
network that allows one or two stations to work on Second Life because that's part of their
job. But that's really rare. Most people that are working in Second Life, from their
government desktop, cannot do it from their government desktop. They have to go home, on
their home computer, and work on it because they also have to download a client, which, in
most federal agencies like any other corporate enterprise, they have a desktop image that is
regulated for security and for manageability and integration, so most of them work at home
or on their own private computers.
ROBERT BLOOMFIELD: Okay. Well, really distinguishes between the day job and the
moonlighting there, huh.
PAULETTE ROBINSON: Yeah. Probably not moonlighting. They just tele-work or find some
other way to do the work.
ROBERT BLOOMFIELD: Right. Now, Rocky, I'd like to bring you into the conversation. So
thanks so much for joining us. It sounded like you were saying you had a bit of wireless
problem. So I don't know what we'll be seeing on our screens, but we have you on your
Blackberry. Is that right?
ROBERT YOUNG: Yes, I'm on my Blackberry. I'm at the National 2009 OpSec Conference
down in San Antonio, where we're actually educating the people on cybersecurity down
here.
ROBERT BLOOMFIELD: Well, it won't be the first time we filmed an empty chair on
Metanomics. It's the content that drives everything. Your specialty is security, and I guess
first I'm wondering what do you see as being the primary risks of having federal agencies
using both the public Worlds and the private Worlds, the trusted-source hosting solutions?
What is the exposure that the federal agencies and the people who are doing this have?
ROBERT YOUNG: Well, you know that on security, we're always the "no" men. We're
never the "yes" men. We're always saying security. But I agree with Paulette that the
forward-facing and some of the things that you're talking about for doing some type of
publicity or something like the Air Force trying to bring people in, that's great. The issue is
that people are having to do it day to day. They're having to use Second Life, in their job,
and they're a federal employee, the recommendation that Paulette had said and what we've
built at _____ is an enclave. It's a specialized area that will not bring the problems from
Second Life and/or these Virtual Worlds onto our government systems which might be your
production government system doing your national war-fighter job or maybe doing IRS tax
returns; I'm not sure what your job may be.
And Paulette's agreement with the multi-agency, all of our problems are becoming multi
because we're so interconnected. Our networks have no boundaries anymore. So in order
for us to make sure that we don't have a [problem?] that say DOD brings in, it doesn't bleed
over to your EPA and your FAA and your DOT. Some of the agents are doing exactly what
you said. It's all bound to the software, the compliance and the server, and, as Paulette had
said, we have the HBSFO(?) [base?] security system in the Department of Defense. It's
actually locked down for a specific reason, to protect us to the best of its abilities again. And
[AUDIO GLITCH] people on these systems doing these things, and the issue is, we have
government people now, insiders, that actually are doing things that they're not supposed to
do. We know appropriate use of the network. We know appropriate function.
Our worry is that as they get into Second Life and these other 3D Virtual Worlds, that
sometime they forget that they're at work. They may accept something that they wouldn't
normally do in the other world. But it's all down to the software and evaluating the code and
evaluating what that server-client relationship, what it has allowed in and out. And as
Paulette said that the ports, what ports are we opening, and we watch them closely. Can we
monitor what's going on in this Virtual World? And the identity management looks huge for
Paulette and for everyone else. Am I talking to who I really think I'm talking to? Do you have
a federated ID or some way to say that, yes, you are indeed speaking to Dr. Rocky Young.
No one has taken over the avatar. No one is misrepresenting or social engineering you to
get information out of you.
There's so many ways to do social networking, and Paulette works through all of those at
IRMC. And I just want to be person who says, "I want you all to go into these Virtual Worlds
as security professionals, but I want you to understand the risks when you go into them and
accept that risk that something could happen." And, as long as you're aware and you accept
it, then you're standing there when they reference it so that E-9/11 and these other, you
know, the E-Pearl Harbor that may happen. We're not saying, "Gee whiz! We never thought
of this," or, "Gee whiz! I had no idea this could happen."
