METANOMICS: FEDERAL INTEREST AND SOCIAL SECURITY:

GOVERNMENT TAKES A SERIOUS LOOK AT VIRTUAL WORLDS

MAY 13, 2009

ANNOUNCER: Metanomics is brought to you by Remedy Communications and

Dusan Writer’s Metaverse.

ROBERT BLOOMFIELD: Hi. I’m Robert Bloomfield, professor at Cornell University’s

Johnson Graduate School of Management. Each week I have the honor of hosting a

discussion with the most insightful and the most influential people who are taking Virtual

Worlds seriously. We talk with the developers who are creating these fascinating new

platforms, the executives, entrepreneurs, educators, artists, government officials who are

putting these platforms to use. We talk with the researchers who are watching the whole

process unfold. And we talk with the government officials and policymakers who are taking a

very close look on how what happens in the Virtual World can affect our Real World society.

Now naturally, we hold our discussions about Virtual Worlds in Virtual Worlds. How else

could we find a very real place where a global community can convene, collaborate and

connect with one another? So our discussion is about to start. You can join us in any of our

live Virtual World studio audiences. You can join us live on the web. Welcome, because this

is Metanomics.

ANNOUNCER: Metanomics is filmed today in front of a live audience at our studios in

Second Life.

ROBERT BLOOMFIELD: Hi, and welcome again to Metanomics. Over a year ago,

Paulette Robinson, of National Defense University, appeared on Metanomics to talk about

her new initiative, the Federal Consortium for Virtual Worlds. She talked about the promise

Virtual Worlds held for federal agencies, but she also emphasized two challenges: the

government’s lack of familiarity with this new technology and the government’s strong and

understandable concern about cyber security. Today we’ll be getting an update from

Paulette on how effectively her consortium has been able to address these challenges, and

we’re also going to hear from Paulette’s colleague at National Defense University,

Rocky Young, an expert in cyber security, who has recently been doing some very

interesting work examining the vulnerabilities of Virtual Worlds.

Thanks to all of you who are attending Metanomics today, including those who are viewing

live on the web. Please do join in with your comments and your questions.

ANNOUNCER: We are pleased to broadcast weekly to our event partners and to welcome

discussion. We use ChatBridge technology to allow viewers to comment during the show.

Metanomics is sponsored by the Johnson Graduate School of Management at Cornell

University and Immersive Workspaces. Welcome. This is Metanomics.

ROBERT BLOOMFIELD: Before we get to our main guests, we’re going to take a few

minutes to pull back our usual focus on Virtual Worlds, to take a broader look at the state of

internet technology and policy. Just about every enterprise and every consumer relies on

the internet these days, but none quite so much as those who are exploring Virtual Worlds.

To us, the internet is an ocean we call home. Well, this season, we’ll be doing a fair bit of

oceanography and [earth?] time forecasting. Today we’re going to start in Washington, D.C.

because there are some major policy storms brewing there. To introduce us to the issues,

I’d like to welcome our new Washington correspondent, Sterling Wright, who will help us put

cyber security in the spotlight. Sterling, welcome to Metanomics.

STERLING WRIGHT: Hello, Robert. Thank you so much for having me.

ROBERT BLOOMFIELD: Yeah, my pleasure. I know you’ve been taking a close look at

S.773, the Cybersecurity Act of 2009, which was introduced on April 1st to the Senate

Committee on Commerce, Science and Transportation, by two moderate Senators,

Democrat John Rockefeller and Republican Olympia Snowe. As I understand it, the bill

draws heavily from a report by the Center for Strategic and International Studies, which

says, and this is a quote from their report from late 2008, “American’s failure to protect

cyberspace is one of the most urgent national security problems facing the new

Administration that will take office in January 2009. It is a battle fought mainly in the

shadows. It is a battle we are losing.” That sounds like pretty dramatic language. Are these

histrionics justified?

STERLING WRIGHT: Well, your delivery was certainly dramatic, Robert.

ROBERT BLOOMFIELD: I try.

STERLING WRIGHT: Well, let me tell you. In 2007, already the Departments of State,

Commerce, Homeland Security, the Defense Department, NASA and the National Defense

University suffered major intrusions by foreign entities. These were either foreign

intelligence services, militaries or criminal groups. Today the Department of Defense

computers are probed hundreds, if not thousands of times a day. The Department of State

said it has lost terabytes of information. The White House networks have been penetrated.

And intelligence sources claim that U.S. companies have lost billions in intellectual property.

These activities have continued to increase since then, so there’s a great deal of motivation

in Washington for the U.S. to become much more robust in addressing these threats, and,

more importantly or at least as importantly, in raising the public’s awareness of them.

There’s a sense within the broader population, when we think of cyber threats, we tend to

think of identity theft or pedophilia or something like this, but there is an increasing need to

inform the public of the threats from foreign players who many feel are intent on

undermining the U.S. economy and its defenses. So here in Washington, we’ve heard terms

like “a cyber 9/11” or “a cyber tsunami” or “a cyber Katrina” used to describe the potential for

damage. Some are even referring to the threat from cyberspace as the soft underbelly of

national security.

ROBERT BLOOMFIELD: Okay. Those sounds like pretty serious challenges that no doubt

call for some extraordinary measures. What do you see as some striking provisions in the

bill?

STERLING WRIGHT: Well, the bill is very sweeping in its initiatives. It calls for the

establishment of a Cabinet-level Cybersecurity Czar, who would be answerable to the

President. Although we have many of these czars being appointed now for various agencies

so that may not be the most pressing point. But what the bill also seeks to establish is

cybersecurity standards that would be mandated across all applicable government and

private networks. It would also confer new powers on the President and onto the Secretary

of Commerce.

ROBERT BLOOMFIELD: What are some of these powers? I understand--shutting down--

the President has some power to shut down internet traffic?

