Drive for better: Public safety and privacy

August 6, 2010
It was not too long ago that failures on Wall Street and the soaring price of fuel appeared to spell impending doom for the U.S. automotive industry.

Sales plummeted, tens of thousands of auto workers lost their jobs, and the CEOs from General Motors, Chrysler and Ford traveled to Washington D.C. to beg Congress for help. Adding insult to injury, the executives each took private luxury jets to their appointment on Capitol Hill – a decision many viewed as a slap in the face. In their next trip, the maligned executives chose a different mode of transportation: They hit the road in a trio of new-model hybrid cars.

But now, almost miraculously really, both the coffers and PR image of an industry that is as American as apple pie appear on the road to recovery, and the venerable Ford Motor Co., the only one of Detroit's Big Three to avoid a government bailout and bankruptcy, has been leading the comeback. In May, U.S. auto sales rose for the seventh consecutive month.

Investment in fuel-efficient technology and a recovering economy, of course, are widely credited for the resurgence. But Ford has one other trick up its sleeve that sets it apart from the competition: It was the first to market a factory-installed, in-car communications and entertainment system, to which drivers are able to connect their phones and MP3 players. The system, known as SYNC, then allows motorists to receive audible text messages and turn-by-turn directions, as well as control their music through voice commands. The latest generation of the platform also lets occupants plug in a USB modem to acquire wireless broadband access, essentially turning the car into a moving hotspot.

“Our vision is one of seeing the vehicle as a node on the network and, as a result, the vehicle being a natural extension of information sources,” says Scott Roundy, Ford's director of IT security and strategy. “Our entire design goal is premised around trying to create that type of environment for the consumers of our product.”

And just as safety consistently rates as the number one factor that owners consider when buying a new car (the world's largest automaker, Toyota, continues to reel from its massive accelerator recall), Ford is priding itself on the data security and privacy features of its novel technology, Roundy says.

In an environment where mega breaches, cyberespionage, revenge-fueled insider malfeasance and social networking privacy crises are a common refrain, some organizations have chosen to not sit back and wait for something bad to happen. Instead, they have decided to go the extra mile on behalf of the customer. This concept is most evident in the online banking and retail world, where a number of providers have exceeded what the regulations require to protect sensitive transactions on the internet.

Ford, specifically, has taken the stance that without the trust of its client base, it might as well fold up shop, Roundy says.

“We've got a lot of interest in not only keeping a safe environment, but also a secure environment,” he says. “We have a responsibility to the consumers and the people who have decided to spend their money to acquire our product. From a public safety and privacy perspective, that is one of the key pillars we have as a philosophy at Ford. It is wired into our DNA.”

There may be no better example of the benefits of doing the right thing than the crisis of reputation that oil giant BP currently faces. The company responsible for the worst environmental catastrophe in history rebranded its image several years ago to appear as a leader in the green movement. Despite that, its investment in oil exploration far exceeded any investment ever made in renewable energy development (nevermind rectifying its abysmal safety record). So now, millions of gallons of spilled oil later, the company is staring its demise right in the face.

 

Ford trying to get ahead

Ford just as easily could have waited for the SYNC equivalent of an oil spill to happen, such as some curious car mechanic – who knows a thing or two about embedded systems – hacking his way in to retrieve sensitive information, like a cell phone address book belonging to an unwitting celebrity or politician.

Such a breach admittedly would not result in a fraction of the backlash BP is facing (and certainly no crude-fouled beaches or pelicans to illustrate the damage), but Ford chose not to wait. After all, a research report in May warned that as cars increasingly become computerized and internet-enabled, hackers may be able to overtake critical functions, such as the braking system.

“We need to have security designed in from the beginning,” Roundy says. “It needs to be there by default. It is very important to invest the energy and time into doing it right instead of thinking of security as a bolt-on or after-market action.”

When designing SYNC, Ford turned to the same “threat modeling” techniques it uses for internal software development projects, Roundy says. The process examines potential issues that may result, such as information leakage, privilege escalation and denial-of-service attacks.

“We take a look at all the information, the data flow, participants and then try to model that in terms of, ‘Do we have exposure?'” Roundy says.

As most anyone with a security background will tell you, nothing is hacker proof. Specifically with SYNC, though, the platform includes a firewall equipped with WPA2 security to prevent wireless piggybacking, in addition to password and encryption technology to prevent the disclosure of sensitive data, such as drivers' home addresses or phone directories.

“You can't take a unit out of a vehicle and stick it in a secondary vehicle,” Roundy says. “You can't install software on the module unless you have the private key pair. And you can't access any of the private protected storage unless you have the applications that are already keyed to access the storage.”

The competitive advantage

Two of the most commonly targeted industries, finance and retail, are where consumers are most likely to see security controls as a value-add. PayPal's token offerings and Bank of America's SiteKey multifactor authentication are two well-known examples.

Surf to the home page of Zions Bank, with 128 branches in Utah and Idaho, and you'll discover that security has earned prime website real estate. A click to the bank's Online Security Center offers tips and answers frequently asked questions.

It also encourages users to install the Rapport plug-in, an increasingly popular fraud prevention program that, according to its maker Trusteer, “locks down your browser once you connect to a sensitive website such as your bank. Any malicious software that tries to ride on the browser is left out of the locked-down browser, and cannot access your sensitive information and transactions.”

In particular, the software – purchased by Zions but offered to its customers for free – provides protection against the insidious Zeus trojan, which has allowed cybercriminals to steal millions of dollars from the financial accounts of mostly small- and mid-size businesses.