ROBERT BLOOMFIELD: I was at your talk in Washington, D.C., at Fort McNair, and you
said some fairly terrifying things about the use of Twitter and Skype and a lot of other things
that are kind of meat and potatoes to a lot of us who spend so much time collaborating by
distance. Could you clarify for us a little what you see as the risks of those tools? And then
is there something about Virtual Worlds that makes them more of a concern?
ROBERT YOUNG: The big issue with your Skype and your other tools, it's a voice of our
[PCHK technology?], and we can gather that, unless you're going to encrypt it. And
normally, for us to pass through the Virtual Worlds, you can't have as much encryption; it
slows things down. It causes problems. It depends on what you're doing in the Virtual World.
Say that you're my adversary, or I wanted to take your job or immerse you, and the biggest
thing is reputation. Your reputation can be destroyed in seconds in any online avenue. The
issue is, if I can gather all the conversations about you and you're doing something
inappropriate in a Virtual World, you're a government employee. I know who you are even
though you say you're someone else. I could actually use that to blackmail you.
And there are tools that we can use in the Virtual Worlds to build some bots to actually
gather all the traffic that's going on in the room, find all your movements, to record
everything you do, and I would blackmail you with it. Now if you put it on a different
[forums?], that I'm not talking to a government employee, you have to worry about your
family, your daughter. I have a ten-year-old daughter. The big issue is what is she doing in
that Virtual World? Who's following her? With Twitter, we can tell exactly where you are
because you're going to tell us in that 140 characters, "I'm here, I'm doing this. I'm here, I'm
doing that." It links back to your phone. It links through the Virtual Worlds. There are ways
for us to find out exactly where you are. So it's like we can do E-stalking if we want to. Now
that's not a big concern for me. I'm a 6'-5" [AUDIO GLITCH]. But for someone, like a
ten-year-old girl, for the E-bowling and things like that, Twitter and some of these other
technologies, they all combine in, and you get so much information about people.
On your cameras, you actually get [AUDIO GLITCH] data on every picture. So say you load
up a picture into Second Life, that you took of yourself. There can actually be GPS
coordinates in that data of that picture that will tell me where you live or where it was taken.
It can actually have information in the picture, and it's all under Digital Forensics, if your
listeners have an interest. In the information that goes with that camera, that photo, that
picture, I can find out GPS coordinates. I can find out with the WiFi access points where it
was loaded. And, if you're dumb enough to load in your email address or register it,
sometimes that is in the photograph information. For me, it's really awareness--
ROBERT BLOOMFIELD: So here we're not really talking about hacking. We're not talking
about who's trying to carve their way into your system, it's really just people unwittingly
giving away all the information that others might want.
ROBERT YOUNG: All that, yeah, for a social [aspect?], yes. Now, I didn't even delve into
the hacking. Every time you accept something from someone else in a Virtual World, which
we were just demo-ing Virtual Worlds to a bunch of students before I leave the room. Every
time you accept a piece of code from a [AUDIO GLITCH] accessing whatever they give you,
and you don't know what that piece will do. It may be making you dance. It may be making
you have butterfly wings, but you don't know what that tool or that piece of code really does.
Maybe it's actually installing a rootkit on your system at the same time that it's making you
dance. Maybe it's copying every one of your conversations or it's going in and looking for
your password file on your core drive. There are a lot of things that, when you accept
something in a Virtual World. I tell my daughter when someone says, "Knock, knock," in
Second Life or when we're in someplace, you do not say, "Who's there?" because you are
opening a communication between you and them, and you can accept things from them or
they can push things to you. [AUDIO GLITCH], our avatar into sandboxes, and, in the
sandboxes in Second Life, we watch what theyâre doing and what theyâre building and what
theyâre making, to try to get insight into what theyâre doing.
The big danger is the code. That when you're in this Virtual World, and you accept an MP3
from someone in these Virtual Worlds or in these social working sites, we with
MP3Stego--MP3Stego, it's _____ triplets out there; go look it up--you can load things in
MP3's, and the MP3 still plays the music. So why not, if I'm targeting you, offer you a free
MP3 of Beyoncé's new song? And don't tell anyone that I gave it to you because it's
copyrighted music. You're not going to tell Mom and Dad that you took that MP3 and loaded
it into the system, but that's actually bringing malware into the system. And, if I can't get you
electronically, maybe I just hand out free music at the bus stop where I know your kid is, and
that's how I'll get into your system.