STERLING WRIGHT: Here’s the problem: Some of the language in the bill is extremely

broad and open-ended, and this is causing a lot of concern among civil and digital rights

groups. The Electronic Frontier Foundation, for example, and the Center for Democracy in

Technology have both raised issues with some of the provisions. You’re right, the Act calls

for the President to be given the power to shut down internet traffic in emergencies or to

disconnect any infrastructure systems or networks on the grounds of national security. And

the activists are concerned that the Act does not define these so-called emergencies.

Therefore, it is left solely up to the President to decide what merits pulling the plug. I don’t

see as much of a problem with this. It is more analogous, in my mind, to the President

grounding all aircraft on 9/11, and I’m not sure that one could have defined the emergency

of 9/11 ahead of time, but this is, nevertheless, a concern for some.

I think more than the powers conferred upon the President, what seems to be disturbing

people is that the Secretary of Commerce would be given access to all, quote, “relevant

data concerning our critical networks,” and this is the operable point, without, and I quote

again, “without regard to any provision of law, regulation, rule or policy restricting such

access.” So the privacy advocates fear that this would allow the Commerce Secretary

unrestricted access to our private data. Others have even raised the specter of unrelated

illegal activity being inadvertently uncovered, and these fear that such evidence could be

used against a defendant, for example, thereby undermining his or her Constitutional

protection against unwarranted searches.

ROBERT BLOOMFIELD: Well, you mentioned a term in there “critical infrastructure system

or network.” How is that defined?

STERLING WRIGHT: Typically, one would consider critical infrastructure as utilities,

transportation, public health, financial services, food distribution, this sort of thing. And I

think that, if language were inserted into the bill that simply or explicitly defined what

constitutes a critical infrastructure system, I think some of the opponents could be

assuaged. However, there are some who are arguing that the internet, as a whole,

constitutes our critical communication infrastructure, and these voices would like to see

limits defined in the Act, to assure that there are no loopholes left open which would allow

the government to reach into our private communications.

ROBERT BLOOMFIELD: And there are concerns about some user authentication

proposals as well?

STERLING WRIGHT: Yeah, there is a section that is proposing that user authentication be

studied, but at this point the bill only states that, within a year after its enactment, the

President or his or her designee, assuming his if this Act goes into effect shortly, that the

President shall review and report to Congress on the feasibility of an identity management

and an authentication program. Naturally, with the appropriate civil liberties and privacy

protections in place. And activists are concerned about this because although it is intended

to apply only to critical infrastructure, civil liberties groups fear that this will open the door to

anonymity on the internet as a whole being completely abolished and thereby threatening

not only privacy but also free speech.

ROBERT BLOOMFIELD: Parts of this really have a feel to me, as an accountant, of the

Sarbanes-Oxley Bill because this bill seems to be taking a lot of the power that is

traditionally held by private firms and placing it in government hands. So as I understand it,

the government would be overseeing private networks and mandating that government, not

industry, sets standards, attests to them and so on and so the comparison to

Sarbanes-Oxley. That was written in response to high-profile frauds like Enron and

WorldCom. And one of the most controversial parts was Section 404, which dealt with

internal controls. These have traditionally been viewed as a private matter for firms that

[AUDIO GLITCH] protecting themselves from employee misbehavior, but 404 basically said

you’re not doing a good enough job, and it imposed a lot of high-cost requirements, saying,

basically, government was going to set the standards for internal control and require

auditors to attest to that. Would you make the same argument here that private firms have

every incentive to protect their security, and we should just leave the matter in their hands?

STERLING WRIGHT: Well, let me clarify. The Act, as it’s currently written, would mandate

that, again, that the security standards are set for critical infrastructure. This would also

include software, and the government would be able to enforce those standards on all

developers and distributors and vendors. It would also legislate the sharing of security

information between the government and private entity. So I can understand that there

would be some concern over this from the private sector. Opponents argue that this could

stifle innovation, that if standardization of security were mandated across the board that the

systems would become less secure because only one protocol would have to be breached

by potential attackers.

But the fundamental issue at stake, I think, is that, among security and intelligence experts

in Washington, there is certainly the perception that the threat posed by cyber subversion is

a strategic issue that is on par with the proliferation of weapons of mass destruction and

global jihad. And it was these models of deterrence that were drawn upon in the CSIS study,

in order to craft recommendations for how the government should approach cybersecurity.

Certainly, the report’s authors--again, the report, not the bill--feel that it is the government

which needs to be responsible for overseeing this space, and they do not feel that voluntary

actions, which are most likely what is preferred by private industry, would go far enough.

They also argued that the reliance on market forces to date have fallen short, and, as a

result, the U.S. has been left vulnerable. So it’s possible that the open-ended broad,

sweeping language of this bill may simply serve to incentivize the private industry to move

more decisively on this front. There is certainly a concern against prescriptive mandates that

would inflate costs and stifle innovation or encroach on civil liberties.

ROBERT BLOOMFIELD: Okay. Well, I think we’re going to have to leave it there as a

cliffhanger, as we wonder what’s going to happen with this bill as it moves through, how

private industry is going to respond, especially the big corporate powers, not just tech, but

the industries. I’m sure the electric utility industry, for example, is going to have a lot to say

on this since they’re certainly going to be viewed as critical infrastructure. And I’m glad to

know that you’re going to be coming back to talk more about policy issues as the season

goes on. So thanks a lot, Sterling Wright, for talking with us about the Cybersecurity Bill.

STERLING WRIGHT: Delighted to be here, Robert. Thank you so much.

ROBERT BLOOMFIELD: Okay. I guess Sterling will be back next week when we discuss

some more policy issues. Next week we’re going to have a legal expert on Virtual Worlds as

our main guest, James Gatto, of the Pillsbury law firm, a colleague of Ben Duranske for

those of you who know him. He’s been on Metanomics a number of times, so I’m looking

forward to that.

Our main guests today are Paulette Robinson and Robert Rocky Young. Paulette is

assistant dean for teaching at the Information Resources Management College of National

Defense University. But, for our purposes, her most salient credential is that she has

organized the Federal Consortium for Virtual Worlds which supports federal government

employees and contractors that are interested in exploring the use of Virtual Worlds in

government. Robert Rocky Young is director of the National Defense University Information

Assurance Lab and teaches Information Assurance at the IRM College. So, Paulette,

Rocky, both of you, welcome to Metanomics.

