As a follow-up to my post about Azure in Germany from last Friday, a powerful initiative from Microsoft called ”Cloud for global good” has now arrived. My hope now is that all the major global cloud players step forward and make equally clear policy decisions. I also have a somewhat more secret hope of increased cooperation between our local players and ”the big ones”. But I will keep that one to myself a while longer…
The cloud and cloud services are everyday fare for most people by now. The crux when it comes to taking the step up into the fluff has been the handling of data (information). Beyond the purely legal and security-related questions/assessments, it has just as much been about psychology/trust. It is therefore gratifying that Microsoft has just launched an EU/EFTA-specific declaration on ownership of data through its German venture.
A good initiative and a step on the way to creating clarity around information handling (who, when, how and where).
”With the years come the insights…”! A saying I have heard repeated as a mantra by older people around me, privately as well as professionally. I realize that I am now in the ”with the years” state, albeit reluctantly and grudgingly. However, I cannot duck the insights that wash over me. One clear such insight is the question of the number of productive hours per week.
I have found an incredibly good presentation, ”Rules of productivity” by Daniel Cook, which points to experiences drawn from the games industry regarding creativity and productivity. The most interesting part is what happens when you increase the number of working hours from 40 to 60 per week. What is an imaginary productivity increase during the first period quickly turns into non-production in a radical way.
I myself increasingly use a model for recovery that I learned at Krusenbergs Herrgård almost 13 years ago. The model is simply called ”Cycle of energy” and can be found in the picture below this line.
The model starts from a sensation, or perception, that in some way attracts one's curiosity/intellect/competitive nerve. If one accepts the challenge, energy is mobilized to act on the sensation and achieve some result. After a certain period one needs to land in the results of the action and get in touch with one's inner self. During the ”landing period” one learns from what has been achieved, what was done well, which parts could possibly have been done better, and so on. Eventually the landing is complete and one is ready for more sensations.
Finally, I need a super drink to produce well.
”With the years come the insights…”
This is the final piece of the trend report as promised.
Log book of sources and web searches
As promised earlier, here is the second part of my trend report, a little earlier than stated. Tomorrow I will publish the Appendix with some of the sources I have used to compile this report. Suggestions and feedback are more than welcome.
Bitcoin is gaining a large market capitalization and acceptance among merchants. The underlying infrastructure, blockchain, is gaining traction in all segments of the society, not only within finance. Regulation in this field could both be an inhibitor and a driver of adoption. The main three driving forces are the diaspora and refugee streams, Internet of Things and the robotization of the Internet. The three inhibiting forces are a plummeting trust in bitcoin, feeling of a new ”.COM” bubble and the uninterested/uninformed user of the intended services.
The cyber threat landscape has evolved into a sophisticated money-making venture. Statistics from the UK suggest that cyber crime alone is larger than all other crime combined. With the transformation of payments and of the underlying infrastructure in other areas, criminals will innovate to secure new income streams from cyber criminality.
Cyber Security Scenarios to come?
I have outlined a high-level graphic that illustrates the evolution of Cyber threats in figure 1.
Figure 1. Evolution of the Cyber threats: Vectors & motivations
What I am trying to illustrate in a very crude way is the evolution of the threat landscape from ”simple” viruses developed by curious academics to present-day stealth attack vectors developed for maximum effect. The motivation of today's adversaries is not so academically curious. Instead, we see state-sponsored initiatives to gain advantage on the Internet and/or get hold of intellectual property by targeting R&D efforts. US IP theft is said to be the ”greatest transfer of wealth in history”, accounting for $300 billion annually [The IP Commission ”IP Theft Report 2013”]. Also, organized criminals in mafia-like structures find new sources of income by innovating in the ”art” of cyber crime.
The Office of National Statistics (ONS) in the UK has included cyber crime for the first time in its statistics for the period ending in March 2016 [”Crime in England and Wales: year ending mar 2016”]. In the statistics I interpret cyber-related criminality to be as high as all other crimes combined. If this should be the case world-wide, it is easy to make some probabilistic assumptions about future cybercrime developments by taking a historical look at the development so far. In general, across the suggested probabilistic scenarios, I make the assumption that fraudulent activities will continue to increase.
Probabilistic consumer scenario
During the last decade cyber criminals have been effective in harvesting technologies that rely upon phishing schemes. As consumers become more aware of the risks associated with using computers on the Internet, more effort goes into other areas. Today's smartphones are powerful computers, but very few consumers perceive them that way. So, we are seeing more targeted attacks on smartphones.
As time passes we will see more and more form factors that both have computing power and are networked. Watches, glasses, health gadgets and digital wallets are gaining more and more ground. New ways of interacting with those devices are introduced or under development. This means that consumers will interact with their computing environment in new manners, leaving the field open for innovative ways to commit fraud. Instead of links in e-mails, I believe that the criminals will find new ways to lure us into fraudulent schemes.
Since our devices are all connected to databases and storage networks and collect incredible amounts of behavior/geolocation data, they will be the perfect entrance point to those treasures. By successfully exploiting health data and banking details and by profiling a person, the criminals will be able both to commit traditional frauds and to run extortion schemes beyond ransomware.
Probabilistic enterprise scenario
Larger amounts of company data will be distributed over many different providers who deliver services in the cloud. The data that companies rely upon ”in-house” will be serviced by even more automated and virtualized environments that, in turn, are interconnected with the services that live in the cloud. More and more of the workforce have developed big data analytical capabilities and major programs are developed to aid in possible transitions to robotics and artificial intelligence. Mapping of historical data, ongoing conversations and behaviors is performed to aid the transition. Pilot projects are set up to automate the marketplaces serving every specific industry. By the use of smart agents and smart contracts the business case is to minimize human intervention and maximize profits by cutting marginal costs.
For the adversaries there are opportunities to tap into new ways of wealth transfer. One apparent tactic would be to introduce rogue and passive agents in any kind of automated industrial market mesh network. This way, they will gather intelligence on patterns and streams of communications and also provide means to do some reconnaissance and find weaknesses to exploit later on. The smart adversary understands that automation usually means that humans place too much trust in the system, and will thus have windows of opportunity to steal valuables.
Consumer technology advancements will surely find places within the corporate environments, meaning that vulnerabilities in new form factors and user interactions will open new threats. This will drive the separation of information from devices and identified users. A new breed of information protection lifecycle technologies will be developed. The potential for blockchain technology in this field should be apparent.
Probabilistic blockchain scenario
Today companies like Google and Facebook earn a lot of money by leveraging everything they ”know” about their users. We accept giving up our digital personas for free services or apps and contribute to the wealth of many companies, and sometimes crooks. The more computerized and networked gadgets we use, the more the amount of profile data that we leave as a trail grows, exponentially. Is it far-fetched to believe that new areas of ”gray area” exploitation will grow in the same manner?
I sense the future potential of blockchain infrastructure to provide trust and authenticity to the information that is propagated. The examples that I can ”see”:
- By leveraging a combination of Creative Commons and a Digital IP ledger every user can enforce a set of properties that are cryptographically signed. Properties could be in the form of privacy information, ownership of creations or similar
- Contributor incentives in form of micro-payments when delivering some value in a network of networks.
Wrapping it all up
It is challenging to sum up all the different signals gathered during 3 months of research in a single trend report and make some substantial prediction and analysis. But in an attempt to wrap everything up, some signals are more substantial to point at than others.
- Cryptocurrencies are gaining market capitalization and acceptance
- Blockchain infrastructure is proving itself as a foundation upon which trust and authenticity can be built
- Criminals and other adversaries are tapping into the shift and innovating on how to keep their income streams coming
- Blockchain needs to be proven over time, but one consequence of the infrastructure could be enhanced privacy in the future.
Ross, Alec (2016). The industries of the future, Simon & Schuster
Brynjolfsson, Erik & McAfee, Andrew (2014). Den andra maskinåldern – arbete, utveckling och välstånd i en tid av lysande teknologi, Daidalos
Hines, Andy & Bishop, Peter (2006). Thinking about the Future – Guidelines for Strategic Foresight, Washington D.C. Social Technologies
ISBN: 097893170X, 9780978931704
Tapscott, Don & Alex (2016). Blockchain revolution – How the technology behind Bitcoin is changing money, business, and the world, Penguin Canada
Pasquale, Frank (2015). The black box society – The secret algorithms that control money and information, Harvard University Press
This paper is the final work at the course ”Trendspotting in theory and practice” at Mälardalen University. The assignment is to select a topic of interest and start collecting indicators in terms of weak signals and similar intelligence. The output will then be a report or article that presents the findings.
I have focused on the digitalization of payments, cryptocurrencies and mobile cashless alternatives, with a look at the driving forces behind the transformation. I also try to do some predictive analysis of potential cyber security scenarios that could be fueled by the transformation. This is of particular interest for me both on a professional and personal level. I have been in diverse security advisory roles for at least 17 years and seen the shift in motivations from cyber vandalism to cyber criminality for profit.
The disposition of this trend report is as follows:
- Executive summary with key findings and recommendations
- Methods section where I describe the methodology used to produce the trend report
- A brief history of digital payments and currencies to give a historical perspective to present day developments and innovations
- Signals, trends and indicators is the actual trend-spotting section where the collection of the materials to be analyzed is done
- A cyber security section with historic illustration of the development of criminality on-line and some assumptions of probable futures
- Bibliography and sources section contains reference literature and sources of collection of signals
Methods used in this report
My approach is first to take a dip into the short history of digital currencies and payments, to describe the development we have seen so far, and then to focus on foresight intelligence to make predictions about the future of digital payments and currencies. In more detail, I will use these methods in the process:
- Scanning in the broadest sense. My goal is to gather intelligence to be able to identify weak signals (or micro observations), trends and potentially find data to support potential wild cards
- Collation and summarization – This is the process of sorting all gathered data and finding a way to sort out the crucial and eliminate the irrelevant
- Translation and interpretation – This is the process of translating different kinds of jargon language to ”plain English” and then interpret the gathered knowledge in a language that makes sense for the audience
- Assimilation and presentation – These are the final steps to make the ”package” tasteful and may include visualizations (roadmaps, infographics, mindmaps etc), scenario mappings or some other kind of visioning. I have made an attempt to work with predictability models to aid the envisioning of future scenarios.
A brief history of digital payments and currencies
To be able to do some kind of foresight activities in this new field I believe that a brief history of the key milestones is needed. I have deliberately narrowed my list to include the major steps in the development of digital currencies and payments. I have also excluded the transaction networks and the clearinghouses:
- E-gold 1996 – A web-based service offering its customers accounts tied to the gram price of gold. E-gold was the world's first service that made micro payments possible, since computers could calculate values as small as 1/10 000 grams of gold. After numerous hacking attacks and other cyber-related frauds the founders faced charges, leading to the closure of the service in 2009.
- PayPal 1998 – Founded as a service for money transfers on-line. PayPal was introduced to the stock market in 2002, and shortly after its IPO it was acquired by eBay. Since the summer of 2015 it operates as a spin-off under its own name again. The company is now developing mobile-first payment services through PayPal.Me.
- Webmoney 1998 – Introduced in Russia to serve the former Soviet republics, but is established world-wide. The users of the service don't need any bank account or credit card. They deposit values in a ”wallet” through bank transfers, credit card, pre-paid cards, vouchers or through conversion from other digital currencies. The values are calculated as US dollars, euros, rubles or bitcoins, to name a few. When a transaction is made the values are guaranteed by so-called guarantors (underwriters).
- Alipay 2004 – Service founded by the e-commerce company AliBaba as an on-line payment service with no transaction fees. Serves approximately 300 million Chinese users.
- M Pesa 2007 – The ”M” in the name stands for ”Mobile” and ”Pesa” is the equivalent for money in Swahili. It is a mobile phone based system for money transfers and financing, including micro-financing. The service relies on an account that resides within the mobile phone. Transfers are made through PIN-secured SMS text messages between users. Deposits and withdrawals are made through a widespread network of agents.
- Perfect money 2007 – Another on-line payment system working with multi-currency accounts (USD, EUR, Gold and Bitcoin). The idea is to provide a service for internet transfers between members or to conduct regular payments for goods and services.
- Bitcoin 2009 – A system for peer-to-peer transaction and released as open source software. All transactions are noted in a distributed ledger called blockchain by the nodes in the network. The units in the ledger are registered as bitcoins. Users of bitcoins have a wallet that stores the associated digital credentials for their balance. The vital part for any participant is to securely store the private key associated with the public key. The user can either keep a local wallet on its computer/phone, use an on-line service or have the private key stored off-line.
- Square 2009 – The company offers several services within finance, merchanting and mobile payments.
- Google Wallet 2011 – A peer-to-peer payment service connected to a debit card or bank account in the USA.
- Seqr 2011 – Set up as a mobile wallet for payments, money transfers and loyalty programs for redeeming offers.
- CurrentC 2012 – A mobile payment platform with an app and associated wallet. When making a purchase the user either scans a QR-code shown on the cashier's screen or has the cashier scan a QR-code from the phone's screen.
- Host Card Emulation (HCE) 2012 – A software solution that enables mobile applications to act as payment cards or access card solutions. It is built on top of the contactless technology Near-Field Communication (NFC).
- Swish 2012 – A mobile application for money transfers between individuals. An application for merchants was launched in 2015, but the solution is being re-designed and will be launched in the autumn of 2016.
- Apple Pay 2014 – A contactless payment service and digital wallet from Apple, similar to HCE. Uses the contactless technology NFC.
- Android Pay 2015 – A similar payment service and digital wallet as Apple Pay, but running on Android devices.
- Samsung Pay 2016 – A payment service, digital wallet and solution for loyalty card programs.
Signals, trends, trend indicators
The possibilities within the field of digital payments, cryptocurrencies and cashless mobile solutions are huge. A whole new industry has seen the light of day in the past couple of years, FinTech [Wikipedia definition]. Businesses like banking and insurance are solely made up of bits and bytes with no physical goods. This makes those businesses excellent candidates for digitalization and innovation. The music, media and video industries have experienced the effects of digitalization and, looking in the rear-view mirror, the owners of those outlets would have innovated more and earlier.
So, the mere existence of digital possibilities to handle payments, money transfers and online trade in new ways will drive fierce competition and innovation. And there are numerous happenings in the world that will support those movements. There are also signals of counter-movements: forces in the world that will do anything in their power either to keep the status quo or to establish new policies that ensure their continued dominance within the new landscape.
First, I will start with a signal that I can't categorize either as a driving force or as an impediment in relation to the digitalization of payments.
Independent of high-profile thefts in diverse bitcoin exchanges, the market capitalization of the bitcoin is growing steadily and finding acceptance among an ever-growing community of merchants. This fact alone means that regulation of some kind will most certainly happen in most parts of the world. The challenges are many when it comes to the bitcoin. The most intrinsic part is to understand what the blockchain actually is and how it works. So, there are clear risks if the regulatory frameworks don't separate the blockchain from the crypto-currencies that are on top of the ledger.
One regulation that has already happened is in Japan, where the bill has been passed in both the lower and upper house, meaning that virtual exchange operators will need to register with the Japanese Financial Services Agency to be able to operate legally in Japan. This kind of regulation should mean that the trust for crypto-currencies grows and helps wash out bad perceptions.
Second, I will look at the movements that support the digitalization of payments.
Refugee streams, diaspora and the non-customer of banks
According to figures from the UNHCR [UNHCR statistics database] there are more than 21 million refugees in the world today. More than 30 thousand people are forced to flee their country each day. In many parts of the world refugees don't have the opportunity, nor the means, to open a bank account.
People in diaspora around the world are sending huge portions of money to relatives and family in their originating countries. According to a World Bank report [Migration and development brief report 2016] migrants are sending remittances in the amount of $431 billion in 2015. Banks and money transfer services like Western Union charge some percentage for each transfer, meaning that a part of the money feeds executives instead of families. One example is sending money from the US to Kosovo. In the example I am living in Washington state and sending $100 to Kosovo. The cost of the transfer would be $12 if I pay by debit or credit card and $10 if I pay by a bank account. By using the more expensive option the money is going to be delivered immediately and the other option will take 3 – 4 business days.
Using a peer-to-peer (P2P) money transfer system like the bitcoin network could make those transfers instantaneous, assuming that the countries of residence accept bitcoins. Otherwise there will be an intermediary like an exchange, with waiting times and transfer costs.
Internet of things (or everything)
Internet of things (IoT) is an acronym that refers to physical objects connected to the Internet in the form of sensors, actuators or other single- or multipurpose devices. The IoT devices collect and/or transmit information about specific objects to aid in optimization and/or operational decisions. Forecasts are made that 20 – 30 billion devices will be a part of the Internet by 2020 [Bauer, Patel, Veira 2014]. As with all forecasts, there is a big measure of over-/underestimation of the actual figures. But the major takeaway here is the fact that the world is getting even more interconnected and the data generated by those new interconnected devices will serve completely new innovations.
Among the challenges with this kind of explosion in interconnectedness is of course security, but equally challenging is the paradigm of management centralization. By this I mean the centralized model known as client/server, where the devices are identified, authenticated and provisioned through cloud data centers. This paradigm is working well in enterprise scenarios with tens or hundreds of thousands of users. As soon as the managed population grows beyond those figures the costs of maintenance and the underlying infrastructure easily skyrocket. Another risk is that the central management infrastructure becomes a bottleneck; if something disrupts the operation then the whole model can be at risk.
Overcoming the challenges and limitations of the centralized model is therefore something that the players in the IoT field are looking to do. By deploying a P2P model of networking, the IoT would become decentralized and the billions of transactions happening daily would be distributed amongst the devices in the network. Until recently, the first issue, security, has been hard to solve in such a setup. Blockchain is now being tested at large scale as the underlying mechanism for establishing the security level necessary in a P2P environment for IoT. On a high level it works like this: participants in an IoT P2P environment are registered in blockchain ledger(s) and enabled to record transactions that are cryptographically signed to the ledger(s). Transactions are verified by the other nodes in the P2P network, which makes tampering very hard. The ledger(s) is distributed among the peers in the network, which takes away the need for central management.
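A sketch of the ledger mechanism described above, added here as an example and not taken from the report or from any IoT product: devices are registered by public key, each transaction is signed and hash-linked to the previous entry, and every peer re-verifies its own copy. The device names and payloads are constructed, and Lamport one-time signatures are swapped in for a production signature scheme so that the code runs on the Python standard library alone.

```python
import copy
import hashlib
import json
import os

GENESIS = "00" * 32  # "previous hash" of the first entry


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A key pair must sign only ONE message.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(h(sig[i]) == pk[i][bits[i]] for i in range(256))


def body_bytes(prev, device, payload) -> bytes:
    # Canonical encoding of what the device signs; binds the entry to its predecessor.
    return json.dumps([prev, device, payload], sort_keys=True).encode()


def entry_hash(e) -> str:
    return h(body_bytes(e["prev"], e["device"], e["payload"]) + b"".join(e["sig"])).hex()


def append(chain, device, sk, payload):
    prev = entry_hash(chain[-1]) if chain else GENESIS
    sig = sign(sk, body_bytes(prev, device, payload))
    chain.append({"prev": prev, "device": device, "payload": payload, "sig": sig})


def first_invalid(registry, chain):
    """Run by every peer on its own copy: index of the first bad entry, or None."""
    prev, used = GENESIS, set()
    for i, e in enumerate(chain):
        pk = registry.get(e["device"])
        # Reject unregistered devices, broken links and reuse of a one-time key.
        if pk is None or e["prev"] != prev or e["device"] in used:
            return i
        if not verify(pk, body_bytes(e["prev"], e["device"], e["payload"]), e["sig"]):
            return i
        used.add(e["device"])
        prev = entry_hash(e)
    return None


def demo():
    registry, keys, chain = {}, {}, []
    for dev in ("thermostat-01", "meter-07", "lock-03"):  # constructed device names
        keys[dev], registry[dev] = keygen()
    append(chain, "thermostat-01", keys["thermostat-01"], {"temp_c": 21.5})
    append(chain, "meter-07", keys["meter-07"], {"kwh": 3.2})
    append(chain, "lock-03", keys["lock-03"], {"state": "locked"})
    intact = first_invalid(registry, chain)

    edited = copy.deepcopy(chain)
    edited[1]["payload"]["kwh"] = 0.1  # a recorded reading is altered after the fact
    edited_at = first_invalid(registry, edited)

    rogue_sk, _ = keygen()
    extended = copy.deepcopy(chain[:2])
    append(extended, "rogue-99", rogue_sk, {"state": "unlocked"})  # never registered
    rogue_at = first_invalid(registry, extended)
    return intact, edited_at, rogue_at


if __name__ == "__main__":
    print(demo())
```

Because a Lamport key may sign only once, each device records a single entry here; a deployment with long-lived devices would need a many-time signature scheme or key rotation recorded in the ledger.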
Robotization (or AI)
AI, Artificial Intelligence, is the notion of an ”intelligent” machine that acts as a rational agent and takes actions based on reasoning like we humans do. A multitude of services that we take for granted when frequenting the Internet are actually completely automated services that adapt themselves based on our preferences and choices. The more data we share to the network, the more personalized services we receive. With the population of tens of billions of new Internet ”users” (as outlined in the IoT section previously) the amounts of data will grow exponentially and make even more space for automated ”robots”.
In early-days experiments, IBM is performing prototype work where device owners in an IoT setup register their devices in a blockchain and use smart contracts to interact with other devices and/or users in the network. Depending on the level of service, different entities receive differentiated services and personalized experiences. If these experiments scale well we will soon see some more promising prototypes.
Now let's take a look at the opposing forces that I have identified through this research round.
Plummeting trust in Bitcoin
Since the introduction of the Bitcoin there have been numerous articles about thefts and misconduct. The 20 most high-profile thefts [Satoshilabs] amount to almost 1.1 million bitcoins, and in the case of three of those thefts the amounts stolen are unknown. As of the writing of this report the bitcoin price is $583 [Coindesk Bitcoin price index] and historical values span from $0.06 to $1,300. The thefts span from technical malfunctions and inside jobs to hackers stealing from both hot and cold wallets. The terms hot and cold wallet (or cold storage) refer to the way that bitcoins are stored. In the case of a hot wallet, the coins are stored on-line and the analogy to money would be the cash stored in the bank office. Cold wallet (storage) refers to the storage of bitcoins off-line and the analogy to money would be when the money is stored in a vault.
Another trust issue is due to the ”common knowledge” [Wikipedia on Silk Road seizure of bitcoins] that bitcoins are used by mafia organizations, drug cartels and other criminal actors on the dark web, thus scaring off the potential new user of the cryptocurrency.
.COM bubble feeling
Blockchain is hot and VCs are flocking around startups where blockchain is present [Weusecoins]. The main driving force has initially been within the field of bitcoin networks, but new VC rounds are around broader use of blockchain technology. There are wide discrepancies between the advocates and the opponents of blockchain. At one end of the spectrum we find supporters that see the blockchain technology as the next big revolution that will make a large paradigm shift in the current internet landscape. On the other side are the sceptics that are just waiting for the bubble to burst.
In between the advocates and the sceptics of blockchain is the general public: the potential users and beneficiaries of the technology. For the general public the only contact (if any) with blockchain technology is through headlines of bitcoin thefts and mischief. For a paradigm shift to happen, the general public needs to endorse the shifting technology and use it in a broad way through services they understand and trust. Otherwise the potential game-changing technology will just be a solution searching for a problem to solve.
I have been granted an extended deadline for my trend report, in which I look at blockchain, IoT, AI, bitcoin and the cyber security issues. The new deadline is 30/8, but I will publish the first part as early as tomorrow, as previously promised.
All content will be in English and my plan is to publish in three rounds:
- Round 1 on 25/8, where I present the introduction, the methodology and the background
- Round 2 on 1/9, where I present an executive summary, signals/trends/indicators, analysis and predictions
- Round 3 on 2/9, where I present my sources and references
Have a lovely summer evening this fantastic Wednesday 🙂