Do You Know How Much Trouble You’re in? On the Future of Online Security

 See the full graph

You’ve just glanced over a list of some of the major data breaches from the last year, presented as the number of stolen data records.

Let’s dive deeper.

The number of annual data hacks in the US has grown from 157 millions in 2005 to an astonishing 1.5 billion in 2017. The most common type of data breach is identity theft (69 percent of all global hacks in 2017, see graph). Solely in the United States, companies experience an annual loss of more than USD 525m due to cybercrime (compared to USD 1.3bn in losses reported globally, see graph).

It’s getting more and more difficult for policymakers and Internet companies to keep up with the creativity and sophistication of online crime. From infected X-Ray machines, ongoing cyber wars, to prospects of AI-enabled terrorism, cyber security issues have appeared not only on top of the agendas of policymakers worldwide, but also high on our personal priority lists.

We’ve talked with Steve Shillingford, co-founder and CEO of Anonyome Labs, the company behind SudoApp and SudoPay apps. Anonyome Labs’ products enable consumers to create Sudo identities (digital extensions of you) that shield your personal and private information from strangers, corporations, and the rest of the online world. Sudo identities come with a customizable name, email, phone number and private browser—so you can talk, text, email and browse safely and securely. The company's mission is focused on bringing control over our online privacy back to us, the end users.

Karolina Kurstak: Are you a Facebook user?

Steve Shillingford: No. 

Are there any social media platforms that are doing it right in terms of security?  

Not a huge social media person, but any that provide a strong authentication mechanism, like two-factor authentications are a great start.

We believe privacy is a human right. We should have the right to control and protect our personal and private information. Having this freedom gives us the safety and security we need for the modern, digital world.

Anonyome Labs' Mission Statement

Anonyome Labs' mission statement is truly visionary. At the same time, it flags an alarming development happening right now, globally: our privacy is not a given anymore, and we need to fight for it.

On a scale from 1 to 10, how bad is the situation?

I can only speak from a US-based perspective, but it’s clear that our politics, cultural landscape, and tribalism have only gotten worse. I think the world is in a transitional moment, moving away from central authorities – whether those are governments or corporations (like Facebook and Google) – towards a decentralization.

In politics, this is evidenced in the US by the election of an outsider in the form of Donald Trump. If you believe the Russians elected Trump, you still have to explain other populist movements in Europe like Brexit, Austria, and even recent German elections.

There’s a worldwide movement to resist centralised governance. In the digital realm, we’ve already seen great power wielded by Internet giants who’ve consolidated power by virtue of their scale, data mining, and insidious manipulation of feeds and searches. People have naturally resisted this. Ad blocker usage has soared from virtually zero in 2010 to over 500M users today.  Alternative search engines like DuckDuckGo have seen a rapid rise in use, and over 200M people have deleted their Facebook accounts. I firmly believe the advent of the blockchain and its killer application – cryptocurrency – are a direct response to the lack of accountability in the financial sector.

Privacy, in its simplest form, is the right to be let alone. When so much of our social and political world is regulated, harvested, and controlled by a select few, there is an inherent danger to freedom of expression. That is what we’re fighting for. It’s not that we have things to hide, but rather, it’s that we have things we just choose not to share. Today, it’s very difficult.  We hope tomorrow, it will be very different.

And what does the cybersecurity landscape of 2018 look like in terms of legal regulations? Are recent governmental regulatory movements doing any good?

We’re kidding ourselves to think that governments will be any good at regulating technology specifically. They lack both the competence and efficiencies to keep up. However, what they are very good at is legislating broad parameters and letting markets operate within those boundaries. The Sherman Antitrust Act is a great example. Passed in the United States in the early 1900s, it was simply meant to prevent inordinate power accruing to a select few. At that time, oil and railroad companies were the worst offenders. That act works today, but the offenders are Facebook, Google, and others who seek to dominate both our digital identities and what those identities are exposed to. We don’t need more laws, we need more existing law enforcement.

Are there any regions where the cyber security law enforcement works? Are certain regions of the world better protected than others?

The US and EU are setting the agenda, but my experience suggests their goals are more self-serving. That is, they are looking to promote status quo (or more) for surveillance and prevent any major kinetic attacks from the usual suspects.

In March, the US Cyber Command released a white paper called “Achieve and Maintain Cyberspace Superiority.” EU’s NIS Directive went into effect on 9 May, and the introduction of the GDPR took place on 25 May. But as you have mentioned – many are sceptical about the end results of those actions. In terms of the current state of affairs and real capabilities, do you think the US and EU governments are doing enough to protect its citizens from cyber-attacks?

With regards to GDPR, I want to praise the EU authorities, who drafted it for their intent. Unlike the US, they are clearly trying to provide more protection for individuals. Unfortunately, the net result, I believe, will be an Internet tax for EU citizens and a ridiculously handsome payout for lawyers using it to sue. I think the US, as well as the EU countries are making valiant attempts to enhance their citizens’ security.