ROBERT YOUNG: Oh, great. Thanks for having me. I apologize if my avatar’s been down.

I’m at a conference, and I lost my WiFi.

ROBERT BLOOMFIELD: Okay. Well, I understand these things happen. And, Paulette,

welcome.

PAULETTE ROBINSON: Thank you very much.

ROBERT BLOOMFIELD: So before we get started, I’m sure both of you want to make

some kind of disclaimer that everything you say here is just your own opinion. It doesn’t

represent an official position of your college or the federal government. Paulette, you have

anything to add to that disclaimer?

PAULETTE ROBINSON: No, that’s pretty much right.

ROBERT BLOOMFIELD: Okay. Just wanted to make sure we did that. So now let’s start

with you. You were on Metanomics way back in January of ’08 so well over a year ago, and

NDU was just starting to build a presence in Second Life. The Federal Consortium for

Virtual Worlds had held, I believe, only one conference at that point. Can you give us an

update on how the Consortium has progressed since then? Growth and so on.

PAULETTE ROBINSON: Well, since I was last here, probably, we had a November

meeting in 2007, that had about 200 there and about 300 or 400 online. In April of 2008, we

had our first big meeting. It was a two-day conference, and we had on the campus almost

400, and we had online over 1,000 in Second Life. So it was interesting to see how many

people were there. We had vendors that came in and showed the different parts of what’s

happening in Virtual Worlds. We had panels and--was represented, so it was really a very

enlightening kind of conference. There were over 1,000 people. We now have over 1,000

people in our database that are not only government but industry and academics because

all together is when we’re going to make a difference. We have people from all the 12

Cabinet agencies, so we have a full complement of government represented at different

levels in the Consortium so it’s really moved along.

[AUDIO GLITCH] projects this year at our conference, we had a government poster session

where we had over 30 government projects that were showing what they’re doing in

different Virtual Worlds. We streamed out [six?] different Virtual Worlds and had over 1,000

that were attending. We’re still taking the numbers so I can’t give you exactly, online. So we

really had an interesting mix of people that joined us on our program.

ROBERT BLOOMFIELD: Well, I’ll say I was there. I had a great time. It was incredibly

informative. Now last time when you were on the show, there was a question by

Malburns Writer, a fairly regular attendee of Metanomics, and, in response to his question,

you said the following: “If you talk to high-level administrators, you would think Second Life

is a foreign land. I think they’re stunned.” And so now I see you are actually nominated for

the 2009 Intergovernmental Solutions Award, and you’re talking about the growth of the

Consortium. Is it safe to assume that high-level government administrators are more familiar

with Virtual Worlds and are more ready take it seriously?

PAULETTE ROBINSON: I think they’re more familiar with them. I know that one of the

Senate Subcommittees had met in Virtual Worlds, one of them from Commerce, so there is

more of an awareness. How seriously they take them, I think that’s not across the board, but

several understand immediately. I think educators, training officers automatically see the

power of it. And now that we have a new Administration, I think there’s also a renewed

interest of finding ways to collaborate and communicate online. So I think there’s a renewed

interest in what Virtual Worlds can do. But there’s still always the problem with security so

that has to be fixed before there’s a real interest. Although, at every conference I go to, I ask

the audience, “So how many of your children are in Club Penguin or Webkinz?” And about a

third raise their hands, so I think some these new administrators are becoming acquainted

with what a Virtual World is through their children or grandchildren.

ROBERT BLOOMFIELD: Yeah, I believe that. Now, on security, which you just mentioned,

I understand the U.S. Department of Agriculture, of all places, is providing a solution.

PAULETTE ROBINSON: Yes, we’re working closely with the USDA and the CIO there to

create a trusted-source hosting solution that will be hosted at their data center in Kansas

City. We’re using eAuthentication level 2 to ensure identity. So one of the problems is, who

is in the space? Are they who they say they are? The second problem is, for all these Virtual

Worlds, ports have to be open, and it depends on how many ports so the Enterprise

versions of Virtual Worlds--and this is not like Second Life in the public spaces which offer a

different kind of security problem. We would then be able to provide secure IP’s that we

would ask CIOs to open to very specific IP’s for these Virtual Worlds. That’s still being

worked out with those as well as the USDA, but we do have the prototype up. We have a

couple of vendors that are integrating eAuthentication for this prototype, to see how it’s

going to work.

So we have a lot of hope. There’s many federal agencies that were at the conference that

are interested in investing in the next stage, to be able to do something that’s multi-agency.

Enterprise versions work well behind the firewall within an agency so then you don’t expose

yourself to the same issues that have to be solved with interagency dialogue, and that’s

what I’m trying to work on. I want multiple agencies being able to talk to each other.

ROBERT BLOOMFIELD: You mentioned a couple. You said you’re working with a couple

vendors, that’s what ProtoSphere and Forterra?

PAULETTE ROBINSON: Yes.

ROBERT BLOOMFIELD: ProtonMedia and Forterra. How about Second Life for the trust

it’s source-hosting?

PAULETTE ROBINSON: Well, Second Life has the unique problem of having ranges of

ports that have to be opened. So even though you would take it behind the firewall, unless

they get it down to a couple of ports, it would be extremely difficult to secure, or more

difficult, and it would be difficult to take CIOs from the governments and convince them to

open up ranges of ports. And I don’t blame them. So an Enterprise solution really has to be

where they run over port 80 or only a few ports as a solution because of the need to protect

the network.

ROBERT BLOOMFIELD: Okay. Despite the fact that Second Life is working on their--I

guess it’s code-named Nebraska, their behind the firewall solution, it still isn’t going to work

for you?

PAULETTE ROBINSON: Well, not for a multi-agency. It probably would work well for

behind the firewall if it’s just within an agency where they’re not going out and opening up

ports. But nowadays, most of the government problems are really multi-agency based, so

unless you run like an internal chat tool in 3D or that kind of workspace or training space, it’s

not going to solve the problems that we need in terms of a robust environment that has a

sense of presence that we can work in across the government.

