Monday, March 23, 2009

Putting Your Faith in Cyber Security

Sometimes you can judge a book by its cover blurbs. Virtual Integrity: Faithfully Navigating the Brave New Web by Daniel J. Lohrmann is one of those books.

Some of the expert endorsements on the back cover and first page are the sorts you'd expect for a book on computer and online security. California's chief information officer and New York state's director of cyber security are among those lending support to the book by their colleague, Lohrmann, who is the acting chief technology officer and infrastructure director for the state of Michigan.

But the book's other endorsements are clearly aimed at a less-secular audience than your typical technology tome. There are plugs from the president of the Family Research Council, a professor from Grand Rapids Theological Seminary and an official from the Board of Social Witness of Presbyterian Church in Ireland. While not technologists, they share many of Dan Lohrmann's concerns about the information and activities the Internet enables.

Brazos Press published Virtual Integrity last fall, a couple of weeks before Dan came to Washington to be recognized as one of GOVERNING's Public Officials of the Year for his work as Michigan's first chief information security officer. Dan is a 12-year state employee who also worked on government computer systems as private contractor and as a network analyst at the National Security Agency (here's his official bio). In a video from our November awards dinner, you can hear Dan's conviction about "the promise of new, exciting opportunities" and "the good that 21st century technology allows." But he also warned our guests about the "harsh new realities" of the online world, many of which directly "threaten our integrity."

That's the theme that gave Dan the title of his book. Virtual Integrity focuses on how "e-temptation" creates "powerful challenges to our values and beliefs" -- issues Dan addresses from a distinctly Christian and pro-technology point of view. Throughout his short but ambitious book, Dan easily alt-tabs from descriptions of malware and the limitations of Web filtering tools to passages of scripture and biblical analogies.

This was interesting reading, even for someone who does not share Dan's particular faith but who tries to lead a moral life -- which is why I invited Dan to answer some questions here about his views on the relationships that connect personal ethics and responsibility, religion, public roles and technology.

Talk about what you mean by "virtual integrity." Is there a governmental role in preventing what you call "integrity theft?"

By "virtual" I mean online life. I'm addressing the ways we logon to the Internet at home and work -- from answering emails with work Blackberrys to surfing the net with school laptops to using Facebook on home PCs to connect with family and friends. More people are even creating avatars (online representations of themselves) to have fun, attend training, or travel to meet others in "virtual worlds" such as Second Life.

Almost every institution in our society talks about having "integrity." A Zogby poll in 2005 reported that 97% of Americans consider themselves to be trustworthy. There are many definitions of integrity such as "what you do when no on else is watching." My preferred definition is from the Yale Law School professor Stephen L. Carter, who wrote a book called Integrity (BasicBooks 1996):

"Integrity involves three steps. The first is to discern what is right and wrong. Discernment takes time and emotional energy. It's much easier to follow the crowd. The second step is to struggle to live according to the sense of right and wrong you have discerned. The third is to be willing to say what we are doing and why we are doing it."

So by "Virtual Integrity" I am attempting to put the two concepts together and challenge individuals to examine their online life at home and work. Simplistic answers are not solving our complex problems online. After describing many of those problems, I offer new approaches to help "surf your values."

I coined the phrase "integrity theft," to highlight scary new cultural trends that are different than the well-publicized issues surrounding identity theft. With Integrity theft, rather than your money or personal information being at risk from unseen hackers, your reputation, your career, or your important relationships are threatened by online temptations to do wrong. As we surf the Internet, we are offered intriguing images, videos, and other content that vie for our thoughts, dreams, time and money. Advertisers and others "tempt the click." We can be enticed by clever schemes to act against our professed values and beliefs.

The focus of the book is on personal responsibility and the actions that individuals and families can take to protect themselves and be a force for good online. However, there is absolutely a role for government -- as well as technology companies, online businesses, advertisers and others in cyberspace. We have many laws prohibiting unwanted spam, deceptive practices, sending child pornography, communication with minors without parental consent, and various other Internet practices. As the 21st century moves forward, we need to increase what Microsoft calls "end-to-end trust." In some cases violators will need to be prosecuted.

There is also an education role. Most Americans agree that government has a role in supporting safe, healthy lifestyles. From food and drug safety at the FDA to healthy school lunches to ensuring fair mortgage terms and conditions with banks to laws governing our highways, our various government organizations must play an essential role in helping citizens make wise choices. The Internet is our new 21st century superhighway system. As we do more and more online, there are important freedoms, legal protections and elements of security and privacy that governments must provide.

Your book is written specifically from a Christian perspective and you use scripture in forming your arguments and in the recommendations you make for Christian families and Christian businesses. How is the idea of "virtual integrity" relevant to people from other faith backgrounds. Is "virtual integrity" strictly a religious idea?