ROBERT BLOOMFIELD: It looks like Dusan Writer, through our web audience chat has,
you know, he--my advice on all this is to do what I do: Make your life so boring that no one
wants to steal any of your identity or know anything about you. It seems to me that a lot of
what you're saying--I mean, to some extent, there's just some common sense here, but
some of it also sounds like basically if you want to have any sort of public profile, you'd be
putting yourself at risk. How do you balance trying to remain secure and protected, while still
having a [AUDIO GLITCH]?
ROBERT YOUNG: You have a bit of a risk [acceptance?]. You have to assess the risk and
accept it. If you're going to put your face out there, you're going to put your images out
there, we build a fake email address for every one of our avatars, that only that email
address is used with it. So you kind of build, like you said, that common sense. And you
don't put personal pictures of yourself out there, of your kids and stuff. The issue is, I still
want you to go into Second Life. I want you to do these things, but I want you to be aware of
the dangers that are out there. Because many times people that jump into computers, like
my mom is 65, she doesn't understand when someone IM's her and that they can actually
push code to her and actually take her system out.
And we all have bank accounts, right? We all are using online banking. And there's a tool
called SSL split that you need to look at about "man in the middle" attacks, with SSL. We
think that we're secure when we log onto our online banking. Well, go look into that tool, and
you'll see that we're not so secure. I want everyone to know that, "Hey, you need to be
aware of yourself." There needs to be this my own checklist, to make sure that I'm ready to
go into Second Life, what I'm ready to put out there and that risk acceptance because any
time you put yourself out there, there's going to be some risk, as Paulette will tell you. But it
depends, if someone is in these Virtual Worlds actually portraying themselves as something
they are not, a terrorist or something, trying to find out about Sergeant Snuffy's deployment
to Afghanistan or Iraq, now we're talking about Real World operation security, OpSec. So
that's that I have.
It's like what are you using it for? What [AUDIO GLITCH] people you are? Are you doing
inappropriate things that could be used maybe to blackmail you? And, really, it's more like
your digital presence, are you ready to jump headfirst in this pool? Or do you just dip your
toes in, see how it is and not put everything out there? A good example is, my niece had her
prom this weekend, and all of a sudden, on Facebook, all of her pictures are out there. And I
showed her how you can get that [AUDIO GLITCH] those pictures by copying them and
downloading them. So these are the big things. It's just awareness. I really do want you to
go into Virtual Worlds. I don't want to be the security guy that stifles everybody and say,
"No, don't do it. Just go into your house, and sit in a dark closet, and you'll be safe."
ROBERT BLOOMFIELD: And, Paulette, in light of all of these issues, how is this coloring
not just what agencies are doing in Virtual Worlds, but how you make the pitch and just sort
of comfort to agencies that are just starting to explore it, that this is a reasonable thing to do
and the risks that it carries are appropriate?
PAULETTE ROBINSON: I think it's what you want a Virtual World to do for you, so it's
really deciding what type of outcome you want and how you want to use it and then sitting
down and having a discussion about what the risk is and how to mitigate the risk. So for
most agencies that want to do information delivery to the public and be public facing,
Second Life has become probably the predominant Virtual World that they're using. So we
have created an IRM college-government center in Second Life, where anyone in the
government can use this center free for meetings and for streaming conferences, that type
of thing. They're not doing the business of government particularly in there, but they are
meeting more informally across agencies and having conference meetings. Like MuniGov
just had a meeting there. We streamed our entire conference, that type of thing.
So I think there are ways that government's using it. The Air Force's pilot--they've done
rapid prototyping in there. So if I want to look at something very quickly, as long as it's not
classified, there's interesting ways to get public opinion on government buildings, on certain
types of initiatives I think you could get some interesting input. Public diplomacy: The State
Department uses it. William [May?], over at the State Department, is doing interesting
things. NASA's got some real cool stuff. Eric's in the back, Eric Hackathorn from NOAA.