ROBERT BLOOMFIELD: Okay. That was mostly focusing on the [behind?] firewall

trusted-source hosting. But there are a lot of federal agencies that are working on what I

understand government types call forward-facing projects, public relations, outreach, and

they want anyone to be able to go into the World. I know that there are a lot of these now in

Second Life: NOAA, NASA, Air Force, Team Orlando, which I actually had a great talk with

at the conference. So how are they dealing with the government security issues, while still

using Second Life in what’s largely an unsecured environment?

PAULETTE ROBINSON: Well, they have to go either go home and work on them, or their

CIO has agreed, or their person that mitigates risk for them has set up an enclave off the

network that allows one or two stations to work on Second Life because that’s part of their

job. But that’s really rare. Most people that are working in Second Life, from their

government desktop, cannot do it from their government desktop. They have to go home, on

their home computer, and work on it because they also have to download a client, which, in

most federal agencies like any other corporate enterprise, they have a desktop image that is

regulated for security and for manageability and integration, so most of them work at home

or on their own private computers.

ROBERT BLOOMFIELD: Okay. Well, really distinguishes between the day job and the

moonlighting there, huh.

PAULETTE ROBINSON: Yeah. Probably not moonlighting. They just tele-work or find some

other way to do the work.

ROBERT BLOOMFIELD: Right. Now, Rocky, I’d like to bring you into the conversation. So

thanks so much for joining us. It sounded like you were saying you had a bit of wireless

problem. So I don’t know what we’ll be seeing on our screens, but we have you on your

Blackberry. Is that right?

ROBERT YOUNG: Yes, I’m on my Blackberry. I’m at the National 2009 OpSec Conference

down in San Antonio, where we’re actually educating the people on cybersecurity down

here.

ROBERT BLOOMFIELD: Well, it won’t be the first time we filmed an empty chair on

Metanomics. It’s the content that drives everything. Your specialty is security, and I guess

first I’m wondering what do you see as being the primary risks of having federal agencies

using both the public Worlds and the private Worlds, the trusted-source hosting solutions?

What is the exposure that the federal agencies and the people who are doing this have?

ROBERT YOUNG: Well, you know that on security, we’re always the “no” men. We’re

never the “yes” men. We’re always saying security. But I agree with Paulette that the

forward-facing and some of the things that you’re talking about for doing some type of

publicity or something like the Air Force trying to bring people in, that’s great. The issue is

that people are having to do it day to day. They’re having to use Second Life, in their job,

and they’re a federal employee, the recommendation that Paulette had said and what we’ve

built at _____ is an enclave. It’s a specialized area that will not bring the problems from

Second Life and/or these Virtual Worlds onto our government systems which might be your

production government system doing your national war-fighter job or maybe doing IRS tax

returns; I’m not sure what your job may be.

And Paulette’s agreement with the multi-agency, all of our problems are becoming multi

because we’re so interconnected. Our networks have no boundaries anymore. So in order

for us to make sure that we don’t have a [problem?] that say DOD brings in, it doesn’t bleed

over to your EPA and your FAA and your DOT. Some of the agents are doing exactly what

you said. It’s all bound to the software, the compliance and the server, and, as Paulette had

said, we have the HBSFO(?) [base?] security system in the Department of Defense. It’s

actually locked down for a specific reason, to protect us to the best of its abilities again. And

[AUDIO GLITCH] people on these systems doing these things, and the issue is, we have

government people now, insiders, that actually are doing things that they’re not supposed to

do. We know appropriate use of the network. We know appropriate function.

Our worry is that as they get into Second Life and these other 3D Virtual Worlds, that

sometime they forget that they’re at work. They may accept something that they wouldn’t

normally do in the other world. But it’s all down to the software and evaluating the code and

evaluating what that server-client relationship, what it has allowed in and out. And as

Paulette said that the ports, what ports are we opening, and we watch them closely. Can we

monitor what’s going on in this Virtual World? And the identity management looks huge for

Paulette and for everyone else. Am I talking to who I really think I’m talking to? Do you have

a federated ID or some way to say that, yes, you are indeed speaking to Dr. Rocky Young.

No one has taken over the avatar. No one is misrepresenting or social engineering you to

get information out of you.

There’s so many ways to do social networking, and Paulette works through all of those at

IRMC. And I just want to be person who says, “I want you all to go into these Virtual Worlds

as security professionals, but I want you to understand the risks when you go into them and

accept that risk that something could happen.” And, as long as you’re aware and you accept

it, then you’re standing there when they reference it so that E-9/11 and these other, you

know, the E-Pearl Harbor that may happen. We’re not saying, “Gee whiz! We never thought

of this,” or, “Gee whiz! I had no idea this could happen.

ROBERT BLOOMFIELD: I was at your talk in Washington, D.C., at Fort McNair, and you

said some fairly terrifying things about the use of Twitter and Skype and a lot of other things

that are kind of meat and potatoes to a lot of us who spend so much time collaborating by

distance. Could you clarify for us a little what you see as the risks of those tools? And then

is there something about Virtual Worlds that makes them more of a concern?

ROBERT YOUNG: The big issue with your Skype and your other tools, it’s a voice of our

[PCHK technology?], and we can gather that, unless you’re going to encrypt it. And

normally, for us to pass through the Virtual Worlds, you can’t have as much encryption; it

slows things down. It causes problems. It depends on what you’re doing in the Virtual World.

Say that you’re my adversary, or I wanted to take your job or immerse you, and the biggest

thing is reputation. Your reputation can be destroyed in seconds in any online avenue. The

issue is, if I can gather all the conversations about you and you’re doing something

inappropriate in a Virtual World, you’re a government employee. I know who you are even

though you say you’re someone else. I could actually use that to blackmail you.