Thanks for the comment, Mark. As a computer security professional and someone who has worked in (or in support of) various government organizations for my entire 24-year professional career, I tried to write for as wide an audience as possible, while grounding the book with scriptural truths that have been quoted and followed for thousands of years. Just as Stephen Covey addresses "Seven Habits of Highly Effective People" and public school programs offer programs like "Character Counts," I am confident that "virtual integrity" is relevant for most people in society regardless of religious belief.

My hope in writing the book was to bridge what I believe to be a large gap in current technology and/or religious dialogue. Solutions to our complex Internet problems need to address people, process, and technology at home, school and work. A big part of the "people" component must include our beliefs, values, and religious practices to be effective in the long-term. As virtual life and real life merge together in new ways, people from all faith backgrounds need to reassess what's working and what's not in cyberspace. I think the temptations and other challenges we experience online may be different for people with different religious beliefs, but we all experience online temptation that conflicts with those values.

People from different faith backgrounds have read the book and told me that they agree with the book's messages. For example, Dr. Peter Stephenson, associate director of the Masters of Science in Information Assurance program at Norwich University and author of many books, wrote, "Virtual Integrity offers a solid roadmap, grounded in universal truths, for corporations and governments alike. You don't need to be a Christian to benefit tremendously from Lohrmann's book."

In chapter ten, I mention Dinesh D'Souza's description of the majority view in the Muslim world regarding moral decadence in America. I am confident that most Muslims will agree that we need new approaches to morality online. I'd love to work with Muslims and those of other faiths to ensure that we respect the values of all surfers around the world -- regardless of their religious beliefs. That is true freedom of religion online.

I think most people desire to surf their values -- regardless of their religious belief. I had a fascinating discussion with a former Christian from a major software provider, who was now an agnostic, who said the same concepts articulated in chapters nine and ten could easily be adapted to most of the religions around the world or even to those who desire to "go green" in their lifestyle or support various other causes.

At points in your book you are critical of privacy and free-speech advocates in terms of the online practices and content they sometimes defend. But you also recognize and respect some of their concerns too, particularly related to censorship and constitutionally protected freedoms. What is the best way for government organizations and public officials to balance these kinds of issues as it relates to complex and fast-changing technology?

I think we need a new national strategy on cyber ethics that brings the different voices together. (I even provided the beginning of an outline in the appendix of my book.) I'd love to see government facilitate this debate. We need a task force, just as we had under President Bush on identity theft.

Just as we are bringing together multiple organizations and perspectives on health care and other topics of national significance, we need to debate cyber ethics separately from cyber security. Yes, there is overlap, but as health care insurance is debated separately from the ethics of using stem cells, so cyber ethics in society is different than changing passwords or applying virus filters or stopping hackers. Yes, we urgently need both.

We must also try and emulate "real-life" situations online to enable more trust. For example, when I go to the Disney Store at a nearby mall with my six-year-old son, I know what to expect and what not to expect in way of content on the walls and items sold in the store. The same is true when I attend our church or schools or for that matter go to (my brick and mortar) office. Online, these expectations are often violated -- sometimes intentionally, as we surf through cyberspace.

It may sound easy, but it can get very difficult to address. For example, in real life many people know me at work or at church, but who am I really online? Anonymity or false identities cannot be allowed to cause harm to others. Governments can help improve identity management by driving technology requirements and government contracts towards more secure solutions that ensure privacy and respect for the values of others. This will play a huge role in health IT and other government efforts. The goal needs to be end-to-end trust, and government should bring all the players to the table -- including faith-based groups .

Explain why you don't like the terms "adult" and "child" content -- and why you think "moral" and "immoral" are in fact better labels.

As every marketing company knows, words are very important. The porn industry has done a successful job of gradually changing the U.S. vocabulary over the past decade. Up until the 1990s, "adult entertainment" was called pornography. And yet, I have seen porn destroy marriages, careers, and church ministries.

People of many religious backgrounds believe that viewing pornography, and other material now labeled as "adult," is wrong. Many individuals and families don't want to see this content online, but numerous Internet companies merge various types of content under the label "adult," assuming that everyone 18 and older wants to see it. This impacts online trust and integrity for all of us. Because of the current situation, some people I know throw the baby out with the bathwater and totally avoid Internet use.

One medical doctor said it this way, "Pornography is not a victimless crime. The users and the subjects are both devastated and the societal cost is immense."

These labels even have a pattern of showing up in the technology products we use online. I work with many security and Internet filtering companies that are building technology around these definitions. For example, if you are 18 or over, filters work differently. In some cases, you must even lie and say you are under 18 if you want to block pornography or other unwanted content. Bottom line, a large number of "adults" don't want to see "adult" content, but content providers assume you do.