He's done some interesting work for the public, to just use it as an educational mechanism,
so I think that works really well. They don't do it off of government networks unless special
arrangements have been made with their CIO or they work from home. So they just try to
make it work for them.
ROBERT BLOOMFIELD: I actually see Eric chatting away in the audience. Hi, Eric. A
couple things: First a shout out. I really liked Eric's--he had a poster at the Consortium
conference at Fort McNair about the "goverati," like the literati, but the people who know
about government, which I do view as an incredibly helpful resource, because just dealing
with policy and government types for a couple days made me realize I really don't
understand sort of the intricacies of how things get done within and between agencies. And
then the other thing, I wanted to ask you to respond to something that Eric is saying in chat,
which is, he says, "Rather than getting caught up in the details, it's really a change in
philosophy and orientation trying to be more open. It's a cultural shift to openness," he says,
"that we need to support." And so one question, Paulette, I have for you is: The Obama
Administration has certainly been vocal about wanting transparency. Do you see that in
action, and do you think it's going to translate into funding and formal support for these sort
of public Virtual World projects?
PAULETTE ROBINSON: I think, from my observation, this year our conference was
different in that people were ready to invest money in Virtual Worlds and what they could be
used for, for a variety of reasons: education and training, analytical workspaces, a variety of
things. In the past, I think there has been a reluctance to use them simply because there
was a worry about what type of information can be made public and what couldn't be made
public.
With Obama coming into office and his Administration, because they've used social media
and software and communication, they're encouraging people in the government to find
ways to use it. And one of the things we're all grappling with is secure ways to use that,
where we protect the citizens' data, but also get input from the citizens. So what Virtual
Worlds are going to offer for the citizen in transparency, I think, at the first level, we have to
find a way to secure it to do government work.
But the next stages of this is really going to be outward facing Virtual Worlds that are
secure, that we can bring citizens in to do the business of government and also to help
inform the public. So I think it's going to be a mixture of Wikis and blogs and Virtual Worlds
and ways to communicate with the public. And now that there's more of a willingness to
entertain this, I've seen money starting to be put toward those efforts.
ROBERT BLOOMFIELD: I don't want to put you too much on the spot, but when you talk
about money, can you give us a sense of what you think the funding might be over the next
year or two? I know you've been working a lot with training in and between federal agencies.
Can you give us a sense of how many users you think might get involved in Virtual Worlds
through the government?
PAULETTE ROBINSON: One of the issues are is making sure it's a secure environment,
that we don't risk--where there isn't any network risk to the agency and to the data that we
are responsible for. So once this is put in place, I think, for example, there's interest in
building IT security course for the government. We're all required in the government to take
a basic IT security on what phishing is and what spam is and what to avoid and what to
work on. And so every agency pretty much is developing their own. And, quite frankly,
they're pretty boring. They're just really pretty boring. So one of the possibilities is creating
IT security that's interesting and interactive in a Virtual World and then making it available to
the entire government so we get economies of scale. So once that happens, you'll have
thousands of people in these Virtual Worlds. So I think you're going to start seeing that kind
of process happening.
We have ethics training that all of us are required to take, and that too is pretty boring. So
when that becomes possible in a Virtual World, where it's interactive and more interesting, I
think you're going to see everybody want to come onboard. So we're going to have
economies of scale, in terms of different kinds of use cases. We're creating a community of
practice for the chief financial officer community in Virtual Worlds so they'll have a
knowledge base and be able to work together on complex problems. But it'll be in a secure
place.
ROBERT BLOOMFIELD: If everyone in the government is going to need some sort of
cybersecurity training and they're finding it more interesting to do this in Virtual Worlds, I
mean you're probably then talking tens, hundreds of thousands of people coming into Virtual
Worlds to do that.
PAULETTE ROBINSON: That's correct.
ROBERT BLOOMFIELD: Okay.