And there are tools that we can use in the Virtual Worlds to build some bots to actually

gather all the traffic that’s going on in the room, find all your movements, to record

everything you do, and I would blackmail you with it. Now if you put it on a different

[forums?], that I’m not talking to a government employee, you have to worry about you

family, your daughter. I have a ten-year-old daughter. The big issue is what is she doing in

that Virtual World? Who’s following her? With Twitter, we can tell exactly where you are

because you’re going to tell us in that 140 characters, “I’m here, I’m doing this. I’m here, I’m

doing that.” It links back to your phone. It links through the Virtual Worlds. There are ways

for us to find out exactly where you are. So it’s like we can do E-stalking if we want to. Now

that’s not a big concern for me. I’m a 6’-5” [AUDIO GLITCH]. But for someone, like a

ten-year-old girl, for the E-bowling and things like that, Twitter and some of these other

technologies, they all combine in, and you get so much information about people.

On your cameras, you actually get [AUDIO GLITCH] data on every picture. So say you load

up a picture into Second Life, that you took of yourself. There can actually be GPS

coordinates in that data of that picture that will tell me where you live or where it was taken.

It can actually have information in the picture, and it’s all under Digital Forensics, if your

listeners have an interest. In the information that goes with that camera, that photo, that

picture, I can find out GPS coordinates. I can find out with the WiFi access points where it

was loaded. And, if you’re dumb enough to load in your email address or register it,

sometimes that is in the photograph information. For me, it’s really awareness--

ROBERT BLOOMFIELD: So here we’re not really talking about hacking. We’re not talking

about who’s trying to carve their way into your system, it’s really just people unwittingly

giving away all the information that others might want.

ROBERT YOUNG: All that, yeah, for a social [aspect?], yes. Now, I didn’t even delve into

the hacking. Every time you accept something from someone else in a Virtual World, which

we were just demo-ing Virtual Worlds to a bunch of students before I leave the room. Every

time you accept a piece of code from a [AUDIO GLITCH] accessing whatever they give you,

and you don’t know what that piece will do. It may be making you dance. It may be making

you have butterfly wings, but you don’t know what that tool or that piece of code really does.

Maybe it’s actually installing a route kit on your system at the same time that it’s making you

dance. Maybe it’s copying every one of your conversations or it’s going in and looking for

your password file on your core drive. There are a lot of things that, when you accept

something in a Virtual World. I tell my daughter when someone says, “Knock, knock,” in

Second Life or when we’re in someplace, you do not say, “Who’s there?” because you are

opening a communication between you and them, and you can accept things from them or

they can push things to you. [AUDIO GLITCH], our avatar into sandboxes, and, in the

sandboxes in Second Life, we watch what they’re doing and what they’re building and what

they’re making, to try to get insight into what they’re doing.

The big danger is the code. That when you’re in this Virtual World, and you accept an MP3

from someone in these Virtual Worlds or in these social working sites, we with

MP3Stego--MP3Stego, it’s _____ triplets out there; go look it up--you can load things in

MP3’s, and the MP3 still plays the music. So why not, if I’m targeting you, offer you a free

MP3 of Biance’s new song? And don’t tell anyone that I gave it to you because it’s

copyrighted music. You’re not going to tell Mom and Dad that you took that MP3 and loaded

it into the system, but that’s actually bringing malware into the system. And, if I can’t get you

electronically, maybe I just hand out free music at the bus stop where I know your kid is, and

that’s how I’ll get into your system.

ROBERT BLOOMFIELD: It looks like Dusan Writer, through our web audience chat has,

you know, he--my advice on all this is to do what I do: Make your life so boring that no one

wants to steal any of your identity or know anything about you. It seems to me that a lot of

what you’re saying--I mean, to some extent, there’s just some common sense here, but

some of it also sounds like basically if you want to have any sort of public profile, you’d be

putting yourself at risk. How do you balance trying to remain secure and protected, while still

having a [AUDIO GLITCH]?

ROBERT YOUNG: You have a bit of a risk [acceptance?]. You have to assess the risk and

accept it. If you’re going to put your face out there, you’re going to put your images out

there, we build a fake email address for every one of our avatars, that only that email

address is used with it. So you kind of build, like you said, that common sense. And you

don’t put personal pictures of yourself out there, of your kids and stuff. The issue is, I still

want you to go into Second Life. I want you to do these things, but I want you to be aware of

the dangers that are out there. Because many times people that jump into computers, like

my mom is 65, she doesn’t understand when someone IM’s her and that they can actually

push code to her and actually take her system out.

And we all have bank accounts, right? We all are using online banking. And there’s a tool

called SSL split that you need to look at about “man in the middle” attacks, with SSL. We

think that we’re secure when we log onto our online banking. Well, go look into that tool, and

you’ll see that we’re not so secure. I want everyone to know that, “Hey, you need to be

aware of yourself.” There needs to be this my own checklist, to make sure that I’m ready to

go into Second Life, what I’m ready to put out there and that risk acceptance because any

time you put yourself out there, there’s going to be some risk, as Paulette will tell you. But it

depends, if someone is in these Virtual Worlds actually portraying themselves as something

they are not, a terrorist or something, trying to find out about Sergeant Snuffy’s deployment

to Afghanistan or Iraq, now we’re talking about Real World operation security, OpSec. So

that’s that I have.

It’s like what are you using it for? What [AUDIO GLITCH] people you are? Are you doing

inappropriate things that could be used maybe to blackmail you? And, really, it’s more like

your digital presence, are you ready to jump headfirst in this pool? Or do you just dip your

toes in, see how it is and not put everything out there? A good example is, my niece had her

prom this weekend, and all of a sudden, on Facebook, all of her pictures are out there. And I

showed her how you can get that [AUDIO GLITCH] those pictures by copying them and

downloading them. So these are the big things. It’s just awareness. I really do want you to

go into Virtual Worlds. I don’t want to be the security guy that stifles everybody and say,

“No, don’t do it. Just go into your house, and sit in a dark closet, and you’ll be safe.”