But the problem is ceaseless. Cyber threats are asymmetric. An enemy can take an infinite number of “shots” and only needs one to be successful.  These governments need to literally be “correct” every single time. Moreover, many if not all attacks involve human error which is impossible to prevent. As long as humans are in control (and that may not be that long), this will be an intractable problem, in my opinion. 

And not all of us are even fairly aware of the thread. But that seems to be also changing. Do worldwide scandals such as the Russian sponsored hack of the American 2016 election or the Cambridge Analytica files end up bringing value to the society by opening a debate about cyber security issues?

I’m hopeful but pessimistic. While I do think people’s eyes have been opened, there’s a sense of “what else can I do?”. Until someone provides an alternative, there’s lots of friction involved in change. Having said that, we’ve seen great platforms “fall” overnight. There was a word processor before MS Word that had 90% of the market called WordPerfect. There was a networking company with 90% market share before MicrosoftNT servers. Google at the outset was one of 13 search engines. There was MySpace and Friendster before there was Facebook. Monopolies can and do fall; be it governments or corporations.

What are the most dangerous, current trends in cybercrime, in your opinion?

In the US, it is literally impossible to verify someone’s legal identity thanks to the carelessness of Equifax*. Companies now have to create more PII just to compensate. What happens when that’s compromised too?  Insanity is doing the same thing over and over again and expecting a different result. In a world where no one knows if the other party is actually who we believe them to be, how do we prevent identity theft, bank fraud, and the like?   

* Equifax Inc. a consumer credit reporting agency. In September 2017, Equifax announced a cyber-security breach, where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers' personal data; source: Wikipedia.

What about the future? What kinds of attacks can we expect?   

Imagine the lights not working for a week. Imagine electricity not working at all. How long does food at the grocery last? Three days at most. Gas pumps require electricity to pump. Sanitation systems require electricity to sanitize. Now, check the average lifespan of power plants in the US. They’re older than I am (and I’m no spring chicken). How hardened do you think those facilities are? And getting them locked down would be like putting a car alarm on a stagecoach. Pretty ineffectual. That’s what keeps me up at night.

What can we, individual users, do in order to protect our data online?

Use your legal identity (e.g., name, date of birth, mobile number, personal email, etc.) less and less. Start taking steps to reduce your future digital exhaust. Always enable secondary authentication mechanism like two-factor authentication (Apple does a very good job of this) when you can. It’s more friction, but knowing when someone is logging into your account is the first step toward minimizing the impact of a hack.

How does MySudo fit into this picture?

MySudo fits into this paradigm as it allows users to control when to share their legal identity. By providing users with the ability to create personal Sudo identities for interacting in the online and offline worlds, they finally get to choose how they share their personal information – without being forced to provide their personal and private credentials. Even further, having to opt out of the participation in an online world that permeates our everyday life.

Think of MySudo as a personal identity app with customizable Sudo. These Sudo can be used anywhere you want to control or compartmentalize your relationships with people or companies. When you use a Sudo identity you create a protective shield from unwanted or unknown risks, whether those are spam, robocalls, data mining or hacking, identity theft, or worse. No one else offers this kind of personalization, control, and protection inside a holistic solution that allows users to call, text, email, pay, and browse. 

How do you plan to expand MySudo’s functionalities? In what direction do you want to evolve?

In the future we’ll be adding things that consumers have come to expect like video calling and refer-a-friend. We want to provide a consumer experience that anyone who is privacy aware (not just privacy geeks!) will enjoy. 

How did you find Netguru? What made you choose our offer? 

Our head of engineering, Jeff Poulton was in San Diego at a tech conference and met an entrepreneur from Poland. He gave him an amazing overview of the state of tech in Poland. We’ve made our research – Netguru was miles ahead of their local competitors. Their focus on design, aesthetics, technical depth, talent acquisition, and process made them a winning combination for what we were looking for.

We have found Netguru to be very professional, proactive, and great to work with. They have done a good job of understanding the skills and requirements of our teams and have matched their engineers accordingly. Overall, the Netguru engineers are engaged, highly skilled and have augmented our teams seamlessly. The management team is proactive in their approach.

Thank you for such a great review. As a closing note: is there any hope for online privacy? In the hyperconnected world of the future, will it be possible to stay anonymous? 

Yes, this I am optimistic about. As mentioned above, decentralization is a theme that is slowly taking over the world. This will come to personal identity and digital safety. GDPR was an attempt, albeit a bad one, at giving people more control. There’ll be others, and they will be much improved. I ultimately believe that the solutions will come from individuals who create nameless, faceless, no-skin-in-the-game innovations versus politicians.  

Thank you very much for the interview.

Graph 1

Graph 2

Graph 3