ROBERT YOUNG: I would agree with Paulette wholeheartedly because the training right
now is really boring for information security. And, if you could make it interactive, to have
someone walk into an environment and see laptops secure; it's the other things. And I think
Paulette's totally correct about using the Virtual Worlds for training. We're using it for
biological and other explosions, what can happen in this environment, what happens when
you have a nuclear biological incident. And we're using it for training of soldiers. As they're
going into these cityscapes, they can actually figure things out, do assessments. So for
training and education, I think it's wonderful, and it's a great way to--behind the firewall we
can actually set up an environment that's secure and use it, and, as Paulette has said, as
we do shares between the agencies and the CIOs, maybe it's going to be an intranet
between the dot.gov and the dot.mil so we can do it securely and work together. I think
you'll see a major explosion, like she said, economy of scale. If I can use the ethics training
throughout the entire federal government, then we'd all be able to do the same exact thing.
But it's going to be that question of getting it somewhere where it's secure, where I can't
hack into it in the middle of your ethics training, something unethical occurs because I made
it happen.
ROBERT BLOOMFIELD: Paulette, we have a question from Fleep Tuque, Chris Collins,
from the state of Ohio, "For academic institutions who want to collaborate with government
on Virtual Worlds research, what office is the best place to contact and look for more
information?"
PAULETTE ROBINSON: At the moment, my group's become sort of the hub for federal
government and doing work in Virtual Worlds. One of the reasons we have academics in the
Federal Consortium is because we believe that they provide an interesting venue for
research and helping us reflect on what's best practices. There are a variety of agencies
doing work with universities. Our particular--our instance in Second Life was created by a
university, and we've gotten a couple of papers. I'm co-editing a special issue of the Journal
for Virtual Worlds Research, where we're going to be accepting some research papers, but
also some project type of papers. If somebody's interested, they can contact me. Some of
the federal government projects are looking for research partners as well, so they can join
the Consortium in our Wiki and ask those kinds of questions in the Wiki.
ROBERT BLOOMFIELD: Okay. Great. We're coming toward the end of our hour. Rocky, I
don't know how much you can talk about this, but I'd love to hear a little bit more about your
lab at the college and how you're using it to learn more about the security of Virtual Worlds.
Can you give us a sense of what goes on in that lab?
ROBERT YOUNG: Sure. Actually, we're looking into many of the Virtual Worlds, including
Second Life, There.com, some of the other PlayStation Virtual Worlds. And what we do is,
we go in with our avatar, Betwinda, and we actually go in and try to get people to hack us,
and we try to capture what happens, look at the code, evaluate it. And just ten [minutes?]
ago, we released students here. We actually reviewed the dangers of Virtual Worlds, what's
out there, so they're aware of the Virtual World, and, like you said, we actually told them
what a Virtual World was. They didn't know. So we brought them into the lab, but we do not
feel safe enough to let students venture into Second Life alone because I cannot control the
content. We went into a couple places. We did go to IRMC, which is a protected island. We
have our own island that Paulette manages and runs and took them there to show them
what was going on.
But then we took them out in the wild and showed that, within like three to five seconds,
people were actually already offering up tools. And I said, "Now we could look at this and
see what's actually in this code and try to figure out what it is. But when you accept
something, hopefully, you'll see a message that you accept it." That's what we're trying to
show them. Was it a rootkit that was passed to you? Was it just a piece of digital clothing?
Or was it just a sound or an action? And that's a big thing is, don't be hyper-paranoid, but
also be aware that, when you accept something, it's no different than expecting something
that someone's baked for you. If you don't know who it is, you're not going to accept
something that you don't know what it is and eat it. So we just tell [AUDIO GLITCH] take a
bit of a chance. But we are using Second Life and a bunch of the other Virtual Worlds.
Forterra is going to give us one World that we can actually put behind the firewall and bring
students in securely. We also have a World of Warcraft, like a Virtual World, that we're
bringing students in to show them a little more fun. Because we don't want security to not be
fun. We really enjoy it. So we bring them into World of Warcraft and show them, like on
eBay how you can buy gold levels and how you can buy different levels and how there is an
entire market out there of cyber crime going on in some of these Virtual Worlds. So it's kind
of an awareness thing for them and also to know, if their kids are out there, you need to
keep an eye on what they're doing in Virtual Worlds, and if they're using the same systems
that you're using for banking and for your tax returns and for all your private pictures, you
may be actually loading rootkits and other things, unknowingly, to them, of course, but
unknowingly be loading malware or a home system that you use for everyday use. In the
laboratory, all of our systems are scrubbed. We use virtual machines. We bring up a virtual
machine. We launch into the Virtual World, and then we have a bit of protection between us
and the actual clients of a relationship.