ROBERT BLOOMFIELD: And, Paulette, in light of all of these issues, how is this coloring

not just what agencies are doing in Virtual Worlds, but how you make the pitch and just sort

of comfort to agencies that are just starting to explore it, that this is a reasonable thing to do

and the risks that it carries are appropriate?

PAULETTE ROBINSON: I think it’s what you want a Virtual World to do for you, so it’s

really deciding what type of outcome you want and how you want to use it and then sitting

down and having a discussion about what the risk is and how to mitigate the risk. So for

most agencies that want to do information delivery to the public and be public facing,

Second Life has become probably the predominant Virtual World that they’re using. So we

have created an IRM college-government center in Second Life, where anyone in the

government can use this center free for meetings and for streaming conferences, that type

of thing. They’re not doing the business of government particularly in there, but they are

meeting more informally across agencies and having conference meetings. Like MuniGov

just had a meeting there. We streamed our entire conference, that type of thing.

So I think there are ways that government’s using it. The Air Force’s pilot--they’ve done

rapid prototyping in there. So if I want to look at something very quickly, as long as it’s not

classified, there’s interesting ways to get public opinion on government buildings, on certain

types of initiatives I think you could get some interesting input. Public diplomacy: The State

Department uses it. William [May?], over at the State Department, is doing interesting

things. NASA’s got some real cool stuff. Eric’s in the back, Eric Hackathorn from NOAA.

He’s done some interesting work for the public, to just use it as an educational mechanism,

so I think that works really well. They don’t do it off of government networks unless special

arrangements have been made with their CIO or they work from home. So they just try to

make it work for them.

ROBERT BLOOMFIELD: I actually see Eric chatting away in the audience. Hi, Eric. A

couple things: First a shout out. I really liked Eric’s--he had a poster at the Consortium

conference at Fort McNair about the “goverati,” like the literati, but the people who know

about government, which I do view as an incredibly helpful resource, because just dealing

with policy and government types for a couple days made me realize I really don’t

understand sort of the intricacies of how things get done within and between agencies. And

then the other thing, I wanted to ask you to respond to something that Eric is saying in chat,

which is, he says, “Rather than getting caught up in the details, it’s really a change in

philosophy and orientation trying to be more open. It’s a cultural shift to openness,” he says,

“that we need to support.” And so one question, Paulette, I have for you is: The Obama

Administration has certainly been vocal about wanting transparency. Do you see that in

action, and do you think it’s going to translate into funding and formal support for these sort

of public Virtual World projects?

PAULETTE ROBINSON: I think, from my observation, this year our conference was

different in that people were ready to invest money in Virtual Worlds and what they could be

used for, for a variety of reasons: education and training, analytical workspaces, a variety of

things. In the past, I think there has been a reluctance to use them simply because there

was a worry about what type of information can be made public and what couldn’t be made

public.

With Obama coming into office and his Administration, because they’ve used social media

and software and communication, they’re encouraging people in the government to find

ways to use it. And one of the things we’re all grappling with is secure ways to use that,

where we protect the citizens’ data, but also get input from the citizens. So what Virtual

Worlds are going to offer for the citizen in transparency, I think, at the first level, we have to

find a way to secure it to do government work.

But the next stages of this is really going to be outward facing Virtual Worlds that are

secure, that we can bring citizens in to do the business of government and also to help

inform the public. So I think it’s going to be a mixture of Wikis and blogs and Virtual Worlds

and ways to communicate with the public. And now that there’s more of a willingness to

entertain this, I’ve seen money starting to be put toward those efforts.

ROBERT BLOOMFIELD: I don’t want to put you too much on the spot, but when you talk

about money, can you give us a sense of what you think the funding might be over the next

year or two? I know you’ve been working a lot with training in and between federal agencies.

Can you give us a sense of how many users you think might get involved in Virtual Worlds

through the government?

PAULETTE ROBINSON: One of the issues are is making sure it’s a secure environment,

that we don’t risk--where there isn’t any network risk to the agency and to the data that we

are responsible for. So once this is put in place, I think, for example, there’s interest in

building IT security course for the government. We’re all required in the government to take

a basic IT security on what phishing is and what spam is and what to avoid and what to

work on. And so every agency pretty much is developing their own. And, quite frankly,

they’re pretty boring. They’re just really pretty boring. So one of the possibilities is creating

IT security that’s interesting and interactive in a Virtual World and then making it available to

the entire government so we get economies of scale. So once that happens, you’ll have

thousands of people in these Virtual Worlds. So I think you’re going to start seeing that kind

of process happening.

We have ethics training that all of us are required to take, and that too is pretty boring. So

when that becomes possible in a Virtual World, where it’s interactive and more interesting, I

think you’re going to see everybody want to come onboard. So we’re going to have

economies of scale, in terms of different kinds of use cases. We’re creating a community of

practice for the chief financial officer community in Virtual Worlds so they’ll have a

knowledge base and be able to work together on complex problems. But it’ll be in a secure

place.

ROBERT BLOOMFIELD: If everyone in the government is going to need some sort of

cybersecurity training and they’re finding it more interesting to do this in Virtual Worlds, I

mean you’re probably then talking tens, hundreds of thousands of people coming into Virtual

Worlds to do that.

PAULETTE ROBINSON: That’s correct.

ROBERT BLOOMFIELD: Okay.

ROBERT YOUNG: I would agree with Paulette wholeheartedly because the training right

now is really boring for information security. And, if you could make it interactive, to have

someone walk into an environment and see laptops secure; it’s the other things. And I think

Paulette’s totally correct about using the Virtual Worlds for training. We’re using it for

biological and other explosions, what can happen in this environment, what happens when

you have a nuclear biological incident. And we’re using it for training of soldiers. As they’re

going into these cityscapes, they can actually figure things out, do assessments. So for

training and education, I think it’s wonderful, and it’s a great way to--behind the firewall we

can actually set up an environment that’s secure and use it, and, as Paulette has said, as

we do shares between the agencies and the CIOs, maybe it’s going to be an intranet

between the dot.gov and the dot.mil so we can do it securely and work together. I think

you’ll see a major explosion, like she said, economy of scale. If I can use the ethics training

throughout the entire federal government, then we’d all be able to do the same exact thing.