Zions believes that providing the combined offering of education and technology resources is paramount to its mission, says Matt Wilcox, the bank's interactive department manager.

“We're not obligated to communicate all that information out,” he says. “There are the things that are mandated, and we certainly respect and make sure we're up to speed on that stuff. But just from a customer service and relationship standpoint, we try to do as much due diligence as possible to protect them and offer them comfort when banking online.”

Meanwhile, concerns over privacy, fueled by cloud computing, also are spurring companies to take action.

Richard Bejtlich (left), director of incident response for General Electric, says he knows of some cloud providers sensing the worries that businesses have over entrusting their data to a third party. These firms are providing customers with additional information – such as packet captures and log data – should an incident occur.

“They recognize that not everything is perfect,” he says. “They're going to help you figure out what happened and provide expertise and data to do forensics and restore service as quickly as possible.”

Of course, to claim complete altruism on behalf of some of these leading-edge companies would be a mistake. Forward-thinking businesses may truly want to do the right thing, but any investment in security and privacy can be viewed as much of a move to keep customers safeguarded as it is to protect their own bottom line, says Avivah Litan, vice president and distinguished analyst at Gartner.

“They're doing it to foster customer loyalty, protect their accounts, protect their own reputation and beat the fraudsters,” Litan says, referencing banks. “They want to do the right thing, and they also want to minimize losses. They're more progressive. They're more with it.”

But the trend is probably against doing the right thing for most companies, Litan adds, noting one firm she recently met with that would rather absorb the cost of a breach that may never happen than invest in security from the outset. “Most companies aren't great companies.”

Some may be just scared to be. There is the belief in some corners that publicizing efforts around customer security may actually have the reverse effect of inciting attackers' interest rather than deterring them, says Craig Spiezle, a former Microsoft executive who now is executive director and president of the Online Trust Alliance

Customer satisfaction

Customers also share part of the blame for not impelling businesses to do more. After all, despite a vocal minority of privacy advocates and federal lawmakers harshly calling on Facebook to make privacy reforms, the social networking site barely felt a hit to its mass user base. Think about it: Did anyone really leave Facebook on May 31, dubbed “Quit Facebook Day” by a group of grassroots protesters? Still, MySpace has begun touting its privacy controls as superior to Facebook's – a move to get the fallen social networking darling back in the public's good graces.

“The customer still votes by the value they see of those services,” Spiezle says. “That's a tradeoff they're making today. I think the challenge today is there are business practices that may be within the letter of the law, but clearly not in the spirit of the law, and consumers are vastly unaware of what's happening.”

GE's Bejtlich says that, for the most part, consumers have difficulty connecting the dots when it comes to differences in security. They expect protection, but controls that go above and beyond may not resonate with them. Still, companies should recognize security as “table stakes” for doing business, he says.

“If you can't do that, you don't even deserve to be in the marketplace,” Bejtlich says. “I wouldn't do business with the dry cleaners up the street if I used a single credit card with them and it's always being stolen by the Mafia.”

Across other industries, many executives are less worried about customer data protection and more about protecting proprietary information, Bejtlich says. Trying to persuade executives about the need for security dollars becomes an exercise in futility if security professionals speak about it in terms of risk reduction and cost savings. Instead, CISOs should take a different approach and tailor their argument around how security can help protect intellectual property and other proprietary data – and keep it out of the hands of rival companies.

“[Senior executives] are very aggressive and they want to compete, and security as a means to help them compete has more traction than ‘I'm going to decrease your risk by 10 percent,'” Bejtlich says. “They're almost built to take risks. They want something that's going to give them an edge in competition.”

Can security be a differentiator?

The jury is still out on how much impact a breach or negative publicity around privacy and security has on a business.

Facebook seems to be doing just fine. TJX, the discount retail parent that lost 45.7 million card numbers in 2007, actually saw sales modestly rise after the breach was announced. And payment processing giant Heartland Payment Systems, which reported the largest data-loss incident of all time in January 2009, has lost few customers, according to its CEO.

But as privacy and security increasingly become regulated, and more customers and small businesses bear the consequences of stolen and misused data, that mindset may very well change.

Back at Ford, considered a leader in air bag advancements and one which has rallied around legislative bans on text-messaging-while-driving, the auto giant is treating information protection with the same gusto it does driver safety.

“We believe it's an entry point of doing business,” Roundy says. “Whether it leads to a competitive advantage, that will be based on consumer preference. But we don't have another way to operate.”

[sidebar]

Doing more: Security as a value-add

A host of companies are doing more than their competitors to protect customers against cybercrime. For example, office supplies retailer OfficeMax has launched a program that asks customers additional information at checkout, such as their ZIP code, if they use a credit card. Here, courtesy of Gartner's Avivah Litan, are a few other examples of how retailers are shutting the door on digital crooks.

Walmart: The world's largest company is pushing to bring chip-and-PIN to its 2,500 U.S. stores. The technology works so that each debit or credit card contains a unique microchip that corresponds to a PIN number. Walmart's hardware is already set up to implement such an initiative.

Whole Foods Market: Why does the world's largest retailer of organic goods not offer a shopper rewards program? Because it doesn't want to have the responsibility of storing and protecting that data. The company would rather offer discounts to all than face a breach of confidential customer records.

McDonald's: The fast-food giant has designed its payment system so that anytime a card is swiped at one of its locations, the data is immediately sent out of the restaurant to what effectively is a “black box.” So even if hackers break in, there is nothing to steal. The system also is built so transactions are faster.

prestitial ad