ROBERT BLOOMFIELD: We have a member of the audience, Al Supercharge, who feels
quite confident that the Second Life viewer cannot install a rootkit. Do you want to respond
to that?
ROBERT YOUNG: Sure. I would need to know who he was before I start telling him
exactly how we know what it can do, and then we could exchange credentials, and then I
would tell him how it did it. Because that's the big thing is, when your adversary's using new
tools against you, you don't run out and say, "Hey, we found this neat thing. We know it,"
because we want to do the same exact thing to them. We want to watch what they're doing,
to see how they're using the tool against us. You don't put all your cards on the table. When
someone's using a tool against you, you watch what the tool's doing. That's the same thing
we do. We get it into a network. We load what we need. We put a back door, and we
observe and find out what we're going to do.
My thing is now the kids are being hacked, actually the young children, because their Social
Security numbers are still clean and so are their bank accounts because they haven't had
them yet. So now you need to look at your kids are being the targets, not you. Your Social
Number's already out there. A bot collected it years ago. And your credit card numbers are
already out there. But your kids are new clean accounts that are being collected and kept.
ROBERT BLOOMFIELD: Interesting. So time for one more question for each of you, and I
don't know, Rocky, if you can answer this, but you used the words, "if you're doing it to us,
we want to try it on you." Sonja Strom has a question, "Does the U.S. government use
Virtual Worlds to gather information about people? And what's going on in other countries?"
And I guess I'm wondering more generally: Is your role looking at cybersecurity at all more
offensive than simply defensive?
ROBERT YOUNG: I can't really answer that question because, remember, I teach at the
National Defense University. I'm in Information Assurance. I'm a professional. I have
credentials and all that. I would never do anything illegal in the Virtual Worlds. What we do
is watch, but the question that you asked is perfect. Wouldn't you do that exactly if on your
adversary, if you were a government and you knew things were being done to you? Would
you not do the same thing and watch on the other side? If you don't know your enemy and
you don't know how to defend against the attacks that are happening to your network, how
could you ever possibly defend? If you don't know what the heck they're doing, how could
you defend? That's like trying to screw a light bulb in. If you've never seen a light bulb, how
can you possibly know how to screw it in?
ROBERT BLOOMFIELD: Okay. Thank you. And, Paulette, my last question for you, and we
talked about this a little in the pre-interview, is, I've been dealing with Virtual Worlds, it
started out as a small part, just sort of a sideline of the research and teaching that I was
doing and over the last couple years has grown like kudzu or bamboo, and it really
establishes a foothold. I'm wondering, for you personally as an assistant dean at NDU, and
NDU more generally as an organization that is doing inter-agency training, how do you see
Virtual Worlds taking hold? Again, in your personal life and in the college as a whole.
PAULETTE ROBINSON: Well, in my personal life, I find Virtual Worlds one of the most
exciting places. I am also sitting for teaching, learning and technology so I'm responsible for
appropriately integrating technology into our courses in ways that help to facilitate students
learning. I think Virtual Worlds are incredibly interesting, in terms of from an instructional
design point of view and engaging students. I think it's incredibly interesting, in terms of
using technology for analytical workspaces and doing our work in the future. So I find myself
more and more involved in Virtual Worlds. I personally believe that Virtual Worlds will be the
interface for the web, and it's not going to be that far down the road.
And I think it's a responsibility for me and others and the government, as well anyplace else,
particularly the government, to not let this happen to us, that we really can interact with the
citizens in ways where we can meet them, where they gather information. It's taken over--I
like the kudzu metaphor--it's really taken over a life of its own in my life because I value and
am committed to it. And so I am like a cheerleader. I've been cheering away, and the band's
been following along.
ROBERT BLOOMFIELD: Well, go, team, go! And we're glad to have you. The only thing is,
that makes it sound like you're on the sidelines when actually I think you've taken the ball
and started running with it.
PAULETTE ROBINSON: That's pretty much what I've done.
ROBERT BLOOMFIELD: Thanks so much to both of you for coming on, and I look forward
to having you come on again in another year and tell us where you are then.
PAULETTE ROBINSON: It's been a pleasure.
ROBERT YOUNG: Thanks so much.
ROBERT BLOOMFIELD: Thank you. Okay, now it's time for my regular closing comment,
Connecting The Dots. And today the dots I want to connect are the ones that define the
outer boundaries of Metanomics. Our challenge is to define those boundaries broadly
enough that we can remain an influential voice for our community, people who are taking
Virtual Worlds seriously, as that community grows, as the technology grows and as it, like
kudzu, starts taking over more and more aspects of not just technology, but of our work and
social lives. On the other hand, we still need to be narrow enough that we're not attempting
to be all things to all people or, even worse, trying to become experts in everything. There
are countless podcasts and webcasts about the internet as a whole, but I'm proud to say
there's still only one Metanomics, and we want to keep that position as a leading voice in
this growing industry.
The heart of Metanomics remains, I think, as I defined it back in September of 2007:
business and policy in the so-called Metaverse of Virtual Worlds. What is a Virtual World?
Every conference I have attended and Paulette, as well, includes a heated debate on the
definition of a Virtual World. Does it need three dimensions? Does it need avatars? Does it
have to have commerce? Are games Virtual Worlds, or are they something different? These
debates are more of a blessing than a curse for Metanomics, and I take, personally, a very
broad perspective on this. As long as someone has a reasonable justification for calling a
platform a Virtual World, Metanomics is going to be there to take a good look at it, try to
understand who's taking it seriously and what they are getting out of it.
But it's more than just defining Virtual Worlds. We also need to decide when we should be
spending time on the business and policy of the internet as a whole, as we did earlier today
with the Cybersecurity Act, and, more generally, looking broadly at social movements that
might be affected by technology. As I mentioned at the top of the hour, just about every
enterprise and consumer relies on the internet, but none quite so much as those of us who
are exploring Virtual Worlds. To us, and especially to people who have immersed
themselves in Worlds like Second Life, the internet is an ocean we call home. So we won't
be covering just any internet technology. We're going to continue to view this ocean through
the lens of our particular school of fish.
So for example, for many users of Virtual Worlds, social networking sites, like Twitter, Plurk
and Facebook, are really just an integral component of their businesses and their personal
lives. And we can't understand how these people are taking Virtual Worlds seriously, without
understanding how they're using these new technologies. From today's conversation with
Paulette and Rocky, you can see that there are a variety of cybersecurity issues that are of
particular interest to Virtual World users, and we're going to continue taking a close look at
the practices and policies that can protect us from tropical storms and determined sharks.
And, finally, we'll be casting our policy net more broadly than that. We can't understand the
business case for Virtual Worlds, without understanding, for example, the recent energy bill,
which may make carbon emissions far more costly than they are now. Whether that's a
boon for Virtual Worlds is, I think, a more open question than many Virtual World users
seem to think. Sure, traveling is expensive, but Virtual Worlds have their own carbon
footprint, and I don't think we yet have a good handle on just how big those feet are. So this
is going to be an exciting season for Metanomics as we grow into the new resources
Remedy Communications is bringing to bear. So I invite you all to come on in. The water's
fine.
That's all we have for this week.
Join us next week when we take a look at some legal issues, with James Gatto, of Pillsbury
law firm. We're going to look at topics, including current patent battles. Some of you may
know of the Worlds.com, a battle going with NC Soft. We're going to talk about terms of
service, intellectual property rights, protections for children. And relevant to what we've
discussed today, the legal liability that Virtual World developers, as well as users, might face
due to breaches of security and other failures.
Thanks to all of our staff members and volunteers who help us pull this off every week. This
is Robert Bloomfield signing off. Take care. And, we'll see you all next Wednesday.
Document: cor1058.doc
Transcribed by: http://www.hiredhand.com
Second Life Avatar: Transcriptionist Writer