But it’s going to be that question of getting it somewhere where it’s secure, where I can’t

hack into it in the middle of your ethics training, something unethical occurs because I made

it happen.

ROBERT BLOOMFIELD: Paulette, we have a question from Fleep Tuque, Chris Collins,

from the state of Ohio, “For academic institutions who want to collaborate with government

on Virtual Worlds research, what office is the best place to contact and look for more

information?”

PAULETTE ROBINSON: At the moment, my group’s become sort of the hub for federal

government and doing work in Virtual Worlds. One of the reasons we have academics in the

Federal Consortium is because we believe that they provide an interesting venue for

research and helping us reflect on what’s best practices. There are a variety of agencies

doing work with universities. Our particular--our instance in Second Life was created by a

university, and we’ve gotten a couple of papers. I’m co-editing a special issue of the Journal

for Virtual Worlds Research, where we’re going to be accepting some research papers, but

also some project type of papers. If somebody’s interested, they can contact me. Some of

the federal government projects are looking for research partners as well, so they can join

the Consortium in our Wiki and asks those kinds of questions in the Wiki.

ROBERT BLOOMFIELD: Okay. Great. We’re coming toward the end of our hour. Rocky, I

don’t know how much you can talk about this, but I’d love to hear a little bit more about your

lab at the college and how you’re using it to learn more about the security of Virtual Worlds.

Can you give us a sense of what goes on in that lab?

ROBERT YOUNG: Sure. Actually, we’re looking into many of the Virtual Worlds, including

Second Life, There.com, some of the other PlayStation Virtual Worlds. And what we do is,

we go in with our avatar, Betwinda, and we actually go in and try to get people to hack us,

and we try to capture what happens, look at the code, evaluate it. And just ten [minutes?]

ago, we released students here. We actually reviewed the dangers of Virtual Worlds, what’s

out there, so they’re aware of the Virtual World, and, like you said, we actually told them

what a Virtual World was. They didn’t know. So we brought them into the lab, but we do not

feel safe enough to let students venture into Second Life alone because I cannot control the

content. We went into a couple places. We did go to IRMC, which is a protected island. We

have our own island that Paulette manages and runs and took them there to show them

what was going on.

But then we took them out in the wild and showed that, within like three to five seconds,

people were actually already offering up tools. And I said, “Now we could look at this and

see what’s actually in this code and try to figure out what it is. But when you accept

something, hopefully, you’ll see a message that you accept it.” That’s what we’re trying to

show them. Was it a route kit that was passed to you? Was it just a piece of digital clothing?

Or was it just a sound or an action? And that’s a big thing is, don’t be hyper-paranoid, but

also be aware that, when you accept something, it’s no different than expecting something

that someone’s baked for you. If you don’t know who it is, you’re not going to accept

something that you don’t know what it is and eat it. So we just tell [AUDIO GLITCH] take a

bit of a chance. But we are using Second Life and a bunch of the other Virtual Worlds.

Forterra is going to give us one World that we can actually put behind the firewall and bring

students in securely. We also have a World of Warcraft, like a Virtual World, that we’re

bringing students in to show them a little more fun. Because we don’t want security to not be

fun. We really enjoy it. So we bring them into World of Warcraft and show them, like on

eBay how you can buy gold levels and how you can buy different levels and how there is an

entire market out there of cyber crime going on in some of these Virtual Worlds. So it’s kind

of an awareness thing for them and also to know, if their kids are out there, you need to

keep an eye on what they’re doing in Virtual Worlds, and if they’re using the same systems

that you’re using for banking and for your tax returns and for all your private pictures, you

may be actually loading route kits and other things, unknowingly, to them, of course, but

unknowingly be loading malware or a home system that you use for everyday use. In the

laboratory, all of our systems are scrubbed. We use virtual machines. We bring up a virtual

machine. We launch into the Virtual World, and then we have a bit of protection between us

and the actual clients of a relationship.

ROBERT BLOOMFIELD: We have a member of the audience, Al Supercharge, who feels

quite confident that the Second Life viewer cannot install a route kit. Do you want to respond

to that?

ROBERT YOUNG: Sure. I would need to know who he was before I starting telling him

exactly how we know what it can do, and then we could exchange credentials, and then I

would tell him how it did it. Because that’s the big thing is, when your adversary’s using new

tools against you, you don’t run out and say, “Hey, we found this neat thing. We know it,”

because we want to do the same exact thing to them. We want to watch what they’re doing,

to see how they’re using the tool against us. You don’t put all your cards on the table. When

someone’s using a tool against you, you watch what the tool’s doing. That’s the same thing

we do. We get it into a network. We load what we need. We put a back door, and we

observe and find out what we’re going to do.

My thing is now the kids are being hacked, actually the young children, because their Social

Security numbers are still clean and so are their bank accounts because they haven’t had

them yet. So now you need to look at your kids are being the targets, not you. Your Social

Number’s already out there. A bot collected it years ago. And your credit card numbers are

already out there. But your kids are new clean accounts that are being collected and kept.

ROBERT BLOOMFIELD: Interesting. So time for one more question for each of you, and I

don’t know, Rocky, if you can answer this, but you used the words, “if you’re doing it to us,

we want to try it on you.” Sonja Strom has a question, “Does the U.S. government use

Virtual Worlds to gather information about people? And what’s going on in other countries?”

And I guess I’m wondering more generally: Is your role looking at cybersecurity at all more

offensive than simply defensive?

ROBERT YOUNG: I can’t really answer that question because, remember, I teach at the

National Defense University. I’m in Information Assurance. I’m a professional. I have

credentials and all that. I would never do anything illegal in the Virtual Worlds. What we do

is watch, but the question that you asked is perfect. Wouldn’t you do that exactly if on your

adversary, if you were a government and you knew things were being done to you? Would

you not do the same thing and watch on the other side? If you don’t know your enemy and

you don’t know how to defend against the attacks that are happening to your network, how

could you ever possibly defend? If you don’t know what the heck they’re doing, how could

you defend? That’s like trying to screw a light bulb in. If you’ve never see a light bulb, how

can you possibly know how to screw it in?

ROBERT BLOOMFIELD: Okay. Thank you. And, Paulette, my last question for you, and we

talked about this a little in the pre-interview, is, I’ve been dealing with Virtual Worlds, it

started out as a small part, just sort of a sideline of the research and teaching that I was

doing and over the last couple years has grown like kudzu or bamboo, and it really

establishes a foothold. I’m wondering, for you personally as an assistant dean at NDU, and

NDU more generally as an organization that is doing inter-agency training, how do you see

Virtual Worlds taking hold? Again, in your personal life and in the college as a whole.

PAULETTE ROBINSON: Well, in my personal life, I find Virtual Worlds one of the most

exciting places. I am also sitting for teaching, learning and technology so I’m responsible for

appropriately integrating technology into our courses in ways that help to facilitate students

learning. I think Virtual Worlds are incredibly interesting, in terms of from an instructional

design point of view and engaging students. I think it’s incredibly interesting, in terms of

using technology for analytical workspaces and doing our work in the future. So I find myself

more and more involved in Virtual Worlds. I personally believe that Virtual Worlds will be the

interface for the web, and it’s not going to be that far down the road.

And I think it’s a responsibility for me and others and the government, as well anyplace else,

particularly the government, to not let this happen to us, that we really can interact with the

citizens in ways where we can meet them, where they gather information. It’s taken over--I

like the kudzu metaphor--it’s really taken over a life of its own in my life because I value and

am committed to it. And so I am like a cheerleader. I’ve been cheering away, and the band’s

been following along.

ROBERT BLOOMFIELD: Well, go, team, go! And we’re glad to have you. The only thing is,

that makes it sounds like you’re on the sidelines when actually I think you’ve taken the ball

and started running with it.

PAULETTE ROBINSON: That’s pretty much what I’ve done.

ROBERT BLOOMFIELD: Thanks so much to both of you for coming on, and I look forward

to having you come on again in another year and tell us where you are then.

PAULETTE ROBINSON: It’s been a pleasure.

ROBERT YOUNG: Thanks so much.

ROBERT BLOOMFIELD: Thank you. Okay, now it’s time for my regular closing comment,

Connecting The Dots. And today the dots I want to connect are the ones that define the

outer boundaries of Metanomics. Our challenge is to define those boundaries broadly

enough that we can remain an influential voice for our community, people who are taking

Virtual Worlds seriously, as that community grows, as the technology grows and as it, like

kudzu, starts taking over more and more aspects of not just technology, but of our work and

social lives. On the other hand, we still need to be narrow enough that we’re not attempting

to be all things to all people or, even worse, trying to become experts in everything. There

are countless podcasts and webcasts about the internet as a whole, but I’m proud to say

there’s still only one Metanomics, and we want to keep that position as a leading voice in

this growing industry.

The heart of Metanomics remains, I think, as I defined it back in September of 2007:

business and policy in the so-called Metaverse of Virtual Worlds. What is a Virtual World?

Every conference I have attended and Paulette, as well, includes a heated debated on the

definition of a Virtual World. Does it need three dimensions? Does it need avatars? Does it

have to have commerce? Are games Virtual Worlds, or are they something different? These

debates are more of a blessing than a curse for Metanomics, and I take, personally, a very

broad perspective on this. As long as someone has a reasonable justification for calling a

platform a Virtual World, Metanomics is going to be there to take a good look at it, try to

understand who’s taking it seriously and what they are getting out of it.

But it’s more than just defining Virtual Worlds. We also need to decide when we should be

spending time on the business and policy of the internet as a whole, as we did earlier today

with the Cybersecurity Act, and, more generally, looking broadly at social movements that

might be affected by technology. As I mentioned at the top of the hour, just about every

enterprise and consumer relies on the internet, but none quite so much as those of us who

are exploring Virtual Worlds. To us, and especially to people who have immersed

themselves in Worlds like Second life, the internet is an ocean we call home. So we won’t

be covering just any internet technology. We’re going to continue to view this ocean through

the lens of our particular school of fish.

So for example, for many users of Virtual Worlds, social networking sites, like Twitter, Plurk

and Facebook, are really just an integral component of their businesses and their personal

lives. And we can’t understand how these people are taking Virtual Worlds seriously, without

understanding how they’re using these new technologies. From today’s conversation with

Paulette and Rocky, you can see that there are a variety of cybersecurity issues that are of

particular interest to Virtual World users, and we’re going to continue taking a close look at

the practices and policies that can protect us from tropical storms and determined sharks.

And, finally, we’ll be casting our policy net more broadly than that. We can’t understand the

business case for Virtual Worlds, without understanding, for example, the recent energy bill,

which may make carbon emissions far more costly than they are now. Whether that’s a

boon for Virtual Worlds is, I think, a more open question than many Virtual World users

seem to think. Sure, traveling is expensive, but Virtual Worlds have their own carbon

footprint, and I don’t think we yet have a good handle on just how big those feet are. So this

is going to be an exciting season for Metanomics as we grow into the new resources

Remedy Communications is bringing to bear. So I invite you all to come on in. The water’s

fine.

That’s all we have for this week.

Join us next week when we take a look at some legal issues, with James Gatto, of Pillsbury

law firm. We’re going to look at topics, including current patent battles. Some of you may

know of the Worlds.com, a battle going with NC Soft. We’re going to talk about terms of

service, intellectual property rights, protections for children. And relevant to what we’ve

discussed today, the legal liability that Virtual World developers, as well as users, might face

due to breaches of security and other failures.

Thanks to all of our staff members and volunteers who help us pull this off every week. This

is Robert Bloomfield signing off. Take care. And, we’ll see you all next Wednesday.

Document: cor1058.doc

Transcribed by: http://www.hiredhand.com Second Life Avatar: Transcriptionist Writer