Many government organizations rely on filtering technologies to prevent public employees from accessing certain kinds of online content at work. Given what you say in your book about the limitations of many Web filtering tools, do you think this is a good practice?

Filters can help, but don't even come close to fixing many online problems at home and work. They can also create more problems or a sense of complacency. There are also many ways to get around filters. Filters will evolve and improve, but lasting solutions require changes in culture.

New issues have emerged with social networking that include a thousand shades of gray. The challenge is to allow social networking sites with accountability and a level of transparency. (There is no presumption of privacy on work computers.)

In the future, I believe we will need new approaches and new tools to allow us to surf our values. I lay out one such scenario in chapter nine, but we need content delivered in smarter ways based upon our profiles that include security, privacy and values. This new approach is not about blocking content, but delivering what people want to see. That's true personalization.

As a public official, are any of your cyber security responsibilities ever at odds with your personal beliefs?

Not really. I did have staff reporting to me in the past who performed official duties that included viewing content that I didn't want to see (for acceptable use investigations). We have a great security team, and I trusted their reports. No one was asked to violate their personal beliefs in the process.

In your remarks at the November 2008 dinner where you accepted your award as one of GOVERNING's Public Officials of the Year, you spoke briefly about how your faith helped you and your family through your cancer. Since your book also discusses religious views, can you say a bit about your faith and religious background and affiliations?

My father was a Lutheran Pastor, and my wife's father was a Presbyterian minister. I grew up in Baltimore as the youngest of seven children. I was active in the Lutheran church until my mid-20s. While in England, my wife and I were active in an Anglican church for about three years and an Evangelical Free Church for about four years.

When we moved back to Michigan, we settled into a Baptist Church in Grand Ledge. I often teach adult ministries classes, such as a course I just offered on the Internet and Christianity. My wife was on staff for two years as Child Ministries Director and she volunteers her time now to help with children. On Wednesday nights, we lead a weekly program together for about 75 children, and I lead music on the guitar.

About eight years ago, I was diagnosed with testicular cancer. I was shocked, confused, and honestly thought my career in technology was over. I spent many sleepless nights covered in cold sweat worrying about my family and my future. And yet at the same time I felt closer to God than ever before. I reexamined my goals, priorities, beliefs, habits and lifestyle. My faith grew tremendously as I prayed and read the Bible as well as other Christian books. My love for my wife and two daughters grew deeper as well.

The doctor told me exactly what kind of cancer I had after my operation, and he said my chances were good for a full recovery. After several weeks at home, I returned for more tests and a detailed plan -- but amazingly the pathology came back without cancer. Simply stated, I once had cancer, but it was gone. The doctor said that I was a 1 in 400 (odds).

I believe that my prayers were answered, but I knew that I didn't deserve this outcome. Many suffer for years with cancer. Others die. But by God's grace, I was given a clean bill of health. I was (and am) so thankful to God for his faithfulness.

Over the last five years, my wife and I adopted two more children from overseas. I have seen God bless my family and career, and I know that it is only by God's grace that I was able to publish the book: Virtual Integrity.

What role has your faith played in your career choices?

A very large role. Starting at the National Security Agency (NSA), I wanted to serve society, see the world and be involved with government in various capacities. I was very blessed with an excellent education at Valparaiso University in Computer Science, and NSA paid my way through Johns Hopkins University for my Master Degree as well. I've always felt God's calling on my career as more than just a paycheck, but as an opportunity to do good for my family, my local community, my state, and our nation.

Government service has provided an exciting role that makes me want to come in to work every day. At the same time it allows me to be home at night and not travel as much. It also allows me to be active in my church. Even when we were in England, I didn't travel very often, so I was able to get involved in church life. We have a close-knit extended family in Michigan, and we do quite a bit together.

I also realize that I've had great mentors who have influenced me, like Teri Takia, CIO of California; Rose Wilson, deputy director of Michigan DMB [Department of Management and Budget], and others. There are many wonderful, hard-working people in government all over the world, and I've been blessed to have great teams working with me. There are many men and women with strong faith in the military, and I saw that at NSA and in England on US/UK bases.

As far as the book goes, I am excited that a number of technology companies are interested in what I have to say about the future of Internet life. I have seen how my faith interacts with security, integrity and cyberspace and every aspect of my career. I don't push my beliefs on others at work. Rather, I hope my life and actions speak for themselves. Integrity and accountability are more than just words to me, and I hope others see my faith through my actions. I still make plenty of mistakes, but I know a loving God who forgives and that is life-changing.

My thanks to Dan for his time and patience with all of my questions, particularly the nosy personal ones. You can read more about Dan's views on these and other issues on his book site's blog, Faithfully Online, and his other blog on the CSO Web site. -- Mark

No comments: